Difference between revisions of "OWASP Secure Headers Project"
Edit summary of the older revision: (→Quick Links)
Edit summary of the newer revision: (→Classifications)
Line 4: | Line 4: | ||
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |- | {| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |- | ||
− | | valign="top" | + | | valign="top" style="border-right: 1px dotted gray;padding-right:25px;" | |
==OWASP Secure Headers Project== | ==OWASP Secure Headers Project== | ||
Line 22: | Line 22: | ||
{{Social Media Links}} | {{Social Media Links}} | ||
− | | valign="top" | + | | valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" | |
== Project Leader == | == Project Leader == | ||
Line 46: | Line 46: | ||
* [https://lists.owasp.org/mailman/listinfo/owasp_secure_headers_project Project Email List] | * [https://lists.owasp.org/mailman/listinfo/owasp_secure_headers_project Project Email List] | ||
− | | valign="top" | + | | valign="top" style="padding-left:25px;width:200px;" | |
== News and Events == | == News and Events == | ||
Line 60: | Line 60: | ||
{| width="200" cellpadding="2" | {| width="200" cellpadding="2" | ||
|- | |- | ||
− | | align="center" valign="top" width="50% | + | | rowspan="2" align="center" valign="top" width="50%" | [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]] |
− | | align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] | + | | align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=]] |
|- | |- | ||
− | | align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]] | + | | align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=]] |
|- | |- | ||
− | | colspan="2" align="center" | + | | colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] |
|- | |- | ||
− | | colspan="2" align="center" | + | | colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]] |
|} | |} | ||
Line 85: | Line 85: | ||
* [[#csp | Content-Security-Policy]] | * [[#csp | Content-Security-Policy]] | ||
* [[#xpcdp | X-Permitted-Cross-Domain-Policies]] | * [[#xpcdp | X-Permitted-Cross-Domain-Policies]] | ||
+ | * [[#rp | Referrer-Policy]] | ||
==<div id="hsts">HTTP Strict Transport Security (HSTS)</div>== | ==<div id="hsts">HTTP Strict Transport Security (HSTS)</div>== | ||
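Review bot: the new `* [[#rp | Referrer-Policy]]` entry links to the fragment `rp`, but a wiki fragment link only resolves if a heading carries a matching anchor; the other entries in this list pair with headings such as `==<div id="hsts">HTTP Strict Transport Security (HSTS)</div>==` just below. Make sure the Headers tab gains a `==<div id="rp">Referrer-Policy</div>==` section in the same revision, otherwise the new link is dead.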
Line 475: | Line 476: | ||
This section cover a list of tools to analyze, develop and administrate HTTP secure headers in order to help achieve more secure and trustworthy web systems. | This section cover a list of tools to analyze, develop and administrate HTTP secure headers in order to help achieve more secure and trustworthy web systems. | ||
− | {| width="100%" cellpadding="7" cellspacing="0"<col width="325"><col width="316"> | + | {| width="100%" cellpadding="7" cellspacing="0" <col width="325"><col width="316"> |
! ead | | ! ead | | ||
|- valign="top" | |- valign="top" | ||
| width="50%" bgcolor="#d9d9d9" style="border: 1.00pt solid #000001; padding: 0.18cm" | '''Analysis Tools''' | | width="50%" bgcolor="#d9d9d9" style="border: 1.00pt solid #000001; padding: 0.18cm" | '''Analysis Tools''' | ||
− | | width=“50%” bgcolor="#d9d9d9" style="border: 1.00pt solid #000001; padding: 0.18cm" | '''Reference''' | + | | width="“50%”" bgcolor="#d9d9d9" style="border: 1.00pt solid #000001; padding: 0.18cm" | '''Reference''' |
− | |||
|- valign="top" | |- valign="top" | ||
− | | width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | | + | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" | |
'''hsecscan''' | '''hsecscan''' | ||
− | <font size="2" style="font-size: 9pt”> | + | <font size="2" style="font-size: 9pt”"> |
A security scanner for HTTP response headers. | A security scanner for HTTP response headers. | ||
</font> | </font> | ||
− | | width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | | + | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" | |
<font size="2" style="font-size: 9pt"> | <font size="2" style="font-size: 9pt"> | ||
* Github: https://github.com/riramar/hsecscan | * Github: https://github.com/riramar/hsecscan | ||
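Review bot: the replacement of `width=“50%”` with `width="“50%”"` (and of `style="font-size: 9pt”>` with `style="font-size: 9pt”">`) throughout this hunk does not repair the attributes, it wraps the typographic quotes inside straight ones, so the width value becomes the literal string `“50%”`, which is not a valid length, and the style attribute still carries a stray `”`. The fix is to replace the curly quotes rather than wrap them: `width="50%"` and `style="font-size: 9pt"`, matching the already-correct cells in the same table (`| width="50%" bgcolor="#d9d9d9" ...` and `<font size="2" style="font-size: 9pt">`). The same substitution is repeated in every later hunk of this table and should be corrected everywhere at once.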
Line 496: | Line 496: | ||
|- valign="top" | |- valign="top" | ||
− | | width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | | + | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" | |
'''headers''' | '''headers''' | ||
− | <font size="2" style="font-size: 9pt”> | + | <font size="2" style="font-size: 9pt”"> |
Python script to get some response headers from Alexa top sites file and store in a MySQL database. | Python script to get some response headers from Alexa top sites file and store in a MySQL database. | ||
</font> | </font> | ||
− | | width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | | + | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" | |
<font size="2" style="font-size: 9pt"> | <font size="2" style="font-size: 9pt"> | ||
* Github: https://github.com/oshp/headers/ | * Github: https://github.com/oshp/headers/ | ||
Line 509: | Line 509: | ||
|- valign="top" | |- valign="top" | ||
− | | width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | | + | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" | |
'''securityheaders.io''' | '''securityheaders.io''' | ||
Line 516: | Line 516: | ||
</font> | </font> | ||
− | | width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | | + | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" | |
<font size="2" style="font-size: 9pt"> | <font size="2" style="font-size: 9pt"> | ||
* Site: https://securityheaders.io/ | * Site: https://securityheaders.io/ | ||
Line 522: | Line 522: | ||
|- valign="top" | |- valign="top" | ||
− | | width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | | + | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" | |
'''Mozilla Observatory''' | '''Mozilla Observatory''' | ||
Line 529: | Line 529: | ||
</font> | </font> | ||
− | | width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | | + | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" | |
<font size="2" style="font-size: 9pt"> | <font size="2" style="font-size: 9pt"> | ||
* Site: https://mozilla.github.io/http-observatory-website/ | * Site: https://mozilla.github.io/http-observatory-website/ | ||
Line 535: | Line 535: | ||
|- valign="top" | |- valign="top" | ||
− | | width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | | + | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" | |
'''High-Tech Bridge Web Security Scanner''' | '''High-Tech Bridge Web Security Scanner''' | ||
Line 542: | Line 542: | ||
</font> | </font> | ||
− | | width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | | + | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" | |
− | <font size="2" style="font-size: 9pt”> | + | <font size="2" style="font-size: 9pt”"> |
* Site: https://www.htbridge.com/websec/ | * Site: https://www.htbridge.com/websec/ | ||
</font> | </font> | ||
|- valign="top" | |- valign="top" | ||
− | | width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | | + | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" | |
'''Check Your Headers''' | '''Check Your Headers''' | ||
Line 555: | Line 555: | ||
</font> | </font> | ||
− | | width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | | + | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" | |
− | <font size="2" style="font-size: 9pt”> | + | <font size="2" style="font-size: 9pt”"> |
* Site: https://cyh.herokuapp.com/cyh | * Site: https://cyh.herokuapp.com/cyh | ||
</font> | </font> | ||
− | |||
|- valign="top" | |- valign="top" | ||
− | | width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | | + | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" | |
'''Recx Security Analyser''' | '''Recx Security Analyser''' | ||
Line 569: | Line 568: | ||
</font> | </font> | ||
− | | width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | | + | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" | |
− | <font size="2" style="font-size: 9pt”> | + | <font size="2" style="font-size: 9pt”"> |
* Site: https://chrome.google.com/webstore/detail/recx-security-analyser/ljafjhbjenhgcgnikniijchkngljgjda | * Site: https://chrome.google.com/webstore/detail/recx-security-analyser/ljafjhbjenhgcgnikniijchkngljgjda | ||
</font> | </font> | ||
|- valign="top" | |- valign="top" | ||
− | | width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | | + | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" | |
'''KickOff''' | '''KickOff''' | ||
Line 582: | Line 581: | ||
</font> | </font> | ||
− | | width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | | + | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" | |
− | <font size="2" style="font-size: 9pt”> | + | <font size="2" style="font-size: 9pt”"> |
* Site: https://github.com/frickelbruder/kickoff | * Site: https://github.com/frickelbruder/kickoff | ||
</font> | </font> | ||
Line 589: | Line 588: | ||
|} | |} | ||
− | {| width="100%" cellpadding="7" cellspacing="0"<col width="325"><col width="316"> | + | {| width="100%" cellpadding="7" cellspacing="0" <col width="325"><col width="316"> |
! ead | | ! ead | | ||
|- valign="top" | |- valign="top" | ||
| width="50%" bgcolor="#d9d9d9" style="border: 1.00pt solid #000001; padding: 0.18cm" | '''Development Libraries''' | | width="50%" bgcolor="#d9d9d9" style="border: 1.00pt solid #000001; padding: 0.18cm" | '''Development Libraries''' | ||
− | | width=“50%” bgcolor="#d9d9d9" style="border: 1.00pt solid #000001; padding: 0.18cm" | '''Language''' | + | | width="“50%”" bgcolor="#d9d9d9" style="border: 1.00pt solid #000001; padding: 0.18cm" | '''Language''' |
− | | width=“50%” bgcolor="#d9d9d9" style="border: 1.00pt solid #000001; padding: 0.18cm" | '''Reference''' | + | | width="“50%”" bgcolor="#d9d9d9" style="border: 1.00pt solid #000001; padding: 0.18cm" | '''Reference''' |
|- valign="top" | |- valign="top" | ||
− | | width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | | + | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" | |
'''secureheaders''' | '''secureheaders''' | ||
Line 604: | Line 603: | ||
</font> | </font> | ||
− | | width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | | + | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" | |
− | <font size="2" style="font-size: 9pt”> | + | <font size="2" style="font-size: 9pt”"> |
* Ruby | * Ruby | ||
</font> | </font> | ||
− | | width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | | + | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" | |
− | <font size="2" style="font-size: 9pt”> | + | <font size="2" style="font-size: 9pt”"> |
* Github: https://github.com/twitter/secureheaders | * Github: https://github.com/twitter/secureheaders | ||
</font> | </font> | ||
|- valign="top" | |- valign="top" | ||
− | | width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | | + | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" | |
'''Security Header Injection Module (SHIM)''' | '''Security Header Injection Module (SHIM)''' | ||
− | <font size="2" style="font-size: 9pt”> | + | <font size="2" style="font-size: 9pt”"> |
SHIM is a HTTP module that provides protection for many vulnerabilities by injecting security-specific HTTP headers into ASP.NET web applications. | SHIM is a HTTP module that provides protection for many vulnerabilities by injecting security-specific HTTP headers into ASP.NET web applications. | ||
</font> | </font> | ||
− | | width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | | + | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" | |
− | <font size="2" style="font-size: 9pt”> | + | <font size="2" style="font-size: 9pt”"> |
* ASP.NET | * ASP.NET | ||
</font> | </font> | ||
− | | width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | | + | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" | |
<font size="2" style="font-size: 9pt"> | <font size="2" style="font-size: 9pt"> | ||
Line 634: | Line 633: | ||
|- valign="top" | |- valign="top" | ||
− | | width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | | + | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" | |
'''Spring Security''' | '''Spring Security''' | ||
− | <font size="2" style="font-size: 9pt”> | + | <font size="2" style="font-size: 9pt”"> |
Spring Security’s support for adding various security headers to the response. | Spring Security’s support for adding various security headers to the response. | ||
</font> | </font> | ||
− | | width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | | + | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" | |
− | <font size="2" style="font-size: 9pt”> | + | <font size="2" style="font-size: 9pt”"> |
* Java | * Java | ||
</font> | </font> | ||
− | | width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | | + | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" | |
<font size="2" style="font-size: 9pt"> | <font size="2" style="font-size: 9pt"> | ||
Line 653: | Line 652: | ||
|- valign="top" | |- valign="top" | ||
− | | width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | | + | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" | |
'''rack-secure_headers''' | '''rack-secure_headers''' | ||
− | <font size="2" style="font-size: 9pt”> | + | <font size="2" style="font-size: 9pt”"> |
Security related HTTP headers for Rack applications. | Security related HTTP headers for Rack applications. | ||
</font> | </font> | ||
− | | width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | | + | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" | |
− | <font size="2" style="font-size: 9pt”> | + | <font size="2" style="font-size: 9pt”"> |
* Rack | * Rack | ||
</font> | </font> | ||
− | | width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | | + | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" | |
<font size="2" style="font-size: 9pt"> | <font size="2" style="font-size: 9pt"> | ||
Line 672: | Line 671: | ||
|- valign="top" | |- valign="top" | ||
− | | width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | | + | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" | |
'''helmet and hood''' | '''helmet and hood''' | ||
− | <font size="2" style="font-size: 9pt”> | + | <font size="2" style="font-size: 9pt”"> |
Node.js (express). | Node.js (express). | ||
</font> | </font> | ||
− | | width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | | + | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" | |
− | <font size="2" style="font-size: 9pt”> | + | <font size="2" style="font-size: 9pt”"> |
* Node.js (express) | * Node.js (express) | ||
</font> | </font> | ||
− | | width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | | + | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" | |
<font size="2" style="font-size: 9pt"> | <font size="2" style="font-size: 9pt"> | ||
Line 692: | Line 691: | ||
|- valign="top" | |- valign="top" | ||
− | | width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | | + | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" | |
'''blankie''' | '''blankie''' | ||
− | <font size="2" style="font-size: 9pt”> | + | <font size="2" style="font-size: 9pt”"> |
A CSP plugin for hapi. | A CSP plugin for hapi. | ||
</font> | </font> | ||
− | | width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | | + | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" | |
− | <font size="2" style="font-size: 9pt”> | + | <font size="2" style="font-size: 9pt”"> |
* Node.js (hapi) | * Node.js (hapi) | ||
</font> | </font> | ||
− | | width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | | + | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" | |
<font size="2" style="font-size: 9pt"> | <font size="2" style="font-size: 9pt"> | ||
Line 711: | Line 710: | ||
|- valign="top" | |- valign="top" | ||
− | | width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | | + | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" | |
'''NWebsec''' | '''NWebsec''' | ||
− | <font size="2" style="font-size: 9pt”> | + | <font size="2" style="font-size: 9pt”"> |
NWebsec consists of several security libraries for ASP.NET applications. | NWebsec consists of several security libraries for ASP.NET applications. | ||
</font> | </font> | ||
− | | width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | | + | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" | |
− | <font size="2" style="font-size: 9pt”> | + | <font size="2" style="font-size: 9pt”"> |
* ASP.NET | * ASP.NET | ||
</font> | </font> | ||
− | | width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | | + | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" | |
<font size="2" style="font-size: 9pt"> | <font size="2" style="font-size: 9pt"> | ||
Line 730: | Line 729: | ||
|- valign="top" | |- valign="top" | ||
− | | width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | | + | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" | |
'''django-csp + commonware; django-security''' | '''django-csp + commonware; django-security''' | ||
− | <font size="2" style="font-size: 9pt”> | + | <font size="2" style="font-size: 9pt”"> |
django-csp + commonware; django-security. | django-csp + commonware; django-security. | ||
</font> | </font> | ||
− | | width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | | + | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" | |
− | <font size="2" style="font-size: 9pt”> | + | <font size="2" style="font-size: 9pt”"> |
* Python | * Python | ||
</font> | </font> | ||
− | | width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | | + | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" | |
<font size="2" style="font-size: 9pt"> | <font size="2" style="font-size: 9pt"> | ||
Line 751: | Line 750: | ||
|- valign="top" | |- valign="top" | ||
− | | width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | | + | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" | |
'''secureheader''' | '''secureheader''' | ||
− | <font size="2" style="font-size: 9pt”> | + | <font size="2" style="font-size: 9pt”"> |
Package secureheader adds some HTTP header fields widely considered to improve safety of HTTP requests. | Package secureheader adds some HTTP header fields widely considered to improve safety of HTTP requests. | ||
</font> | </font> | ||
− | | width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | | + | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" | |
− | <font size="2" style="font-size: 9pt”> | + | <font size="2" style="font-size: 9pt”"> |
* Go | * Go | ||
</font> | </font> | ||
− | | width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | | + | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" | |
<font size="2" style="font-size: 9pt"> | <font size="2" style="font-size: 9pt"> | ||
Line 770: | Line 769: | ||
|- valign="top" | |- valign="top" | ||
− | | width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | | + | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" | |
'''secure_headers''' | '''secure_headers''' | ||
− | <font size="2" style="font-size: 9pt”> | + | <font size="2" style="font-size: 9pt”"> |
This Plug will automatically apply several security headers to the Plug.Conn response. By design SecureHeaders will attempt to apply the most strict security policy. Although, security headers are configurable and are validated to avoid misconfiguration. | This Plug will automatically apply several security headers to the Plug.Conn response. By design SecureHeaders will attempt to apply the most strict security policy. Although, security headers are configurable and are validated to avoid misconfiguration. | ||
</font> | </font> | ||
− | | width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | | + | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" | |
− | <font size="2" style="font-size: 9pt”> | + | <font size="2" style="font-size: 9pt”"> |
* Elixir | * Elixir | ||
</font> | </font> | ||
− | | width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | | + | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" | |
<font size="2" style="font-size: 9pt"> | <font size="2" style="font-size: 9pt"> | ||
Line 789: | Line 788: | ||
|- valign="top" | |- valign="top" | ||
− | | width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | | + | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" | |
'''dropwizard-web-security''' | '''dropwizard-web-security''' | ||
− | <font size="2" style="font-size: 9pt”> | + | <font size="2" style="font-size: 9pt”"> |
A bundle for applying default web security functionality to a dropwizard application. | A bundle for applying default web security functionality to a dropwizard application. | ||
</font> | </font> | ||
− | | width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | | + | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" | |
− | <font size="2" style="font-size: 9pt”> | + | <font size="2" style="font-size: 9pt”"> |
* Dropwizard | * Dropwizard | ||
</font> | </font> | ||
− | | width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | | + | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" | |
<font size="2" style="font-size: 9pt"> | <font size="2" style="font-size: 9pt"> | ||
Line 808: | Line 807: | ||
|- valign="top" | |- valign="top" | ||
− | | width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | | + | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" | |
'''ember-cli-content-security-policy''' | '''ember-cli-content-security-policy''' | ||
− | <font size="2" style="font-size: 9pt”> | + | <font size="2" style="font-size: 9pt”"> |
This addon makes it easy to use Content Security Policy (CSP) in your project. It can be deployed either via a Content-Security-Policy header sent from the Ember CLI Express server, or as a meta tag in the index.html file. | This addon makes it easy to use Content Security Policy (CSP) in your project. It can be deployed either via a Content-Security-Policy header sent from the Ember CLI Express server, or as a meta tag in the index.html file. | ||
</font> | </font> | ||
− | | width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | | + | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" | |
− | <font size="2" style="font-size: 9pt”> | + | <font size="2" style="font-size: 9pt”"> |
* Ember.js | * Ember.js | ||
</font> | </font> | ||
− | | width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | | + | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" | |
<font size="2" style="font-size: 9pt"> | <font size="2" style="font-size: 9pt"> | ||
Line 828: | Line 827: | ||
|} | |} | ||
− | {| width="100%" cellpadding="7" cellspacing="0"<col width="325"><col width="316"> | + | {| width="100%" cellpadding="7" cellspacing="0" <col width="325"><col width="316"> |
! ead | | ! ead | | ||
|- valign="top" | |- valign="top" | ||
| width="50%" bgcolor="#d9d9d9" style="border: 1.00pt solid #000001; padding: 0.18cm" | '''Operation Tools''' | | width="50%" bgcolor="#d9d9d9" style="border: 1.00pt solid #000001; padding: 0.18cm" | '''Operation Tools''' | ||
− | | width=“50%” bgcolor="#d9d9d9" style="border: 1.00pt solid #000001; padding: 0.18cm" | '''Web Servers Supported''' | + | | width="“50%”" bgcolor="#d9d9d9" style="border: 1.00pt solid #000001; padding: 0.18cm" | '''Web Servers Supported''' |
− | | width=“50%” bgcolor="#d9d9d9" style="border: 1.00pt solid #000001; padding: 0.18cm" | '''Reference''' | + | | width="“50%”" bgcolor="#d9d9d9" style="border: 1.00pt solid #000001; padding: 0.18cm" | '''Reference''' |
|- valign="top" | |- valign="top" | ||
− | | width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | | + | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" | |
'''http_hardening''' | '''http_hardening''' | ||
− | <font size="2" style=“font-size:9pt"> | + | <font size="2" style="“font-size:9pt""> |
Puppet module to enable, configure and manage secure http headers on web servers. | Puppet module to enable, configure and manage secure http headers on web servers. | ||
</font> | </font> | ||
− | | width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | | + | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" | |
− | <font size="2" style="font-size: 9pt”> | + | <font size="2" style="font-size: 9pt”"> |
* Apache HTTP Server | * Apache HTTP Server | ||
* NGINX | * NGINX | ||
Line 850: | Line 849: | ||
</font> | </font> | ||
− | | width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | | + | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" | |
− | <font size="2" style="font-size: 9pt”> | + | <font size="2" style="font-size: 9pt”"> |
* Github: https://github.com/amenezes/http_hardening | * Github: https://github.com/amenezes/http_hardening | ||
* Puppet Forge: https://forge.puppet.com/amenezes/http_hardening | * Puppet Forge: https://forge.puppet.com/amenezes/http_hardening | ||
</font> | </font> | ||
− | |||
|} | |} | ||
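Review bot: in the http_hardening row the font tag becomes `<font size="2" style="“font-size:9pt"">`, a different variant of the same error: the style attribute is closed immediately after the opening curly quote and `font-size:9pt""` is left dangling inside the tag, so the cell loses its font size and the HTML is malformed. Write `style="font-size: 9pt"` and `width="50%"` here, as in the header cell `| width="50%" bgcolor="#d9d9d9" ...` of this same table.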
Line 1,193: | Line 1,191: | ||
* Include X-Permitted-Cross-Domain-Policies under Headers and Best Practices tab. | * Include X-Permitted-Cross-Domain-Policies under Headers and Best Practices tab. | ||
− | __NOTOC__ <headertabs /> | + | __NOTOC__ <headertabs></headertabs> |
[[Category:OWASP Project]] | [[Category:OWASP Project]] |
Revision as of 15:34, 26 March 2017
- Main
- Headers
- Compatibility Matrix
- Stats
- Technical Resources
- Top Websites Examples
- Best Practices
- FAQs
- Acknowledgements
- Road Map and Getting Involved
OWASP Secure Headers Project

The OWASP Secure Headers Project involves setting headers from the server, which is easy and often doesn't require any code changes. Once set, they keep modern browsers from running into easily preventable vulnerabilities. The project intends to raise awareness and use of these headers.

Introduction

HTTP headers are well known and also despised. Seeking the balance between usability and security, developers implement functionality through headers that can make an application more versatile or more secure. But in practice, how are these headers being implemented? Which sites follow the best implementation practices? Big companies, small ones, all of them or none?

Description

We aim to publish reports on header usage stats, developments and changes; code libraries that make these headers easily accessible to developers on a range of platforms; and data sets concerning the general usage of these headers.

Licensing

OWASP Secure Headers is free to use. It is licensed under the Apache 2.0 License.
The following is a list of HTTP response headers related to security.
Response Headers
- HTTP Strict Transport Security (HSTS)
- Public Key Pinning Extension for HTTP (HPKP)
- X-Frame-Options
- X-XSS-Protection
- X-Content-Type-Options
- Content-Security-Policy
- X-Permitted-Cross-Domain-Policies
- Referrer-Policy
HTTP Strict Transport Security (HSTS)
HTTP Strict Transport Security (HSTS) is a web security policy mechanism which helps to protect websites against protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol. HSTS is an IETF standards track protocol and is specified in RFC 6797. A server implements an HSTS policy by supplying a header (Strict-Transport-Security) over an HTTPS connection (HSTS headers over HTTP are ignored).
Values
Value | Description |
---|---|
max-age=SECONDS | The time, in seconds, that the browser should remember that this site is only to be accessed using HTTPS. A value of 0 tells the browser to forget the policy. |
includeSubDomains | If this optional parameter is specified, this rule applies to all of the site's subdomains as well. Without it, a subdomain can still be reached over plain HTTP, which exposes cookies scoped to the parent domain. |
preload | Not part of RFC 6797. Signals consent to inclusion in the browsers' built-in HSTS preload lists (see the Chromium link below), which protects even the very first visit; submission requires includeSubDomains and a long max-age. |
Example
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
References
- https://tools.ietf.org/html/rfc6797
- https://www.owasp.org/index.php/HTTP_Strict_Transport_Security
- https://www.owasp.org/index.php/Test_HTTP_Strict_Transport_Security_(OTG-CONFIG-007)
- https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
- https://www.chromium.org/hsts
- https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
- https://raymii.org/s/tutorials/HTTP_Strict_Transport_Security_for_Apache_NGINX_and_Lighttpd.html
Public Key Pinning Extension for HTTP (HPKP)
HTTP Public Key Pinning (HPKP) is a security mechanism which allows HTTPS websites to resist impersonation by attackers using mis-issued or otherwise fraudulent certificates (for example, an attacker who has compromised a certificate authority can have certificates mis-issued for a web origin).
The HTTPS web server serves a list of public key hashes, and on subsequent connections clients expect that server to use one or more of those public keys in its certificate chain. Deploying HPKP safely requires operational and organizational maturity, because a host that pins to a set of public key hashes which later becomes invalid (a key lost or rotated without a pinned backup) makes itself unavailable to every returning client for the rest of max-age. With care, host operators can greatly reduce the risk of man-in-the-middle (MITM) attacks and other false authentication problems for their users without incurring undue risk. Note that browser vendors have since withdrawn support: Chromium removed HPKP in 2019 and Firefox in 2020, so the header is now mainly of historical interest and should not be newly deployed.
Values
Value | Description |
---|---|
pin-sha256="<sha256>" | The quoted string is the Base64 encoding of the SHA-256 hash of the DER-encoded Subject Public Key Info (SPKI) of a certificate in the chain. The pin covers the key, not the whole certificate, so it survives renewal with the same key. Multiple pins may be given, and at least one must be a backup pin for a key that is not in the current chain. Some browsers might allow other hashing algorithms than SHA-256 in the future. |
max-age=SECONDS | The time, in seconds, that the browser should remember that this site is only to be accessed using one of the pinned keys. |
includeSubDomains | If this optional parameter is specified, this rule applies to all of the site's subdomains as well. |
report-uri="<URL>" | If this optional parameter is specified, pin validation failures are reported to the given URL. |
Example
Public-Key-Pins: pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM="; pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="; report-uri="http://example.com/pkp-report"; max-age=10000; includeSubDomains
References
- https://tools.ietf.org/html/rfc7469
- https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning#HTTP_pinning
- https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
- https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning
- https://raymii.org/s/articles/HTTP_Public_Key_Pinning_Extension_HPKP.html
- https://labs.detectify.com/2016/07/05/what-hpkp-is-but-isnt/
- https://blog.qualys.com/ssllabs/2016/09/06/is-http-public-key-pinning-dead
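As an added example (the editor's code, not the project's), the following Python computes pin-sha256 values the way RFC 7469 defines them and assembles a Public-Key-Pins value from the directives in the table above, refusing a policy that has no backup pin. The two SubjectPublicKeyInfo blobs are constructed from a fixed DER prefix and synthetic key bytes; for a real deployment the SPKI comes from the certificate or CSR, for example with `openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64`.

```python
# Added example (editor's, not OWASP project code): compute HPKP pins and build
# a Public-Key-Pins value. The two SPKIs below are constructed stand-ins, not
# real keys; the pin formula is RFC 7469's: base64(SHA-256(DER SubjectPublicKeyInfo)).
import base64
import hashlib

# DER prefix of a SubjectPublicKeyInfo carrying an Ed25519 key (RFC 8410):
# SEQUENCE { SEQUENCE { OID 1.3.101.112 } BIT STRING (0 unused bits, 32 bytes) }
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")

# Constructed sample keys: one "live" key and one offline backup key.
LIVE_SPKI = ED25519_SPKI_PREFIX + bytes(range(32))
BACKUP_SPKI = ED25519_SPKI_PREFIX + bytes(range(32, 64))


def spki_pin(spki_der):
    """pin-sha256 value for one key: SHA-256 over the DER SPKI, Base64-encoded."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def build_hpkp_header(spkis, max_age, include_subdomains=False, report_uri=None):
    """Assemble the Public-Key-Pins header value.

    RFC 7469 s2.5 requires a backup pin, i.e. at least one pin that matches no
    key in the served chain, so a single pin is refused: pinning one key with
    no backup is exactly how sites lock themselves out after a key rotation.
    """
    pins = sorted({spki_pin(s) for s in spkis})
    if len(pins) < 2:
        raise ValueError("HPKP needs at least two pins (live key plus an offline backup)")
    directives = [f'pin-sha256="{p}"' for p in pins]
    directives.append(f"max-age={int(max_age)}")
    if include_subdomains:
        directives.append("includeSubDomains")
    if report_uri:
        directives.append(f'report-uri="{report_uri}"')
    return "; ".join(directives)


def chain_matches_pins(header_value, chain_spkis):
    """Client-side rule: the chain is accepted if any of its SPKIs hashes to a pin."""
    pinned = set()
    for part in header_value.split(";"):
        name, _, val = part.strip().partition("=")
        if name.strip().lower() == "pin-sha256":
            pinned.add(val.strip().strip('"'))
    return any(spki_pin(s) in pinned for s in chain_spkis)


if __name__ == "__main__":
    header = build_hpkp_header([LIVE_SPKI, BACKUP_SPKI], max_age=10000,
                               include_subdomains=True,
                               report_uri="https://example.com/pkp-report")
    print("Public-Key-Pins:", header)
    print("live chain accepted:", chain_matches_pins(header, [LIVE_SPKI]))
    print("chain rotated to an unpinned key accepted:",
          chain_matches_pins(header, [ED25519_SPKI_PREFIX + bytes(32)]))
```

chain_matches_pins mirrors the user agent's rule: validation succeeds when any SPKI in the served chain hashes to a remembered pin, which is why rotating to a key that was never pinned (the last print) locks returning clients out for the rest of max-age, and why the backup pin must belong to a key that is kept offline and ready.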
X-Frame-Options
The X-Frame-Options response header improves the protection of web applications against clickjacking. It declares a policy, communicated from the host to the client browser, on whether the browser may display the transmitted content in frames of other web pages. Note that the ALLOW-FROM value was only ever implemented by Internet Explorer and Firefox; Chrome and Safari ignore it, so a policy that must allow specific framing origins should use the CSP frame-ancestors directive instead (browsers that support frame-ancestors give it precedence over X-Frame-Options when both are present).
Values
Value | Description
---|---
deny | No rendering within a frame, regardless of the framing page.
sameorigin | No rendering if the framing page's origin does not match.
allow-from URI | Allows rendering only if the framing page was loaded from the origin given by URI (the value is separated from allow-from by a space, not a colon).
Example
X-Frame-Options: deny
References
- https://tools.ietf.org/html/rfc7034
- https://tools.ietf.org/html/draft-ietf-websec-x-frame-options-01
- https://tools.ietf.org/html/draft-ietf-websec-frame-options-00
- https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
- https://www.owasp.org/index.php/Clickjacking
- https://blogs.msdn.microsoft.com/ieinternals/2010/03/30/combating-clickjacking-with-x-frame-options/
X-XSS-Protection
This header enables the cross-site scripting (XSS) filter built into some browsers. The filter was a heuristic defence against reflected XSS only; it has since been removed from Chromium-based browsers and was never present in Firefox, so it should be treated as a legacy header and never relied on in place of output encoding and a Content Security Policy. Some large sites deliberately send 0 (see the captured headers on this page) because the filter could break legitimate pages and its blocking behaviour could be abused as a side channel.
Values
Value | Description
---|---
0 | Filter disabled.
1 | Filter enabled. If a cross-site scripting attack is detected, the browser sanitizes the page in order to stop the attack.
1; mode=block | Filter enabled. Rather than sanitizing the page, the browser prevents rendering of the page when an XSS attack is detected.
1; report=http://[YOURDOMAIN]/your_report_URI | Filter enabled. The browser sanitizes the page and reports the violation. This is a Chromium function utilizing CSP violation reports to send details to a URI of your choice.
Example
X-XSS-Protection: 1; mode=block
References
- https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
- https://www.virtuesecurity.com/blog/understanding-xss-auditor/
- https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers
- http://zinoui.com/blog/security-http-headers#x-xss-protection
X-Content-Type-Options
Setting this header prevents the browser from interpreting a response as a type other than the one declared in its Content-Type header (MIME sniffing). Its main security value is that the browser refuses to execute scripts or apply stylesheets whose declared type does not match, and will not sniff an uploaded file (an image, say) into HTML.
Values
Value | Description
---|---
nosniff | Prevents the browser from MIME-sniffing a response away from the declared content type.
Example
X-Content-Type-Options: nosniff
References
- https://msdn.microsoft.com/en-us/library/gg622941%28v=vs.85%29.aspx
- https://blogs.msdn.microsoft.com/ie/2008/09/02/ie8-security-part-vi-beta-2-update/
Content-Security-Policy
Content Security Policy (CSP) requires careful tuning and a precise definition of the policy. If enabled, CSP has a significant impact on the way the browser renders pages (for example, inline JavaScript is disabled by default and must be explicitly allowed in the policy). CSP prevents a wide range of attacks, including cross-site scripting and other cross-site injections, by restricting where each kind of resource may be loaded from. Always trial a new policy with Content-Security-Policy-Report-Only and a report-uri before enforcing it.
Values
Directive | Description
---|---
base-uri | Restricts the URLs that may be used in the document's <base> element, and so the base for relative URLs.
default-src | Defines the loading policy for all resource types for which a dedicated directive is not defined (fallback).
script-src | Defines which scripts the protected resource can execute.
object-src | Defines from where the protected resource can load plugins.
style-src | Defines which styles (CSS) the user agent applies to the protected resource.
img-src | Defines from where the protected resource can load images.
media-src | Defines from where the protected resource can load video and audio.
frame-src | Defines from where the protected resource can embed frames. Deprecated in CSP Level 2 in favour of child-src, but restored in CSP Level 3, where child-src is only a fallback for it.
child-src | Defines from where the protected resource can embed frames and load workers.
frame-ancestors | Defines from where the protected resource can be embedded in frames (the CSP replacement for X-Frame-Options).
font-src | Defines from where the protected resource can load fonts.
connect-src | Defines which URIs the protected resource can load using script interfaces (XMLHttpRequest, fetch, WebSocket, EventSource).
manifest-src | Defines from where the protected resource can load its application manifest.
form-action | Defines which URIs can be used as the action of HTML form elements.
sandbox | Specifies an HTML sandbox policy that the user agent applies to the protected resource.
script-nonce | Early draft directive that required a nonce on script elements; the standardized form is the 'nonce-<value>' source expression inside script-src.
plugin-types | Defines the set of plugins that can be invoked by the protected resource by limiting the MIME types of resources that can be embedded.
reflected-xss | Draft-only directive (dropped from CSP Level 2) that instructed a user agent to activate or deactivate any heuristics used to filter or block reflected cross-site scripting attacks, equivalent to the effects of the non-standard X-XSS-Protection header.
block-all-mixed-content | Prevents the user agent from loading mixed content.
upgrade-insecure-requests | Instructs the user agent to rewrite insecure (http:) resource URLs to https: before fetching them.
referrer | Draft directive defining what the user agent must send in the Referer header; superseded by the Referrer-Policy response header.
report-uri | Specifies a URI to which the user agent sends reports about policy violations.
report-to | Specifies a group (defined in the Report-To header) to which the user agent sends reports about policy violations.
Example
Content-Security-Policy: script-src 'self'
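The example above is the minimum that makes script-src restrictive, but on its own it leaves object-src, base-uri and frame-ancestors unconstrained. The Python below, added here as an illustration and not part of the OWASP project, parses a policy the way a browser does (the first occurrence of a directive wins, fetch directives fall back to default-src) and flags the settings a reviewer checks first. PERMISSIVE and HARDENED are constructed for the example; PAGE_EXAMPLE is the policy shown above.

```python
"""Content-Security-Policy parser and a first-pass audit of weak settings.

Added example, not the OWASP project's own code.  The policies at the bottom
are constructed for illustration; PAGE_EXAMPLE is the page's own example.
"""

# Fetch directives that fall back to default-src when absent (CSP Level 2/3).
FETCH_DIRECTIVES = {
    "script-src", "style-src", "img-src", "media-src", "font-src",
    "connect-src", "object-src", "frame-src", "child-src", "manifest-src",
}
BROAD_SOURCES = {"*", "http:", "https:", "data:", "blob:"}


def parse_csp(policy: str) -> dict:
    """Map directive name -> list of source expressions.

    A directive repeated within one policy is ignored after its first
    occurrence, as browsers do, so a 'hardening' duplicate appended later
    has no effect.
    """
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def effective_sources(directives: dict, name: str):
    """Resolve a fetch directive through its fallback chain; None means unrestricted."""
    if name in directives:
        return directives[name]
    if name == "frame-src" and "child-src" in directives:
        return directives["child-src"]
    if name in FETCH_DIRECTIVES:
        return directives.get("default-src")
    return None


def audit_csp(policy: str) -> list:
    """Return the findings a reviewer checks first; an empty list is a clean policy."""
    d = parse_csp(policy)
    findings = []

    scripts = effective_sources(d, "script-src")
    if scripts is None:
        findings.append("script-src: unrestricted (neither script-src nor default-src set)")
    else:
        # Per CSP Level 2, 'unsafe-inline' is ignored when a nonce or hash source
        # is present, so it only weakens the policy when no nonce/hash is there.
        has_nonce_or_hash = any(
            s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in scripts
        )
        if "'unsafe-inline'" in scripts and not has_nonce_or_hash:
            findings.append("script-src: 'unsafe-inline' lets injected inline scripts run")
        if "'unsafe-eval'" in scripts:
            findings.append("script-src: 'unsafe-eval' allows eval() and string-to-code APIs")
        for source in scripts:
            if source in BROAD_SOURCES:
                findings.append(f"script-src: overly broad source {source}")

    objects = effective_sources(d, "object-src")
    if objects is None:
        findings.append("object-src: unrestricted; set object-src 'none' (plugins can run script)")
    elif "*" in objects:
        findings.append("object-src: wildcard source; set object-src 'none'")

    if "base-uri" not in d:
        findings.append("base-uri: missing; an injected <base> tag can redirect relative script URLs")
    if "frame-ancestors" not in d:
        findings.append("frame-ancestors: missing; framing is controlled only by X-Frame-Options")
    return findings


# The page's own minimal example, then a constructed permissive and a hardened policy.
PAGE_EXAMPLE = "script-src 'self'"
PERMISSIVE = "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'"
HARDENED = ("default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; "
            "object-src 'none'; base-uri 'self'; frame-ancestors 'none'")

if __name__ == "__main__":
    for label, policy in (("page example", PAGE_EXAMPLE), ("permissive", PERMISSIVE), ("hardened", HARDENED)):
        print(label, audit_csp(policy) or ["no findings"])
```

Run against the captured policies further down this page, the checker reports 'unsafe-inline' and 'unsafe-eval' on the Facebook policy, only 'unsafe-eval' on Twitter's (its script-src carries a nonce, which makes 'unsafe-inline' moot), and nothing on GitHub's.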
References
- https://www.w3.org/TR/CSP/
- https://developer.mozilla.org/en-US/docs/Web/Security/CSP
- https://www.owasp.org/index.php/Content_Security_Policy
- https://scotthelme.co.uk/content-security-policy-an-introduction/
- https://report-uri.io
- http://www.cspplayground.com/home
- http://content-security-policy.com
X-Permitted-Cross-Domain-Policies
A cross-domain policy file is an XML document that grants a web client, such as Adobe Flash Player or Adobe Acrobat (though not necessarily limited to these), permission to handle data across domains. When clients request content hosted on a particular source domain and that content makes requests directed towards a domain other than its own, the remote domain needs to host a cross-domain policy file that grants access to the source domain, allowing the client to continue the transaction. Normally a meta-policy is declared in the master policy file (/crossdomain.xml), but those who cannot write to the root directory can also declare a meta-policy using the X-Permitted-Cross-Domain-Policies HTTP response header. For a site that serves no Flash or PDF content at all, none is the right value: it stops a policy file that an attacker manages to upload elsewhere on the site from being honoured.
Values
Value | Description
---|---
none | No policy files are allowed anywhere on the target server, including this master policy file.
master-only | Only this master policy file is allowed.
by-content-type | [HTTP/HTTPS only] Only policy files served with Content-Type: text/x-cross-domain-policy are allowed.
by-ftp-filename | [FTP only] Only policy files whose file names are crossdomain.xml (i.e. URLs ending in /crossdomain.xml) are allowed.
all | All policy files on this target domain are allowed.
Example
X-Permitted-Cross-Domain-Policies: none
References
- https://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/xdomain.html
- https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html
- https://www.perpetual-beta.org/weblog/security-headers.html#rule-8470-2-establish-a-cross-domain-meta-policy
- https://danielnixon.org/http-security-headers/
- https://rorsecurity.info/portfolio/new-http-headers-for-more-security
- https://github.com/twitter/secureheaders/issues/88
Browser Support
Header | Internet Explorer | Edge | Firefox | Chrome | Safari | Opera | Android
---|---|---|---|---|---|---|---
HTTP Strict Transport Security (HSTS) | 11 | 13 | 47 | 49 | 9.1 | 39 | 4.4
Public Key Pinning Extension for HTTP (HPKP) | NS | NS | 47 | 49 | NS | 39 | 51
X-Frame-Options | 8 | 13 | 47 | 49 | 9.1 | 39 | 4.4
X-XSS-Protection | 8 | NS | | | | |
X-Content-Type-Options | 8 | 51 | 1.0 | NS | 13 | |
Content-Security-Policy | 11 | 13 | 47 | 49 | 9.1 | 39 | 4.4
X-Permitted-Cross-Domain-Policies | | | | | | |
NS = Not Supported. Blank = no data recorded.
References
- HTTP Strict Transport Security (HSTS)
  - https://blogs.windows.com/msedgedev/2015/06/09/http-strict-transport-security-comes-to-internet-explorer-11-on-windows-8-1-and-windows-7/
  - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
  - https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet
  - http://caniuse.com/#search=HSTS
- Public Key Pinning Extension for HTTP (HPKP)
- X-Frame-Options
- X-XSS-Protection
- X-Content-Type-Options
- Content-Security-Policy
- X-Permitted-Cross-Domain-Policies
This section covers tools and libraries that analyze, set and manage HTTP security headers, to help build more secure and trustworthy web systems.
Analysis Tools | Description
---|---
hsecscan | A security scanner for HTTP response headers.
headers | Python script to get some response headers from the Alexa top sites file and store them in a MySQL database.
securityheaders.io | There are services out there that will analyse the HTTP response headers of other sites but I also wanted to add a rating system to the results. The HTTP response headers that this site analyses provide huge levels of protection and it's important that sites deploy them. Hopefully, by providing an easy mechanism to assess them, and further information on how to deploy missing headers, we can drive up the usage of security based headers across the web.
Mozilla Observatory | A Mozilla project designed to help developers, system administrators, and security professionals configure their sites safely and securely.
High-Tech Bridge Web Security Scanner | An online service that retrieves and analyses header syntax and configuration in a comprehensive way. It can, for instance, highlight whether a Public-Key-Pins value matches one certificate of the chain, or whether Content-Security-Policy contains values that could be unsafe or too permissive.
Check Your Headers | Just another web scanner for HTTP response headers.
Recx Security Analyser | Chrome extension that allows the inspection of security aspects of a site's HTTP headers, cookies and other key security settings.
KickOff | While each project you launch may have a different feature set, they often share many of the same performance, SEO and security requirements. This tool aims to automate the process of checking your list of requirements shortly before launch or directly after a deployment.
Development Libraries | Language | Description
---|---|---
secureheaders | Ruby | Security related headers all in one gem.
Security Header Injection Module (SHIM) | ASP.NET | An HTTP module that provides protection for many vulnerabilities by injecting security-specific HTTP headers into ASP.NET web applications.
Spring Security | Java | Spring Security's support for adding various security headers to the response.
rack-secure_headers | Ruby | Security related HTTP headers for Rack applications.
helmet and hood | Node.js | Security header middleware for Node.js (express).
blankie | Node.js | A CSP plugin for hapi.
NWebsec | ASP.NET | NWebsec consists of several security libraries for ASP.NET applications.
django-csp + commonware; django-security | Python | CSP and other security-header middleware for Django.
secureheader | Go | Package secureheader adds some HTTP header fields widely considered to improve safety of HTTP requests.
secure_headers | Elixir | This Plug will automatically apply several security headers to the Plug.Conn response. By design SecureHeaders will attempt to apply the most strict security policy, although security headers are configurable and are validated to avoid misconfiguration.
dropwizard-web-security | Java | A bundle for applying default web security functionality to a dropwizard application.
ember-cli-content-security-policy | JavaScript | This addon makes it easy to use Content Security Policy (CSP) in your project. It can be deployed either via a Content-Security-Policy header sent from the Ember CLI Express server, or as a meta tag in the index.html file.
Operation Tools | Description
---|---
http_hardening | Puppet module to enable, configure and manage secure http headers on web servers.
|
HTTP response headers from the top websites in the world. Command used to extract the headers:
curl -L -A "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36" -s -D - https://www.example.com -o /dev/null
Google
$ curl -L -A "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36" -s -D - https://www.google.com -o /dev/null
HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Location: https://www.google.com.br/?gfe_rd=cr&ei=pNhBV6yTAvSp8wf3lInoCg
Content-Length: 263
Date: Sun, 22 May 2016 16:04:52 GMT
Alternate-Protocol: 443:quic
Alt-Svc: quic=":443"; ma=2592000; v="34,33,32,31,30,29,28,27,26,25"

HTTP/1.1 200 OK
Date: Sun, 22 May 2016 16:04:52 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=UTF-8
P3P: CP="This is not a P3P policy! See https://www.google.com/support/accounts/answer/151657?hl=en for more info."
Server: gws
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Set-Cookie: NID=79=BdHGSU63HWlvH35tKMhNOYIN8VCnB0huHol7Yl-29r0jEE2HY1n6Nts9BJH_JZ-Cps57guAUTLSyTO6caM9WzOPJYDfsRt8qMZ4tt4rGdfN0pURn1j-xRW-zxwx9-mkb; expires=Mon, 21-Nov-2016 16:04:52 GMT; path=/; domain=.google.com.br; HttpOnly
Alternate-Protocol: 443:quic
Alt-Svc: quic=":443"; ma=2592000; v="34,33,32,31,30,29,28,27,26,25"
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked
Facebook
$ curl -L -A "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36" -s -D - https://www.facebook.com -o /dev/null
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=15552000; preload
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Cache-Control: private, no-cache, no-store, must-revalidate
content-security-policy: default-src * data: blob:;script-src *.facebook.com *.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* 'unsafe-inline' 'unsafe-eval' fbstatic-a.akamaihd.net fbcdn-static-b-a.akamaihd.net *.atlassolutions.com blob: chrome-extension://lifbcibllhkdhoafpjfnlhfpfgnpldfl;style-src * 'unsafe-inline' data:;connect-src *.facebook.com *.fbcdn.net *.facebook.net *.spotilocal.com:* *.akamaihd.net wss://*.facebook.com:* https://fb.scanandcleanlocal.com:* *.atlassolutions.com attachment.fbsbx.com ws://localhost:* blob: 127.0.0.1:*;
Pragma: no-cache
public-key-pins-report-only: max-age=500; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="; pin-sha256="q4PO2G2cbkZhZ82+JgmRUyGMoAeozA+BSXVXQWB8XWQ="; report-uri="http://reports.fb.com/hpkp/"
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
X-Frame-Options: DENY
Vary: Accept-Encoding
Content-Type: text/html
X-FB-Debug: 7zpjoR0dVod3whuapaNzLVQnAg077KxpFx7VJO2nLT0AX3jD3IquGAFK+o5E1UARnZhloBpGmOaMns7AE7lllA==
Date: Sun, 22 May 2016 16:05:38 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Twitter
$ curl -L -A "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36" -s -D - https://www.twitter.com -o /dev/null
HTTP/1.1 301 Moved Permanently
content-length: 0
date: Sun, 22 May 2016 16:06:04 GMT
location: https://twitter.com/
server: tsa_d
set-cookie: guest_id=v1%3A146393316440053116; Domain=.twitter.com; Path=/; Expires=Tue, 22-May-2018 16:06:04 UTC
strict-transport-security: max-age=631138519
x-connection-hash: fcf0a8e18ecc1a28f22e30285de55fe0
x-response-time: 121

HTTP/1.1 200 OK
cache-control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
content-length: 255393
content-security-policy: script-src https://connect.facebook.net https://cm.g.doubleclick.net https://ssl.google-analytics.com https://graph.facebook.com https://twitter.com 'unsafe-eval' https://*.twimg.com https://api.twitter.com https://analytics.twitter.com https://publish.twitter.com https://ton.twitter.com https://syndication.twitter.com 'nonce-grHpCTpdmetRD4mMTtwgmA==' https://www.google.com https://t.tellapart.com https://platform.twitter.com https://www.google-analytics.com 'self'; frame-ancestors 'self'; font-src https://twitter.com https://*.twimg.com data: https://ton.twitter.com https://fonts.gstatic.com https://maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self'; media-src https://twitter.com https://*.twimg.com https://ton.twitter.com blob: 'self'; connect-src https://graph.facebook.com https://*.giphy.com https://*.twimg.com https://pay.twitter.com https://analytics.twitter.com https://media.riffsy.com https://upload.twitter.com https://api.mapbox.com 'self'; style-src https://fonts.googleapis.com https://twitter.com https://*.twimg.com https://translate.googleapis.com https://ton.twitter.com 'unsafe-inline' https://platform.twitter.com https://maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self'; object-src https://twitter.com https://pbs.twimg.com; default-src 'self'; frame-src https://staticxx.facebook.com https://twitter.com https://*.twimg.com https://player.vimeo.com https://pay.twitter.com https://www.facebook.com https://ton.twitter.com https://syndication.twitter.com https://vine.co twitter: https://www.youtube.com https://platform.twitter.com https://upload.twitter.com https://s-static.ak.facebook.com 'self' https://donate.twitter.com; img-src https://graph.facebook.com https://*.giphy.com https://twitter.com https://*.twimg.com data: https://fbcdn-profile-a.akamaihd.net https://www.facebook.com https://ton.twitter.com https://*.fbcdn.net https://syndication.twitter.com https://media.riffsy.com https://www.google.com https://stats.g.doubleclick.net https://*.tiles.mapbox.com https://www.google-analytics.com blob: 'self'; report-uri https://twitter.com/i/csp_report?a=NVQWGYLXFVZXO2LGOQ%3D%3D%3D%3D%3D%3D&ro=false;
content-type: text/html;charset=utf-8
date: Sun, 22 May 2016 16:06:05 GMT
expires: Tue, 31 Mar 1981 05:00:00 GMT
last-modified: Sun, 22 May 2016 16:06:04 GMT
pragma: no-cache
server: tsa_d
set-cookie: fm=0; Expires=Sun, 22 May 2016 16:05:54 GMT; Path=/; Domain=.twitter.com; Secure; HTTPOnly
set-cookie: _twitter_sess=BAh7CSIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoPY3JlYXRlZF9hdGwrCKtcN9lUAToMY3NyZl9p%250AZCIlOGVhNjNkOTRjZWQ4ZDg4YzQ0MTFiMzc5MzM3MjRjMTI6B2lkIiVmYTRl%250AZmZjMGM1MzNkN2Y0YWUyODAwZTcwOGI2NmRmYg%253D%253D--7ff51585db5754a6c35882f921ea30fa98ef7d9f; Path=/; Domain=.twitter.com; Secure; HTTPOnly
set-cookie: guest_id=v1%3A146393316461963429; Domain=.twitter.com; Path=/; Expires=Tue, 22-May-2018 16:06:04 UTC
status: 200 OK
strict-transport-security: max-age=631138519
x-connection-hash: 8f6fcd1089ed5b7edb3f837fb0a42d28
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-response-time: 495
x-transaction: cbe2aac34e0865e5
x-twitter-response-tags: BouncerCompliant
x-ua-compatible: IE=edge,chrome=1
x-xss-protection: 1; mode=block
Github
$ curl -L -A "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36" -s -D - https://www.github.com -o /dev/null
HTTP/1.1 301 Moved Permanently
Content-length: 0
Location: https://github.com/
Connection: close

HTTP/1.1 200 OK
Server: GitHub.com
Date: Sun, 22 May 2016 16:06:43 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Status: 200 OK
Cache-Control: no-cache
Vary: X-PJAX
X-UA-Compatible: IE=Edge,chrome=1
Set-Cookie: logged_in=no; domain=.github.com; path=/; expires=Thu, 22 May 2036 16:06:43 -0000; secure; HttpOnly
Set-Cookie: _gh_sess=eyJzZXNzaW9uX2lkIjoiMThjNGQxMDg2ZGIzMTMzNzliZmE5Zjk2NmM2Y2NjNDUiLCJfY3NyZl90b2tlbiI6Ill1aWJraDVFZDZhUFBzNTU0MnJyTWh1Qkk5UC9tRGN0eFZaWlMvYXd1aHM9In0%3D--088e76dc9d04769096885e47245d5257cccdd05d; path=/; secure; HttpOnly
X-Request-Id: 4a657bc2248311cfded00c09766a48f1
X-Runtime: 0.010857
Content-Security-Policy: default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src render.githubusercontent.com; connect-src 'self' uploads.github.com status.github.com api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com wss://live.github.com; font-src assets-cdn.github.com; form-action 'self' github.com gist.github.com; frame-ancestors 'none'; frame-src render.githubusercontent.com; img-src 'self' data: assets-cdn.github.com identicons.github.com www.google-analytics.com collector.githubapp.com *.gravatar.com *.wp.com *.githubusercontent.com; media-src 'none'; object-src assets-cdn.github.com; plugin-types application/x-shockwave-flash; script-src assets-cdn.github.com; style-src 'unsafe-inline' assets-cdn.github.com
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
Public-Key-Pins: max-age=5184000; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="RRM1dGqnDFsCJXBTHky16vi1obOlCgFFn/yOhI/y+ho="; pin-sha256="k2v657xBsOVe1PQRwOsHsw3bsGT2VzIqz5K+59sNQws="; pin-sha256="K87oWBWM9UZfyddvDfoxL+8lpNyoUB2ptGtn0fv6G2Q="; pin-sha256="IQBnNBEiFuhj+8x6X8XLgh01V9Ic5/V3IRQLNFFc7v4="; pin-sha256="iie1VXtL7HzAMF+/PVPR9xzT80kQxdZeJ+zduCB3uj0="; pin-sha256="LvRiGEjRqfzurezaWuj8Wie2gyHMrW5Q06LspMnox7A="; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
Vary: Accept-Encoding
X-Served-By: d41662224d8c44f09604b862e979767a
X-GitHub-Request-Id: B36F2320:987D:E88A2AC:5741D913
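A practitioner wants to turn captures like these into a checklist rather than read them by eye. The Python below, added here and not the project's hsecscan tool, reads a `curl -L -D -` dump, keeps the headers of the final response (curl prints every redirect hop), and reports on the seven headers this page covers, including the X-Frame-Options ALLOW-FROM caveat from the header section above. SAMPLE_DUMP is a constructed, trimmed dump modelled on the captures, not a real one; feed a real capture to final_response_headers to audit a live site.

```python
"""Audit the security headers in a raw `curl -L -D -` dump.

Added example, not the OWASP project's hsecscan tool.  SAMPLE_DUMP is a
constructed, trimmed dump modelled on the captures on this page.
"""
import re

ONE_YEAR = 31536000  # seconds; the smallest HSTS max-age worth deploying


def final_response_headers(raw_dump: str) -> dict:
    """Return the headers of the last response in a dump, with lower-cased names."""
    responses = []
    for line in raw_dump.splitlines():
        if line.startswith("HTTP/"):
            responses.append({})  # each status line starts a new hop
        elif ":" in line and responses:
            name, _, value = line.partition(":")
            responses[-1][name.strip().lower()] = value.strip()
    return responses[-1] if responses else {}


def audit_headers(headers: dict) -> list:
    """Findings for the headers covered on this page; keys are lower-cased names."""
    findings = []

    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        match = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        max_age = int(match.group(1)) if match else 0
        if max_age < ONE_YEAR:
            findings.append(f"Strict-Transport-Security max-age={max_age} is below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("Strict-Transport-Security lacks includeSubDomains")

    csp = headers.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")

    xfo = headers.get("x-frame-options")
    if xfo is None:
        # frame-ancestors supersedes X-Frame-Options, so only flag when neither is set.
        if not (csp and "frame-ancestors" in csp.lower()):
            findings.append("X-Frame-Options missing and CSP has no frame-ancestors")
    elif xfo.lower().startswith("allow-from"):
        findings.append("X-Frame-Options ALLOW-FROM is ignored by Chrome and Safari; use CSP frame-ancestors")
    elif xfo.lower() not in ("deny", "sameorigin"):
        findings.append(f"X-Frame-Options value {xfo!r} is not DENY or SAMEORIGIN")

    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    if "x-xss-protection" not in headers:
        findings.append("X-XSS-Protection missing")
    if "x-permitted-cross-domain-policies" not in headers:
        findings.append("X-Permitted-Cross-Domain-Policies missing")
    if "public-key-pins" in headers:
        findings.append("Public-Key-Pins present: confirm a backup pin and a max-age you can recover from")
    return findings


# Constructed dump: one redirect hop followed by the final response.
SAMPLE_DUMP = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://example.com/\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubdomains; preload\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: deny\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for finding in audit_headers(final_response_headers(SAMPLE_DUMP)):
        print(finding)
```

Auditing only the final hop matters: in the Twitter capture above the redirect already carries HSTS, but a site that sets its headers only on the redirect and not on the page it lands on would pass a naive grep and fail this check.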
Please note that the best practices below change web server configuration to add the headers. Security headers can also be added at the application level in almost every web language, and many web frameworks add some of these headers automatically (see the libraries listed above). Whichever layer sets them, verify the result with one of the analysis tools above rather than trusting the configuration.
Response Headers
- HTTP Strict Transport Security (HSTS)
- Public Key Pinning Extension for HTTP (HPKP)
- X-Frame-Options
- X-XSS-Protection
- X-Content-Type-Options
- Content-Security-Policy
- X-Permitted-Cross-Domain-Policies
HTTP Strict Transport Security (HSTS)
- Apache
- Edit your Apache configuration file and add the following to the HTTPS VirtualHost (browsers ignore HSTS received over plain HTTP, so the header belongs on the TLS host).
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
- nginx
- Edit your nginx configuration file and add the following snippet (note that add_header directives are inherited from an enclosing block only when the current block defines none of its own, so a location block with its own add_header silently drops this one).
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
- lighttpd
- Edit your lighttpd configuration file and add the following snippet.
setenv.add-response-header = ("Strict-Transport-Security" => "max-age=63072000; includeSubdomains",)
- IIS
Public Key Pinning Extension for HTTP (HPKP)
- Apache
- Edit your apache configuration file and add the following to your VirtualHost.
Header set Public-Key-Pins "pin-sha256=\"klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY=\"; pin-sha256=\"633lt352PKRXbOwf4xSEa1M517scpD3l5f79xMD9r9Q=\"; max-age=2592000; includeSubDomains"
- nginx
- Edit your nginx configuration file and add the following snippet.
add_header Public-Key-Pins "pin-sha256=\"klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY=\"; pin-sha256=\"633lt352PKRXbOwf4xSEa1M517scpD3l5f79xMD9r9Q=\"; max-age=2592000; includeSubDomains";
- lighttpd
- Edit your lighttpd configuration file and add the following snippet.
setenv.add-response-header = ("Public-Key-Pins" => "pin-sha256=\"klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY=\"; pin-sha256=\"633lt352PKRXbOwf4xSEa1M517scpD3l5f79xMD9r9Q=\"; max-age=2592000; includeSubDomains",)
- IIS
X-Frame-Options
- Apache
- Add this line below into your site's configuration to configure Apache to send X-Frame-Options header for all pages.
Header set X-Frame-Options DENY
- nginx
- Add snippet below into configuration file to send X-Frame-Options header.
add_header X-Frame-Options "DENY";
- lighttpd
- Add snippet below into configuration file to send X-Frame-Options header.
setenv.add-response-header = ("X-Frame-Options" => "DENY",)
- IIS
X-XSS-Protection
Add appropriate snippet into configuration file.
- Apache
Header set X-XSS-Protection "1; mode=block"
- nginx
add_header X-XSS-Protection "1; mode=block";
- lighttpd
setenv.add-response-header = ("X-XSS-Protection" => "1; mode=block",)
- IIS
X-Content-Type-Options
Add appropriate snippet into configuration file.
- Apache
Header set X-Content-Type-Options "nosniff"
- nginx
add_header X-Content-Type-Options "nosniff";
- lighttpd
setenv.add-response-header = ("X-Content-Type-Options" => "nosniff",)
- IIS
Content-Security-Policy
Add appropriate snippet into configuration file.
- Apache
Header set Content-Security-Policy "script-src 'self'"
- nginx
add_header Content-Security-Policy "script-src 'self'";
- lighttpd
setenv.add-response-header = ("Content-Security-Policy" => "script-src 'self'",)
- IIS
X-Permitted-Cross-Domain-Policies
Add appropriate snippet into configuration file.
- Apache
Header set X-Permitted-Cross-Domain-Policies "none"
- nginx
add_header X-Permitted-Cross-Domain-Policies "none";
- lighttpd
setenv.add-response-header = ("X-Permitted-Cross-Domain-Policies" => "none",)
- IIS
- [update needed]
- What is an HTTP header?
- HTTP header fields are part of an HTTP message, defined originally in RFC 2616 and now in RFC 7230 and its companions. Requests from client to server and responses from server to client carry header fields that define parameters of the exchange, including language, compression support, caching, security and much more.
- Is there a standard for HTTP headers?
- A core set of fields is standardized by the Internet Engineering Task Force (IETF) in RFCs 7230, 7231, 7232, 7233, 7234, and 7235. The permanent registry of header fields and the repository of provisional registrations are maintained by IANA. Additional field names and permissible values may be defined by each application. Non-standard header fields were conventionally marked by prefixing the field name with X-, but this convention was deprecated in June 2012 (RFC 6648) because of the inconvenience it caused when non-standard fields became standard. An earlier restriction on use of Downgraded- was lifted in March 2013.
- Why do I need to worry about this?
- Like other OWASP initiatives, this project aims to help the whole community conceive, develop, acquire, operate and maintain applications that can be trusted, by providing useful information about the use of secure HTTP headers and the applications and platforms that support them.
- Where can the secure features presented by this project be applied?
- A secure HTTP header is only effective when the application, or some infrastructure component in front of it, sends the proper header with the correct value, and the client in use (normally a web browser) implements that feature.
- When should I consider applying these improvements?
- The short answer is right now. However, we believe in a more responsible approach, so we recommend planning and a preliminary study, followed by the incremental inclusion of secure headers.
- Headers like Public Key Pinning Extension for HTTP (HPKP), HTTP Strict Transport Security (HSTS) and Content Security Policy (CSP) need special attention in order not to cause an incident: a wrong HSTS or HPKP value can lock users out for as long as its max-age, and an over-strict CSP can break the site. Some real cases of secure header deployment can be seen in:
  - Secure websites shun HTTP Public Key Pinning
  - HTTP Public Key Pinning: You’re doing it wrong!
  - CSP On Reporting and Filtering
  - Content Security Policy (CSP)
- Who is responsible for applying secure features?
- Providing a more secure environment is an effort that involves developers, system administrators, web browser vendors and end users.
- The success of a secure headers strategy therefore depends on a proper client, in general a web browser, and on a web application or infrastructure component configured appropriately.
- How can I apply secure HTTP headers?
- Secure headers can be set directly by handling HTTP response headers in the application, by using a framework that does so, or by appropriate configuration of the web server.
- The OWASP Secure Headers project provides a list of resources and examples to help understand, analyze and configure secure headers.
- What are the costs of applying these actions?
- There is no licence or purchase cost to using secure headers. However, some effort to configure them and to manage the configuration properly will be necessary.
Contributors
OWASP Secure Headers Project is developed by a worldwide team of volunteers. The primary contributors to date have been:
Involvement in the development and promotion of OWASP Secure Headers Project is actively encouraged! You do not have to be a security expert in order to contribute. If you want to help send an email to [email protected].
To Do
- Provide a public service to scan websites and view statistics regarding these headers: automated scanning of the top 1m sites on the web; filtering of those sites to view stats across industries and countries; published database dumps for public consumption and tools; scanning of individual sites; comparing multiple scanned sites.
- Consistent reports regarding these secure headers, their usage, and any changes to existing headers.
- Reorganize "Best Practices" tab and include a section for related security best practices around headers (e.g. "Remove Server Header" and "Remove X-Powered-By Header".
- Include X-Permitted-Cross-Domain-Policies on Stats tab.
- Create a parser to grab the headers from https://scans.io and populate the MySQL database.
Doing
- Producing open source, easily implemented, well documented code libraries that enable these headers for a variety of platforms. We'll prioritize creating and publicizing Node.JS, PHP, Ruby, and Java, but will eventually reach out towards edge cases like Go, Python and others. The key is to make this as accessible as possible to developers.
- Including how to properly set secure headers on IIS.
- Continuously improving the hsecscan tool to detect bad practices and link to the best practices above.
Done
- Creating best-practice implementations showing how to properly set secure headers on the most common platforms (e.g. Apache, NGINX and Lighttpd).
- Divide the "Tools_and_Libraries" tab into two different tabs (Scanners and Libraries).
- Include link to attack pages.
- Include Top Websites Examples tab.
- Move the Best Practices to another tab.
- Include a new tab only for browser versions compatibility.
- Include X-Permitted-Cross-Domain-Policies under Headers and Best Practices tab.