HTTP SECURITY HEADERS
(Protection For Browsers)
BIO
Emmanuel JK Gbordzor
• Bug bounty student by night – 1st private invite on HackerOne
• ISO 27001 LI, CISA, CCNA, CCNA-Security, ITILv3, …
• 11 years in IT – about 2 years in security
• Information Security Manager @ PaySwitch
• Head, Network & Infrastructure @ PaySwitch
• Head of IT @ Financial Institution
Introduction
• In this presentation, I will introduce you to HyperText Transfer Protocol (HTTP) response security headers.
• By specifying expected and allowable behaviors, we will see how security headers can prevent a number of attacks against websites.
• I’ll explain some of the different HTTP response headers that a web server can include in a response, and what impact they can have on the security of the web browser.
• I’ll also show how web developers can implement these security headers to make the user experience more secure.
A Simple Look At Web Browsing
Snippet At The Request And Response Headers
Why Browser Security Headers?
Browser security headers help:
➢ to define whether a set of security precautions should be activated or deactivated in the web browser.
➢ to reinforce the security of your web browser, to fend off attacks and to mitigate vulnerabilities.
➢ in fighting client-side (browser) attacks such as clickjacking, injections, Multipurpose Internet Mail Extensions (MIME) sniffing, Cross-Site Scripting (XSS), etc.
Content / Context
• HTTP Strict Transport Security (HSTS)
• X-Frame-Options
• Expect-CT
• Content-Security-Policy
• X-XSS-Protection
• X-Content-Type-Options
HTTP Strict Transport Security (HSTS)
• The HSTS header forces browsers to communicate over a secure (HTTPS) connection.
• Protects against “downgrade attacks”.
• When configured with the “preload” option, it can prevent Man-In-The-Middle (MiTM) attacks.
• “Preload” - https://hstspreload.org/ - from Google
HTTP Redirection To HTTPS
HTTP Redirection To HTTPS - Continued
HTTP Strict Transport Security (HSTS) - Implementation
Syntax:
Strict-Transport-Security: max-age=<expire-time>[; includeSubDomains][; preload]
Apache:
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Nginx:
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
Microsoft IIS:
Name: Strict-Transport-Security
Value: max-age=31536000; includeSubDomains; preload
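The following is an added example (not code from the presentation) that parses a Strict-Transport-Security value as a browser would and checks it against the deployment shown above, including the one-year minimum, includeSubDomains and preload that hstspreload.org requires before a domain can be submitted.

```python
"""Parse and audit a Strict-Transport-Security header value.
Added example, not code from the presentation."""
from dataclasses import dataclass
from typing import List, Optional

# The value used on the slide (one year) is also the minimum hstspreload.org accepts.
ONE_YEAR = 31536000


@dataclass
class HstsPolicy:
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> HstsPolicy:
    """Split the header into ';'-separated directives.
    Directive names are case-insensitive; unknown directives are ignored, as browsers do."""
    max_age: Optional[int] = None
    include_subdomains = preload = False
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                raise ValueError(f"max-age must be a non-negative integer, got {arg!r}")
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return HstsPolicy(max_age, include_subdomains, preload)


def audit_hsts(value: str) -> List[str]:
    """Findings a reviewer would raise before submitting the domain to the preload list.
    An empty list means the header matches the slide's recommended deployment."""
    findings: List[str] = []
    policy = parse_hsts(value)
    if policy.max_age is None:
        findings.append("missing max-age: header is ignored by browsers")
        return findings
    if policy.max_age == 0:
        findings.append("max-age=0 removes the policy rather than enforcing it")
    elif policy.max_age < ONE_YEAR:
        findings.append(f"max-age={policy.max_age} is below the one-year preload minimum")
    if not policy.include_subdomains:
        findings.append("includeSubDomains missing: subdomains stay reachable over HTTP")
    if not policy.preload:
        findings.append("preload missing: domain cannot be submitted to the preload list")
    return findings


if __name__ == "__main__":
    for header in ("max-age=31536000; includeSubDomains; preload", "max-age=86400"):
        print(header, "->", audit_hsts(header) or "OK")
```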
X-Frame-Options
• An <iframe> is an element that allows a web app to be nested within a parent web app.
• It can be used maliciously for a clickjacking attack, or to load a malicious website inside the frame.
Prevention:
• Frame busting
• X-Frame-Options header
X-Frame-Options - Implementation
Apache:
Header always set X-Frame-Options "DENY"
Nginx:
add_header X-Frame-Options "DENY";
WordPress:
header('X-Frame-Options: DENY');
Microsoft IIS:
Name: X-Frame-Options
Value: DENY
Syntax:
X-Frame-Options: DENY | SAMEORIGIN | ALLOW-FROM <url> (deprecated)
Expect-CT
• The HTTP Public Key Pinning (HPKP) header is being deprecated in favour of Expect-CT.
• Expect-CT detects certificates issued by rogue Certificate Authorities (CAs), or prevents them from being accepted.
• This header prevents MiTM attacks that rely on a compromised Certificate Authority (CA) and a rogue issued certificate.
Expect-CT - Implementation
Apache:
Header set Expect-CT 'enforce, max-age=86400, report-uri="https://foo.example/report"'
Nginx:
add_header Expect-CT 'max-age=60, report-uri="https://mydomain.com/report"';
Syntax:
Expect-CT: max-age=<seconds>[, enforce][, report-uri="<uri>"]
Content-Security-Policy (CSP)
• When this header is well implemented, there is no need to implement the “X-Frame-Options” and “X-XSS-Protection” headers.
• It helps prevent XSS, clickjacking, code injection and similar attacks.
• The header lets you whitelist the sources of approved content for the browser, hence preventing the browser from loading malicious assets.
Content-Security-Policy - Directives
Keywords: *, 'none', 'self', hosts
Content-Security-Policy:
• default-src – Serves as a fallback for the other fetch directives
• font-src – Specifies valid sources for fonts loaded
• frame-src – Sources for nested contexts such as <frame> and <iframe>
• img-src – Sources of images and favicons
• media-src – Valid sources for loading <audio>, <video> and <track>
• object-src – Sources for the <object>, <embed> and <applet> elements
• script-src – Specifies valid sources for JavaScript
• style-src – Specifies valid sources for stylesheets
• report-uri – Reports violations
CSP Sample - https://haveibeenpwned.com
content-security-policy: default-src 'none';script-src 'self' www.google-analytics.com www.google.com www.gstatic. js.stripe.com ajax.cloudflare.com;style-src 'self' 'unsafe-inline' cdnjs.cloudflare.com;img-src 'self' www.google-analytics.com stats.g.doubleclick.net www.gstatic.com;font-src 'self' cdnjs.cloudflare.com fonts.gstatic.com;base-uri 'self';child-src www.google.com js.stripe.com;frame-ancestors 'none';report-uri https://troyhunt.report-uri.com/r/d/csp/enforce.com/en_US/i/scr/pixel.gif;"
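As an added example (not code from the presentation), the parser below splits a policy of the same shape as the sample above into its directives, applies the default-src fallback the way browsers do, and flags what the policy leaves open, including whether frame-ancestors makes X-Frame-Options redundant as the CSP slide claims. SAMPLE_CSP is a constructed, shortened policy modelled on the haveibeenpwned.com one.

```python
"""Parse and audit a Content-Security-Policy value.
Added example, not code from the presentation; SAMPLE_CSP is constructed."""
from typing import Dict, List

# Fetch directives from the slide's table: each falls back to default-src when absent.
FETCH_DIRECTIVES = ("script-src", "style-src", "img-src", "font-src",
                    "media-src", "object-src", "frame-src", "child-src")

SAMPLE_CSP = (  # constructed for this example, same shape as the sample above
    "default-src 'none'; script-src 'self' www.google-analytics.com js.stripe.com; "
    "style-src 'self' 'unsafe-inline' cdnjs.cloudflare.com; img-src 'self'; "
    "font-src 'self' fonts.gstatic.com; base-uri 'self'; "
    "frame-ancestors 'none'; report-uri https://csp-report.example/r"
)


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Directives are ';'-separated; the first token is the name, the rest are sources."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name in directives:  # CSP keeps the first occurrence and ignores duplicates
            continue
        directives[name] = tokens[1:]
    return directives


def effective_sources(directives: Dict[str, List[str]], name: str) -> List[str]:
    """Resolve a directive, falling back to default-src for fetch directives only."""
    if name in directives:
        return directives[name]
    if name in FETCH_DIRECTIVES:
        return directives.get("default-src", ["*"])  # nothing set at all: allow everything
    return []  # frame-ancestors, base-uri, etc. never inherit from default-src


def audit_csp(policy: str) -> List[str]:
    """Findings a reviewer would raise; an empty list means nothing to report."""
    d = parse_csp(policy)
    findings: List[str] = []
    for name in ("script-src", "style-src"):
        if "'unsafe-inline'" in effective_sources(d, name):
            findings.append(f"{name} allows 'unsafe-inline'")
    if effective_sources(d, "object-src") != ["'none'"]:
        findings.append("object-src is not 'none': <object>/<embed> content can load")
    if "frame-ancestors" not in d:
        findings.append("no frame-ancestors: X-Frame-Options is still needed against clickjacking")
    if not set(d.get("base-uri", [])) & {"'self'", "'none'"}:
        findings.append("base-uri unrestricted: an injected <base> tag can redirect relative URLs")
    if "report-uri" not in d and "report-to" not in d:
        findings.append("no report-uri/report-to: violations go unreported")
    return findings


if __name__ == "__main__":
    print(audit_csp(SAMPLE_CSP))
```

Note that object-src is absent from SAMPLE_CSP yet resolves to 'none' through default-src, which is exactly the fallback the directives slide describes.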
X-XSS-Protection
This header detects dangerous HTML input and either prevents the page from loading or removes the potentially malicious scripts.
X-XSS-Protection - Implementation
Syntax:
X-XSS-Protection: 0 | 1 | 1; mode=block
Apache:
Header set X-XSS-Protection "1; mode=block"
Nginx:
add_header X-XSS-Protection "1; mode=block";
Microsoft IIS:
Name: X-XSS-Protection
Value: 1; mode=block
X-Content-Type-Options
• MIME sniffing of resources was introduced to give you a seamless experience on the web.
• Adversely, an attacker can serve a malicious executable script disguised as an image; when MIME sniffing acts on it, the script could be executed.
X-Content-Type-Options - Implementation
Syntax:
X-Content-Type-Options: nosniff
Apache:
Header set X-Content-Type-Options nosniff
Nginx:
add_header X-Content-Type-Options nosniff;
Microsoft IIS:
Name: X-Content-Type-Options
Value: nosniff
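The following is an added example (not code from the presentation) that audits the three single-value headers covered on the X-Frame-Options, X-XSS-Protection and X-Content-Type-Options slides in a captured response, handling case-insensitive names and values and the deprecated ALLOW-FROM form. RESPONSE_HEADERS is a constructed response.

```python
"""Audit X-Frame-Options, X-XSS-Protection and X-Content-Type-Options.
Added example, not code from the presentation; the response is constructed."""
from typing import Dict, List

# Constructed: a response that sets the slide's headers, but in a slightly sloppy way.
RESPONSE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "x-frame-options": "sameorigin",   # lower-case name and value are still valid
    "X-XSS-Protection": "1",           # filter on, but without mode=block
    "X-Content-Type-Options": "nosniff",
}


def header(headers: Dict[str, str], name: str) -> str:
    """HTTP header names are case-insensitive; returns '' when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""


def check_frame_options(value: str) -> List[str]:
    v = value.upper()
    if not v:
        return ["X-Frame-Options missing: page can be framed (clickjacking)"]
    if v in ("DENY", "SAMEORIGIN"):
        return []
    if v.startswith("ALLOW-FROM"):
        return ["ALLOW-FROM is deprecated and ignored by current browsers; use CSP frame-ancestors"]
    return [f"X-Frame-Options value {value!r} is invalid and will be ignored"]


def check_xss_protection(value: str) -> List[str]:
    tokens = [t.strip().lower() for t in value.split(";") if t.strip()]
    if not tokens:
        return ["X-XSS-Protection missing: browser default applies"]
    if tokens[0] == "0":
        return []  # the slide's '0' syntax: filter explicitly disabled
    if tokens[0] != "1":
        return [f"X-XSS-Protection value {value!r} is invalid"]
    if "mode=block" not in tokens:
        return ["X-XSS-Protection: 1 without mode=block only sanitises; add mode=block"]
    return []


def check_content_type_options(value: str) -> List[str]:
    if value.lower() != "nosniff":
        return ["X-Content-Type-Options is not 'nosniff': browser may sniff MIME types"]
    return []


def audit(headers: Dict[str, str]) -> List[str]:
    """Collect findings for the three headers; an empty list means all three are set well."""
    return (check_frame_options(header(headers, "X-Frame-Options"))
            + check_xss_protection(header(headers, "X-XSS-Protection"))
            + check_content_type_options(header(headers, "X-Content-Type-Options")))


if __name__ == "__main__":
    print(audit(RESPONSE_HEADERS))
```

Current Chromium-based browsers and Firefox no longer implement the XSS filter that X-XSS-Protection controls, so the check above reports on the header's form only; the CSP slide's advice is what actually blocks injected scripts there.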
Demo Time
– Clickjacking
– iFrame injection
– Harlem shake
https://127.0.0.1/mutillidae/
Takeaways
• Enforce HTTPS using the Strict-Transport-Security header and add your
domain to Chrome’s preload list.
• Make your web app more robust against XSS by leveraging the X-XSS-Protection header.
• Block clickjacking using the X-Frame-Options header.
• Leverage Content-Security-Policy to whitelist specific sources and
endpoints.
• Prevent MIME-sniffing attacks using the X-Content-Type-Options header.
Resources / Tools
• Check Website HTTP Response Header
– https://gf.dev/http-headers-test
• Secure Headers Test
– https://gf.dev/secure-headers-test
• Scott Helme – Security Header Scanner
– https://securityheaders.com
• HTTP Headers Reference
– https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers
• HTTP Compatibility Among Browsers
– https://caniuse.com
References
• https://www.netsparker.com/whitepaper-http-security-headers
• https://www.ntu.edu.sg/home/ehchua/programming/webprogramming/HTTP_Basics.html
• https://owasp.org/www-chapter-ghana/#div-pastevents
• https://www.keycdn.com/blog/http-security-headers
THANK YOU
Let’s Connect:
@egbordzor
linkedin.com/in/egbordzor
egbordzor@protonmail.com
Questions And Answers