Insecure HTTP Header Setting
Description
Insecure Header Setting:
- Content Security Policy
- Cookie
- Cross-Origin Resource Sharing
- HTTP Public Key Pinning
- Redirection
- Referrer Policy
- Subresource Integrity
- X-Content-Type-Options
- X-Frame-Options
- X-XSS-Protection
Recommendation
To ensure you don't have insecure header settings, consider the following:
- Content Security Policy (CSP):
Enforce restrictions on content sources, mitigating risks associated with cross-site scripting (XSS) attacks and unauthorized resource loading.
Content-Security-Policy: default-src 'self'; script-src 'self' https://cdnjs.cloudflare.com;
- Cookie Security Headers:
Implement Secure and HttpOnly flags to prevent cookie theft and manipulation, enhancing user session security.
Set-Cookie: sessionid=abc123; Secure; HttpOnly
- Cross-Origin Resource Sharing (CORS):
Configure CORS so that only explicitly trusted origins may read cross-origin responses; a policy that reflects arbitrary origins (or uses a wildcard together with credentials) enables cross-origin data leakage and related request forgery.
Access-Control-Allow-Origin: https://example.com
- HTTP Public Key Pinning (HPKP):
Utilize HPKP to bind public keys to specific web servers, protecting against Man-in-the-Middle (MitM) attacks involving fraudulent certificates. The header must carry at least two pins (one of them a backup pin) and a max-age; note that current major browsers have removed HPKP enforcement, so it no longer provides protection in those clients and a mistaken pin can lock out users of clients that still honour it.
Public-Key-Pins: pin-sha256="base64=="; pin-sha256="backupbase64=="; max-age=5184000; includeSubDomains
- Redirection Headers:
Ensure secure redirection by implementing strict controls to prevent open redirection vulnerabilities, thereby safeguarding users against phishing attacks.
Location: https://example.com/secure-page
- Referrer Policy:
Set appropriate referrer policies to control how much information is passed in the Referer header, reducing the risk of sensitive data exposure.
Referrer-Policy: strict-origin-when-cross-origin
- Subresource Integrity (SRI):
Implement SRI to verify the integrity of external resources, such as scripts and stylesheets, guarding against unauthorized modifications and supply chain attacks.
<script src="https://example.com/example.js" integrity="sha256-base64==" crossorigin="anonymous"></script>
- X-Content-Type-Options:
Enable the 'nosniff' directive to prevent browsers from MIME-sniffing a response, mitigating risks associated with content type confusion attacks.
X-Content-Type-Options: nosniff
- X-Frame-Options:
Set X-Frame-Options to restrict embedding of web content into frames, protecting against clickjacking attacks and ensuring the integrity of your web pages.
X-Frame-Options: DENY
- X-XSS-Protection:
Enable XSS protection mechanisms to mitigate XSS attacks by instructing browsers to sanitize or block potentially malicious scripts. Note that current browsers ignore this header (the built-in XSS auditors have been removed), so a Content Security Policy is the effective control; do not rely on X-XSS-Protection alone.
X-XSS-Protection: 1; mode=block
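The checks above can be automated. The following Python script is an added example, not code from the original page: it audits a captured set of response headers against the recommendations listed above (CSP, cookie flags, CORS, HPKP pin count, Referrer-Policy, X-Content-Type-Options, X-Frame-Options, X-XSS-Protection) and computes and verifies Subresource Integrity values for static assets. The header dictionaries and the asset bytes are constructed sample data; the function names are this example's own.

```python
"""Audit HTTP response headers and compute Subresource Integrity values.

Added example (not part of the original page). The header sets below are
constructed sample data, not captured from any real server.
"""
import base64
import hashlib
import hmac
from typing import Dict, List

# Constructed weak configuration: exercises most of the checks.
WEAK_RESPONSE_HEADERS: Dict[str, List[str]] = {
    "Content-Type": ["text/html"],
    "Set-Cookie": ["sessionid=abc123; Path=/"],
    "Access-Control-Allow-Origin": ["*"],
    "Access-Control-Allow-Credentials": ["true"],
    "X-XSS-Protection": ["1; mode=block"],
}

# Constructed hardened configuration mirroring the recommendations above.
STRONG_RESPONSE_HEADERS: Dict[str, List[str]] = {
    "Content-Security-Policy": [
        "default-src 'self'; script-src 'self' https://cdnjs.cloudflare.com; "
        "frame-ancestors 'none'"
    ],
    "Set-Cookie": ["sessionid=abc123; Secure; HttpOnly"],
    "Access-Control-Allow-Origin": ["https://example.com"],
    "Referrer-Policy": ["strict-origin-when-cross-origin"],
    "X-Content-Type-Options": ["nosniff"],
    "X-Frame-Options": ["DENY"],
}


def _get(headers: Dict[str, List[str]], name: str) -> List[str]:
    """Case-insensitive lookup returning every value of a header."""
    wanted = name.lower()
    return [v for key, values in headers.items() if key.lower() == wanted for v in values]


def audit_headers(headers: Dict[str, List[str]]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []

    csp = _get(headers, "Content-Security-Policy")
    if not csp:
        findings.append("CSP: Content-Security-Policy header missing")
    elif "'unsafe-inline'" in csp[0].lower() or "'unsafe-eval'" in csp[0].lower():
        findings.append("CSP: policy permits 'unsafe-inline' or 'unsafe-eval'")

    # Every Set-Cookie must carry the Secure and HttpOnly attributes.
    for cookie in _get(headers, "Set-Cookie"):
        name = cookie.split("=", 1)[0].strip()
        attrs = {p.strip().split("=", 1)[0].lower() for p in cookie.split(";")[1:]}
        for flag in ("Secure", "HttpOnly"):
            if flag.lower() not in attrs:
                findings.append(f"Cookie: {name} lacks the {flag} attribute")

    # A wildcard or null origin is too permissive; with credentials it is worse.
    origin = _get(headers, "Access-Control-Allow-Origin")
    creds = _get(headers, "Access-Control-Allow-Credentials")
    if origin and origin[0].strip() in ("*", "null"):
        findings.append(f"CORS: Access-Control-Allow-Origin is {origin[0].strip()}")
        if creds and creds[0].strip().lower() == "true":
            findings.append("CORS: wildcard/null origin combined with credentials")

    # HPKP (RFC 7469) requires a backup pin and a max-age; browsers have since
    # dropped enforcement, so its presence is checked only for well-formedness.
    hpkp = _get(headers, "Public-Key-Pins")
    if hpkp:
        pins = [p for p in hpkp[0].split(";") if p.strip().lower().startswith("pin-sha256=")]
        if len(pins) < 2 or "max-age=" not in hpkp[0].lower():
            findings.append("HPKP: needs at least two pin-sha256 values (one backup) and max-age")

    ref = _get(headers, "Referrer-Policy")
    if not ref:
        findings.append("Referrer-Policy: header missing")
    elif ref[0].strip().lower() == "unsafe-url":
        findings.append("Referrer-Policy: unsafe-url leaks the full URL cross-origin")

    xcto = _get(headers, "X-Content-Type-Options")
    if not xcto or xcto[0].strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff not set")

    # Either X-Frame-Options or a CSP frame-ancestors directive blocks framing.
    xfo = _get(headers, "X-Frame-Options")
    frame_ancestors = bool(csp) and "frame-ancestors" in csp[0].lower()
    if not frame_ancestors and (not xfo or xfo[0].strip().upper() not in ("DENY", "SAMEORIGIN")):
        findings.append("X-Frame-Options: neither DENY/SAMEORIGIN nor CSP frame-ancestors set")

    xxp = _get(headers, "X-XSS-Protection")
    if xxp and xxp[0].strip().startswith("1") and not csp:
        findings.append("X-XSS-Protection: browsers ignore this header; CSP is the effective XSS control")

    return findings


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Compute the value for an integrity attribute: '<algo>-<base64 digest>'."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(content: bytes, integrity: str) -> bool:
    """Check fetched bytes against an integrity attribute value, constant-time."""
    algo, _, _ = integrity.partition("-")
    if algo not in ("sha256", "sha384", "sha512"):
        return False
    return hmac.compare_digest(sri_hash(content, algo), integrity)


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_RESPONSE_HEADERS), ("strong", STRONG_RESPONSE_HEADERS)):
        print(f"[{label}] {len(audit_headers(hdrs))} finding(s)")
        for finding in audit_headers(hdrs):
            print("  -", finding)
    asset = b"console.log('constructed sample asset');"  # constructed stand-in for example.js
    print("integrity attribute:", sri_hash(asset))
```

Feed `audit_headers` the headers of a real response (for example the dictionary built from `requests` or `urllib` response headers, keeping multiple Set-Cookie values as a list) and treat any finding as a configuration defect to fix at the server. `sri_hash` produces the value to place in the `integrity` attribute when you publish an asset; `verify_sri` is the same check a browser performs before executing it.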
Links
Standards
- OWASP_ASVS_L1:
- V5_1_3
- V14_5_3
- OWASP_ASVS_L2:
- V5_1_3
- V14_5_3
- OWASP_ASVS_L3:
- V5_1_3
- V14_5_3