Security Headers

1. Strict-Transport-Security HTTP Response Header

Instructs the browser to always request a domain using the HTTPS protocol instead of HTTP.

1.1. Why Use HSTS?

  1. Passive Network Attacks – man in the middle attacks, HTTPS stripping attacks.
  2. Active Network Attacks – compromised DNS, evil twin domains, etc.
  3. Mixed Content Vulnerabilities – loading of an insecure resource over a secure request (e.g. SWF).
  4. Performance – removes the unnecessary HTTP-to-HTTPS redirect on later requests, because the browser rewrites the URL to HTTPS before sending it.
  5. Because no one types https:// in the address bar.

1.2. HSTS Directives

max-age – number of seconds the policy should be kept for.
includeSubDomains – apply this policy to all subdomains of the requested host. Omit to apply the policy only to the current domain.

1.3. HSTS Examples

Require HTTPS for 60 seconds on current domain:

Strict-Transport-Security: max-age=60

Require HTTPS for 365 days on all subdomains:

Strict-Transport-Security: max-age=31536000; includeSubDomains

Remove HSTS Policy (including subdomains):

Strict-Transport-Security: max-age=0

1.4. How to handle HTTP Requests

Requests Over HTTP (Non Secure)

Should respond with a 301 redirect to the secure URL.
Must NOT respond with a Strict-Transport-Security header on non-secure HTTP requests.

Requests Over HTTPS

Should always respond with a Strict-Transport-Security header.
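
The two sides of sections 1.2 to 1.4 can be seen together in a small model: a server handler that redirects plain HTTP and only sends the header over HTTPS, and a toy version of the browser's HSTS store that parses the header, honours includeSubDomains, expires entries after max-age seconds and drops the policy on max-age=0. This is an added example, not code from the original page; the request tuples and timestamps are constructed, and the cache is a simplified model rather than any real browser's implementation.

```python
import time

HSTS_MAX_AGE = 31536000  # one year, the value used in the examples above


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into its directives.

    Returns {"max_age": int, "include_subdomains": bool}. Raises ValueError when
    max-age is missing, because the header is invalid without it.
    """
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            max_age = int(val.strip().strip('"'))
        elif name == "includesubdomains":
            include_sub = True
        # any other directive is ignored, as the spec requires
    if max_age is None:
        raise ValueError("max-age directive is required")
    return {"max_age": max_age, "include_subdomains": include_sub}


class HstsCache:
    """Toy model of a browser's HSTS store (constructed for this example)."""

    def __init__(self):
        self._entries = {}  # host -> (expires_at, include_subdomains)

    def process_response(self, host, scheme, headers, now=None):
        """Apply the header carried by a response from host."""
        now = time.time() if now is None else now
        if scheme != "https":
            return  # the header is only honoured over a secure connection
        value = headers.get("Strict-Transport-Security")
        if value is None:
            return
        policy = parse_hsts(value)
        if policy["max_age"] == 0:
            self._entries.pop(host, None)  # max-age=0 removes the stored policy
        else:
            self._entries[host] = (now + policy["max_age"], policy["include_subdomains"])

    def should_upgrade(self, host, now=None):
        """True if a request to host must be rewritten to https before it is sent."""
        now = time.time() if now is None else now
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])  # host itself, then each parent domain
            entry = self._entries.get(candidate)
            if entry is None:
                continue
            expires_at, include_sub = entry
            if expires_at <= now:
                continue  # expired policy no longer applies
            if i == 0 or include_sub:
                return True
        return False


def handle_request(scheme, host, path):
    """Server side of 1.4: redirect HTTP without HSTS, send HSTS only over HTTPS."""
    if scheme != "https":
        return 301, {"Location": f"https://{host}{path}"}
    return 200, {"Strict-Transport-Security": f"max-age={HSTS_MAX_AGE}; includeSubDomains"}
```

The point the cache makes explicit is that a header received over plain HTTP is ignored, which is why sending it on the redirect response gains nothing, and that a policy with includeSubDomains set on example.com also forces www.example.com to HTTPS.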

1.5. HSTS Browser Support

1.6. HSTS Resources

  1. HSTS Specification:
  2. OWASP: HTTP Strict Transport Security Cheat Sheet

2. X-Frame-Options

Allows the server to specify if the response content should be part of a frame, and if so from what origin.

Note: The frame-ancestors directive from the CSP Level 2 specification officially replaces this non-standard header but is not supported across all browsers. Though X-Frame-Options is not an official standard it is widely supported and can be used in conjunction with CSP.

2.1. Clickjacking

  • AKA UI Redressing
  • Attacker tricks the user into clicking on something that performs an unintended action.

2.2. X-Frame-Options Directives

  • DENY – Specifies that the requested resource should never be embedded in a frame.
  • SAMEORIGIN – Only pages on the same domain may frame the requested resource.
  • ALLOW-FROM origin – Allow a whitelisted origin to frame the requested content.

2.3. X-Frame-Options Resources

  2. OWASP: Clickjacking Defense Cheat Sheet

3. Content-Security-Policy (CSP)

An HTTP response header that lets the server control which resources the browser may load into the page, and from which origins.

3.1. Why Content-Security-Policy?

  • Greatly reduces the success of Cross Site Scripting (XSS) attacks.
  • Report / log XSS attack attempts.

3.2. CSP Directives

CSP can protect against a variety of unauthorized asset types.

  • default-src all assets (including scripts); the fallback for any fetch directive not set explicitly
  • script-src scripts
  • style-src stylesheets
  • img-src limit origins of images
  • connect-src XHR, WebSockets, EventSource
  • base-uri URLs allowed in the document's base element
  • font-src font files
  • form-action URLs allowed as form submission targets
  • frame-ancestors origins allowed to embed this page in a frame (the CSP replacement for X-Frame-Options)
  • plugin-types restricts the set of plugins that can be invoked
  • object-src Flash and other plugin objects
  • media-src audio and video
  • child-src nested browsing contexts sources
  • sandbox applies restrictions like the iframe sandbox attribute to the page
  • report-uri where the browser sends violation reports

3.3. CSP Source Expressions

Source Value        Meaning
*                   Wildcard, allows all origins.
'self'              Allow same origin.
'none'              Don't allow any resources of this type to load.
                    Allow a domain.
*                   Allow all subdomains on a domain.
Scheme specific:
https:              Require https.
data:               Allow data uri schemes.
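
The directive list and the source-expression table above describe a matching procedure, and it is easier to see what 'self', 'none', the wildcard forms and scheme sources actually permit when the procedure is written out. The following is an added example, not code from the original page: a parser for a Content-Security-Policy value and a checker that decides whether a given resource URL may load under a given directive, falling back to default-src where the directive is absent. All URLs and hostnames are constructed. It goes beyond the table in two ways that are part of CSP itself: a bare * does not cover data: URLs (they must be listed as data:), and a host source without a scheme inherits the page's scheme. Paths inside host sources and the 'unsafe-*' keywords are not modelled.

```python
from urllib.parse import urlsplit

# Fetch directives that fall back to default-src when they are not set (CSP Level 2)
FALLBACK_TO_DEFAULT = {
    "script-src", "style-src", "img-src", "connect-src", "font-src",
    "object-src", "media-src", "child-src",
}
NETWORK_SCHEMES = {"http", "https", "ws", "wss"}
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def parse_policy(header_value):
    """Parse a Content-Security-Policy value into {directive: [source expressions]}."""
    policy = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, sources)  # a repeated directive is ignored; the first one wins
    return policy


def _origin(url):
    """(scheme, host, port) of a URL, with the default port filled in."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)


def _host_matches(pattern, host):
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        # *.example.com matches sub.example.com but not example.com itself
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return pattern == host


def source_matches(source, resource_url, page_url):
    """True if a single source expression permits resource_url to load into page_url."""
    res_scheme, res_host, res_port = _origin(resource_url)
    if source == "'none'":
        return False
    if source == "'self'":
        return (res_scheme, res_host, res_port) == _origin(page_url)
    if source == "*":
        # The bare wildcard covers network schemes only; data: and blob: must be listed
        return res_scheme in NETWORK_SCHEMES
    if source.endswith(":") and "/" not in source:
        return res_scheme == source[:-1].lower()  # scheme source such as https: or data:
    # Host source [scheme://]host[:port]; without a scheme it inherits the page's scheme
    if "://" in source:
        scheme, rest = source.split("://", 1)
        allowed_schemes = {scheme.lower()}
    else:
        rest = source
        allowed_schemes = {_origin(page_url)[0], "https"}
    host_pattern, _, port = rest.partition(":")
    if res_scheme not in allowed_schemes or not _host_matches(host_pattern, res_host):
        return False
    if port and port != "*" and str(res_port) != port:
        return False
    return True


def is_allowed(policy, directive, resource_url, page_url):
    """Decide whether a load is permitted, using default-src as the fallback."""
    sources = policy.get(directive)
    if sources is None and directive in FALLBACK_TO_DEFAULT:
        sources = policy.get("default-src")
    if sources is None:
        return True  # nothing in the policy governs this load
    return any(source_matches(s, resource_url, page_url) for s in sources)
```

Running the checker against a policy such as default-src 'self'; script-src 'self' https://cdn.example.com shows the fallback in action: a stylesheet from the CDN is blocked because style-src is absent and default-src only permits the page's own origin.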

3.4. unsafe-inline

  • When script-src or style-src are enabled, inline style or script tags are disabled.
    • You can add 'unsafe-inline' to allow them, but doing so defeats much of CSP's purpose.

3.5. unsafe-eval

  • CSP also disables unsafe dynamic code evaluation, such as the JavaScript eval() function.
    • You can add 'unsafe-eval' to a script-src directive to allow it again.

3.6. CSP Reports

  • Configure a report-uri to accept CSP violation reports (sent as a POST)
  • Be notified of XSS vulnerabilities as they occur
  • Users whose browsers support CSP report the violations they see, which makes the site safer for everybody

Content-Security-Policy: default-src 'self'; report-uri

3.6.1. Report-only headers

  • Content-Security-Policy-Report-Only
  • Notifies you of violations, but won't take action
  • Lets you try CSP risk-free

Specify a report-uri to receive JSON violation reports
Report only: Content-Security-Policy-Report-Only

Content-Security-Policy-Report-Only: default-src 'self'; report-uri
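
Whatever endpoint the report-uri points at receives a JSON body with a top-level "csp-report" object. The following added example (not code from the original page) is a handler for that body: it validates the report, extracts the fields browsers populate, and triages each violation into an external load, an inline or eval() attempt, or browser-extension noise, so that a report-only rollout can be read without drowning in extension-generated reports. The sample bodies and the /csp-report path in them are constructed; the field names are the ones defined for CSP violation reports.

```python
import json
from collections import Counter

# Field names a browser puts inside the "csp-report" object of a violation report
REPORT_FIELDS = ("document-uri", "referrer", "violated-directive",
                 "effective-directive", "original-policy", "blocked-uri",
                 "source-file", "line-number", "column-number", "status-code")

# Browser extensions inject resources into pages; violations with these schemes
# describe the user's browser, not a flaw in the site
EXTENSION_SCHEMES = ("chrome-extension", "moz-extension", "safari-extension")

# Constructed sample bodies, shaped like what a browser POSTs to report-uri
SAMPLE_BODIES = [
    json.dumps({"csp-report": {
        "document-uri": "https://app.example.com/account",
        "violated-directive": "script-src 'self'",
        "effective-directive": "script-src",
        "original-policy": "default-src 'self'; report-uri /csp-report",
        "blocked-uri": "https://evil.example.org/x.js",
        "status-code": 200}}),
    json.dumps({"csp-report": {
        "document-uri": "https://app.example.com/account",
        "violated-directive": "script-src 'self'",
        "effective-directive": "script-src",
        "original-policy": "default-src 'self'; report-uri /csp-report",
        "blocked-uri": "inline",
        "line-number": 42}}),
    json.dumps({"csp-report": {
        "document-uri": "https://app.example.com/account",
        "violated-directive": "style-src 'self'",
        "effective-directive": "style-src",
        "original-policy": "default-src 'self'; report-uri /csp-report",
        "blocked-uri": "chrome-extension://abcdefghijklmnop/style.css"}}),
    '{"not": "a report"}',  # malformed body, rejected by the handler
]


def parse_csp_report(body):
    """Parse the JSON body POSTed to report-uri; raise ValueError when malformed."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"report is not JSON: {exc}") from None
    report = data.get("csp-report") if isinstance(data, dict) else None
    if not isinstance(report, dict):
        raise ValueError("missing csp-report object")
    for field in ("document-uri", "violated-directive"):
        if field not in report:
            raise ValueError(f"report lacks {field}")
    # Unknown fields are dropped so the stored record has a fixed shape
    return {field: report.get(field) for field in REPORT_FIELDS}


def classify(report):
    """Sort a report into 'extension-noise', 'inline' or 'external'."""
    blocked = report.get("blocked-uri") or ""
    if blocked.split(":", 1)[0] in EXTENSION_SCHEMES:
        return "extension-noise"
    if blocked in ("inline", "eval", "self", ""):
        # Inline script/style or eval() blocked: a site bug, or an injection attempt
        return "inline"
    return "external"


def triage(bodies):
    """Parse each body, drop malformed ones, count violations by class and directive."""
    counts = Counter()
    rejected = 0
    for body in bodies:
        try:
            report = parse_csp_report(body)
        except ValueError:
            rejected += 1
            continue
        directive = report["effective-directive"] or report["violated-directive"].split()[0]
        counts[(classify(report), directive)] += 1
    return {"counts": dict(counts), "rejected": rejected}
```

Because the endpoint is reachable by anyone who can send a POST, the handler treats the body as untrusted input: it rejects anything that is not a JSON object with a csp-report member and keeps only known fields, rather than storing whatever arrives.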

3.7. CSP Browser Support

3.8. CSP Resources