Security Headers


1. Strict-Transport-Security HTTP Response Header


Instructs the browser to always request a domain using the HTTPS protocol instead of HTTP.

1.1. Why Use HSTS?


  1. Passive Network Attacks - man in the middle attacks, HTTPS stripping attacks.
  2. Active Network Attacks - compromised DNS, evil twin domains, etc.
  3. Mixed Content Vulnerabilities - loading of an insecure resource over a secure request (eg swf)
  4. Performance - removes unnecessary redirects to HTTPS from http.
  5. Because no one types https:// in the address bar.

1.2. HSTS Directives


max-age - number of seconds policy should be kept for.
includeSubDomains - apply this policy to all subdomains of the requested host. Omit to apply policy only to current domain.

1.3. HSTS Examples


Require HTTPS for 60 seconds on current domain:

Strict-Transport-Security: max-age=60

Require HTTPS for 365 days on all subdomains:

Strict-Transport-Security: max-age=31536000; includeSubDomains

Remove HSTS Policy (including subdomains):

Strict-Transport-Security: max-age=0

1.4. How to handle HTTP Requests


Requests Over HTTP (Non Secure)

Should respond with a 301 redirect to the secure url.
Must NOT respond with Strict-Transport-Security header on non-secure HTTP requests.

Requests Over HTTPS

Should always respond with a Strict-Transport-Security header.

1.5. HSTS Browser Support


1.6. HSTS Resources

  1. HSTS Specification: https://tools.ietf.org/html/rfc6797
  2. OWASP: HTTP Strict Transport Security Cheat Sheet

2. X-Content-Type-Options


X-Content-Type-Options stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. The only valid value for this header is X-Content-Type-Options: nosniff.

2.1. X-Content-Type-Options Resources

  1. https://developer.mozilla.org/[...]Content-Type-Options

3. X-Frame-Options


Allows the server to specify if the response content should be part of a frame, and if so from what origin.


Note: The frame-ancestors directive from the CSP Level 2 specification officially replaces this non-standard header but is not supported across all browsers. Though X-Frame-Options is not an official standard it is widely supported and can be used in conjunction with CSP.

3.1. Clickjacking


  • AKA UI Redressing
  • Attacker tricks the user into clicking on something that performs an unintended action.

3.2. X-Frame-Options Directives


  • DENY - Specifies that the requested resource should never be embedded in a frame.
  • SAMEORIGIN - Only pages on the same domain may frame the requested resource.
  • ALLOW-FROM origin - Allow a whitelisted origin to frame the requested content.

3.3. X-Frame-Options Resources


  1. http://tools.ietf.org/html/rfc7034
  2. OWASP: Clickjacking Defense Cheat Sheet

4. Content-Security-Policy (CSP)


HTTP Response header, allows server to control how resources are loaded.

4.1. Why Content-Security-Policy?


  • Greatly reduces success of Cross Site Scripting (XSS) attacks.
  • Report / log xss attack attempts

4.2. CSP Directives

CSP can protect against a variety of unauthorized asset types.

  • default-src – all assets (including scripts)
  • base-uri
  • connect-src – XHR, WebSockets, EventSource
  • font-src – font files
  • form-action
  • frame-ancestors
  • frame-src – nested browsing contexts sources
  • img-src – limit origins of images
  • media-src – audio and video
  • object-src – Flash and other plugin objects
  • plugin-types – restricts the set of plugins that can be invoked
  • report-uri
  • sandbox – preventing popups, the execution of plugins and scripts, and enforcing a same-origin policy
  • script-src – scripts
  • script-src-attr
  • script-src-elem
  • style-src – stylesheets

4.3. CSP Source Expressions


Source Value Meaning
* Wildcard, allows all origins.
'self' Allow same origin.
'none' Don't allow any resources of this type to load.
domain.example.com Allow a domain
*.example.com Allow all subdomains on a domain.
https://example.com Scheme specific.
https: Require https.
data: Allow data uri schemes.

4.4. unsafe-inline


  • When script-src or style-src
    are enabled inline style
    or script
    tags are disabled.
    • You can add 'unsafe-inline' to allow it, but defeats much of CSP's purpose.

4.5. unsafe-eval


  • CSP also disables unsafe dynamic code evaluation, such as the JavaScript eval() function.
    • You can add 'unsafe-eval' to a script-src directive to disable this.

4.6. CSP Reports


  • Congure a report-uri to accept CSP exception requests (POST)
  • Be notified of XSS vulnerabilities as they occur
  • Users with CSP-supported browsers make it safer for everybody

Content-Security-Policy: default-src 'self'; report-uri http://example.com/report.php

4.6.1. Report-only headers


  • Content-Security-Policy-Report-Only
  • Notifies you of violations, but won't take action
  • Lets you try CSP risk-free

Specify a report-uri to receive JSON violation reports
Report only: Content-Security-Policy-Report-Only

Content-Security-Policy-Report-Only: default-src 'self'; report-uri http://example.com/report.php

4.7. CSP Browser Support


4.8. CSP Resources


5. Permissions-Policy

A security mechanism that allows developers to explicitly enable or disable various powerful browser features for a given site.


5.1. Permissions Policy Browser Support



6. Referrer Policy

The Referrer-Policy HTTP header governs which referrer information, sent in the Referrer header, should be included with requests made.

6.1. Why Referrer Policy?


  1. Privacy -
  2. Security
  3. Trackback

6.2. Referrer Policy Directives


  1. no-referrer - Do not send a HTTP Referrer header.
  2. no-referrer-when-downgrade - Send the origin as a referrer to URLs as secure as the current page, (https→https), but does not send a referrer to less secure URLs (https→http). This is the default behaviour.
  3. same-origin - A referrer will be sent for same-site origins, but cross-origin requests will contain no referrer information.
  4. origin - Send the origin of the document.
  5. strict-origin - Only send the origin of the document as the referrer to a-priori as-much-secure destination (HTTPS->HTTPS), but don't send it to a less secure destination (HTTPS->HTTP).
  6. origin-when-cross-origin - Send the full URL (stripped of parameters) for same-origin requests, but only send the origin for other cases.
  7. strict-origin-when-cross-origin - Send a full URL when performing a same-origin request, only send the origin of the document to a-priori as-much-secure destination (HTTPS->HTTPS), and send no header to a less secure destination (HTTPS->HTTP).
  8. unsafe-url - Send the full URL (stripped of parameters) for same-origin or cross-origin requests.

6.3. Browser Support


6.4. Referrer Policy Resources


7. Tools

7.1. Header Analyser


Analyse the security of your HTTP response headers.

7.2. CSP Analyser


Analyse the Content Security Policy of your site or any other site.

7.3. CSP Builder


Quickly and easily build your own Content Security Policy.

7.4. CSP Hash


Generate a hash of your JS or CSS to include in your CSP.

7.5. SRI Hash Generator


Generate a SRI tag for externally loaded assets.

Comments