Insecure HTTP Header Setting
Insecure HTTP Header Setting
Description
Insecure Header Setting:
- Content Security Policy: Mitigates risks of cross-site scripting (XSS) by specifying trusted sources for content.
- Cookie: Enhances security by setting attributes like HttpOnly and Secure to protect cookie data from unauthorized access.
- Cross-Origin Resource Sharing: Controls how resources can be shared across different domains to prevent malicious access.
- HTTP Public Key Pinning: Protects against man-in-the-middle attacks by specifying which public keys are valid for a particular site.
- Redirection: Ensures that redirects are safe and only lead to trusted destinations to prevent open redirect vulnerabilities.
- Referrer Policy: Defines how much referrer information is passed when navigating from one site to another, enhancing privacy.
- Subresource Integrity: Verifies that resources loaded from third-party domains have not been tampered with by checking their cryptographic hash.
- X-Content-Type-Options: Prevents browsers from MIME-sniffing the content type, reducing the risk of content-type-based attacks.
- X-Frame-Options: Prevents clickjacking attacks by controlling whether a page can be embedded in a frame.
- X-XSS-Protection: Activates the browser's built-in XSS filtering to block detected cross-site scripting attacks.
- Permissions-Policy: Controls which features and APIs can be used in the browser, enhancing security by limiting capabilities for untrusted content.
- Clear-Site-Data: Allows sites to request the browser to clear stored data (cookies, local storage, caches) for a specified origin, helping to mitigate the impact of data leaks or privacy concerns.
Recommendation
To ensure you don't have insecure header settings, consider the following:
- Content Security Policy (CSP):
Enforce restrictions on content sources, mitigating risks associated with cross-site scripting (XSS) attacks and unauthorized resource loading.
Content-Security-Policy: default-src 'self'; script-src 'self' https://cdnjs.cloudflare.com;
- Cookie Security Headers:
Implement Secure and HttpOnly flags to prevent cookie theft and manipulation, enhancing user session security.
Set-Cookie: sessionid=abc123; Secure; HttpOnly;
- Cross-Origin Resource Sharing (CORS):
Properly configure CORS policies to restrict resource access from different origins, mitigating cross-site request forgery (CSRF) and cross-origin data leakage.
Access-Control-Allow-Origin: https://example.com
- HTTP Public Key Pinning (HPKP):
Utilize HPKP to bind public keys to specific web servers, protecting against Man-in-the-Middle (MitM) attacks involving fraudulent certificates.
Public-Key-Pins: pin-sha256="base64=="; max-age=5184000; includeSubDomains;
- Redirection Headers:
Ensure secure redirection by implementing strict controls to prevent open redirection vulnerabilities, thereby safeguarding users against phishing attacks.
Location: https://example.com/secure-page
- Referrer Policy:
Set appropriate referrer policies to control how much information is passed in the Referer header, reducing the risk of sensitive data exposure.
Referrer-Policy: strict-origin-when-cross-origin
- Subresource Integrity (SRI):
Implement SRI to verify the integrity of external resources, such as scripts and stylesheets, guarding against unauthorized modifications and supply chain attacks.
<script src="https://example.com/example.js" integrity="sha256-base64==" crossorigin="anonymous"></script>
- X-Content-Type-Options:
Enable the 'nosniff' directive to prevent browsers from MIME-sniffing a response, mitigating risks associated with content type confusion attacks.
X-Content-Type-Options: nosniff
- X-Frame-Options:
Set X-Frame-Options to restrict embedding of web content into frames, protecting against clickjacking attacks and ensuring the integrity of our web pages.
X-Frame-Options: DENY
- X-XSS-Protection:
Enable XSS protection mechanisms to mitigate XSS attacks by instructing browsers to sanitize or block potentially malicious scripts.
X-XSS-Protection: 1; mode=block
Links
Standards
- OWASP_ASVS_L1:
- V5_1_3
- V14_5_3
- OWASP_ASVS_L2:
- V5_1_3
- V14_5_3
- OWASP_ASVS_L3:
- V5_1_3
- V14_5_3