This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "List of useful HTTP headers"

From OWASP
Jump to: navigation, search
Line 8: Line 8:
 
|-
 
|-
 
|[http://tools.ietf.org/html/rfc6797 Strict-Transport-Security]
 
|[http://tools.ietf.org/html/rfc6797 Strict-Transport-Security]
|Enforces secure (HTTP over SSL/TLS) connections to the server. This reduces impact of bugs in web applications leaking session data through cookies and external links.
+
|HTTP Strict-Transport-Security (HSTS) enforces secure (HTTP over SSL/TLS) connections to the server. This reduces impact of bugs in web applications leaking session data through cookies and external links and defends against Man-in-the-middle attacks. HSTS also disables the ability for user's to ignore SSL negotiation warnings.
 
|<code>Strict-Transport-Security: max-age=16070400; includeSubDomains</code>
 
|<code>Strict-Transport-Security: max-age=16070400; includeSubDomains</code>
 
|-
 
|-
 
| [http://tools.ietf.org/html/draft-ietf-websec-x-frame-options-01 X-Frame-Options], [http://tools.ietf.org/html/draft-ietf-websec-frame-options-00 Frame-Options]
 
| [http://tools.ietf.org/html/draft-ietf-websec-x-frame-options-01 X-Frame-Options], [http://tools.ietf.org/html/draft-ietf-websec-frame-options-00 Frame-Options]
| [[Clickjacking]] protection. Values: ''deny'' - no rendering within a frame, ''sameorigin'' - no rendering if origin mismatch, ''allow-from: URL'' - allow rendering frame if loaded from ''URL''
+
| Provides [[Clickjacking]] protection. Values: ''deny'' - no rendering within a frame, ''sameorigin'' - no rendering if origin mismatch, ''allow-from: DOMAIN'' - allow rendering if framed by frame loaded from ''DOMAIN''
 
| <code> X-Frame-Options: deny</code>
 
| <code> X-Frame-Options: deny</code>
 
|-
 
|-
Line 24: Line 24:
 
|-
 
|-
 
|[http://www.w3.org/TR/CSP/ X-Content-Security-Policy, X-WebKit-CSP]
 
|[http://www.w3.org/TR/CSP/ X-Content-Security-Policy, X-WebKit-CSP]
|[[Content Security Policy]] definition. Requires careful tuning and precise definition of the policy. If enabled CSP has significant impact on the way browser renders pages (e.g. inline JavaScript disabled by default and must be explicitly allowed in policy). CSP prevents a wide range of attacks, including [[Cross-site Scripting]] and other cross-site injections.
+
|[[Content Security Policy]] requires careful tuning and precise definition of the policy. If enabled, CSP has significant impact on the way browser renders pages (e.g., inline JavaScript disabled by default and must be explicitly allowed in policy). CSP prevents a wide range of attacks, including [[Cross-site scripting]] and other cross-site injections.
 
|<code>X-WebKit-CSP: default-src 'self'</code>
 
|<code>X-WebKit-CSP: default-src 'self'</code>
 
|}
 
|}

Revision as of 19:20, 13 September 2013

This page lists useful security-related HTTP headers. In most architectures these headers can be set in web server configuration (Apache, IIS), without changing actual application's code. This offers significantly faster and cheaper method for at least partial mitigation of existing issues, and an additional layer of defense for new applications.

Field name Description Example
Strict-Transport-Security HTTP Strict-Transport-Security (HSTS) enforces secure (HTTP over SSL/TLS) connections to the server. This reduces impact of bugs in web applications leaking session data through cookies and external links and defends against Man-in-the-middle attacks. HSTS also disables the ability for user's to ignore SSL negotiation warnings. Strict-Transport-Security: max-age=16070400; includeSubDomains
X-Frame-Options, Frame-Options Provides Clickjacking protection. Values: deny - no rendering within a frame, sameorigin - no rendering if origin mismatch, allow-from: DOMAIN - allow rendering if framed by frame loaded from DOMAIN X-Frame-Options: deny
X-XSS-Protection This header enables the Cross-site scripting (XSS) filter built into most recent web browsers. It's usually enabled by default anyway, so the role of this header is to re-enable the filter for this particular website if it was disabled by the user. This header is supported in IE 8+, and in Chrome (not sure which versions). The anti-XSS filter was added in Chrome 4. Its unknown if that version honored this header. X-XSS-Protection: 1; mode=block
X-Content-Type-Options The only defined value, "nosniff", prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type. This also applies to Google Chrome, when downloading extensions. This reduces exposure to drive-by download attacks and sites serving user uploaded content that, by clever naming, could be treated by MSIE as executable or dynamic HTML files. X-Content-Type-Options: nosniff
X-Content-Security-Policy, X-WebKit-CSP Content Security Policy requires careful tuning and precise definition of the policy. If enabled, CSP has significant impact on the way browser renders pages (e.g., inline JavaScript disabled by default and must be explicitly allowed in policy). CSP prevents a wide range of attacks, including Cross-site scripting and other cross-site injections. X-WebKit-CSP: default-src 'self'


Real life examples

Below examples present selected HTTP headers as set by popular websites to demonstrate that they are indeed being used in production services:

Facebook

As of January 2013 Facebook main page was setting these security related HTTP headers.

Strict-Transport-Security: max-age=60
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-WebKit-CSP: default-src *; script-src https://*.facebook.com
  http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net
  *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:*
  'unsafe-inline' 'unsafe-eval' https://*.akamaihd.net http://*.akamaihd.net;
  style-src * 'unsafe-inline'; connect-src https://*.facebook.com http://*.facebook.com
  https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.spotilocal.com:*
  https://*.akamaihd.net ws://*.facebook.com:* http://*.akamaihd.net;
X-XSS-Protection: 1; mode=block

Especially interesting is Facebook's use of Content Security Policy (using Google Chrome syntax), whose implementation can be challenging for large sites with heavy usage of JavaScript.

Google+

As of January 2013 Google+ main page was setting these security related HTTP headers:

x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block

Twitter

As of May 2013 Twitter main page was setting these security related HTTP headers:

strict-transport-security: max-age=631138519
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block