Categories

Geo Maps Live Editor

Security HTTP Headers

Posted on: July 26, 2018 by Dimitar Ivanov
Overview

Last few years a bunch of new HTTP headers were added to the web platform. The purpose of this blog post is to discuss the most critical headers from a security perspective.

X-Frame-Options

This http header helps avoiding clickjacking attacks. Browser support is as follow: IE 8+, Chrome 4.1+, Firefox 3.6.9+, Opera 10.5+, Safari 4+. Posible values are:

deny
browser refuses to display requested document in a frame
sameorigin
browser refuses to display requested document in a frame, in case that origin does not match
allow-from: DOMAIN
browser displays requested document in a frame only if it loaded from DOMAIN
// Raw header
X-Frame-Options: sameorigin

// How to send the response header with PHP
header("X-Frame-Options: sameorigin");

// How to send the response header with Apache (.htaccess)
<IfModule mod_headers.c>
    Header set X-Frame-Options "sameorigin"
</IfModule>

// How to send the response header with Express.js
app.use(function(req, res, next) {
    res.header("X-Frame-Options", "sameorigin");
    next();
});

X-Frame-Options

X-XSS-Protection

Use this header to enable browser built-in XSS Filter. It prevent cross-site scripting attacks. X-XSS-Protection header is supported by IE 8+, Opera, Chrome, and Safari. Available directives:

0
disables the XSS Filter
1
enables the XSS Filter. If a cross-site scripting attack is detected, in order to stop the attack, the browser will sanitize the page.
1; mode=block
enables the XSS Filter. Rather than sanitize the page, when a XSS attack is detected, the browser will prevent rendering of the page.
1; report=<reporting-URI>
enables the XSS Filter. If a cross-site scripting attack is detected, the browser will sanitize the page and report the violation.
// Raw header
X-XSS-Protection: 1; mode=block

// How to send the response header with PHP
header("X-XSS-Protection: 1; mode=block");

// How to send the response header with Apache (.htaccess)
<IfModule mod_headers.c>
    Header set X-XSS-Protection "1; mode=block"
</IfModule>

// How to send the response header with Express.js
app.use(function(req, res, next) {
    res.header("X-XSS-Protection", "1; mode=block");
    next();
});

X-Content-Type-Options

This http header is supported by IE and Chrome, and prevents attacks based on MIME-type mismatch. The only possible value is nosniff. If your server returns X-Content-Type-Options: nosniff in the response, the browser will refuse to load the styles and scripts in case they have an incorrect MIME-type. The list with available MIME-types for styles and scripts is as follow:

Styles
  • text/css
Scripts
  • application/ecmascript
  • application/javascript
  • application/x-javascript
  • text/ecmascript
  • text/javascript
  • text/jscript
  • text/x-javascript
  • text/vbs
  • text/vbscript
// Raw header
X-Content-Type-Options: nosniff

// How to send the response header with PHP
header("X-Content-Type-Options: nosniff");

// How to send the response header with Apache (.htaccess)
<IfModule mod_headers.c>
    Header set X-Content-Type-Options "nosniff"
</IfModule>

// How to send the response header with Express.js
app.use(function(req, res, next) {
    res.header("X-Content-Type-Options", "nosniff");
    next();
});

So if you try to load for example a HTML document as external script resource (the src attribute of HTMLScriptElement), the browser will refuse it.

X-Content-Type-Options

Strict-Transport-Security

To take advantage of this security header, the current webpage must be accessed over HTTPS. In this case the Strict-Transport-Security header force secure connections to the server. This prevents losing session data stored in cookies. Also prevents users to access website in case the server's TLS certificate is not trusted. Browser support: IE 11+, Chrome 4+, Firefox 4+, Opera 12+, Safari 7+. Accepts following directives:

max-age
Required. The number of seconds that browser should force the connection over HTTPS.
includeSubDomains
Optional. If present, tells to the browser that the policy applies to current host and to all host's subdomains.
preload
Optional. Not part of the specification.
// Raw header
Strict-Transport-Security: max-age=31536000
// or
Strict-Transport-Security: max-age=31536000; includeSubDomains

// How to send the response header with PHP
header("Strict-Transport-Security: max-age=31536000");

// How to send the response header with Apache (.htaccess)
<IfModule mod_headers.c>
    Header set Strict-Transport-Security "max-age=31536000"
</IfModule>

// How to send the response header with Express.js
app.use(function(req, res, next) {
    res.header("Strict-Transport-Security", "max-age=31536000");
    next();
});

Content-Security-Policy

This header could affect your website in many ways, so be careful when using it. The configuration below allows loading scripts, XMLHttpRequest (AJAX), images and styles from same domain and nothing else. Browser support: Edge 12+, Firefox 4+, Chrome 14+, Safari 6+, Opera 15+

Few notes: IE 10 and 11 supports CSP through the X-Content-Security-Policy header; Safari 5.1 supported through the X-Webkit-CSP header.

// Raw header
Content-Security-Policy: default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';

// How to send the response header with PHP
header("Content-Security-Policy: default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';");

// How to send the response header with Apache (.htaccess)
<IfModule mod_headers.c>
    Header set Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';"
</IfModule>

// How to send the response header with Express.js
app.use(function(req, res, next) {
    res.header("Content-Security-Policy", "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';");
    next();
});

Access-Control-Allow-Origin

The Access-Control-Allow-Origin is part of the cross-origin resource sharing specification which we discussed recently.

Public-Key-Pins

The Public Key Pinning Extension for HTTP (HPKP) is a security feature that tells a web client to associate a specific cryptographic public key with a certain web server to prevent man-in-the-middle attacks with forged certificates. Available directives are:

pin-sha256
A Base64 encoded Subject Public Key Information (SPKI) fingerprint.
max-age
The time, in seconds, that the user-agent should remember the host as a Known Pinned Host.
includeSubDomains
An optional directive that signals to the user-agent that the Pinning Policy applies to this Pinned Host as well as any subdomains of the host's domain name.
report-uri
An optional directive that indicates the URI to which the user-agent should report Pin Validation failures.
// Raw
Public-Key-Pins: pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM="; pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="; max-age=604800; includeSubDomains; report-uri="https://example.net/pkp-report"

// PHP
header('Public-Key-Pins: pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM="; pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="; max-age=604800; includeSubDomains; report-uri="https://example.net/pkp-report"');

// Apache
<IfModule mod_headers.c>
    Header set Public-Key-Pins "pin-sha256=\"d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=\"; pin-sha256=\"E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=\"; max-age=604800; report-uri=\"https://example.net/pkp-report\""
</IfModule>

// nginx
add_header Public-Key-Pins "pin-sha256=\"d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=\"; pin-sha256=\"E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=\"; max-age=604800";

// Express.js
app.use(function(req, res, next) {
    res.header("Public-Key-Pins", 'pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM="; pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="; max-age=604800; includeSubDomains');
    next();
});

Referrer-Policy

Controls the value of Referer header sent with the additional requests for resources from a web page. Firefox 36+ and Opera 15+ had a full support of the specification. Edge 12+ and Safari 7.1+ supports the older draft of the spec with never, always, origin and default values. Chrome 21+ does not support same-origin, strict-origin and strict-origin-when-cross-origin values. Valid values are as follow:

""
An empty string is considered to no referrer policy, i.e. referrer fallbacks to policy defined elsewhere.
no-referrer
Means that no referrer information is sent along the requests.
no-referrer-when-downgrade
The referrer is sent to requests with better or same security (HTTP to HTTPS, HTTPS to HTTPS, HTTP to HTTP), but not less (HTTPS to HTTP). This is the default policy.
same-origin
The referrer header is sent only to same-origin requests. A request is with same-origin when the URL scheme, hostname and port of the source and destination matches.
origin
Browsers will always send the referrer header, but it will contain only the origin. The pathname and query string will be stripped-off.
strict-origin
The referrer header consists of only the origin and is sent to requests with better or same but not less security.
origin-when-cross-origin
The referrer is always sent, but contain only the origin if a request is cross-origin. Otherwise, the full URL is sent.
strict-origin-when-cross-origin
Browsers send only the origin as a referrer to cross-origin requests and the full URL to those with same-origin, but no referrer is sent to less secure destinations.
unsafe-url
A full URL, without parameters, is sent along both the same-origin and cross-origin requests.
// Raw header
Referrer-Policy: origin-when-cross-origin

// PHP
header("Referrer-Policy: origin-when-cross-origin");

// Apache
<IfModule mod_headers.c>
    Header set Referrer-Policy "origin-when-cross-origin"
</IfModule>

// nginx
add_header Referrer-Policy "origin-when-cross-origin"

// Express.js
app.use(function(req, res, next) {
    res.header("Referrer-Policy", "origin-when-cross-origin");
    next();
});

Expect-CT

Certificate Transparency policy means that user-agents, e.g. browsers should block an access to a website with a certificate that is not registered in public CT logs (after October 2017). Omitting the enforce directive will make it work only in report-only mode. In the other side, the report-uri directive is meaningless when used together with the enforce directive.

max-age
The time, in seconds, that the user-agent should regard the host received as an Expect-CT Host.
report-uri
An optional directive that indicates the URI to which the user-agent should report Expect-CT failures.
enforce
An optional, valueless directive that, if present, signals to the user-agent to block future requests that violate the CT policy.
// Raw header
Expect-CT: max-age=7776000, enforce, report-uri="http://domain.com/ct-report"

// PHP
header("Expect-CT: max-age=7776000, enforce");

// Apache
<IfModule mod_headers.c>
    Header set Expect-CT "max-age=7776000, enforce"
</IfModule>

// nginx
add_header Expect-CT "max-age=7776000, enforce"

// Express.js
app.use(function(req, res, next) {
    res.header("Expect-CT", "max-age=7776000, enforce");
    next();
});

Feature-Policy

The Feature-Policy header gives a site owners an opportunity to enable and disable specific browser features and APIs. This is a list of currently supported features:

  • accelerometer
  • ambient-light-sensor
  • autoplay
  • camera
  • cookie
  • docwrite
  • domain
  • encrypted-media
  • fullscreen
  • geolocation
  • gyroscope
  • magnetometer
  • microphone
  • midi
  • payment
  • picture-in-picture
  • speaker
  • sync-script
  • sync-xhr
  • unsized-media
  • usb
  • vertical-scroll
  • vibrate
  • vr

To control the origins use the following values:

*
Any origin have an access to this feature.
'self'
Only the same-origin have an access to this feature. This is the default behavior.
'none'
None origin have an access to this feature.
<origin(s)>
Only the specified origins have an access to this feature.
Feature-Policy: camera 'none'; fullscreen 'self'; geolocation *; microphone 'self' https://example.com
Conclusion

Big players as Google+, Facebook, Twitter, LinkedIn use the above HTTP headers as an additional layer on a defence of their architecture. So it's strongly recommended the use of security HTTP headers to make your website safer and resist of attacks.

HTTP Headers for Wordpress
Make your website more secure by using the HTTP Headers for Wordpress, and never face a cross-origin issue again. Oh yes, it's FREE.
Download HTTP Headers v1.9.2
See also
References
Share this post

Thanks so much for reading! If you have questions about HTTP security please drop a comment below. Don't forget to share too.


14 Comments

Aditya
Aditya January 16, 2016 at 23:53 pm
Thanks to this blog entry. You solve all the query my mind about header security about most successful companies use this type of security.
Dimitar Ivanov
Dimitar Ivanov January 17, 2016 at 06:45 am
Thanks, Aditya. It's great to know you find my article about HTTP security useful.
Raj
Raj February 4, 2016 at 01:43 am
Hi Dimitar,

Thanks for such expert blog post. I need to implement all these headers in one of my PHP website. Can you please let me know how I can do this? If I send response header only via apache (.htacces) then would it be sufficient ? Or I need to implement other options as well.

Thanks.
Dimitar Ivanov
Dimitar Ivanov February 4, 2016 at 12:41 pm
Hi Raj,

The server has to send these headers, so there is no matter what you have used, e.g. server-side language (PHP, Ruby, Python) or server configuration file (.htaccess)
Raj
Raj February 6, 2016 at 01:26 am
Thanks, Dimitar.

It means the examples above are showing different ways of doing this and we only need to integrate only one way.

Thanks again.
sanju
sanju August 18, 2016 at 07:08 am
Hi
but how to use this for java script and jsp
Dimitar Ivanov
Dimitar Ivanov August 18, 2016 at 13:23 pm
Hi Sanju,

To sent a header In JSP you can use the setHeader method:

response.setHeader("X-XSS-Protection", "1; mode=block");
response.setHeader("X-Content-Type-Options", "nosniff");
khaleel
khaleel September 7, 2016 at 04:54 am
Hi Dimitar,
My application is in IIS,coldfusion,javascript ,jquery and sql server when i ran IBM app scan tool following issues reported
1. Missing "Content-Security-Policy" header
2. Missing "X-Content-Type-Options" header
3. Missing "X-XSS-Protection" header
4. Missing HTTP Strict-Transport-Security Header
Can you please let me know how to resolve in html,Javascript and iis
Craig
Craig September 9, 2016 at 03:44 am
Hi Dimitar, thanks for the article. I have been using these headers for a while, but something completely passed me by - My apps use https and one day using fiddler I was initially surprised not to see my headers, but of course they are http. Does this mean I cannot have the same protection using https, or in some way do they still work in https?
Dimitar Ivanov
Dimitar Ivanov September 9, 2016 at 13:40 pm
Hi @Craig,
Fiddler disabled the HTTPS decryption by default. To enable it, do following:

1. Click Tools > Fiddler Options.
2. Click the HTTPS tab. Ensure the Decrypt HTTPS traffic checkbox is checked.
Craig
Craig September 9, 2016 at 19:37 pm
Hi Dimitar, many thanks for your help. After setting Fiddler to decrypt, I can now see my security headers. Many thanks for your help. Best Regards Craig
i-Awcs.com
i-Awcs.com June 29, 2017 at 01:13 am
Good article we shared it on our page :www.facebook.com/HWEnterprise/posts/1634213703287879
Rajesh
Rajesh July 4, 2017 at 01:49 am
Thanks for the blog post Dimitar Ivanov. It helped me a lot.
JyotiC
JyotiC January 12, 2018 at 04:37 am
Thanks for sharing this blog, so clear and descriptive example of each and every security http headers. It helps me a lot.

Leave a comment

Captcha