Welcome to Centmin Mod Community
Register Now

WebPerf Hardening Your HTTP Security Headers

Discussion in 'All Internet & Web Performance News' started by eva2000, Mar 11, 2016.

  1. eva2000

    eva2000 Administrator Staff Member

    29,016
    6,585
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,775
    Local Time:
    8:55 AM
    Nginx 1.13.x
    MariaDB 5.5
    There are a lot of things to consider to when securing your website or web application, but a good place to start is to explore your HTTP security headers and ensure you are keeping up with best practices. In many cases they are very easy to implement and only require a slight web server configuration change. HTTP security headers provide yet another layer of security by helping to mitigate attacks and security vulnerabilities. In this post we will explore some of them to help you better understand their purpose and how to implement them.


    What Are HTTP Security Headers?


    Whenever a browser requests a page from a web server, the server responds with the content along with HTTP Response Headers. Some of these headers contain content meta data such as the content-encoding, cache-control, status error codes, etc. Along with these are also HTTP security headers that tell your browser how to behave when handling your site’s content. For example, by using the strict-transport-security you can force the browser to communicate solely over HTTPS. There are six different HTTP security headers that we will explore below (in no particular order) that you should be aware of and we recommend implementing if possible.

    1. Content Security Policy


    The content-security-policy HTTP header provides an additional layer of security. This policy helps prevent attacks such as Cross Site Scripting (XSS) and other code injection attacks by defining content sources which are approved and thus allowing the browser to load them. [​IMG]

    All major browsers currently offer full or partial support for content security policy. And it won’t break delivery of the content if it does happen to be delivered to an older browser, it will simply not be executed.

    [​IMG]

    There are many directives which you can use with content security policy. This example below allows scripts from both the current domain (defined by ‘self’) as well as google-analytics.com.

    content-security-policy: script-src 'self' Google Analytics - Mobile, Premium and Free Website Analytics – Google

    To explore all of the directives, and to see implementation on Nginx and Apache, make sure to check out our in-depth post on Content Security Policy.

    2. X-XSS-Protection


    The x-xss-protection header is designed to enable the cross-site scripting (XSS) filter built into modern web browsers. This is usually enabled by default, but using it will enforce it. It is supported by Internet Explorer 8+, Chrome, and Safari. Here is an example of what the header looks like.

    x-xss-protection: 1; mode=block
    Enable in Nginx


    add_header x-xss-protection "1; mode=block" always;
    Enable in Apache


    header always set x-xss-protection "1; mode=block"
    3. HTTP Strict Transport Security (HSTS)


    The strict-transport-security header is a security enhancement that restricts web browsers to access web servers solely over HTTPS. This ensures the connection cannot be establish through an insecure HTTP connection which could be susceptible to attacks.

    [​IMG]

    All major modern browsers currently support HTTP strict transport security except for Opera Mini and versions previous of Internet Explorer.

    [​IMG]

    Here is an example of what the header looks like. You can include the max age, subdomains, and preload.

    strict-transport-security: max-age=31536000; includeSubDomains; preload

    To read more about this header and see implementation on Nginx and Apache, make sure to check out our in-depth post on HTTP Strict Transport Security.

    4. X-Frame-Options


    The x-frame-options header provides clickjacking protection by not allowing iframes to load on your site. It is supported by IE 8+, Chrome 4.1+, Firefox 3.6.9+, Opera 10.5+, Safari 4+. Here is an example of what the header looks like.

    x-frame-options: SAMEORIGIN
    Enable in Nginx


    add_header x-frame-options "SAMEORIGIN" always;
    Enable in Apache


    header always set x-frame-options "SAMEORIGIN"
    5. Public-Key-Pins


    The public-key-pins header tells the web browser to associate a public key with a certain web server to prevent MITM attacks using rogue and forged X.509 certificates. This protects users in case a certificate authority is compromised. Here is an example of what the header looks like.

    public-key-pins: pin-sha256="t/OMbKSZLWdYUDmhOyUzS+ptUbrdVgb6Tv2R+EMLxJM="; pin-sha256="PvQGL6PvKOp6Nk3Y9B7npcpeL40twdPwZ4kA2IiixqA="; pin-sha256="ZyZ2XrPkTuoiLk/BR5FseiIV/diN3eWnSewbAIUMcn8="; pin-sha256="0kDINA/6eVxlkns5z2zWv2/vHhxGne/W0Sau/ypt3HY="; pin-sha256="ktYQT9vxVN4834AQmuFcGlSysT1ZJAxg+8N1NkNG/N8="; pin-sha256="rwsQi0+82AErp+MzGE7UliKxbmJ54lR/oPheQFZURy8="; max-age=600; report-uri="CDN powered by KeyCDN | Content Delivery Made Easy"

    Scott Helme has an excellent tutorial on how to setup public key pinning.

    6. X-Content-Type-Options


    The x-content-type header prevents Internet Explorer and Google Chrome from sniffing a response away from the declared content-type. This helps reduce the danger of drive-by downloads and helps treat the content the right way. Here is an example of what the header looks like.

    x-content-type: nosniff
    Enable in Nginx


    add_header X-Content-Type-Options "nosniff" always;
    Enable in Apache


    Header always set X-Content-Type-Options "nosniff"
    How to Check Your HTTP Security Headers


    Below are three quick and easy ways to check your HTTP security headers, as part of your HTTP response headers.

    1. KeyCDN’s HTTP Header Check Tool


    KeyCDN has an online HTTP header check tool which you can easily use to retrieve which HTTP security headers are currently running on your website. Simply input the URL you want to check and click on “Request.”

    [​IMG]

    It will then return with your HTTP response headers.

    [​IMG]

    2. Chrome DevTools – Response Headers


    Another quick and easy way to access your HTTP security headers, as part of your response headers, is to fire up Chrome DevTools. To run this click into the “Network” panel press Ctrl + R (Cmd + R) to refresh the page. Click into your domain’s request and you will see a section for your response headers.

    [​IMG]

    3. Scan Your Site With securityheaders.io


    A third way to to check your HTTP security headers is to scan your site on securityheaders.io. This is a handy little little tool that was developed by Scott Helme, an information security consultant. It gives your site a score, based on present HTTP security headers, from an A+ grade down to an F grade. Make sure to bookmark it. Here is an example of an A+ grade on his own site.

    [​IMG]

    Here is an example of an F grade without any of the HTTP security headers present on Citi’s corporate site.

    [​IMG]

    It spits out both your raw HTTP headers and gives you a nice summary of each HTTP security header and what is missing.

    [​IMG]

    [​IMG]

    Scott also created both a Chrome extension and Firefox extension in which you can scan the HTTP security headers of a website you want to analyze. He did an analysis in February 2016 of the Alexa top 1 million sites to see what their HTTP security header usage was and the results might surprise you. The number of sites using the strict-transport-security header nearly doubled. So it appears more people are starting to implement them, especially now that many companies are making the transition to HTTPS. We recommend during an HTTPS migration to do a full evaluation of your current security policies.

    [​IMG]

    Summary


    As you can see HTTP security headers can help harden the security of your website and in most scenarios there is no reason not to use them. If you don’t control access to your own web servers we recommend reaching out to your webhost and let them know. Maybe send them a link from securityheaders.io, an F grade is never a good thing!

    Do you have any thoughts on HTTP security headers? If so, leave us a comment below.

    Related Articles

    Featured

    250GB Free Traffic
    Supercharge your Website Today with KeyCDN
    HTTP/2 – Free SSL – RESTful API – 24+ POPs – Instant Purge

    The post Hardening Your HTTP Security Headers appeared first on KeyCDN Blog.

    Continue reading...
     
    Last edited: Mar 11, 2016
    • Winner Winner x 1
    • Useful Useful x 1