Security & HTTP Headers

andersonjoseph

Anderson. J

Posted on December 1, 2018

Security & HTTP Headers

"Do you know most the security vulnerabilities can be fixed by implementing necessary headers in response header?"

-Chandan Kumar


Introduction

"HTTP headers allow the client and the server to pass additional information with the request or the response. An HTTP header consists of its case-insensitive name followed by a colon ':', then by its value (without line breaks). Leading white space before the value is ignored."
-MDN

These headers are the integral part of HTTP communications, they carry information about the client browser, cookies, language, etc.

Headers can be grouped according to their contexts:

  • General header: Requests and responses but with no relation to the data eventually transmitted in the body.

  • Request header: Information about the resource to be fetched or about the client itself.

  • Response header: Information about the response, like its location or about the server itself.

  • Entity header: Information about the body of the entity, like its content length or its MIME-type.

Secure Headers

The use of these headers are part of the best practices to follow when we're developing an application. 'Secure headers' are designed to restrict modern browsers from encoutering vulnerabilities. Like clickjacking, XSS, MITM, etc.

HTTP Strict Transport Security (HSTS)

Strict-Transport-Security
Is an HTTP response header that mandates that agents should only interact with HTTPS conections and never via HTTP protocol.

Protect from:

  • Protocol downgrade attack
  • Cookie Hijacking

Values:

Value Description
max-age=SECONDS The seconds that the agent should remember that this site only can interact using HTTPS
includeSubDomains Apply the header to all subdomains of the site.

Example:

Strict-Transport-Security: max-age=31536000 ; includeSubDomains

Reference:

Frame Options

X-Frame-Options
This response header set the policy in the agent to allow or deny rendering your content in iframes of third-party websites. When browsers load iframes, will check the value of the header.

Protect from:

  • Clickjacking

Values:

Value Description
deny No rendering within a frame
isameorigin No rendering if the origin mismatch
allow-from: DOMAIN Allows rendering if frame is loaded from DOMAIN

Example:

X-Frame-Options: deny

References:


XSS Protection

X-XSS-Protection
This protection header can set values to disable the protection or block reflective XSS attacks. It's a XSS filter.

Protect from:

  • XSS attacks

Values:

Value Description
0 Filter disabled.
1 Filter enabled, browser will sanitize the page
1; mode=block Filter enabled, browser will prevent rendering of the page

Example:

X-XSS-Protection: 1; mode=block

References:

Content Type

X-Content-Type-Options
This header prevent the browser from sniff MIME types. The client browser will reject responses with incorrect MIME types, minimizing the risk of uploaded content that could be trated as dynamic HTML files.

Protect from:

  • Attacks based on MIME type confusion
  • 'Execute' arbitrary HTML

Values:

Value Description
nosniff Prevent the browser from sniff the MIME type. The browser will trust what the server says and block the resource if it's wrong.

Example:

X-Content-Type-Options: nosniff

References:


Content Security Policy

Content-Security-Policy
This header can help to protect agains malicious injection of JavaScript, CSS, plugins and more. There isn't one specific attack that this header can block, but it can prevent that somebody put anything malicious that your app can run.

Protect from:

  • XSS
  • Clickjacking
  • Cross site injections

Values:

There are many values that CSP can take. Refer to MDN Web Docs for detailed information.

Example:

Content-Security-Policy: script-src 'self'

References:

Feature Policy

Feature-Policy
This header can enable or disable the use of various browser features. Such camera, fullscreen, microphone, etc.

Protect from:

  • Third-party scripts using browser features.

Values:

Value Description
accelerometer Disable browser accelerometer
autoplay Disable autoplay in players
camera Disable use of cameras
microphone Disable use of microphones
usb Disable access to usb devices
vibrate Disable vibration function

Example:

Feature-Policy: vibrate 'none'

References:


Conclusion

HTTP headers will not make your app inmune to attacks. But they can offer an important layer of security that definetly we can't ignore. You can implement it now without any cost and minimum effort.
Here is a list with popular libraries that can help you to set secure headers in your app.

Photo by: Vivian Maier

💖 💪 🙅 🚩
andersonjoseph
Anderson. J

Posted on December 1, 2018

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related

Security & HTTP Headers
http Security & HTTP Headers

December 1, 2018