"Do you know most the security vulnerabilities can be fixed by implementing necessary headers in response header?"
-Chandan Kumar
Introduction
"HTTP headers allow the client and the server to pass additional information with the request or the response. An HTTP header consists of its case-insensitive name followed by a colon ':', then by its value (without line breaks). Leading white space before the value is ignored."
-MDN
These headers are the integral part of HTTP communications, they carry information about the client browser, cookies, language, etc.
Headers can be grouped according to their contexts:
General header: Requests and responses but with no relation to the data eventually transmitted in the body.
Request header: Information about the resource to be fetched or about the client itself.
Response header: Information about the response, like its location or about the server itself.
Entity header: Information about the body of the entity, like its content length or its MIME-type.
Secure Headers
The use of these headers are part of the best practices to follow when we're developing an application. 'Secure headers' are designed to restrict modern browsers from encoutering vulnerabilities. Like clickjacking, XSS, MITM, etc.
HTTP Strict Transport Security (HSTS)
Strict-Transport-Security
Is an HTTP response header that mandates that agents should only interact with HTTPS conections and never via HTTP protocol.
Protect from:
- Protocol downgrade attack
- Cookie Hijacking
Values:
| Value | Description |
|---|---|
max-age=SECONDS |
The seconds that the agent should remember that this site only can interact using HTTPS |
includeSubDomains |
Apply the header to all subdomains of the site. |
Example:
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
Reference:
- https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
- https://www.owasp.org/index.php/HTTP_Strict_Transport_Security
Frame Options
X-Frame-Options
This response header set the policy in the agent to allow or deny rendering your content in iframes of third-party websites. When browsers load iframes, will check the value of the header.
Protect from:
- Clickjacking
Values:
| Value | Description |
|---|---|
deny |
No rendering within a frame |
isameorigin |
No rendering if the origin mismatch |
allow-from: DOMAIN |
Allows rendering if frame is loaded from DOMAIN |
Example:
X-Frame-Options: deny
References:
- https://www.owasp.org/index.php/Clickjacking
- https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
- https://blogs.msdn.microsoft.com/ieinternals/2010/03/30/combating-clickjacking-with-x-frame-options/
XSS Protection
X-XSS-Protection
This protection header can set values to disable the protection or block reflective XSS attacks. It's a XSS filter.
Protect from:
- XSS attacks
Values:
| Value | Description |
|---|---|
0 |
Filter disabled. |
1 |
Filter enabled, browser will sanitize the page |
1; mode=block |
Filter enabled, browser will prevent rendering of the page |
Example:
X-XSS-Protection: 1; mode=block
References:
- https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
- https://developer.mozilla.org/es/docs/Web/HTTP/Headers/X-XSS-Protection
Content Type
X-Content-Type-Options
This header prevent the browser from sniff MIME types. The client browser will reject responses with incorrect MIME types, minimizing the risk of uploaded content that could be trated as dynamic HTML files.
Protect from:
- Attacks based on MIME type confusion
- 'Execute' arbitrary HTML
Values:
| Value | Description |
|---|---|
nosniff |
Prevent the browser from sniff the MIME type. The browser will trust what the server says and block the resource if it's wrong. |
Example:
X-Content-Type-Options: nosniff
References:
- https://en.wikipedia.org/wiki/Media_type
- https://blog.fox-it.com/2012/05/08/mime-sniffing-feature-or-vulnerability/
- https://developers.google.com/web/updates/2018/07/site-isolation
Content Security Policy
Content-Security-Policy
This header can help to protect agains malicious injection of JavaScript, CSS, plugins and more. There isn't one specific attack that this header can block, but it can prevent that somebody put anything malicious that your app can run.
Protect from:
- XSS
- Clickjacking
- Cross site injections
Values:
There are many values that CSP can take. Refer to MDN Web Docs for detailed information.
Example:
Content-Security-Policy: script-src 'self'
References:
- https://content-security-policy.com/
- https://developer.mozilla.org/en-US/docs/Web/Security/CSP
- https://www.owasp.org/index.php/Content_Security_Policy
Feature Policy
Feature-Policy
This header can enable or disable the use of various browser features. Such camera, fullscreen, microphone, etc.
Protect from:
- Third-party scripts using browser features.
Values:
| Value | Description |
|---|---|
accelerometer |
Disable browser accelerometer |
autoplay |
Disable autoplay in players |
camera |
Disable use of cameras |
microphone |
Disable use of microphones |
usb |
Disable access to usb devices |
vibrate |
Disable vibration function |
Example:
Feature-Policy: vibrate 'none'
References:
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
- https://scotthelme.co.uk/a-new-security-header-feature-policy/
Conclusion
HTTP headers will not make your app inmune to attacks. But they can offer an important layer of security that definetly we can't ignore. You can implement it now without any cost and minimum effort.
Here is a list with popular libraries that can help you to set secure headers in your app.
Photo by: Vivian Maier
Top comments (6)
Nice summary, Anderson!
In addition, I can recommend securityheaders.com. This may be useful for those who want to quickly check how their sites are doing.
Thanks for your comment! I'ts a really cool site to bookmark.
PD: I made a scan to dev.to Here's the results.
Please change the typo on the title HTPP.
Fixed. Thanks!
Found one too:
The browser will trust whata the server says.Thanks for this roundup!
Another one, where @dschu says: