Security is a broad topic, and one that’s hard to master. However, there are some really simple things you can do to increase the security of your web application.
For starters, there are some HTTP response headers you can include in your web responses that close off a class of easily avoidable vulnerabilities.
This series will outline all of the headers recommended by the OWASP Secure Headers Project. Let's begin with a couple.
As a caveat, these are by no means foolproof. However, they do provide a first layer of defense in depth against attackers.
How To
The recommended mechanism for configuring your web application to return these headers in every response is to configure your web server. Since nginx is a widely used option, I will provide examples that demonstrate how to set these headers via nginx.
X-Frame-Options
Prevents: Clickjacking
What it is: A clickjacking attack is when a malicious website embeds another website (typically in an invisible iframe) on top of its own content. The embedded content isn't visible to the user, so they can be tricked into clicking on things on the trusted website.
Example: A malicious website overlays a bank's website with its own content, including a button to win a free iPad. The user clicks the button, but is actually clicking on a (non-visible) button that wires money to the attacker.
Actual Attack Headline: Facebook hit by more clickjacking attacks
Mitigation: X-Frame-Options: DENY
This header can be used to indicate whether or not a browser should be allowed to render a page in an iframe. Sites can use this to avoid clickjacking attacks by specifying that their content should not be embedded into other sites.
Since X-Frame-Options was never a formally defined standard, a new header and value, Content-Security-Policy: frame-ancestors 'none';, has come to take its place. The browser gives precedence to X-Frame-Options, which is still the most prevalent way to mitigate clickjacking. It is recommended to include both headers in the response, so as to support both older and newer browsers.
# nginx.conf
# Note: add_header directives are inherited from the enclosing level only if the
# current level defines none of its own, and by default they are sent only on
# 2xx/3xx responses (append "always" to also send them on 4xx/5xx).
add_header X-Frame-Options "DENY";
add_header Content-Security-Policy "frame-ancestors 'none';";
X-Content-Type-Options
Prevents: MIME-sniffing
What it is: MIME sniffing is a technique used by web browsers to examine the contents of a file when the file format is ambiguous. This is done to determine the file format so the browser can render the contents appropriately. The vulnerability comes into play when an attacker disguises a malicious script as a different file type (let's say a JPG). Doing so allows the attacker to successfully upload the malicious content. Consequently, when the content is loaded, the browser sniffs it and executes it as a script rather than rendering it as an image.
Mitigation: X-Content-Type-Options: nosniff
This header is a marker used by the server to indicate that the MIME types advertised in the Content-Type headers should be followed and not be changed. The header allows you to avoid MIME type sniffing by saying that the MIME types are deliberately configured.
# nginx.conf
add_header X-Content-Type-Options "nosniff";
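To verify that a deployment actually returns the headers from both sections above, here is an added checker (example code, not part of the original post) that parses a raw HTTP response and reports which of the three headers is missing or weak. The sample responses are constructed, not captured from any real site.

```python
from typing import Dict, List

def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a raw HTTP/1.x response into a lower-cased, multi-valued header dict."""
    headers: Dict[str, List[str]] = {}
    for line in raw.splitlines():
        if not line.strip():
            break  # blank line ends the header block; ignore the body
        if line.startswith("HTTP/") or ":" not in line:
            continue  # status line or malformed line
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def check_headers(headers: Dict[str, List[str]]) -> List[str]:
    """Return one finding per missing or weak anti-clickjacking / anti-sniffing header."""
    findings: List[str] = []
    xfo = [v.upper() for v in headers.get("x-frame-options", [])]
    if not xfo:
        findings.append("X-Frame-Options missing: older browsers will allow framing")
    elif xfo[0] not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options value {xfo[0]!r} is not DENY/SAMEORIGIN")
    ancestors = None  # sources listed in a frame-ancestors directive, if any
    for policy in headers.get("content-security-policy", []):
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                ancestors = tokens[1:]
    if ancestors is None:
        findings.append("CSP frame-ancestors missing: newer browsers rely on it")
    elif ancestors and not {s.lower() for s in ancestors} <= {"'none'", "'self'"}:
        findings.append("CSP frame-ancestors permits other origins: " + " ".join(ancestors))
    if "nosniff" not in [v.lower() for v in headers.get("x-content-type-options", [])]:
        findings.append("X-Content-Type-Options: nosniff missing: browsers may MIME-sniff")
    return findings

# Constructed sample responses (not captured from any real site).
HARDENED = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: DENY\r\n"
            "Content-Security-Policy: frame-ancestors 'none';\r\n"
            "X-Content-Type-Options: nosniff\r\n\r\n<html>ok</html>")
WEAK = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
        "X-Frame-Options: ALLOW-FROM https://partner.example\r\n\r\n<html>ok</html>")

if __name__ == "__main__":
    for label, raw in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, check_headers(parse_headers(raw)) or ["all three headers present"])
```

Feed it the output of `curl -si https://your-site.example` to check a live server; remember to also test an error page, since nginx omits add_header values on 4xx/5xx responses unless "always" is set.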
Summary
By adding a few lines of code to your web server configuration, you can easily prevent some common vulnerabilities.