Security & HTTP Headers
Anderson. J Dec 1 Updated on Dec 05, 2018
"Do you know most of the security vulnerabilities can be fixed by implementing the necessary headers in the response header?"
"HTTP headers allow the client and the server to pass additional information with the request or the response. An HTTP header consists of its case-insensitive name followed by a colon ':', then by its value (without line breaks). Leading white space before the value is ignored."
These headers are an integral part of HTTP communication; they carry information about the client browser, cookies, language, etc.
Headers can be grouped according to their contexts:
General header: Applies to both requests and responses, but has no relation to the data eventually transmitted in the body.
Request header: Information about the resource to be fetched or about the client itself.
Response header: Information about the response, like its location or about the server itself.
Entity header: Information about the body of the entity, like its content length or its MIME-type.
Using these headers is part of the best practices to follow when developing an application. 'Secure headers' are designed to keep modern browsers from running into vulnerabilities such as clickjacking, XSS, MITM, etc.
Strict-Transport-Security is an HTTP response header that mandates that agents interact with the site only over HTTPS connections and never via the plain HTTP protocol.
- Protocol downgrade attack
- Cookie Hijacking
||The time, in seconds, that the agent should remember that this site can only be accessed using HTTPS|
||Apply the header to all subdomains of the site.|
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
This response header sets the policy in the agent to allow or deny rendering your content in iframes on third-party websites. When browsers load iframes, they check the value of the header.
||No rendering within a frame|
||No rendering if the origin does not match|
||Allows rendering if frame is loaded from DOMAIN|
This protection header can set values to disable the protection or block reflective XSS attacks. It's an XSS filter.
- XSS attacks
||Filter enabled, browser will sanitize the page|
||Filter enabled, browser will prevent rendering of the page|
X-XSS-Protection: 1; mode=block
This header prevents the browser from sniffing MIME types. The client browser will reject responses with incorrect MIME types, minimizing the risk that uploaded content could be treated as dynamic HTML files.
- Attacks based on MIME type confusion
- 'Execute' arbitrary HTML
||Prevents the browser from sniffing the MIME type. The browser will trust what the server says and block the resource if it's wrong.|
- Cross site injections
There are many values that CSP can take. Refer to MDN Web Docs for detailed information.
Content-Security-Policy: script-src 'self'
This header can enable or disable the use of various browser features, such as the camera, fullscreen, microphone, etc.
- Third-party scripts using browser features.
||Disable browser accelerometer|
||Disable autoplay in players|
||Disable use of cameras|
||Disable use of microphones|
||Disable access to USB devices|
||Disable vibration function|
Feature-Policy: vibrate 'none'
HTTP headers will not make your app immune to attacks, but they offer an important layer of security that we definitely can't ignore. You can implement them now without any cost and with minimal effort.
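To check what a server actually sends, the following Python function (an added example, not code from the original post) audits one response's headers against the values shown in this article. The function names, the finding strings, the one-year HSTS threshold and the choice to accept only DENY or SAMEORIGIN for framing are assumptions made for this example.

```python
MIN_HSTS_AGE = 31536000  # one year, as in the article's HSTS example
# Constructed sample response headers, not captured from a real site.
SAMPLE = {
    "strict-transport-security": "max-age=300",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
}


def hsts_directives(value):
    """Parse 'max-age=1 ; includeSubDomains' into {lowercased name: argument}."""
    out = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name:
            out[name.strip().lower()] = arg.strip().strip('"')
    return out


def audit(headers):
    """Return sorted findings for a {header name: value} dict of one response."""
    h = {k.lower(): v for k, v in headers.items()}  # names are case-insensitive
    findings = []

    hsts = hsts_directives(h.get("strict-transport-security", ""))
    if not hsts.get("max-age", "").isdecimal():
        findings.append("HSTS: header missing or max-age invalid")
    else:
        if int(hsts["max-age"]) < MIN_HSTS_AGE:
            findings.append("HSTS: max-age shorter than one year")
        if "includesubdomains" not in hsts:
            findings.append("HSTS: includeSubDomains not set")

    if h.get("x-frame-options", "").strip().lower() not in ("deny", "sameorigin"):
        findings.append("X-Frame-Options: not DENY or SAMEORIGIN")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: not nosniff")

    csp = {}  # directive name -> source list; the first occurrence wins
    for directive in h.get("content-security-policy", "").lower().split(";"):
        tokens = directive.split()
        if tokens:
            csp.setdefault(tokens[0], tokens[1:])
    scripts = csp.get("script-src", csp.get("default-src"))  # default-src is the fallback
    if scripts is None:
        findings.append("CSP: no script-src or default-src")
    elif "*" in scripts or "'unsafe-inline'" in scripts:
        findings.append("CSP: script sources allow any origin or inline script")
    return sorted(findings)
```

Calling `audit(SAMPLE)` reports the short HSTS lifetime, the missing `includeSubDomains`, the absent framing policy and the inline-script allowance; a response carrying the values from this article returns an empty list.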
Here is a list with popular libraries that can help you to set secure headers in your app.
Photo by: Vivian Maier