{{toc numerate=1}}
===Strict-Transport-Security HTTP Response Header===
Instructs the browser to always request a domain using the HTTPS protocol instead of HTTP.
====Why Use HSTS?====
1. **Passive Network Attacks** - man in the middle attacks, HTTPS stripping attacks.
1. **Active Network Attacks** - compromised DNS, evil twin domains, etc.
1. **Mixed Content Vulnerabilities** - loading an insecure resource inside a secure page (e.g. SWF)
1. **Performance** - removes the unnecessary redirect from HTTP to HTTPS.
1. **Because no one types https:// in the address bar.**
====HSTS Directives====
##max-age## - number of seconds the policy should be kept for.
##includeSubDomains## - apply this policy to all subdomains of the requested host. Omit to apply policy only to current domain.
====HSTS Examples====
Require HTTPS for 60 seconds on current domain:
##Strict-Transport-Security: max-age=60##
Require HTTPS for 365 days on all subdomains:
##Strict-Transport-Security: max-age=31536000; includeSubDomains##
Remove HSTS Policy (including subdomains):
##Strict-Transport-Security: max-age=0##
====How to handle HTTP Requests====
**Requests Over HTTP (Non Secure)**
* Should respond with a 301 redirect to the secure URL.
* Must NOT respond with a Strict-Transport-Security header on non-secure HTTP requests.
**Requests Over HTTPS**
* Should always respond with a Strict-Transport-Security header.
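The three rules above as a WSGI middleware. This is an added example, not code from the original page; it assumes the server sets ##wsgi.url_scheme## from a trustworthy source (e.g. a TLS-terminating proxy) and that the Host header is validated upstream.

```python
from urllib.parse import urlunsplit

HSTS_VALUE = "max-age=31536000; includeSubDomains"

def https_url(environ):
    """Rebuild the requested URL with the https scheme."""
    # Assumes Host was validated upstream; an attacker-chosen Host would make this an open redirect.
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    path = environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", "")
    return urlunsplit(("https", host, path, environ.get("QUERY_STRING", ""), ""))

class HstsMiddleware:
    """Wrap a WSGI app: 301 plain-HTTP requests, send HSTS only over HTTPS."""
    def __init__(self, app, hsts_value=HSTS_VALUE):
        self.app = app
        self.hsts_value = hsts_value

    def __call__(self, environ, start_response):
        if environ.get("wsgi.url_scheme") != "https":
            # Non-secure request: redirect, and do NOT send the HSTS header.
            headers = [("Location", https_url(environ)), ("Content-Length", "0")]
            start_response("301 Moved Permanently", headers)
            return [b""]

        def hsts_start_response(status, headers, exc_info=None):
            # Secure request: always emit the policy, replacing any app-set copy.
            headers = [(k, v) for k, v in headers
                       if k.lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", self.hsts_value))
            return start_response(status, headers, exc_info)

        return self.app(environ, hsts_start_response)

def hello_app(environ, start_response):
    """Minimal application to wrap (constructed for this example)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]

def run_request(app, scheme, host, path, query=""):
    """Drive a WSGI app once without a server; returns (status, headers, body)."""
    environ = {"wsgi.url_scheme": scheme, "HTTP_HOST": host, "SERVER_NAME": host,
               "SCRIPT_NAME": "", "PATH_INFO": path, "QUERY_STRING": query,
               "REQUEST_METHOD": "GET"}
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body

app = HstsMiddleware(hello_app)
```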
====HSTS Browser Support====
* http://caniuse.com/stricttransportsecurity
====HSTS Resources====
1. HSTS Specification: https://tools.ietf.org/html/rfc6797
1. OWASP: ((https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet HTTP Strict Transport Security Cheat Sheet))
===X-Content-Type-Options===
X-Content-Type-Options stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. The only valid value for this header is ##X-Content-Type-Options: nosniff##.
====X-Content-Type-Options Resources====
1. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
===X-Frame-Options===
Allows the server to specify whether the response content may be rendered inside a frame, and if so from which origin.
**Note:** The ##frame-ancestors## directive from the CSP Level 2 specification officially replaces this non-standard header but is not supported across all browsers. Though X-Frame-Options is not an official standard it is widely supported and can be used in conjunction with CSP.
====Clickjacking====
* AKA UI Redressing
* Attacker tricks the user into clicking on something that performs an unintended action.
====X-Frame-Options Directives====
* ##DENY## - Specifies that the requested resource should never be embedded in a frame.
* ##SAMEORIGIN## - Only pages on the same domain may frame the requested resource.
* ##ALLOW-FROM origin## - Allow a whitelisted origin to frame the requested content.
====X-Frame-Options Resources====
1. http://tools.ietf.org/html/rfc7034
1. OWASP: ((https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet Clickjacking Defense Cheat Sheet))
===Content-Security-Policy (CSP)===
HTTP response header that allows the server to control from where resources may be loaded.
====Why Content-Security-Policy?====
* Greatly reduces success of Cross Site Scripting (XSS) attacks.
* Report / log XSS attack attempts
====CSP Directives====
CSP can restrict where each type of asset may be loaded from.
* ##default-src## – fallback for all asset types (including scripts) that have no directive of their own
* ##base-uri## – restricts the URLs allowed in the document's base element
* ##connect-src## – XHR, WebSockets, EventSource
* ##font-src## – font files
* ##form-action## – restricts the URLs that forms may be submitted to
* ##frame-ancestors## – which origins may embed this page in a frame (the standard replacement for X-Frame-Options)
* ##frame-src## – nested browsing contexts sources
* ##img-src## – limit origins of images
* ##media-src## – audio and video
* ##object-src## – Flash and other plugin objects
* ##plugin-types## – restricts the set of plugins that can be invoked
* ##report-uri## – where the browser should POST violation reports
* ##sandbox## – preventing popups, the execution of plugins and scripts, and enforcing a same-origin policy
* ##script-src## – scripts
* ##script-src-attr## – inline event handler attributes (e.g. ##onclick##)
* ##script-src-elem## – script elements and the URLs they load
* ##style-src## – stylesheets
====CSP Source Expressions====
#|
*|Source Value | Meaning |*
||* | Wildcard, allows all origins. ||
||'self' | Allow same origin. ||
||'none' | Don't allow any resources of this type to load. ||
||domain.example.com | Allow a domain ||
||*.example.com | Allow all subdomains on a domain. ||
||https://example.com | Scheme specific. ||
||https: | Require https. ||
||data: | Allow data uri schemes. ||
|#
====unsafe-inline====
* When a ##script-src## or ##style-src## directive is set, inline ##script## or ##style## tags are blocked.
* You can add ##'unsafe-inline'## to allow them, but this defeats much of CSP's purpose.
====unsafe-eval====
* CSP also disables unsafe dynamic code evaluation, such as the JavaScript eval() function.
* You can add ##'unsafe-eval'## to a ##script-src## directive to allow it again.
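A small policy checker that puts the source expressions from the table above, the ##default-src## fallback, and the ##'unsafe-inline'## / ##'unsafe-eval'## keywords to work. This is an added example, not code from the original page; the sample policy and host names are constructed, and a bare host-source is matched using the requested URL's scheme (a simplification of the spec's port and scheme rules).

```python
from urllib.parse import urlsplit

SAMPLE_POLICY = ("default-src 'self'; img-src https: data:; frame-ancestors 'none'; "
                 "script-src 'self' https://cdn.example.com *.static.example 'unsafe-inline'")  # constructed
NO_FALLBACK = {"frame-ancestors", "base-uri", "form-action", "sandbox", "report-uri"}  # no default-src fallback

def parse_csp(header):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def source_matches(expr, url, page_origin):
    """Test one source expression from the table above against a URL."""
    u = urlsplit(url)
    if expr == "'none'":
        return False
    if expr == "*":                   # wildcard: anything except data:/blob:/filesystem:
        return u.scheme not in ("data", "blob", "filesystem")
    if expr == "'self'":
        return f"{u.scheme}://{u.netloc}" == page_origin
    if expr.endswith(":"):            # scheme-source such as https: or data:
        return u.scheme == expr[:-1]
    if expr.startswith("'"):          # 'unsafe-inline' etc. permit no URL by themselves
        return False
    # host-source [scheme://]host[:port]; a bare host is taken with the URL's scheme
    e = urlsplit(expr if "://" in expr else f"{u.scheme}://{expr}")
    if e.scheme != u.scheme or (e.port is not None and e.port != u.port):
        return False
    host, want = u.hostname or "", e.hostname or ""
    if want.startswith("*."):         # *.example.com matches hosts below it, not example.com
        return host.endswith(want[1:])
    return host == want

def allowed(policy, directive, url, page_origin):
    """Resolve the governing directive (default-src fallback) and test the URL."""
    sources = policy.get(directive)
    if sources is None and directive not in NO_FALLBACK:
        sources = policy.get("default-src")
    if sources is None:
        return True                   # nothing governs this type: unrestricted
    return any(source_matches(s, url, page_origin) for s in sources)

def risky_keywords(policy):
    """Script sources that weaken CSP: 'unsafe-inline', 'unsafe-eval', *."""
    sources = policy.get("script-src", policy.get("default-src", []))
    return sorted(s for s in sources if s in ("'unsafe-inline'", "'unsafe-eval'", "*"))
```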
====CSP Reports====
* Configure a ##report-uri## to receive CSP violation reports (sent as POST requests)
* Be notified of XSS vulnerabilities as they occur
* Users with CSP-supported browsers make it safer for everybody
##""Content-Security-Policy: default-src 'self'; report-uri http://example.com/report.php""##
=====Report-only headers=====
* Content-Security-Policy-Report-Only
* Notifies you of violations, but won't take action
* Lets you try CSP risk-free
Specify a ##report-uri## to receive JSON violation reports
Report only: ##Content-Security-Policy-Report-Only##
##""Content-Security-Policy-Report-Only: default-src 'self'; report-uri http://example.com/report.php""##
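What the ##report-uri## endpoint actually receives: a JSON body keyed ##csp-report##, as CSP Level 2 defines it. The parser below validates one report and separates browser-extension noise from real violations; it is an added example, not code from the original page, and the sample report is constructed.

```python
import json
from collections import Counter

# Report body as a CSP2 browser would POST it (constructed sample).
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://www.example.com/account",
    "referrer": "",
    "violated-directive": "script-src 'self'",
    "effective-directive": "script-src",
    "original-policy": "default-src 'self'; report-uri https://www.example.com/report.php",
    "blocked-uri": "https://evil.example.net/x.js",
    "source-file": "https://www.example.com/account",
    "line-number": 12, "column-number": 7, "status-code": 200}}).encode()

FIELDS = ("document-uri", "blocked-uri", "violated-directive", "effective-directive",
          "source-file", "line-number", "column-number")
# blocked-uri prefixes that usually mean a browser extension, not an attack.
NOISE_PREFIXES = ("chrome-extension", "moz-extension", "safari-extension", "about")

def parse_csp_report(body, content_type):
    """Validate one POSTed report; return a flat record, or None if malformed."""
    media = content_type.split(";")[0].strip().lower()
    if media not in ("application/csp-report", "application/json"):
        return None
    try:
        outer = json.loads(body)
    except (ValueError, UnicodeDecodeError):
        return None
    report = outer.get("csp-report") if isinstance(outer, dict) else None
    if not isinstance(report, dict) or not report.get("violated-directive"):
        return None
    rec = {k: report.get(k) for k in FIELDS}
    # CSP2 sends "script-src 'self'" as violated-directive; keep only the bare name.
    rec["directive"] = (report.get("effective-directive") or report["violated-directive"]).split()[0]
    rec["noise"] = str(rec["blocked-uri"] or "").startswith(NOISE_PREFIXES)
    return rec

def summarise(records):
    """Count real (non-noise) violations by (directive, blocked-uri) for triage."""
    return Counter((r["directive"], r["blocked-uri"]) for r in records if r and not r["noise"])
```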
====CSP Browser Support====
* http://caniuse.com/contentsecuritypolicy2
====CSP Resources====
* ((http://content-security-policy.com CSP quick reference))
* W3C: ((http://www.w3.org/TR/CSP2/ Content Security Policy Level 2))
* W3C: ((https://w3c.github.io/webappsec-csp/ Content Security Policy Level 3))
* OWASP: ((https://www.owasp.org/index.php/Content_Security_Policy_Cheat_Sheet Content Security Policy Cheat Sheet))
* Mozilla: ((https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy CSP policy directives))
===Permissions-Policy===
A security mechanism that allows developers to explicitly enable or disable various powerful browser features for a given site.
* W3C: https://www.w3.org/TR/permissions-policy-1/
* W3C: ((https://github.com/w3c/webappsec-permissions-policy/blob/main/permissions-policy-explainer.md Permissions Policy Explainer))
* https://w3c.github.io/permissions/
====Permissions Policy Browser Support====
* https://caniuse.com/permissions-policy
===Referrer Policy===
The Referrer-Policy HTTP header governs which referrer information, sent in the Referer request header, is included with requests the page makes.
====Why Referrer Policy?====
1. **Privacy** -
2. **Security**
3. **Trackback**
====Referrer Policy Directives====
1. ##no-referrer## - Do not send the HTTP Referer header at all.
1. ##no-referrer-when-downgrade## - Send the origin as a referrer to URLs as secure as the current page (https→https), but send no referrer to less secure URLs (https→http). This is the default behaviour.
1. ##same-origin## - A referrer will be sent for same-origin requests, but cross-origin requests will contain no referrer information.
1. ##origin## - Send the origin of the document.
1. ##strict-origin## - Only send the origin of the document as the referrer to destinations that are at least as secure (HTTPS→HTTPS), and don't send it to a less secure destination (HTTPS→HTTP).
1. ##origin-when-cross-origin## - Send the full URL (stripped of parameters) for same-origin requests, but only send the origin for other cases.
1. ##strict-origin-when-cross-origin## - Send the full URL when performing a same-origin request, only send the origin of the document to destinations that are at least as secure (HTTPS→HTTPS), and send no header to a less secure destination (HTTPS→HTTP).
1. ##unsafe-url## - Send the full URL (stripped of parameters) for same-origin or cross-origin requests.
====Browser Support====
* https://caniuse.com/#feat=referrer-policy
====Referrer Policy Resources====
* W3C: ((https://www.w3.org/TR/referrer-policy/ Referrer Policy Specifications))
* Mozilla: ((https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy Referrer-Policy))
* https://developer.mozilla.org/en-US/docs/Web/HTML/Element/meta
===Tools===
====Header Analyser====
Analyse the security of your HTTP response headers.
* https://securityheaders.io/
====CSP Analyser====
Analyse the Content Security Policy of your site or any other site.
* https://report-uri.com/home/analyse
====CSP Builder====
Quickly and easily build your own Content Security Policy.
* https://report-uri.com/home/generate
====CSP Hash====
Generate a hash of your JS or CSS to include in your CSP.
* https://report-uri.com/home/hash
====SRI Hash Generator====
Generate an SRI tag for externally loaded assets.
* https://www.srihash.org/