KomSr3ll
4 min readAug 5, 2019


A Study of Security Headers — Learning Notes

HTTP Security Headers

Web servers such as Apache and Nginx answer a request with the response body plus a set of HTTP headers. Some of those headers exist to prevent attacks or the exploitation of known vulnerabilities; others only carry metadata about the response.

These are the security headers covered in these notes:

1. Cache-Control

2. X-Frame-Options

3. X-XSS-Protection

4. Content Security Policy

5. X-Content-Type-Options

6. HSTS — Strict Transport Security

7. Same Origin Policy

1. Cache-Control

Cache-Control is a general header: it carries the directives of the caching mechanism for both requests and responses.

When a user logs in to the application, they gain access to the authenticated pages. Once the user logs out, a malicious user with access to the same browser can pull those pages back out of the cache or history, and the cached content can be used for further attacks.

When the header is sent with a request or a response, it controls whether the response is cached at all, for how long, and when a cached copy must be revalidated with the server.

Cache request directives

Cache-Control: max-age=<seconds>
Cache-Control: max-stale[=<seconds>]
Cache-Control: min-fresh=<seconds>
Cache-Control: no-cache
Cache-Control: no-store
Cache-Control: no-transform
Cache-Control: only-if-cached

Cache response directives

Cache-Control: must-revalidate
Cache-Control: no-cache
Cache-Control: no-store
Cache-Control: no-transform
Cache-Control: public
Cache-Control: private
Cache-Control: proxy-revalidate
Cache-Control: max-age=<seconds>
Cache-Control: s-maxage=<seconds>

As mentioned above, the application should send directives so that cached responses are revalidated, authenticated pages are not cached at all, and a cache duration is enforced.
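To make the directives above concrete, here is an added example (not code from the original post) that parses a Cache-Control value and reports what is wrong with it for a page that carries per-user content. The header values passed in are constructed for the example; the checks encode the points made above: no-store keeps the page out of disk cache and history, public lets shared caches serve it to other users, and a positive max-age without a revalidation directive lets a stale copy be reused.

```python
# Added example: audit the Cache-Control header of a response that carries
# authenticated, per-user content. Not part of the original post.


def parse_cache_control(value):
    """'no-store, max-age=0, private' -> {'no-store': None, 'max-age': '0', 'private': None}.
    Directive names are case-insensitive; a quoted argument has its quotes removed."""
    directives = {}
    for part in value.split(","):
        name, sep, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"') if sep else None
    return directives


def cache_findings_for_private_page(headers):
    """Return a list of findings for a response carrying per-user content.
    `headers` maps response header names to values; the lookup is case-insensitive.
    An empty list means the response will not be stored or reused by caches."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    raw = h.get("cache-control")
    if raw is None:
        findings.append("Cache-Control missing: browsers and proxies may store the page")
        return findings
    d = parse_cache_control(raw)
    if "no-store" not in d:
        findings.append("no-store absent: page may be written to disk cache and history")
    if "public" in d:
        findings.append("public: shared caches (proxies, CDNs) may serve it to other users")
    try:
        max_age = int(d["max-age"]) if "max-age" in d else 0
    except (TypeError, ValueError):
        findings.append("max-age is not an integer: %r" % d["max-age"])
        max_age = 0
    if max_age > 0 and "no-store" not in d:
        findings.append("max-age=%d: a cached copy may be reused for %d seconds" % (max_age, max_age))
    if not {"no-cache", "must-revalidate", "no-store"} & set(d):
        findings.append("no revalidation directive: caches may reuse a stale copy without asking the server")
    return findings


# The value the notes recommend for authenticated pages (constructed for this example).
SAFE_PRIVATE_PAGE_HEADERS = {"Cache-Control": "no-store, no-cache, must-revalidate, max-age=0"}

if __name__ == "__main__":
    # Constructed sample responses: one hardened, one that a login page should never send.
    for sample in (SAFE_PRIVATE_PAGE_HEADERS, {"Cache-Control": "public, max-age=3600"}, {}):
        print(sample, "->", cache_findings_for_private_page(sample) or "OK")
```

The parser is deliberately tolerant (unknown directives are kept, case is folded) so the same function can be pointed at real responses captured from a proxy log.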

2. X-Frame-Options

X-Frame-Options is a response header that tells the browser whether a page of the application may be rendered inside a frame (iframe). If the header is missing from the response, a malicious user/attacker can load the page inside an iframe and exploit a clickjacking vulnerability.

X-Frame-Options: deny
X-Frame-Options: sameorigin
X-Frame-Options: allow-from https://example.com/

3. X-XSS-Protection

This response header enables a feature of the Safari, IE and Chrome browsers that stops the page from loading when the browser detects a reflected XSS attack.

When a malicious user or attacker tries to inject a reflected cross-site scripting payload into an application parameter, the header makes the browser block the page from rendering.

X-XSS-Protection: 0
X-XSS-Protection: 1
X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; report=<reporting-uri>

4. Content Security Policy

Content-Security-Policy adds a layer of security that detects and mitigates certain types of attacks, such as cross-site scripting (XSS) and data injection attacks.

Malicious scripts are executed by the victim's browser because the browser trusts the source of the content, even when the script did not come from the legitimate server.

Web admins can set the CSP header so that the application has additional protection against cross-site scripting: CSP only allows scripts to be loaded from the listed/allowed domains.

CSP can also be used to restrict which protocols may be used, so that HTTP requests made by the page are sent over HTTPS instead.

[Figure: Content Security Policy, allowed requests and blocked requests]

Syntax

Content-Security-Policy: policy

Examples:

1. Accepts content from the page's own origin only, no subdomains

Content-Security-Policy: default-src 'self'

2. Accepts content from the page's own origin and from subdomains of trusted.com

Content-Security-Policy: default-src 'self' *.trusted.com

3. Accepts images from any origin (so users of the application can embed images), audio and video from the two trusted media domains, and scripts only from the trusted script host

Content-Security-Policy: default-src 'self'; img-src *; media-src media1.com media2.com; script-src userscripts.example.com
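The three policies above read simply, but the rule that decides whether a given URL is allowed has a few edge cases: a directive such as script-src replaces default-src for its resource type rather than extending it, '*' does not cover data: URLs, and *.trusted.com matches subdomains but not trusted.com itself. The following added example (written for these notes, not taken from the original post or from any browser's code) evaluates a policy against a URL for a page whose origin is assumed to be https://www.example.com. It implements a subset of the CSP source-matching rules sufficient for the host, scheme and 'self' sources used on this page; nonces, hashes and path matching are left out.

```python
# Added example: evaluate a Content-Security-Policy source list against a URL.
# Assumes a page origin of https://www.example.com (a constructed value).
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}
PAGE_ORIGIN = ("https", "www.example.com", 443)   # constructed for the example


def parse_csp(policy):
    """Split a policy into {directive: [source expressions]}; an empty list means 'none'."""
    directives = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def _effective_port(u):
    return u.port if u.port is not None else DEFAULT_PORTS.get(u.scheme)


def _host_matches(pattern, host):
    # "*.trusted.com" matches any subdomain of trusted.com, but not trusted.com itself
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def source_allows(expr, url, page_origin):
    """Does one CSP source expression allow fetching `url` from a page at page_origin?"""
    expr = expr.lower()
    u = urlsplit(url)
    if expr == "'none'":
        return False
    if expr == "'self'":
        return (u.scheme, u.hostname, _effective_port(u)) == page_origin
    if expr == "*":
        # The wildcard covers network schemes only; data:, blob: etc. must be listed explicitly.
        return u.scheme in ("http", "https", "ws", "wss")
    if expr.endswith(":"):                       # scheme source such as "https:"
        return u.scheme == expr[:-1]
    if expr.startswith("'"):                     # 'unsafe-inline', nonces, hashes: not URL sources
        return False
    # host source: [scheme://]host[:port]
    scheme, sep, host_port = expr.rpartition("://")
    if sep and u.scheme != scheme:
        return False
    if not sep and u.scheme not in (page_origin[0], "https"):
        return False                             # scheme-less sources inherit the page scheme
    host, _, port = host_port.partition(":")
    if not _host_matches(host, u.hostname or ""):
        return False
    if port == "":                               # no port given: only the scheme's default port
        return _effective_port(u) == DEFAULT_PORTS.get(u.scheme)
    return port == "*" or str(_effective_port(u)) == port


def csp_allows(policy, directive, url, page_origin=PAGE_ORIGIN):
    """Use the directive's own source list; otherwise fall back to default-src;
    if neither is present the resource type is unrestricted."""
    d = parse_csp(policy)
    if directive in d:
        sources = d[directive]
    elif "default-src" in d:
        sources = d["default-src"]
    else:
        return True
    return any(source_allows(s, url, page_origin) for s in sources)


if __name__ == "__main__":
    policy = ("default-src 'self'; img-src *; media-src media1.com media2.com; "
              "script-src userscripts.example.com")
    for directive, url in (("script-src", "https://userscripts.example.com/a.js"),
                           ("script-src", "https://www.example.com/a.js"),
                           ("img-src", "data:image/png;base64,AAAA"),
                           ("style-src", "https://www.example.com/s.css")):
        print(directive, url, "->", csp_allows(policy, directive, url))
```

Note the second case: because script-src is present, scripts from the page's own origin are blocked even though default-src lists 'self'. A policy that wants both must repeat 'self' in script-src.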

5. X-Content-Type-Options

X-Content-Type-Options is a response header set by the server that stops the browser from sniffing the content type, so the declared Content-Type is honoured as-is.

X-Content-Type-Options: nosniff

6. HSTS — Strict-Transport-Security

The HSTS response header lets a web application tell the client/browser that the site must only be accessed over HTTPS. Parameters can be included: max-age sets the expiry time of the rule, and includeSubDomains extends it to all subdomains.

[Figure: Strict-Transport-Security, requests and response]
Strict-Transport-Security: max-age=<expire-time>
Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
Strict-Transport-Security: max-age=<expire-time>; preload
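The X-Frame-Options, X-XSS-Protection, X-Content-Type-Options and HSTS sections each boil down to one header with a small set of acceptable values, so one checker can cover all four. The example below is added for these notes (it is not code from the original post) and runs over a dict of response headers, which is constructed here; the one-year threshold is the minimum max-age the HSTS preload list accepts, and the includeSubDomains requirement for preload comes from the same list's rules.

```python
# Added example: audit the four single-value security headers of one response.
# Input is a constructed dict of response headers; not code from the original post.

ONE_YEAR = 31536000   # minimum max-age accepted by the HSTS preload list


def _directives(value):
    """'max-age=300; includeSubDomains' -> {'max-age': '300', 'includesubdomains': None}"""
    out = {}
    for part in value.split(";"):
        name, sep, arg = part.strip().partition("=")
        if name:
            out[name.strip().lower()] = arg.strip() if sep else None
    return out


def audit_security_headers(headers):
    """Return a list of findings for the clickjacking, XSS filter, MIME sniffing and
    HSTS headers of one response. An empty list means all four look right."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options missing: the page can be framed by other sites")
    elif xfo.upper() not in ("DENY", "SAMEORIGIN"):
        # ALLOW-FROM is not understood by Chrome or Safari, which then apply no restriction.
        findings.append("X-Frame-Options %r is not DENY or SAMEORIGIN" % xfo)

    xss = h.get("x-xss-protection")
    if xss is None:
        findings.append("X-XSS-Protection missing (legacy filter for IE, Safari and old Chrome)")
    elif xss.split(";")[0].strip() not in ("0", "1"):
        findings.append("X-XSS-Protection %r: expected '1; mode=block' or '0'" % xss)

    xcto = h.get("x-content-type-options")
    if xcto is None or xcto.lower() != "nosniff":
        findings.append("X-Content-Type-Options should be 'nosniff' (got %r)" % xcto)

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing: the browser will not force HTTPS")
    else:
        d = _directives(hsts)
        try:
            max_age = int(d.get("max-age"))
        except (TypeError, ValueError):
            findings.append("Strict-Transport-Security max-age missing or not an integer")
        else:
            if max_age < ONE_YEAR:
                findings.append("Strict-Transport-Security max-age=%d is below one year" % max_age)
            if "preload" in d and "includesubdomains" not in d:
                findings.append("preload requested without includeSubDomains (the preload list requires it)")
    return findings


if __name__ == "__main__":
    # Constructed responses: a hardened one and one with the weak values seen above.
    hardened = {"X-Frame-Options": "SAMEORIGIN", "X-XSS-Protection": "1; mode=block",
                "X-Content-Type-Options": "nosniff",
                "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}
    weak = {"X-Frame-Options": "ALLOW-FROM https://example.com/",
            "Strict-Transport-Security": "max-age=300; preload"}
    for resp in (hardened, weak):
        print(audit_security_headers(resp) or "OK")
```

The same function works on the headers returned by any HTTP client library once they are placed in a dict, which makes it easy to drop into a test suite that fails when a deployment loses one of these headers.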

7. Same Origin Policy

The SOP is a security mechanism that restricts how a document or script loaded from one origin can use the functionality or resources of a document from another origin. It isolates documents that could otherwise be used for a vulnerability or exploit, and so simply reduces the attack vectors. Among other things it governs:

  • What domains you can contact via “XmlHttpRequest”
  • Access to the DOM across separate frames/windows
[Figure: Same Origin Policy, requests that pass and requests that fail the check]

Origin matching works as follows for the URL http://store.company.com/dir/page.html:

Path differs — Same Origin

http://store.company.com/dir2/other.html          Same origin   Only the path differs
http://store.company.com/dir/inner/another.html   Same origin   Only the path differs

Protocol must match

https://store.company.com/page.html               Failure       Different protocol

Port number must match

http://store.company.com:81/dir/page.html         Failure       Different port (http:// is port 80 by default)

Domain must be the same: no wildcards, and a subdomain counts as a different host

http://news.company.com/dir/page.html             Failure       Different host
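The table above is exactly the comparison a browser makes: scheme, host and port must all match, with the default port filled in when the URL omits it. As an added example (not from the original post), here is that comparison in code, run over the table's own URLs plus one extra case, an explicit ":80", which the table does not show but which the same rule resolves to the same origin.

```python
# Added example: the same-origin comparison for the URLs in the table above.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def origin(url):
    """Return the (scheme, host, port) triple the browser compares.
    A missing port is replaced by the scheme's default so that
    http://host/ and http://host:80/ compare equal."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    port = u.port if u.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, (u.hostname or "").lower(), port)


def same_origin(url_a, url_b):
    return origin(url_a) == origin(url_b)


def explain(url_a, url_b):
    """Name the first component that differs, or report 'same origin'."""
    a, b = origin(url_a), origin(url_b)
    for label, x, y in zip(("scheme", "host", "port"), a, b):
        if x != y:
            return "different %s (%s vs %s)" % (label, x, y)
    return "same origin"


if __name__ == "__main__":
    base = "http://store.company.com/dir/page.html"
    for candidate in ("http://store.company.com/dir2/other.html",
                      "http://store.company.com/dir/inner/another.html",
                      "https://store.company.com/page.html",
                      "http://store.company.com:81/dir/page.html",
                      "http://news.company.com/dir/page.html",
                      "http://store.company.com:80/dir/page.html"):
        print(candidate, "->", explain(base, candidate))
```

Because the path is never part of the triple, the first two rows of the table come out as the same origin, while each of the failure rows is explained by the one component that differs.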

References:
https://developer.mozilla.org/
https://www.keycdn.com
