Introduction
Managing HTTP response header properly increases the security of your web site, and makes it hard to breach. Typically, HTTP header contains name-value pair of strings which are sent back from server with the web page content. These headers are security policies to client browser which enable safer browsing with the policies imposed on header.
Content Security Policy (CSP)
CSP allows you to restrict the resource loading on a particular site. Applying proper header value decreases the chance of injecting malicious code from different domains. Below are some of common name/value for CSP header.
Content-Security-Policy : default-src 'self';
(Allow everything but only from the same origin)
Content-Security-Policy : script-src 'self'; (Only Allow Scripts from the same origin)
Content-Security-Policy : script-src 'self'
www.google-analytics.com ajax.googleapis.com;
(Allow Google Analytics, Google AJAX CDN and Same Origin)
Content-Security-Policy : default-src https:
(Allow any assets to be loaded over https from any origin)
Further references:
Let’s see how to add the name-value pair on IIS.
Add the desired name value pair.
X-Frame Options
X-Frame option can be used to indicate browser should be allowed /or not an iframe. Simply, attacker can use your site on a iframe host on their site. This can be prevented by XFO header.
X-Frame-Options: DENY (Site can be iframed)
X-Frame-Options: SAMEORIGIN
(The page can only be displayed in a frame on the same origin as the page itself)
X-Frame-Options: ALLOW-FROM https://example.com/
(The page can only be displayed in a frame on the example.com)
Further reference:
Strict-Transport-Security
HTTP Strict-Transport-Security (HSTS) enforce browser to communicate only via https instead of http. Let’s say when you previously had a http bookmark which needs to be forced to use https.
Strict-Transport-Security: max-age=31536000; includeSubDomains
(Policy will enforce TLS on your site for one year, including subdomains)
X-XSS-Protection
This Header is used to prevent XSS attacks which remove unsafe parts from cross site script injections.
X-XSS-Protection: 0; (Disable the protection)
X-XSS-Protection: 1;mode=block (Enable the protection)
Further reference:
Public-Key-Pins
HPKP is security feature which can be configured on HTTP response and prevent from forged certificates. After creating Base64 key, it will look like below (keys are samples).
Public-Key-Pins : 'pin-sha256="X3pGTSOuJeEVw989IJ/cEtXUEmy52zs1TZQrU06KUKg=";
\ pin-sha256="MHJYVThihUrJcxW6wcqyOISTXIsInsdj3xK8QrZbHec=";
\ pin-sha256="isi41AizREkLvvft0IRW4u3XMFR2Yg7bvrF7padyCJg=";
\ max-age=10; includeSubdomains';
Note
If wrongly defined, your site will be inaccessible. Use less max-age for live tests. Make sure to include backup keys. Never use a single key.
The below article describes to generate the keys from installed certificate:
When renewing the certificate, extract a public key using Base64, remove a one key from the previous header and include the new one.
Referrer-Policy
When someone clicks on a links and landed on target,
target can determine where is origin. Referrer policy enables control this behavior.
Find available options.
Referrer-Policy: no-referrer (No referrer information sent over with the request)
Referrer-Policy: no-referrer-when-downgrade
(The browser will not send the referrer header when navigating from HTTPS to HTTP)
Referrer-Policy: origin
(Only send the origin of the document as the referrer in all cases.)
Referrer-Policy: origin-when-cross-origin
(Send a full URL when performing a same-origin request)
Referrer-Policy: same-origin
(The browser will only set the referrer header on requests to the same origin.
If the destination is another origin then no referrer information will be sent.)
Referrer-Policy: strict-origin
(Similar to origin above but will not allow the secure origin to be sent
on a HTTP request, only HTTPS.)
Referrer-Policy: strict-origin-when-cross-origin
(The browser will send the full URL to requests to the same origin but only
send the origin when requests are cross-origin.)
Referrer-Policy: unsafe-url
(Browser will always send the full URL with any request to any origin.)
X-Content-Type-Options
It prevents browser from sniffing mime type away from the server.
X-Content-Type-Options : nosniff
Once you have configured HTTP response, use a online scanner/security tester to test the site.
Below is a snapshot of a site scanned using https://securityheaders.io.
History
- 2nd January, 2018: Initial version
