|
|
(25 intermediate revisions by 7 users not shown) |
Line 1: |
Line 1: |
− | This page lists useful security-related HTTP headers. In most architectures these headers can be set in web server configuration ([http://httpd.apache.org/docs/2.0/mod/mod_headers.html Apache], [http://technet.microsoft.com/pl-pl/library/cc753133(v=ws.10).aspx IIS]), without changing actual application's code. This offers significantly faster and cheaper method for at least partial mitigation of existing issues, and an additional layer of defense for new applications.
| + | #redirect [[OWASP_Secure_Headers_Project]] |
− | | |
− | {| border="1"
| |
− | |-
| |
− | ! Field name
| |
− | ! Description
| |
− | ! Example
| |
− | |-
| |
− | |[http://tools.ietf.org/html/rfc6797 Strict-Transport-Security]
| |
− | |Enforces secure (HTTP over SSL/TLS) connections to the server. This reduces impact of bugs in web applications leaking session data through cookies and external links.
| |
− | |<code>Strict-Transport-Security: max-age=16070400; includeSubDomains</code>
| |
− | |-
| |
− | | [http://tools.ietf.org/html/draft-ietf-websec-x-frame-options-01 X-Frame-Options], [http://tools.ietf.org/html/draft-ietf-websec-frame-options-00 Frame-Options]
| |
− | | [[Clickjacking]] protection. Values: ''deny'' - no rendering within a frame, ''sameorigin'' - no rendering if origin mismatch, ''allow-from: URL'' - allow rendering frame if loaded from ''URL''
| |
− | | <code> X-Frame-Options: deny</code>
| |
− | |-
| |
− | | [http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx X-XSS-Protection]
| |
− | | This header enables [[Cross-site scripting]] (XSS) filter built into most recent web browsers. It's usually enabled by default anyway, so role of this headers is to re-enable for this particular website if it was disabled by the user.
| |
− | | <code>X-XSS-Protection: 1; mode=block</code>
| |
− | |-
| |
− | | [http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx X-Content-Type-Options]
| |
− | | The only defined value, "nosniff", prevents Internet Explorer and Google Chrom from MIME-sniffing a response away from the declared content-type. This also applies to [http://code.google.com/chrome/extensions/hosting.html Google Chrome], when downloading extensions. This reduces exposure to drive-by download attacks and sites serving user uploaded content that, by clever naming, could be treated by MSIE as executable or dynamic HTML files.
| |
− | | <code> X-Content-Type-Options: nosniff </code>
| |
− | |-
| |
− | |[http://www.w3.org/TR/CSP/ X-Content-Security-Policy, X-WebKit-CSP]
| |
− | |[[Content Security Policy]] definition. Requires careful tuning and precise definition of the policy. If enabled CSP has significant impact on the way browser renders pages (e.g. inline JavaScript disabled by default and must be explicitly allowed in policy). CSP prevents a wide range of attacks, including [[Cross-site Scripting]] and other cross-site injections.
| |
− | |<code>X-WebKit-CSP: default-src 'self'</code>
| |
− | |}
| |
− | | |
− | | |
− | ==Real life examples==
| |
− | Below examples present selected HTTP headers as set by popular websites to demonstrate that they are indeed being used in production services:
| |
− | | |
− | ===Facebook===
| |
− | As of January 2013 [https://www.facebook.com/ Facebook] main page was setting these security related HTTP headers.
| |
− | | |
− | '''Strict-Transport-Security:''' max-age=60
| |
− | '''X-Content-Type-Options:''' nosniff
| |
− | '''X-Frame-Options:''' DENY
| |
− | '''X-WebKit-CSP:''' <small>default-src *; script-src https://*.facebook.com
| |
− | http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net
| |
− | *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:*
| |
− | 'unsafe-inline' 'unsafe-eval' https://*.akamaihd.net http://*.akamaihd.net;
| |
− | style-src * 'unsafe-inline'; connect-src https://*.facebook.com http://*.facebook.com
| |
− | https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.spotilocal.com:*
| |
− | https://*.akamaihd.net ws://*.facebook.com:* http://*.akamaihd.net;</small>
| |
− | '''X-XSS-Protection:''' 1; mode=block
| |
− | | |
− | Especially interesting is Facebook's use of [http://www.w3.org/TR/CSP/ Content Security Policy] (using Google Chrome syntax), whose implementation can be [http://www.html5rocks.com/en/tutorials/security/content-security-policy/ challenging] for large sites with heavy usage of JavaScript.
| |
− | | |
− | ===Google+===
| |
− | As of January 2013 [https://plus.google.com/ Google+] main page was setting these security related HTTP headers:
| |
− | | |
− | '''x-content-type-options:''' nosniff
| |
− | '''x-frame-options:''' SAMEORIGIN
| |
− | '''x-xss-protection:''' 1; mode=block
| |