This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "List of useful HTTP headers"

From OWASP
Jump to: navigation, search
(clarity on https)
(Redirected page to OWASP Secure Headers Project)
 
(8 intermediate revisions by the same user not shown)
Line 1: Line 1:
This page lists useful security-related HTTP headers. In most architectures these headers can be set in web server configuration ([http://httpd.apache.org/docs/2.2/mod/mod_headers.html Apache], [http://technet.microsoft.com/pl-pl/library/cc753133(v=ws.10).aspx IIS], [http://nginx.org/en/docs/http/ngx_http_headers_module.html nginx]), without changing actual application's code. This offers significantly faster and cheaper method for at least partial mitigation of existing issues, and an additional layer of defense for new applications.
+
#redirect [[OWASP_Secure_Headers_Project]]
 
 
{| border="1"
 
|-
 
! Header name
 
! Description
 
! Example
 
|-
 
|[https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning Public Key Pinning Extension for HTTP]
 
|The Public Key Pinning Extension for HTTP (HPKP) is a security header that tells a web client to associate a specific cryptographic public key with a certain web server to prevent MITM attacks with forged certificates. This is meant to help (only) HTTPS sites resist man-in-the middle via impersonation.
 
|<code>Public-Key-Pins: pin-sha256="<sha256>"; pin-sha256="<sha256>"; max-age=15768000; includeSubDomains </code>
 
|-
 
|[http://tools.ietf.org/html/rfc6797 Strict-Transport-Security]
 
|HTTP Strict-Transport-Security (HSTS) enforces secure (HTTP over SSL/TLS) connections to the server. This reduces impact of bugs in web applications leaking session data through cookies and external links and defends against Man-in-the-middle attacks. HSTS also disables the ability for user's to ignore SSL negotiation warnings.
 
|<code>Strict-Transport-Security: max-age=16070400; includeSubDomains</code>
 
|-
 
| [http://tools.ietf.org/html/draft-ietf-websec-x-frame-options-01 X-Frame-Options], [http://tools.ietf.org/html/draft-ietf-websec-frame-options-00 Frame-Options]
 
| Provides [[Clickjacking]] protection. Values: ''deny'' - no rendering within a frame, ''sameorigin'' - no rendering if origin mismatch, ''allow-from: DOMAIN'' - allow rendering if framed by frame loaded from ''DOMAIN''
 
| <code> X-Frame-Options: deny</code>
 
|-
 
| [http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx X-XSS-Protection]
 
| This header enables the [[Cross-site scripting]] (XSS) filter built into most recent web browsers. It's usually enabled by default anyway, so the role of this header is to re-enable the filter for this particular website if it was disabled by the user. This header is supported in IE 8+, and in Chrome (not sure which versions). The anti-XSS filter was added in Chrome 4. Its unknown if that version honored this header.
 
| <code>X-XSS-Protection: 1; mode=block</code>
 
|-
 
| [http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx X-Content-Type-Options]
 
| The only defined value, "nosniff", prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type. This also applies to [http://code.google.com/chrome/extensions/hosting.html Google Chrome], when downloading extensions. This reduces exposure to drive-by download attacks and sites serving user uploaded content that, by clever naming, could be treated by MSIE as executable or dynamic HTML files.
 
| <code> X-Content-Type-Options: nosniff </code>
 
|-
 
|[http://www.w3.org/TR/CSP/ Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP]
 
|[[Content Security Policy]] requires careful tuning and precise definition of the policy. If enabled, CSP has significant impact on the way browser renders pages (e.g., inline JavaScript disabled by default and must be explicitly allowed in policy). CSP prevents a wide range of attacks, including [[Cross-site scripting]] and other cross-site injections.
 
|<code>Content-Security-Policy: default-src 'self'</code>
 
|-
 
| [http://www.w3.org/TR/CSP/ Content-Security-Policy-Report-Only]
 
| Like Content-Security-Policy, but only reports.  Useful during implementation, tuning and testing efforts.
 
| <code>Content-Security-Policy-Report-Only: default-src 'self'; report-uri http://loghost.example.com/reports.jsp</code>
 
|}
 
 
 
 
 
==Check Your Headers==
 
 
 
Visit Check Your Headers to view and evaluate any website's security headers.  http://cyh.herokuapp.com/cyh
 
 
 
For Chrome, the Recx Security Analyser extension checks a number of security relevant headers and gives a nice report on the findings.
 
[https://chrome.google.com/webstore/detail/recx-security-analyser/ljafjhbjenhgcgnikniijchkngljgjda Recx Security Analyser]
 
 
 
 
==Real life examples==
 
Below examples present selected HTTP headers as set by popular websites to demonstrate that they are indeed being used in production services:
 
 
 
===Facebook===
 
As of January 2013 [https://www.facebook.com/ Facebook] main page was setting these security related HTTP headers.
 
 
 
'''Strict-Transport-Security:''' max-age=60
 
'''X-Content-Type-Options:''' nosniff
 
'''X-Frame-Options:''' DENY
 
'''X-WebKit-CSP:''' <small><nowiki>default-src *; script-src https://*.facebook.com
 
  http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net
 
  *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:*
 
  'unsafe-inline' 'unsafe-eval' https://*.akamaihd.net http://*.akamaihd.net;
 
  style-src * 'unsafe-inline'; connect-src https://*.facebook.com http://*.facebook.com
 
  https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.spotilocal.com:*
 
  https://*.akamaihd.net ws://*.facebook.com:* http://*.akamaihd.net;</nowiki></small>
 
'''X-XSS-Protection:''' 1; mode=block
 
 
 
Especially interesting is Facebook's use of [http://www.w3.org/TR/CSP/ Content Security Policy] (using Google Chrome syntax), whose implementation can be [http://www.html5rocks.com/en/tutorials/security/content-security-policy/ challenging] for large sites with heavy usage of JavaScript.
 
 
 
As of July 2014, the following headers were set:
 
 
 
'''strict-transport-security: max-age=7776000'''
 
'''x-content-type-options: nosniff'''
 
'''x-frame-options: DENY'''
 
'''content-security-policy: <small><nowiki> default-src *;script-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net
 
*.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* 'unsafe-inline' 'unsafe-eval' https://*.akamaihd.net http://*.akamaihd.net
 
*.atlassolutions.com chrome-extension://lifbcibllhkdhoafpjfnlhfpfgnpldfl;style-src * 'unsafe-inline';connect-src https://*.facebook.com http://*.facebook.com
 
https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.spotilocal.com:* https://*.akamaihd.net wss://*.facebook.com:* ws://*.facebook.com:* http://*.akamaihd.net
 
https://fb.scanandcleanlocal.com:* *.atlassolutions.com http://attachment.fbsbx.com https://attachment.fbsbx.com;</nowiki></small>'''
 
'''x-xss-protection:0'''
 
 
 
===Google+===
 
As of January 2013 [https://plus.google.com/ Google+] main page was setting these security related HTTP headers:
 
 
 
'''x-content-type-options:''' nosniff
 
'''x-frame-options:''' SAMEORIGIN
 
'''x-xss-protection:''' 1; mode=block
 
 
 
===Twitter===
 
As of May 2013 [https://twitter.com/ Twitter] main page was setting these security related HTTP headers:
 
 
 
'''strict-transport-security:''' max-age=631138519
 
'''x-frame-options:''' SAMEORIGIN
 
'''x-xss-protection:''' 1; mode=block
 
 
 
As of July 2014 we can see the implementation of CSP added:
 
'''<nowiki>content-security-policy-report-only: default-src https:; connect-src https:; font-src https: data:; frame-src https:
 
http://*.twimg.com http://itunes.apple.com about: javascript:; img-src https: data:; media-src https:; object-src https:;
 
script-src 'unsafe-inline' 'unsafe-eval' about: https:; style-src 'unsafe-inline' https:; report-uri
 
https://twitter.com/i/csp_report?a=NVQWGBBBFVZXO2LAAA%3D%3D%3D%3D%3D%3D&ro=true;</nowiki>'''
 
 
 
As of February 2016 we see a wide variety of security headers in play:
 
'''<nowiki>Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
 
content-security-policy: script-src https://connect.facebook.net https://cm.g.doubleclick.net https://ssl.google-analytics.com https://graph.facebook.com https://twitter.com 'unsafe-eval' https://*.twimg.com https://api.twitter.com 'nonce-PfW2vyB3Oopip9AMkcOLpw==' https://analytics.twitter.com https://ton.twitter.com https://syndication.twitter.com https://www.google.com https://t.tellapart.com https://platform.twitter.com https://www.google-analytics.com 'self'; frame-ancestors 'self'; font-src https://twitter.com https://*.twimg.com data: https://ton.twitter.com https://fonts.gstatic.com https://maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self'; media-src https://twitter.com https://*.twimg.com https://ton.twitter.com blob: 'self'; connect-src https://graph.facebook.com https://media4.giphy.com https://media0.giphy.com https://pay.twitter.com https://analytics.twitter.com https://media.riffsy.com https://media.giphy.com https://media3.giphy.com https://upload.twitter.com https://media2.giphy.com https://media1.giphy.com 'self'; style-src https://fonts.googleapis.com https://twitter.com https://*.twimg.com https://translate.googleapis.com https://ton.twitter.com 'unsafe-inline' https://platform.twitter.com https://maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self'; object-src https://twitter.com https://pbs.twimg.com; default-src 'self'; frame-src https://staticxx.facebook.com https://twitter.com https://*.twimg.com https://player.vimeo.com https://pay.twitter.com https://www.facebook.com https://ton.twitter.com https://syndication.twitter.com https://vine.co twitter: https://www.youtube.com https://platform.twitter.com https://upload.twitter.com https://s-static.ak.facebook.com 'self' https://donate.twitter.com; img-src https://graph.facebook.com https://twitter.com https://*.twimg.com https://media4.giphy.com data: https://media0.giphy.com https://fbcdn-profile-a.akamaihd.net https://www.facebook.com https://ton.twitter.com https://*.fbcdn.net https://syndication.twitter.com https://media.riffsy.com https://www.google.com https://media.giphy.com https://stats.g.doubleclick.net https://media3.giphy.com https://www.google-analytics.com blob: https://media2.giphy.com https://media1.giphy.com 'self'; report-uri https://twitter.com/i/csp_report?a=NVQWGYLXFVZXO2LGOQ%3D%3D%3D%3D%3D%3D&ro=false;</nowiki>'''
 
'''<nowiki>Content-Type: text/html;charset=utf-8</nowiki>'''
 
'''<nowiki>Expires: Tue, 31 Mar 1981 05:00:00 GMT</nowiki>'''
 
'''<nowiki>Pragma: no-cache</nowiki>'''
 
'''<nowiki>Set-Cookie: _twitter_sess=BAh7...(lots more here)...3a3; Path=/; Domain=.twitter.com; Secure; HTTPOnly</nowiki>'''
 
'''<nowiki>strict-transport-security: max-age=631138519</nowiki>'''
 
'''<nowiki>x-content-type-options: nosniff</nowiki>'''
 
'''<nowiki>x-frame-options: SAMEORIGIN</nowiki>'''
 
'''<nowiki>x-xss-protection: 1; mode=block</nowiki>''''
 

Latest revision as of 16:09, 26 May 2016