Improve your Web App’s security with HTTP Headers

Over recent years, new security standards have been set by the W3C, and implemented by browser vendors. The idea was to create a set of HTTP headers that developers could use in order to add a browser-based layer of security for their web applications.

Indeed, many security problems can (or should) be remediated on the client side (e.g. Same Origin Policy), and by improving the security of the platforms it was clear that the overall security level of web applications would increase, with little regard to the actual server-side implementation.

Let’s present a quick overview of these HTTP headers:

X-XSS-Protection

Description: Enables a Cross-Site Scripting (XSS) filter in the browser that blocks malicious reflected XSS code.

Setting: X-XSS-Protection: 1; mode=block

Supported Browsers: IE 8+, Chrome, Safari (WebKit).

Additional Information: https://blogs.msdn.microsoft.com/ie/2008/07/02/ie8-security-part-iv-the-xss-filter/

X-Content-Type-Options


Description: Prevents the browser from MIME-sniffing (i.e. the practice of inspecting the content of a byte stream in order to deduce the file format of the data within it). This reduces the risk of an attacker tricking the browser into parsing an HTTP response with a content-type that was not intended by the server, which could then enable a Cross-Site Scripting (XSS) attack.

Setting: X-Content-Type-Options: nosniff

Supported Browsers: IE 9+, Chrome, Safari.

Additional Information: https://blogs.msdn.microsoft.com/ie/2008/09/02/ie8-security-part-vi-beta-2-update/

 

X-Frame-Options

Description: Tells the browser whether it should allow a page to be embedded within a <frame>, <iframe>, or <object> HTML element. This prevents frame-based attacks like Click-Jacking.

Setting:
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
X-Frame-Options: ALLOW-FROM http://trusted-origin.com

Supported Browsers: IE 8+, Chrome, Firefox, Safari, Opera.

Additional Information: https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options

 

Content-Security-Policy

Description: Prevents the browser from loading resources (e.g. Javascript) from external origins. This helps in mitigating many attacks, including Cross-Site Scripting (XSS) and other cross-site injections.

Setting:  Content-Security-Policy: default-src 'self'

Supported Browsers: IE 10+, Chrome, Firefox, Safari, Opera.

Additional Information: https://www.w3.org/TR/2012/WD-CSP11-20121213/

 

Access-Control-Allow-Origin

Description: Specifies which origins are allowed to send non-simple cross-origin XHR requests with cookies, and more importantly, which origins are allowed to see the response of such a request. This is the main header of the new CORS specifications, but it is usually set along with other CORS headers (‘Access-Control-Allow-Credentials’, ‘Access-Control-Allow-Headers’, etc.).

Setting: Do not set, or restrict only to trusted origins, for example:
Access-Control-Allow-Origin: http://trusted.com

Supported Browsers: IE 10+, Chrome, Firefox, Safari, Opera.

Additional Information: https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS

 

Cache-Control

Description: Controls who can cache the response, under which conditions, and for how long. This can be set in order to prevent the caching of responses containing sensitive data.

Setting:
Cache-Control: no-store
Pragma: no-cache (for HTTP 1.0 compatibility)
Expires: 0 (for HTTP 1.0 compatibility)

Supported Browsers: IE 6+, Chrome, Firefox, Safari, Opera.

Additional Information: https://developers.google.com/web/fundamentals/performance/optimizing-content-efficiency/http-caching?hl=en

 

HTTP Strict-Transport-Security (HSTS)

Description: Policy mechanism declaring that browsers should only interact with the server over a secure HTTPS connection. This helps protect against SSL Stripping (i.e. forcing a victim into browsing over HTTP instead of HTTPS) and cookie hijacking. The value of the header is the period (in seconds) during which this policy should be enforced.

Setting: Strict-Transport-Security: max-age=<expire_time>

Supported Browsers: IE 11+, Chrome, Firefox, Safari, Opera.

Additional Information: https://www.owasp.org/index.php/HTTP_Strict_Transport_Security

 

Public-Key-Pins

Description: This header is used in order to enforce SSL Pinning. In other words, it tells the browser to associate a public cryptographic key with the server. This mechanism allows websites to resist impersonation and prevents Man-in-the-Middle (MitM) attacks. Please note that it is possible to pin multiple keys, so if one of them is compromised, you can still use the other ones.

Setting: 
Public-Key-Pins: pin-sha256="<base64_encode(public_key_fingerprint)>"; pin-sha256="<base64_encode(public_key2_fingerprint)>"; max-age=<expire_time>; includeSubdomains; report-uri="<report_to_this_url_in_case_of_failure>"

Supported Browsers: Chrome, Firefox.

Additional Information: https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning
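
To check a response against the settings listed above, the following added example (not code from the original article) audits a dictionary of response headers and returns one finding per missing or weak header. The function name, the trusted_origins and sensitive parameters, and the sample headers are assumptions made for illustration.

```python
import re

def audit_headers(headers, trusted_origins=frozenset(), sensitive=False):
    """Return a list of findings; an empty list means every check passed."""
    h = {name.lower(): value.strip() for name, value in headers.items()}
    findings = []

    def require(name, is_ok, advice):
        value = h.get(name)
        if value is None:
            findings.append(f"{name}: missing, {advice}")
        elif not is_ok(value):
            findings.append(f"{name}: {value!r} is weak, {advice}")

    def csp_ok(v):  # needs a default-src that is not the bare wildcard
        for directive in v.lower().split(";"):
            parts = directive.split()
            if parts[:1] == ["default-src"]:
                return "*" not in parts[1:]
        return False

    def hsts_ok(v):  # max-age=0 switches the policy off
        m = re.search(r'max-age\s*=\s*"?(\d+)', v, re.I)
        return bool(m) and int(m.group(1)) > 0

    require("x-xss-protection",
            lambda v: v.replace(" ", "").lower() == "1;mode=block", "set '1; mode=block'")
    require("x-content-type-options", lambda v: v.lower() == "nosniff", "set 'nosniff'")
    require("x-frame-options",
            lambda v: v.upper() in ("DENY", "SAMEORIGIN") or v.upper().startswith("ALLOW-FROM "),
            "set DENY, SAMEORIGIN or ALLOW-FROM <origin>")
    require("content-security-policy", csp_ok, "restrict default-src, e.g. to 'self'")
    require("strict-transport-security", hsts_ok, "set a positive max-age")
    if sensitive:  # no-store is only required on responses carrying sensitive data
        require("cache-control",
                lambda v: "no-store" in [d.strip().lower() for d in v.split(",")],
                "set 'no-store'")
    # The CORS header may be absent; if present it must name a trusted origin exactly.
    acao = h.get("access-control-allow-origin")
    if acao is not None and acao not in trusted_origins:
        findings.append(f"access-control-allow-origin: {acao!r} is not a trusted origin")
    # Pinning is optional, but one pin leaves no fallback if that key is compromised.
    pins = h.get("public-key-pins")
    if pins is not None and len(re.findall(r"pin-sha256\s*=", pins, re.I)) < 2:
        findings.append("public-key-pins: fewer than two pins, add a backup key")
    return findings

# Constructed sample response headers, not captured from a real site.
WEAK = {"X-Frame-Options": "ALLOWALL", "Strict-Transport-Security": "max-age=0",
        "Content-Security-Policy": "default-src *", "Access-Control-Allow-Origin": "*"}
```

Calling audit_headers(WEAK, trusted_origins={"http://trusted.com"}, sensitive=True) returns seven findings, covering the two absent headers, the four weak values and the missing no-store directive.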
