Useful HTTP headers
Summary of HTTP headers useful and fundamental for securing web pages, clients, and communication from malicious activities. HSTS, CORS, CSP, HPKP and many many others.
Secure Cookie
Set-Cookie: <name>=<value>[; <Max-Age>=<age>]
[; expires=<date>]
[; domain=<domain_name>]
[; path=<some_path>]
[; secure][; HttpOnly]
- HttpOnly: any script can’t access cookie data, an empty string is returned.
- secure: the cookie will/is server only under a secure connection
Other fields are auto-esplicative
The newer SameSite cookie header is explained here.
CORS Headers
Cross-Origin-Resource-Sharing
Examples:
Origin: Server.com
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST,GET
Access-Control-Allow-Headers: POST, GET, OPTIONS
Access-Control-Request-Method: POST,GET
Access-Control-Request-Headers: Content-Type
When a browser send a cross-origin XMLHttpRequest to a server that doesn’t respond with these headers, no access will be given to the response.
Let’s see an example:
Suppose web content on domain http://foo.example wishes to invoke content on domain http://bar.other. Code of this sort might be used within JavaScript deployed on foo.example:
var invocation = new XMLHttpRequest();
var url = 'http://bar.other/resources/public-data/';
function callOtherDomain() {
if(invocation) {
invocation.open('GET', url, true);
invocation.onreadystatechange = handler;
invocation.send();
}
}
This will lead to a simple exchange between the client and the server, using CORS headers to handle the privileges:
Let us look at what the browser will send to the server in this case, and let’s see how the server responds:
GET /resources/public-data/ HTTP/1.1
Host: bar.other
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3pre) Gecko/20081130 Minefield/3.1b3pre
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Referer: http://foo.example/examples/access-control/simpleXSInvocation.html
Origin: http://foo.example
HTTP/1.1 200 OK
Date: Mon, 01 Dec 2008 00:23:53 GMT
Server: Apache/2.0.61
Access-Control-Allow-Origin: *
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/xml
To note:
- Origin header in the request from foo.example
- *Access-Control-Allow-Origin: ** header in the response from bar.other
Summary
The Origin
header clearly shows by whom the invocation has been done.
The domain bar.others answering with
Access-Control-Allow-Origin: *
has allowed anyone to include his content through cross-origin requests. If it would have restricted access only to foo.example then it would have sent back
Access-Control-Allow-Origin: http://foo.example
For more in depth and other cases than this “simple request”: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
CSP or Content Security Policy
Its aim is to mitigate XSS and data injection attacks by differentiating instructions and content.
Content-Security-Policy: <policy>
or X-Content-Security-Policy: <policy>
are sent by server to stipulate locations where scripts can be loaded. It also stipulate restrictions on which JavaScript function is allowed to use or not.
Alternatively, the <meta>
element can be used to configure a policy, for example:
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src https://*; child-src 'none';">
CSP permits to specify domains that browser should consider to be valid sources of executable scripts. CSP can specify also the protocol to use like the encrypted HTTPS.
Policies
Are directives each of which describes the policy for a certain resource type or area.
A policy needs to include a default-src or script-src directive to prevent inline scripts from running, as well as blocking the use of eval()
.
A policy needs to include a default-src or style-src directive to restrict inline styles from being applied from a <style>
element or a style attribute.
Content-Security-Policy:
[directive] [source-expression]
Examples
Content-Security-Policy: default-src 'self'
: All content must come from site’s own origin.Content-Security-Policy: default-src 'self' *.trusted.com
: allow a trusted domain and its subdomains.Content-Security-Policy: default-src 'self'; img-src *; media-src media1.com media2.com; script-src userscripts.example.com
: images can be included from any domain but media (audio/video) is restricted. All scripts must come from that domain.Content-Security-Policy: default-src https://onlinebanking.jumbobank.com
: if you want all content to be loaded under SSL/TLS just set the default-src domain under HTTPS.Content-Security-Policy: default-src 'self' *.mailsite.com; img-src *
: allow html and images but not Javascript. The tagscript-src
is not specified, so the default setting will followdefault-src
or “all must be loaded from the originating server”.
Other directives:
- connect‑src
- font‑src
- frame‑src
- img‑src
- media‑src
- object‑src
- script‑src
- style‑src
Source expressions:
- ‘none’ : Allows no resources.
- ‘self’: Allows resources from the host that served the page.
- ‘unsafe‑inline’: Allows resources embedded in the page, such as inline
<script>
elements,<style>
elements, and javascript: URLs - ‘unsafe‑eval’: Allows the use of the JavaScript eval function.
Further docs in ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
X-Content-Type-Options
This header is used by the server to indicate that the MIME types written in the Content-Type
header should not be changed and be followed.
X-Content-Type-Options: nosniff
When a Content-Type
is not specified, the browser take a guess on what type of content it has received. The directive nosniff
just disable this behaviour.
Example:
if the server sends a nosniff
directive in response to a script
tag, then the browser will ignore the response unless the MIME type matches application/javascript
.
X-Frame-Options
indicate if a browser should be allowed to render a page in an <iframe>
, <frame>
or <object>
. This in order to avoid clickjacking attacks (also known as “User Interface redress attack, UI redress attack,”).
Possible directives:
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
X-Frame-Options: ALLOW-FROM https://example.com/
- DENY : attempts to load page in a frame will fail also whed the page is loaded from the same site.
- SAMEORIGIN: only allow page from the same origin to be loaded into the page itself.
- ALLOW-FROM uri: the page can only be displayed in a frame on the specified origin.
Note: SAMEORIGIN and ALLOW-FROM doesn’t check if also their ancestors are in the same origin.
HSTS HTTP Strict Transport Security
protect websites against protocol downgrade attacks and cookie hijacking.
It tells the browser to only access the domain using secure HTTPS connections and never via HTTP. Note that the there will always be the firstconnection to a server on a standard unsecure port.
Strict-Transport-Security: max-age=31536000 ; includeSubDomains; preload
HPKP Public Key Pinning Extension
is a security mechanism which allow HTTPS websites to resist impersonation by attackers using mis-issued or fraudolent certificates.
The HTTPS web server serves a list of public key hashes and on subsequent connections clients expect the the server use one of those in the certificate chain. Its use must be wisely adopted because could easily make websites unavailable.
Example
Public-Key-Pins: pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM="; pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="; report-uri="http://example.com/pkp-report"; max-age=10000; includeSubDomains
- pin-sha256=”
<sha256>
“: base64 encoded Subject Public Key Information fingerprint. - max-age=SECONDS: time that the browser should remember the rule.
- includeSubDomains: (optional) apply to all subdomains.
- report-uri=”
<URL>
“: (optional) pin validation failures will be reported to the given URL.
X-XSS-Protection
This header enables the Cross-site scripting (XSS) filter in your browser.
X-XSS-Protection: 1; mode=block
- 0 : filter disabled
- 1 : filter enabled, browser will sanitize tha page
- mode=block: rather than sanitize the browser will block the render of the page
- report=”
<url>
”“: sanitize + report violation
Other header examples are
Referrer-Policy: no-referrer
Expect-CT: max-age=86400, enforce, report-uri=<url>
X-Permitted-Cross-Domain-Policies: none
.