HTTP Security Headers


Questions and Answers

What is the purpose of HTTP Security Headers?

To enhance the security of web applications by providing instructions to the browser on how to behave when handling content.

Which of the following is a type of HTTP Security Header?

  • X-XSS-Protection
  • Content Security Policy
  • HTTP Strict Transport Security (HSTS)
  • All of the above (correct)

What is Cross Site Scripting (XSS)?

An attack that involves loading malicious JavaScript code.

What are the possible values for the X-XSS-Protection header?

All of the above (D)

Is it recommended to set X-XSS-Protection to '1; mode=block'?

True (A)

What does CSP stand for, in the context of web security?

Content Security Policy

What is the purpose of the CSP header?

To whitelist origins and use hashing and signatures to prevent complex XSS attacks.

Give an example of a Content-Security-Policy that only allows content from the same origin (not subdomains)

Content-Security-Policy: default-src 'self'

What does HSTS stand for?

HTTP Strict Transport Security

What is the purpose of HSTS?

To ensure that browsers only interact with a website over HTTPS.

Give an example of Strict-Transport-Security with max-age set to <expire-time> and includeSubDomains enabled.

Strict-Transport-Security: max-age=<expire-time>; includeSubDomains

What is the purpose of HTTP Public Key Pinning (HPKP)?

To prevent the use of fraudulently issued certificates by 'pinning' a certificate to a site.

What is a recommendation regarding HTTP Public Key Pinning (HPKP)?

DO NOT ACTIVATE (in case of problems it locks users out)

What security issue do small (1-pix) iframes allow?

Clickjacking

What is the purpose of the X-Frame-Options header?

Controls iframing.

What are the possible values for the X-Frame-Options header?

All of the above (D)

Match the X-Frame-Options values with their meanings:

  • DENY = no iframing
  • SAMEORIGIN = iframe only on the same origin
  • ALLOW-FROM = URLs allowed to iframe

The X-Content-Type-Options header controls (disables) what?

Snooping

What value should the X-Content-Type-Options header have to disable snooping?

nosniff

What is decided by the browser when ignoring HTTP headers?

Content-type

What is a potential consequence of the browser ignoring HTTP headers?

Stored XSS attacks

What cookie options can be added for safer web browsing?

Secure, HttpOnly, SameSite=strict

What does the Secure cookie option do?

Ensures the cookie is only sent over HTTPS.

What does the HttpOnly cookie option do?

Prevents JavaScript access to the cookie.

What is a website that can be used to test web apps for security?

https://observatory.mozilla.org/

Flashcards

X-XSS-Protection

Protects against Cross Site Scripting (XSS) attacks by filtering or blocking malicious JavaScript code.

Content Security Policy (CSP)

A security header that allows you to define a policy for what resources the browser is allowed to load, reducing the risk of XSS attacks.

HTTP Strict Transport Security (HSTS)

A web server directive that forces browsers to interact with it only through secure HTTPS connections.

HTTP Public Key Pinning (HPKP)

Allows a website to associate a specific cryptographic public key with a certain web server to prevent MITM attacks with forged certificates.

X-Frame-Options

Protects visitors against clickjacking attacks by preventing the site from being framed within malicious pages.

X-Content-Type-Options

Prevents browsers from trying to MIME-sniff the content type of a response, reducing exposure to XSS attacks.

Cookie Options

Adds security options to cookies for safer web browsing. Includes 'Secure', 'HttpOnly', and 'SameSite'.

Secure Cookie Attribute

HTTPS only.

HttpOnly Cookie Attribute

Not JavaScript accessible.

SameSite Cookie Attribute

Only to same site (CSRF prevention).

Study Notes

  • HTTP security headers are used in web projects to enhance security.
  • Carles Mateu from Universitat de Lleida created a web project related to HTTP security headers.

HTTP Security Headers

  • X-XSS-Protection
  • Content Security Policy
  • HTTP Strict Transport Security (HSTS)
  • HTTP Public Key Pinning (HPKP)
  • X-Frame-Options
  • X-Content-Type-Options
  • Referrer-Policy
  • Cookie Options

X-XSS-Protection

  • Cross-Site Scripting (XSS) involves attacking by loading malicious JavaScript.
  • X-XSS-Protection is available in Chrome (CH), Mozilla (MZ), and Internet Explorer (IE).
  • Reflected JS code sent by an attacker can be blocked using X-XSS-Protection.
  • X-XSS-Protection: 0 turns the protection off.
  • X-XSS-Protection: 1 discards scripts that may be malicious.
  • X-XSS-Protection: 1; mode=block blocks the entire page if malicious scripts are suspected.
  • It's recommended to set X-XSS-Protection: 1; mode=block.
  • In Rails 4 and 5, XSS protection is on by default.
  • Django has a setting SECURE_BROWSER_XSS_FILTER = True.
  • Nginx configuration: add_header X-XSS-Protection "1; mode=block";
  • Apache configuration: Header always set X-XSS-Protection "1; mode=block"

Content Security Policy

  • X-XSS-Protection may not be enough to protect against complex XSS attacks.
  • "hacked" scripts or those on the server may bypass X-XSS-Protection.
  • Content Security Policy (CSP) header adds whitelisting of origins and supports hashing and signatures.
  • Implement CSP, though activation can be complex.
  • Rails uses secureheaders, while Django uses django-csp to implement CSP.
  • Nginx configuration: add_header Content-Security-Policy "";
  • Apache configuration: Header always set Content-Security-Policy ""
  • Content-Security-Policy: default-src 'self'; allows content from the same origin but not subdomains.
  • Content-Security-Policy: default-src 'self' *.mysite.com; allows content from the same origin, including subdomains.
  • Content-Security-Policy: default-src 'self'; img-src *; media-src youtube.com other.com; script-src scripts.mysite.com allows default content from the same origin, images from anywhere, media from YouTube and other.com, and scripts from scripts.mysite.com.

HTTP Strict Transport Security (HSTS)

  • HTTPS provides cryptographic protection for communications.
  • HTTPS can be vulnerable to Man-In-The-Middle attacks (sslstrip), which HSTS addresses.
  • Strict-Transport-Security: max-age=<expire-time> defines how long the browser should remember to access the site only via HTTPS.
  • Strict-Transport-Security: max-age=<expire-time>; includeSubDomains enables HSTS for all subdomains.
  • Strict-Transport-Security: max-age=<expire-time>; preload allows preloading to be enabled for the domain.
  • It's recommended to activate HSTS if the certificate is valid; consider using Let's Encrypt if there are certificate issues.
  • In Rails, configure config.force_ssl = true.
  • Django settings include SECURE_HSTS_SECONDS = 31536000 and SECURE_HSTS_INCLUDE_SUBDOMAINS = True.
  • Nginx configuration: add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
  • Apache configuration: Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

HTTP Public Key Pinning (HPKP)

  • HSTS doesn't define which certificates or keys to trust, which causes problems when a second Certificate Authority issues a certificate for the same site.
  • HPKP "pins" a specific certificate to a site to mitigate such certificate-related issues.
  • Public-Key-Pins: pin-sha256=<base64==>; max-age=<expireTime>; specifies the pinned certificate's SHA256 hash and maximum age.
  • Public-Key-Pins: pin-sha256=<base64==>; max-age=<expireTime>; includeSubDomains enables pinning for all subdomains.
  • Public-Key-Pins: pin-sha256=<base64==>; max-age=<expireTime>; report-uri=<reportURI> informs where to report pinning failures.
  • It's recommended not to activate unless absolutely certain, as incorrect configuration can lock users out.
  • Rails utilizes secureheaders for HPKP.
  • Django requires custom middleware for HPKP.
  • Nginx configuration: add_header Public-Key-Pins 'pin-sha256=""; pin-sha256=""; max-age=5184000; includeSubDomains';
  • Apache configuration: Header always set Public-Key-Pins 'pin-sha256=""; pin-sha256=""; max-age=5184000; includeSubDomains';

X-Frame-Options

  • Small (1-pixel) iframes can be used for clickjacking attacks.
  • X-Frame-Options controls whether or not a site can be iframed.
  • X-Frame-Options: DENY prevents any iframing.
  • X-Frame-Options: SAMEORIGIN allows iframing only on the same origin.
  • X-Frame-Options: ALLOW-FROM https://mysite.com/ allows iframing only from the specified URL.
  • DENY completely disallows iframing.
  • SAMEORIGIN allows iframing only from the same origin.
  • ALLOW-FROM allows iframing from specified URLs.
  • Undefined behavior may occur with nested frames when using X-Frame-Options.
  • It's recommended to activate X-Frame-Options; the SAMEORIGIN default is usually best.
  • In Rails, DENY can be configured using config.action_dispatch.default_headers['X-Frame-Options'] = "DENY".
  • Django sets SAMEORIGIN by default through its clickjacking middleware (in MIDDLEWARE); DENY is set with X_FRAME_OPTIONS = 'DENY'.
  • Nginx configuration: add_header X-Frame-Options "deny";
  • Apache configuration: Header always set X-Frame-Options "deny"

X-Content-Type-Options

  • Browsers may attempt to guess the content-type of a response, ignoring the HTTP headers.
  • Ignoring the HTTP headers allows "stored" XSS attacks.
  • X-Content-Type-Options controls content-type snooping (MIME sniffing) and can disable it.
  • X-Content-Type-Options: nosniff disables content-type snooping.
  • It's recommended to activate it, but be careful about the content-types served.
  • Rails enables this option by default.
  • Django sets SECURE_CONTENT_TYPE_NOSNIFF = True.
  • Nginx configuration: add_header X-Content-Type-Options nosniff;
  • Apache configuration: Header always set X-Content-Type-Options nosniff
Cookie Options

  • Cookie options can be added for safer web browsing.
  • Setting a cookie: Set-Cookie: <name>=<value>; Expires=<expiryDate>; Secure; HttpOnly; SameSite=strict
  • Secure: allows the cookie to be sent only over HTTPS.
  • HttpOnly: prevents JavaScript access to the cookie.
  • SameSite: restricts the cookie to the same site, preventing CSRF attacks; best supported in Chrome/Opera.
  • Activate this option. SameSite is supported only in Chrome/Opera.
  • In Rails, SameSite is provided through secureheaders.
  • Django has HttpOnly on by default and Secure configured by setting SESSION_COOKIE_SECURE = True.
  • Don't set cookies in Nginx configuration.
  • Don't set cookies in Apache configuration.
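A defender-side check that ties the notes above together, as an added example that is not part of the original lesson: a small Python audit that evaluates one response's header set against the recommendations listed (HSTS with a one-year max-age and includeSubDomains, CSP present, X-Frame-Options DENY/SAMEORIGIN, nosniff, no HPKP, cookie flags). The header dictionaries are constructed sample data, not captured from any real site.

```python
from typing import Dict, List

ONE_YEAR = 31536000  # the max-age used in the HSTS configuration notes above

# Constructed sample responses for the demo (not captured from a real site).
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Set-Cookie": "session=abc123; Secure; HttpOnly; SameSite=Strict",
}
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=0",
    "X-Frame-Options": "ALLOW-FROM https://example.test/",
    "Set-Cookie": "session=abc123; Path=/",
}

def hsts_max_age(value: str) -> int:
    """Parse max-age out of an HSTS header value; 0 if absent or malformed."""
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        if name.lower() == "max-age" and num.strip().isdigit():
            return int(num)
    return 0

def audit(headers: Dict[str, str]) -> List[str]:
    """Check one response's headers; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}  # names are case-insensitive
    findings: List[str] = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        if hsts_max_age(hsts) < ONE_YEAR:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS without includeSubDomains")
    if "content-security-policy" not in h:
        findings.append("CSP missing")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options not DENY or SAMEORIGIN")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options nosniff missing")
    if "public-key-pins" in h:
        findings.append("HPKP present (the notes recommend not activating it)")
    cookie = h.get("set-cookie")
    if cookie is not None:  # attributes follow the name=value pair
        attrs = {a.strip().partition("=")[0].lower() for a in cookie.split(";")[1:]}
        findings += [f"cookie lacks {a}" for a in ("secure", "httponly", "samesite") if a not in attrs]
    return findings
```

Feeding it the headers of a real response (for example from a requests.Response.headers mapping) gives the same kind of per-header findings the Mozilla Observatory reports.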
