Throughout the following three sections this article discusses the usage of certain security-related HTTP headers and their implications for the security of a web application.
- HTTP headers related to security
- HTTP headers related to cookie security
- HTTP headers related to information disclosure
Security-related HTTP headers
HTTP Strict Transport Security (HSTS) instructs the client to enforce HTTPS connections to the web application in question.
max-age: the lifetime of the header in the browser's cache; if set to 0, the header is removed from the browser's cache
Strict-Transport-Security: max-age=31536000
Strict-Transport-Security: max-age=0
XSS Protection instructs the client to enable the cross-site scripting filter built into most modern browsers.
0 or 1: disables or enables the filter
mode: with mode=block the browser is instructed to block pages containing XSS instead of sanitizing them
X-Xss-Protection: 1; mode=block
X-Xss-Protection: 0
Content Type Options instructs the client to interpret an HTTP resource as specified in the Content-Type header. Otherwise modern browsers try to detect the content type either through the filename extension or the content itself.
nosniff: the only specified value, disables content type sniffing
Frame Options instructs the client how it should behave in case the web application is loaded inside a frame.
deny: rendering the page in a frame is prohibited
sameorigin: rendering the page in a frame is only allowed through a page from the same origin
allow-from: allow rendering the page in a frame through pages from the given origin
X-Frame-Options: deny
X-Frame-Options: sameorigin
X-Frame-Options: allow-from https://example.com
Content Security Policy (CSP) lets the server declare, per resource type, from which origins the client may load content. Its directives:
default-src: default source location for all resource types, used as fallback if no specific source location is specified
script-src: define the origin for scripts
object-src: define the origin for plugins
style-src: define the origin for css
img-src: define the origin for images
media-src: define the origin for video and audio
frame-src: define the origin for frames
font-src: define the origin for fonts
connect-src: define the origin for script interfaces
form-action: define the allowed destinations for a form's action attribute
sandbox: define a sandbox policy
script-nonce: define a nonce which has to be present on script elements in order to execute
plugin-types: define the set of plugins that are allowed
reflected-xss: instruct the client to activate or deactivate heuristics to filter or block reflected cross-site scripting
report-uri: defines the destination for reports about policy violation
'none': disallows the loading of the specified resource type
'self': allows the loading of the specified resource type only from the same origin
'unsafe-inline': allows the use of inline js and css
'unsafe-eval': allows the use of functions like eval()
Content-Security-Policy: default-src 'self'
The past has shown that not all certification authorities are as trustworthy as they should be. Multiple incidents have happened: certificates for genuine sites were issued to the wrong people or organizations, certification authorities' data centers were breached, etc. Public key pinning allows the specification of a public key's fingerprint. This way, once a client has reached a certain site, it can authenticate the web server all by itself the next time.
pin-sha256: a public key's fingerprint
max-age: the number of seconds a key pin can live inside the browser's cache
includeSubDomains: whether or not the pin is also valid for all subdomains
Public-Key-Pins: pin-sha256="<sha256>"; pin-sha256="<sha256>"; max-age=15768000; includeSubDomains
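The following script is an added example, not part of the original article: it parses a raw HTTP response head and checks every header from this section against the rules given above (HSTS max-age, X-XSS-Protection mode, nosniff, a well-formed X-Frame-Options directive, a CSP with a default-src fallback and no 'unsafe-inline'/'unsafe-eval', and an HPKP header carrying at least two pins as RFC 7469 requires). Both response heads are constructed samples; the `<sha256>` pin placeholders are taken from the article's own example.

```python
"""Audit the security-related response headers discussed in this section.
Added example, not from the original article: the two response heads are
constructed samples; the checks follow the rules given in the text (HSTS
max-age, X-XSS-Protection mode, nosniff, valid X-Frame-Options directives,
CSP without 'unsafe-*' sources, HPKP with at least two pins)."""
import re
from typing import Dict, List, Optional

# Constructed sample: every header from this section with sound values.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Content-Security-Policy: default-src 'self'; report-uri /csp-report
Public-Key-Pins: pin-sha256="<sha256>"; pin-sha256="<sha256>"; max-age=15768000; includeSubDomains
"""

# Constructed sample: weak, malformed or missing values for the same headers.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=0
X-Xss-Protection: 0
X-Frame-Options: allow-from: example.com
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval'
"""

def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Map lower-cased header names to their values; repeats are kept in order."""
    headers: Dict[str, List[str]] = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def directive(value: Optional[str], key: str) -> Optional[str]:
    """Value of a ';'-separated directive such as max-age=N, or None if absent."""
    for part in (value or "").split(";"):
        k, _, v = part.strip().partition("=")
        if k.strip().lower() == key.lower():
            return v.strip()
    return None

def audit_security_headers(raw: str) -> Dict[str, str]:
    """Return one finding per header: 'ok', 'missing' or 'weak: <reason>'."""
    h = parse_headers(raw)
    first = lambda name: (h.get(name) or [None])[0]
    f: Dict[str, str] = {}

    hsts = first("strict-transport-security")
    age = directive(hsts, "max-age")
    if hsts is None:
        f["hsts"] = "missing"
    elif not (age and age.isdigit()):
        f["hsts"] = "weak: max-age missing or not numeric"
    else:
        f["hsts"] = "weak: max-age=0 drops the policy" if int(age) == 0 else "ok"

    xss = first("x-xss-protection")
    if xss is None:
        f["xss"] = "missing"
    elif xss.split(";")[0].strip() != "1":
        f["xss"] = "weak: filter disabled"
    else:
        mode = (directive(xss, "mode") or "").lower()
        f["xss"] = "ok" if mode == "block" else "weak: sanitizes instead of blocking"

    cto = first("x-content-type-options")
    f["content_type_options"] = "ok" if (cto or "").lower() == "nosniff" else "missing"

    # Only these three directive forms are valid; anything else is ignored by browsers.
    xfo = first("x-frame-options")
    valid = re.fullmatch(r"(deny|sameorigin|allow-from\s+\S+)", (xfo or "").strip(), re.I)
    f["frame_options"] = "missing" if xfo is None else ("ok" if valid else "weak: not a valid directive")

    csp = first("content-security-policy")
    if csp is None:
        f["csp"] = "missing"
    else:
        dirs = [d.split() for d in csp.split(";") if d.strip()]
        unsafe = sorted({s for d in dirs for s in d[1:] if s in ("'unsafe-inline'", "'unsafe-eval'")})
        if "default-src" not in {d[0].lower() for d in dirs}:
            f["csp"] = "weak: no default-src fallback"
        else:
            f["csp"] = "weak: allows " + ", ".join(unsafe) if unsafe else "ok"

    hpkp = first("public-key-pins")
    pins = len(re.findall(r'pin-sha256="[^"]+"', hpkp or ""))
    f["hpkp"] = "missing" if hpkp is None else ("ok" if pins >= 2 else "weak: needs a backup pin")
    return f

if __name__ == "__main__":
    for label, raw in (("hardened", HARDENED_RESPONSE), ("weak", WEAK_RESPONSE)):
        print(label, audit_security_headers(raw))
```

The weak sample deliberately reuses the malformed `allow-from: example.com` spelling (a colon instead of a space after `allow-from`) to show that a header which is present but syntactically wrong gives no protection; the audit reports it as weak rather than ok.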
Cookie security-related HTTP headers
The Secure flag on a cookie instructs the client to only send the cookie over HTTPS. This prevents attacks on cookies using SSL stripping.
The HttpOnly flag on a cookie instructs the browser to disallow access to the cookie through client-side scripting. This prevents cookie-stealing attacks using cross-site scripting.
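As an added example (not from the original article), the functions below parse a Set-Cookie header value, report which of the two flags discussed here are missing, and append them. The cookie values are constructed; attribute names are compared case-insensitively, as browsers do.

```python
"""Check and harden the Secure and HttpOnly flags on Set-Cookie values.
Added example, not from the original article; cookie values are constructed."""
from typing import Dict, List

def cookie_attributes(set_cookie: str) -> Dict[str, str]:
    """Parse 'name=value; Attr; Attr=val' into {attr_lower: value}.
    The cookie's own name=value pair is stored under the key ''."""
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    attrs = {"": parts[0]}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return attrs

def missing_flags(set_cookie: str) -> List[str]:
    """Return the flags from (Secure, HttpOnly) that the cookie does not carry."""
    attrs = cookie_attributes(set_cookie)
    return [flag for flag in ("Secure", "HttpOnly") if flag.lower() not in attrs]

def harden_set_cookie(set_cookie: str) -> str:
    """Append the missing flags; an already hardened value is returned unchanged."""
    missing = missing_flags(set_cookie)
    if not missing:
        return set_cookie
    return set_cookie.rstrip("; ") + "; " + "; ".join(missing)

if __name__ == "__main__":
    print(harden_set_cookie("session=abc123; Path=/"))  # constructed cookie
```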
Information disclosure related HTTP headers
Some web server software is talkative and exposes a lot of information in HTTP headers, e.g. the web server version, the scripting language used, etc. This can simplify attacks on the web server itself or on the web application. The less information gets exposed here, the smaller the attack surface becomes. In the following, a few common HTTP headers are listed.
Most of the time the Server header discloses information about the web server software and version or the scripting language in use. It is a hint for the attacker and can safely be disabled.
Most of the time the X-Powered-By header discloses information about the web server software and version or the scripting language in use. It is a hint for the attacker and can safely be disabled.
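One way to drop these headers at the application layer, added here as an example and not taken from the original article, is a WSGI middleware that filters the response headers before they leave the application. It assumes a WSGI application; a header that the front-end web server adds itself (for instance nginx's or Apache's own Server header) is not visible to the application and has to be disabled in that server's configuration instead. The sample application and its header values are constructed.

```python
"""Strip information-disclosing headers from WSGI application responses.
Added example, not from the original article. Only headers emitted by the
application pass through here; headers added by the front-end web server
itself must be disabled in that server's own configuration."""
from typing import Callable, Iterable, List, Tuple

# Header names treated as information disclosure (compared case-insensitively).
DISCLOSING_HEADERS = frozenset({"server", "x-powered-by"})

class StripDisclosureMiddleware:
    """Wrap a WSGI app and remove the configured headers from every response."""

    def __init__(self, app: Callable, names: Iterable[str] = DISCLOSING_HEADERS):
        self.app = app
        self.names = frozenset(n.lower() for n in names)

    def __call__(self, environ, start_response):
        def filtered_start_response(status, headers, exc_info=None):
            kept = [(k, v) for k, v in headers if k.lower() not in self.names]
            return start_response(status, kept, exc_info)
        return self.app(environ, filtered_start_response)

def talkative_app(environ, start_response):
    """Constructed sample application that leaks its software stack in headers."""
    start_response("200 OK", [
        ("Content-Type", "text/plain"),
        ("Server", "ExampleHTTPd/1.2.3"),      # constructed value
        ("X-Powered-By", "ExampleLang/4.5"),   # constructed value
    ])
    return [b"hello\n"]

def response_headers(app: Callable, path: str = "/") -> List[Tuple[str, str]]:
    """Invoke app with a minimal WSGI environ and return the headers it sent."""
    captured: List[Tuple[str, str]] = []

    def start_response(status, headers, exc_info=None):
        captured.extend(headers)
        return lambda data: None

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "wsgi.url_scheme": "https"}
    b"".join(app(environ, start_response))  # consume the body iterable
    return captured

if __name__ == "__main__":
    print("before:", response_headers(talkative_app))
    print("after: ", response_headers(StripDisclosureMiddleware(talkative_app)))
```

Wrapping happens once, where the application object is created (for example `application = StripDisclosureMiddleware(application)`), so every response passes through the filter regardless of which view produced it.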