
Insecure HTTP Header Setting

Description

An insecure setting in any of the following headers weakens the browser-side protection that header provides:

  • Content Security Policy: Mitigates risks of cross-site scripting (XSS) by specifying trusted sources for content.
  • Cookie: Enhances security by setting attributes like HttpOnly and Secure to protect cookie data from unauthorized access.
  • Cross-Origin Resource Sharing: Controls how resources can be shared across different domains to prevent malicious access.
  • HTTP Public Key Pinning: Protects against man-in-the-middle attacks by specifying which public keys are valid for a particular site.
  • Redirection: Ensures that redirects are safe and only lead to trusted destinations to prevent open redirect vulnerabilities.
  • Referrer Policy: Defines how much referrer information is passed when navigating from one site to another, enhancing privacy.
  • Subresource Integrity: Verifies that resources loaded from third-party domains have not been tampered with by checking their cryptographic hash.
  • X-Content-Type-Options: Prevents browsers from MIME-sniffing the content type, reducing the risk of content-type-based attacks.
  • X-Frame-Options: Prevents clickjacking attacks by controlling whether a page can be embedded in a frame.
  • X-XSS-Protection: Activates the browser's built-in XSS filtering to block detected cross-site scripting attacks.
  • Permissions-Policy: Controls which features and APIs can be used in the browser, enhancing security by limiting capabilities for untrusted content.
  • Clear-Site-Data: Allows sites to request the browser to clear stored data (cookies, local storage, caches) for a specified origin, helping to mitigate the impact of data leaks or privacy concerns.

Recommendation

To ensure you don't have insecure header settings, consider the following:

  1. Content Security Policy (CSP):

Enforce restrictions on content sources, mitigating risks associated with cross-site scripting (XSS) attacks and unauthorized resource loading.

Content-Security-Policy: default-src 'self'; script-src 'self' https://cdnjs.cloudflare.com;

  2. Cookie Security Headers:

Implement the Secure and HttpOnly flags to prevent cookie theft and manipulation, enhancing user session security.

Set-Cookie: sessionid=abc123; Secure; HttpOnly

  3. Cross-Origin Resource Sharing (CORS):

Properly configure CORS policies to restrict resource access from different origins, mitigating cross-site request forgery (CSRF) and cross-origin data leakage.

Access-Control-Allow-Origin: https://example.com

  4. HTTP Public Key Pinning (HPKP):

Use HPKP to bind public keys to specific web servers, protecting against Man-in-the-Middle (MitM) attacks involving fraudulent certificates.

Public-Key-Pins: pin-sha256="base64=="; max-age=5184000; includeSubDomains

  5. Redirection Headers:

Ensure secure redirection by implementing strict controls to prevent open redirection vulnerabilities, thereby safeguarding users against phishing attacks.

Location: https://example.com/secure-page

  6. Referrer Policy:

Set an appropriate referrer policy to control how much information is passed in the Referer header, reducing the risk of sensitive data exposure.

Referrer-Policy: strict-origin-when-cross-origin

  7. Subresource Integrity (SRI):

Implement SRI to verify the integrity of external resources, such as scripts and stylesheets, guarding against unauthorized modifications and supply chain attacks.

<script src="https://example.com/example.js" integrity="sha256-base64==" crossorigin="anonymous"></script>

  8. X-Content-Type-Options:

Enable the 'nosniff' directive to prevent browsers from MIME-sniffing a response, mitigating risks associated with content type confusion attacks.

X-Content-Type-Options: nosniff

  9. X-Frame-Options:

Set X-Frame-Options to restrict embedding of web content into frames, protecting against clickjacking attacks and ensuring the integrity of your web pages.

X-Frame-Options: DENY

  10. X-XSS-Protection:

Enable XSS protection mechanisms to mitigate XSS attacks by instructing browsers to sanitize or block potentially malicious scripts.

X-XSS-Protection: 1; mode=block
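As an added example (not code from the original page), the Python audit below checks a captured response's headers against the recommendations above, covering CSP, cookies, CORS, X-Content-Type-Options, X-Frame-Options and Referrer-Policy; HPKP and X-XSS-Protection are left out because current browsers no longer honour them. The `audit_headers` function and the `WEAK_RESPONSE` sample are constructed here for an offline run.

```python
from http.cookies import SimpleCookie


def audit_headers(headers):
    """Return (header, issue) findings; Set-Cookie may be a list of values."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # CSP: must be present, and default-src/script-src must not be wide open
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append(("Content-Security-Policy", "missing"))
    directives = {d.split()[0]: d.split()[1:] for d in csp.split(";") if d.split()}
    for name in ("default-src", "script-src"):
        if any(s in ("*", "'unsafe-inline'") for s in directives.get(name, [])):
            findings.append(("Content-Security-Policy",
                             f"{name} allows * or 'unsafe-inline'"))

    # Cookies: every cookie needs both the Secure and the HttpOnly attribute
    raw = h.get("set-cookie", [])
    for line in ([raw] if isinstance(raw, str) else raw):
        jar = SimpleCookie()
        jar.load(line)
        for cname, morsel in jar.items():
            for attr, label in (("secure", "Secure"), ("httponly", "HttpOnly")):
                if not morsel[attr]:
                    findings.append(("Set-Cookie", f"{cname} lacks {label}"))

    # CORS: a wildcard origin exposes the response to any site
    if h.get("access-control-allow-origin", "").strip() == "*":
        findings.append(("Access-Control-Allow-Origin", "wildcard '*' permits any origin"))

    # Remaining headers: compare against the expected values, case-insensitively
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("X-Content-Type-Options", "missing or not 'nosniff'"))
    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in directives:
        findings.append(("X-Frame-Options", "missing, and CSP sets no frame-ancestors"))
    if "referrer-policy" not in h:
        findings.append(("Referrer-Policy", "missing"))
    return findings


# Constructed sample response (not a real capture) with several weak settings
WEAK_RESPONSE = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Set-Cookie": ["sessionid=abc123; Secure", "theme=dark; Secure; HttpOnly"],
    "Access-Control-Allow-Origin": "*",
    "X-Content-Type-Options": "NOSNIFF",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
```

Running `audit_headers(WEAK_RESPONSE)` reports four findings (the inline script source, the session cookie without HttpOnly, the wildcard CORS origin and the absent framing control), while a response carrying the recommended values returns an empty list.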

Standards

  • OWASP_ASVS_L1:
    • V5_1_3
    • V14_5_3
  • OWASP_ASVS_L2:
    • V5_1_3
    • V14_5_3
  • OWASP_ASVS_L3:
    • V5_1_3
    • V14_5_3