SlideShare a Scribd company logo

HTTP_Header_Security.pdf

K
ksudhakarreddy5

This document discusses HTTP security headers that can be implemented by web servers to enhance browser security. It introduces headers like HSTS, X-Frame-Options, Expect-CT, Content-Security-Policy, XSS-Protection and X-Content-Type-Options. It explains what each header does, potential attacks it prevents, and sample implementations. Code snippets are provided for common web servers like Apache, Nginx and IIS. The document aims to help web developers understand and apply these headers to make user experience more secure.

Education
1 of 27
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
HTTP SECURITY HEADERS (Protection For Browsers)
BIO Bug bounty student by night – 1st Private Invite on Hackerone • Emmanuel JK Gbordzor ISO 27001 LI, CISA, CCNA, CCNA-Security, ITILv3, … 11 years in IT – About 2 years In Security Information Security Manager @ PaySwitch Head, Network & Infrastructure @ PaySwitch Head of IT @ Financial Institution
Introduction • In this presentation, I will introduce you to HyperText Transfer Protocol (HTTP) response security headers. • By specifying expected and allowable behaviors, we will see how security headers can prevent a number of attacks against websites. • I’ll explain some of the different HTTP response headers that a web server can include in a response, and what impact they can have on the security of the web browser. • How web developers can implement these security headers to make user experience more secure
A Simple Look At Web Browsing
Snippet At The Request And Response Headers
Why Browser Security Headers? Browser Security Headers help: ➢ to define whether a set of security precautions should be activated or deactivated on the web browser. ➢ to reinforce the security of your web browser to fend off attacks and to mitigate vulnerabilities. ➢ in fighting client side (browser) attacks such as clickjacking, injections, Multipurpose Internet Mail Extensions (MIME) sniffing, Cross-Site Scripting (XSS), etc.
Content / Context HTTP STRICT TRANSPORT SECURITY (HSTS) X-FRAME-OPTIONS EXPECT-CT CONTENT-SECURITY- POLICY X-XSS-PROTECTION X-CONTENT-TYPE- OPTIONS
HTTP Strict Transport Security (HSTS) • HSTS header forces browsers to communicate using secure (HTTPS) connection. • Protects against “downgrade attacks” • When configured with the “Preload” option, it can prevent Man-In-The-Middle (MiTM) attack • “Preload” - https://hstspreload.org/ - from google
HTTP Redirection To HTTPS
HTTP Redirection To HTTPS - Continued
HTTP Strict Transport Security (HSTS) - Implementation Syntax: Strict-Transport-Security: max-age=<expire-time> includeSubDomains preload Apache: Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload“ Nginx: add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload'; Microsoft IIS: Name: Strict-Transport-Security Value: max-age=31536000; includeSubDomains; preload
X-Frame- Options • An iFrame is an element that allows a web app to be nested within a parent web app. • Can be used maliciously for a clickjacking attack or loading a malicious website inside the frame Prevention: • Frame busting • X-Frame-Option Header
X-Frame-Options - Implementation Apache: Header always set X-Frame-Options “deny” Nginx: add_header X-Frame-Options “DENY”; WordPress: header('X-Frame-Options: DENY); Microsoft IIS: Name: X-Frame-Options Value: DENY Syntax: X-Frame-Options: deny sameorigin allow-from url (deprecated)
Expect-CT • HTTP Public Key Pinning (HPKP) header is being deprecated to Expect-CT • Expect-CT detects certificates issued by rogue Certificate Authorities (CA) or prevents them from doing so • This header prevents MiTM attack against compromised Certificate Authority (CA) and rogue issued certificate
Expect-CT - Implementation Apache: Header set Expect-CT 'enforce, max-age=86400, report-uri="https://foo.example/report“’ Nginx: add_header Expect-CT 'max-age=60, report-uri="https://mydomain.com/report"'; Syntax: Expect-CT: max-age enforce report-uri
Content-Security-Policy (CSP) When this header is well implemented, there is no need to implement “X-Frame-Options” and “X-XSS- Protection” headers This helps prevents XSS, clickjacking, code injection, etc., attacks This header helps you to whitelist sources of approved content into your browser hence, preventing the browser from loading malicious assets.
Content-Security-Policy - Directives Keywords: *, none, self, hosts Content-Security-Policy: default-src Serves as a fallback for the other fetch directives font-src Specifies valid sources for fonts loaded frame-src Sources for nested contexts such as <frame> and <iframe> img-src Sources of images and favicons media-src Valid sources for loading <audio>, <video> & <track> object-src Sources for the <object>, <embed> and <applet> elements script-src Specifies valid sources for JavaScript style-src Specifies valid sources for stylesheets report-uri Reports violations
CSP Sample - https://haveibeenpwned.com content-security-policy: default-src 'none';script-src 'self' www.google-analytics.com www.google.com www.gstatic. js.stripe.com ajax.cloudflare.com;style-src 'self' 'unsafe-inline' cdnjs.cloudflare.com;img-src 'self' www.google-analytics.com stats.g.doubleclick.net www.gstatic.com;font-src 'self' cdnjs.cloudflare.com fonts.gstatic.com;base-uri 'self';child-src www.google.com js.stripe.com;frame-ancestors 'none';report-uri https://troyhunt.report- uri.com/r/d/csp/enforce.com/en_US/i/scr/pixel.gif;"
X-XSS- Protection These header detect dangerous HTML input and either prevent the site from loading or remove potentially malicious scripts
X-XSS-Protection - Implementation Syntax: X-XSS-Protection: 0 1 mode=block Apache: Header set X-XSS-Protection "1; mode=block“ Nginx: add_header X-XSS-Protection "1; mode=block"; Microsoft IIS: Name: X-XSS-Protection Value: 1; mode=block
X-Content-Type-Options • For your seamless experience on the web, MIME sniffing of resource was introduced. • Adversely, an attacker can introduce a malicious executable script such as an image. When acted on by MIME sniffing could have the script executed.
X-Content-Type-Options - Implementation Syntax: X-Content-Type-Options: nosniff Apache: Header set X-Content-Type-Options nosniff Nginx: add_header X-Content-Type-Options nosniff; Microsoft IIS: Name: X-Content-Type-Options Value: nosniff
Demo Time – Clickjacking – iFrame injection – Harlem shake https://127.0.0.1/mutillidae/
Takeaways • Enforce HTTPS using the Strict-Transport-Security header and add your domain to Chrome’s preload list. • Make your web app more robust against XSS by leveraging the X-XSS- Protection header. • Block clickjacking using the X-Frame-Options header. • Leverage Content-Security-Policy to whitelist specific sources and endpoints. • Prevent MIME-sniffing attacks using the X-Content-Type-Options header.
Resources / Tools • Check Website HTTP Response Header – https://gf.dev/http-headers-test • Secure Headers Test – https://gf.dev/secure-headers-test • Scott Helme – Security Header Scanner – https://securityheaders.com • HTTP Headers Reference – https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers • HTTP Compatibility Among Browsers – https://caniuse.com
References • https://www.netsparker.com/whitepaper-http- security-headers • https://www.ntu.edu.sg/home/ehchua/programming/ webprogramming/HTTP_Basics.html • https://owasp.org/www-chapter-ghana/#div- pastevents • https://www.keycdn.com/blog/http-security-headers
THANK YOU Let’s Connect: @egbordzor linkedin.com/in/egbordzor egbordzor@protonmail.com Questions And Answers

More Related Content

PDF
Browser Wars 2019 - Implementing a Content Security Policy
George Boobyer
 
PDF
Rails security: above and beyond the defaults
Matias Korhonen
 
PDF
Content Security Policy (CSP)
Arun Kumar
 
PDF
Content Security Policy
Austin Gil
 
PPTX
Protecting Web App users in today’s hostile environment
ajitdhumale
 
PPTX
Ignite content security policy
jstack
 
PDF
Web Security - CSP & Web Cryptography
Samsung Open Source Group
 
PPTX
Analysis of HTTP Security Headers in Turkey
Dr. Emin İslam Tatlı
 
Browser Wars 2019 - Implementing a Content Security Policy
George Boobyer
 
Rails security: above and beyond the defaults
Matias Korhonen
 
Content Security Policy (CSP)
Arun Kumar
 
Content Security Policy
Austin Gil
 
Protecting Web App users in today’s hostile environment
ajitdhumale
 
Ignite content security policy
jstack
 
Web Security - CSP & Web Cryptography
Samsung Open Source Group
 
Analysis of HTTP Security Headers in Turkey
Dr. Emin İslam Tatlı
 

Similar to HTTP_Header_Security.pdf (20)

PDF
Content-Security-Policy 2018.0
Philippe Gamache
 
PDF
Csp and http headers
devObjective
 
PDF
Csp and http headers
ColdFusionConference
 
PDF
CONFidence 2018: Defense-in-depth techniques for modern web applications and ...
PROIDEA
 
PPT
Top Ten Web Hacking Techniques – 2008
Jeremiah Grossman
 
PDF
Content Security Policy - Lessons learned at Yahoo
Binu Ramakrishnan
 
PDF
http security response headers for web security
Olatunji Adetunji
 
PDF
Defeating Cross-Site Scripting with Content Security Policy (updated)
Francois Marier
 
PDF
Cabeçalhos de Segurança HTTP
Ismael Goncalves
 
PDF
Rails and Content Security Policies
Matias Korhonen
 
PDF
HTTP Security Headers
Ismael Goncalves
 
PPTX
D3LDN17 - Recruiting the Browser
Imperva Incapsula
 
PDF
Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Philippe De Ryck
 
PPTX
W3 conf hill-html5-security-realities
Brad Hill
 
PPTX
Content Security Policy - The application security Swiss Army Knife
Scott Helme
 
PDF
Web Development Security
Rafael Monteiro
 
PDF
Web Application Security 2nd Edition (Early Release) Andrew Hoffman
dirosochaniz
 
PPTX
W3 conf hill-html5-security-realities
Brad Hill
 
PDF
2015-04-25-content-security-policy
Sastry Tumuluri
 
PDF
Web Application Security 2nd Edition (Early Release) Andrew Hoffman
haskgeilyn
 
Content-Security-Policy 2018.0
Philippe Gamache
 
Csp and http headers
devObjective
 
Csp and http headers
ColdFusionConference
 
CONFidence 2018: Defense-in-depth techniques for modern web applications and ...
PROIDEA
 
Top Ten Web Hacking Techniques – 2008
Jeremiah Grossman
 
Content Security Policy - Lessons learned at Yahoo
Binu Ramakrishnan
 
http security response headers for web security
Olatunji Adetunji
 
Defeating Cross-Site Scripting with Content Security Policy (updated)
Francois Marier
 
Cabeçalhos de Segurança HTTP
Ismael Goncalves
 
Rails and Content Security Policies
Matias Korhonen
 
HTTP Security Headers
Ismael Goncalves
 
D3LDN17 - Recruiting the Browser
Imperva Incapsula
 
Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Philippe De Ryck
 
W3 conf hill-html5-security-realities
Brad Hill
 
Content Security Policy - The application security Swiss Army Knife
Scott Helme
 
Web Development Security
Rafael Monteiro
 
Web Application Security 2nd Edition (Early Release) Andrew Hoffman
dirosochaniz
 
W3 conf hill-html5-security-realities
Brad Hill
 
2015-04-25-content-security-policy
Sastry Tumuluri
 
Web Application Security 2nd Edition (Early Release) Andrew Hoffman
haskgeilyn
 
Ad

Recently uploaded (20)

PDF
Basic Mud Logging Guide for educational purpose
wdandworks
 
PDF
Insiders guide to clinical Medicine.pdf
AbhishekPatil315128
 
PPTX
IMMUNITY IMMUNITY refers to protection against infection, and the immune syst...
shilpa939953
 
PDF
RMMM.pdf make it easy to upload and study
sajedul2
 
PDF
3rd Neelam Sanjeevareddy Memorial Lecture.pdf
Academy of Grassroots Studies and Research of India (AGRASRI)
 
PPTX
Pharmacology of Heart Failure /Pharmacotherapy of CHF
Rajshri Ghogare
 
PDF
01-Introduction-to-Information-Management.pdf
PrinceIbarra
 
PDF
Sports Quiz easy sports quiz sports quiz
nikunj2757
 
PDF
Computing-Curriculum for Schools in Ghana
abigailanane203
 
PDF
TR - Agricultural Crops Production NC III.pdf
avgilmegino3
 
PDF
Microbial disease of the cardiovascular and lymphatic systems
KeyaSharma
 
PDF
Anesthesia in Laparoscopic Surgery in India
mohitsuren827
 
PDF
2.FourierTransform-ShortQuestionswithAnswers.pdf
Raji Murugan
 
PDF
STATICS OF THE RIGID BODIES Hibbelers.pdf
pascualasturiaskaye4
 
PDF
The Lost Whites of Pakistan by Jahanzaib Mughal.pdf
jahanzaibmughal6
 
PDF
Physiotherapy_for_Respiratory_and_Cardiac_Problems WEBBER.pdf
DrMONISHAphysio
 
PPTX
Microbial diseases, their pathogenesis and prophylaxis
DevlinaSengupta
 
PDF
Black Hat USA 2025 - Micro ICS Summit - ICS/OT Threat Landscape
Chris Sistrunk
 
PPTX
Introduction_to_Human_Anatomy_and_Physiology_for_B.Pharm.pptx
chetansingh379583
 
PPTX
Pharma ospi slides which help in ospi learning
rameetkumar304
 
Basic Mud Logging Guide for educational purpose
wdandworks
 
Insiders guide to clinical Medicine.pdf
AbhishekPatil315128
 
IMMUNITY IMMUNITY refers to protection against infection, and the immune syst...
shilpa939953
 
RMMM.pdf make it easy to upload and study
sajedul2
 
3rd Neelam Sanjeevareddy Memorial Lecture.pdf
Academy of Grassroots Studies and Research of India (AGRASRI)
 
Pharmacology of Heart Failure /Pharmacotherapy of CHF
Rajshri Ghogare
 
01-Introduction-to-Information-Management.pdf
PrinceIbarra
 
Sports Quiz easy sports quiz sports quiz
nikunj2757
 
Computing-Curriculum for Schools in Ghana
abigailanane203
 
TR - Agricultural Crops Production NC III.pdf
avgilmegino3
 
Microbial disease of the cardiovascular and lymphatic systems
KeyaSharma
 
Anesthesia in Laparoscopic Surgery in India
mohitsuren827
 
2.FourierTransform-ShortQuestionswithAnswers.pdf
Raji Murugan
 
STATICS OF THE RIGID BODIES Hibbelers.pdf
pascualasturiaskaye4
 
The Lost Whites of Pakistan by Jahanzaib Mughal.pdf
jahanzaibmughal6
 
Physiotherapy_for_Respiratory_and_Cardiac_Problems WEBBER.pdf
DrMONISHAphysio
 
Microbial diseases, their pathogenesis and prophylaxis
DevlinaSengupta
 
Black Hat USA 2025 - Micro ICS Summit - ICS/OT Threat Landscape
Chris Sistrunk
 
Introduction_to_Human_Anatomy_and_Physiology_for_B.Pharm.pptx
chetansingh379583
 
Pharma ospi slides which help in ospi learning
rameetkumar304
 
Ad

HTTP_Header_Security.pdf

  • 2. BIO Bug bounty student by night – 1st Private Invite on Hackerone • Emmanuel JK Gbordzor ISO 27001 LI, CISA, CCNA, CCNA-Security, ITILv3, … 11 years in IT – About 2 years In Security Information Security Manager @ PaySwitch Head, Network & Infrastructure @ PaySwitch Head of IT @ Financial Institution
  • 3. Introduction • In this presentation, I will introduce you to HyperText Transfer Protocol (HTTP) response security headers. • By specifying expected and allowable behaviors, we will see how security headers can prevent a number of attacks against websites. • I’ll explain some of the different HTTP response headers that a web server can include in a response, and what impact they can have on the security of the web browser. • How web developers can implement these security headers to make user experience more secure
  • 4. A Simple Look At Web Browsing
  • 5. Snippet At The Request And Response Headers
  • 6. Why Browser Security Headers? Browser Security Headers help: ➢ to define whether a set of security precautions should be activated or deactivated on the web browser. ➢ to reinforce the security of your web browser to fend off attacks and to mitigate vulnerabilities. ➢ in fighting client side (browser) attacks such as clickjacking, injections, Multipurpose Internet Mail Extensions (MIME) sniffing, Cross-Site Scripting (XSS), etc.
  • 7. Content / Context HTTP STRICT TRANSPORT SECURITY (HSTS) X-FRAME-OPTIONS EXPECT-CT CONTENT-SECURITY- POLICY X-XSS-PROTECTION X-CONTENT-TYPE- OPTIONS
  • 8. HTTP Strict Transport Security (HSTS) • HSTS header forces browsers to communicate using secure (HTTPS) connection. • Protects against “downgrade attacks” • When configured with the “Preload” option, it can prevent Man-In-The-Middle (MiTM) attack • “Preload” - https://hstspreload.org/ - from google
  • 10. HTTP Redirection To HTTPS - Continued
  • 11. HTTP Strict Transport Security (HSTS) - Implementation Syntax: Strict-Transport-Security: max-age=<expire-time> includeSubDomains preload Apache: Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload“ Nginx: add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload'; Microsoft IIS: Name: Strict-Transport-Security Value: max-age=31536000; includeSubDomains; preload
  • 12. X-Frame- Options • An iFrame is an element that allows a web app to be nested within a parent web app. • Can be used maliciously for a clickjacking attack or loading a malicious website inside the frame Prevention: • Frame busting • X-Frame-Option Header
  • 13. X-Frame-Options - Implementation Apache: Header always set X-Frame-Options “deny” Nginx: add_header X-Frame-Options “DENY”; WordPress: header('X-Frame-Options: DENY); Microsoft IIS: Name: X-Frame-Options Value: DENY Syntax: X-Frame-Options: deny sameorigin allow-from url (deprecated)
  • 14. Expect-CT • HTTP Public Key Pinning (HPKP) header is being deprecated to Expect-CT • Expect-CT detects certificates issued by rogue Certificate Authorities (CA) or prevents them from doing so • This header prevents MiTM attack against compromised Certificate Authority (CA) and rogue issued certificate
  • 15. Expect-CT - Implementation Apache: Header set Expect-CT 'enforce, max-age=86400, report-uri="https://foo.example/report“’ Nginx: add_header Expect-CT 'max-age=60, report-uri="https://mydomain.com/report"'; Syntax: Expect-CT: max-age enforce report-uri
  • 16. Content-Security-Policy (CSP) When this header is well implemented, there is no need to implement “X-Frame-Options” and “X-XSS- Protection” headers This helps prevents XSS, clickjacking, code injection, etc., attacks This header helps you to whitelist sources of approved content into your browser hence, preventing the browser from loading malicious assets.
  • 17. Content-Security-Policy - Directives Keywords: *, none, self, hosts Content-Security-Policy: default-src Serves as a fallback for the other fetch directives font-src Specifies valid sources for fonts loaded frame-src Sources for nested contexts such as <frame> and <iframe> img-src Sources of images and favicons media-src Valid sources for loading <audio>, <video> & <track> object-src Sources for the <object>, <embed> and <applet> elements script-src Specifies valid sources for JavaScript style-src Specifies valid sources for stylesheets report-uri Reports violations
  • 18. CSP Sample - https://haveibeenpwned.com content-security-policy: default-src 'none';script-src 'self' www.google-analytics.com www.google.com www.gstatic. js.stripe.com ajax.cloudflare.com;style-src 'self' 'unsafe-inline' cdnjs.cloudflare.com;img-src 'self' www.google-analytics.com stats.g.doubleclick.net www.gstatic.com;font-src 'self' cdnjs.cloudflare.com fonts.gstatic.com;base-uri 'self';child-src www.google.com js.stripe.com;frame-ancestors 'none';report-uri https://troyhunt.report- uri.com/r/d/csp/enforce.com/en_US/i/scr/pixel.gif;"
  • 19. X-XSS- Protection These header detect dangerous HTML input and either prevent the site from loading or remove potentially malicious scripts
  • 20. X-XSS-Protection - Implementation Syntax: X-XSS-Protection: 0 1 mode=block Apache: Header set X-XSS-Protection "1; mode=block“ Nginx: add_header X-XSS-Protection "1; mode=block"; Microsoft IIS: Name: X-XSS-Protection Value: 1; mode=block
  • 21. X-Content-Type-Options • For your seamless experience on the web, MIME sniffing of resource was introduced. • Adversely, an attacker can introduce a malicious executable script such as an image. When acted on by MIME sniffing could have the script executed.
  • 22. X-Content-Type-Options - Implementation Syntax: X-Content-Type-Options: nosniff Apache: Header set X-Content-Type-Options nosniff Nginx: add_header X-Content-Type-Options nosniff; Microsoft IIS: Name: X-Content-Type-Options Value: nosniff
  • 23. Demo Time – Clickjacking – iFrame injection – Harlem shake https://127.0.0.1/mutillidae/
  • 24. Takeaways • Enforce HTTPS using the Strict-Transport-Security header and add your domain to Chrome’s preload list. • Make your web app more robust against XSS by leveraging the X-XSS- Protection header. • Block clickjacking using the X-Frame-Options header. • Leverage Content-Security-Policy to whitelist specific sources and endpoints. • Prevent MIME-sniffing attacks using the X-Content-Type-Options header.
  • 25. Resources / Tools • Check Website HTTP Response Header – https://gf.dev/http-headers-test • Secure Headers Test – https://gf.dev/secure-headers-test • Scott Helme – Security Header Scanner – https://securityheaders.com • HTTP Headers Reference – https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers • HTTP Compatibility Among Browsers – https://caniuse.com
  • 26. References • https://www.netsparker.com/whitepaper-http- security-headers • https://www.ntu.edu.sg/home/ehchua/programming/ webprogramming/HTTP_Basics.html • https://owasp.org/www-chapter-ghana/#div- pastevents • https://www.keycdn.com/blog/http-security-headers