Did you know that in most cases a security vulnerability can be eliminated simply by adding the necessary response headers?
Security is as important as content or search engine optimization. Thousands of sites are hacked because of configuration errors or insufficient protection. If you are a site owner or an information security specialist and want to protect a site from clickjacking, code injection, MIME type vulnerabilities, XSS attacks, etc., then this guide will be useful to you.
In this article, I'll cover different HTTP headers that you can use with various web servers, network appliances, or content delivery networks to increase the level of site security.
Remarks:
- Before making changes, I advise you to back up the configuration file;
- Some headers may not be supported by all browsers, so check compatibility before rolling them out;
- mod_headers must be enabled in Apache to use these headers. The following line must be uncommented in the httpd.conf file: LoadModule headers_module modules/mod_headers.so
If you use SUCURI Cloud WAF, you need not worry about configuring the server manually: most of these headers are already enabled automatically.
HTTP headers list
X-XSS-Protection
HTTP Strict Transport Security
X-Frame-Options
X-Content-Type-Options
HTTP Public Key Pinning
Content Security Policy
X-XSS-Protection
The X-XSS-Protection header can prevent some XSS ("cross-site scripting") attacks; it is supported by IE 8+, Chrome, Opera, Safari, and Android.
Google, Facebook and GitHub use this header, and most intrusion prevention consultants will recommend it to you.
In total there are four configuration options:

| Parameter value | Content |
|---|---|
| 0 | XSS filter disabled |
| 1 | The XSS filter is enabled, and if an attack is detected, the page is sanitized. |
| 1; mode=block | The XSS filter is enabled, and if an attack is detected, the browser blocks rendering of the page. |
| 1; report=http://example.com/report_URI | The XSS filter is enabled, and if an attack is detected, a violation report is sent to the given URI. |

Let's use 1; mode=block for the following web servers.
Apache HTTP Server
Add the following entry to your Apache server httpd.conf:
Header set X-XSS-Protection "1; mode=block"
Restart Apache to test.
Nginx
Add the following to the HTTP section of nginx.conf:
add_header X-XSS-Protection "1; mode=block";
You must restart Nginx for the changes to be reflected in the header of your site’s response.
MaxCDN
If you are using MaxCDN, then adding a header is a snap. Go to Edge Rules, click "New Rule" and select "Add X-XSS-Protection Header" from the drop-down list.
Microsoft IIS
- Open the IIS Manager;
- Select the site for which you want to add the header;
- Go to "HTTP response headers";
- Click "Add" in the Actions pane;
- Enter the name and value and click OK;
- Restart IIS to see the results.
HTTP Strict Transport Security
The HSTS (HTTP Strict Transport Security) header ensures that all communication from the browser is carried out over HTTPS (HTTP Secure). This prevents attempts to bypass HTTPS and redirects all HTTP requests to HTTPS.
Before you add this header, make sure that all pages on the site are accessible via HTTPS, otherwise they will not be displayed.
The HSTS header is compatible with the latest versions of most browsers (IE, Firefox, Opera, Safari and Chrome). There are three configuration options.
| Parameter value | Content |
|---|---|
| max-age | Interval (in seconds) for which the browser should send requests to the site only via HTTPS. |
| includeSubDomains | The policy also applies to subdomains. |
| preload | Use if you want to add the domain to the browsers' preloaded HSTS list. |

As an example, let's set up HSTS for a year and add the domain and subdomains to the preloaded HSTS list.
Apache HTTP Server
To use HSTS in Apache, add the following entry to the httpd.conf file:
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Restart Apache to see the result.
Nginx
To configure HSTS in Nginx, add the following entry to nginx.conf inside the server block that serves HTTPS (SSL):
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
As always, you have to restart Nginx to check.
Cloudflare
If you are using Cloudflare, you can enable HSTS in just a couple of mouse clicks.
- Log in to Cloudflare and select your site.
- Go to the "Crypto" tab and click "Enable HSTS."
Select the settings you need, and the changes will take effect immediately.
Microsoft IIS
Launch IIS Manager and add a header by going to the “HTTP response headers” for the corresponding site.
Restart the site.
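As an added example (not from the original article or from Chandan Kumar), here is a small parser for the Strict-Transport-Security value that also reports whether the policy is ready for the preload list the section mentions. The one-year threshold and the two required directives are my reading of the hstspreload.org submission rules and are stated here as an assumption; the sample values at the bottom are constructed.

```python
"""Parse and sanity-check a Strict-Transport-Security header value.

Added example, not from the original article. The preload thresholds below
are an assumption based on the published hstspreload.org submission
requirements: max-age of at least one year, plus includeSubDomains and preload.
"""
from dataclasses import dataclass
from typing import List, Optional

ONE_YEAR = 31536000  # seconds; the value the article uses for max-age


@dataclass
class HstsPolicy:
    max_age: Optional[int]      # None when the directive is missing or malformed
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> HstsPolicy:
    """Parse a directive list such as 'max-age=31536000; includeSubDomains; preload'.

    Directive names are case-insensitive. A non-numeric max-age is treated as
    missing, which mirrors browser behaviour: the whole header is then ignored.
    """
    max_age = None
    include_subdomains = False
    preload = False
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')  # max-age may be sent as a quoted-string
        if name == "max-age":
            if arg.isdigit():
                max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return HstsPolicy(max_age, include_subdomains, preload)


def hsts_problems(value: str) -> List[str]:
    """Return a list of findings; an empty list means the policy is preload-ready."""
    policy = parse_hsts(value)
    findings: List[str] = []
    if policy.max_age is None:
        findings.append("max-age missing or not an integer: browsers ignore the header")
    elif policy.max_age == 0:
        findings.append("max-age=0 tells browsers to forget the stored policy")
    elif policy.max_age < ONE_YEAR:
        findings.append(f"max-age={policy.max_age} is below one year ({ONE_YEAR})")
    if not policy.include_subdomains:
        findings.append("includeSubDomains missing: plain-HTTP subdomains stay reachable")
    if not policy.preload:
        findings.append("preload missing: the domain cannot be submitted to the preload list")
    return findings


if __name__ == "__main__":
    # Constructed sample values: the article's policy, a short one, a malformed one.
    for sample in ("max-age=31536000; includeSubDomains; preload",
                   "max-age=500",
                   "max-age=abc; includeSubDomains"):
        print(repr(sample), "->", hsts_problems(sample) or "OK")
```

Run it before enabling preload: once a domain is on the preload list, a short max-age or a missing includeSubDomains cannot be undone quickly, and every subdomain that is not yet on HTTPS stops working.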
X-Frame-Options
The X-Frame-Options header allows you to reduce the vulnerability of your site to clickjacking. This header instructs the browser not to load your page in a frame/iframe. Not all browsers support this option, so check the header for compatibility before adding it.
There are three configuration options.

| Parameter value | Content |
|---|---|
| SAMEORIGIN | Allows the page to be loaded in a frame/iframe only if the frame and the page loading it are on the same domain. |
| DENY | Forbids loading the page in a frame/iframe. |
| ALLOW-FROM | Allows the page to be loaded in frames only from a specific URI. |

Let's take a look at how to add the "DENY" configuration to disable embedding.
Apache
Add the following line to httpd.conf and restart the web server to verify:
Header always append X-Frame-Options DENY
Nginx
Add the following to nginx.conf inside the server block:
add_header X-Frame-Options "DENY";
A reboot is required to check the results.
F5 LTM
Create the following iRule for the corresponding virtual server:
when HTTP_RESPONSE { HTTP::header insert "X-FRAME-OPTIONS" "DENY" }
There is no need to reboot, changes occur automatically.
WordPress
This header can also be set from WordPress. Add the following to the wp-config.php file:
header('X-Frame-Options: DENY');
If you do not want to edit the file, you can use the plugin that ships with this instruction.
Microsoft IIS
To add a header, open the “HTTP response headers” for the corresponding site.
For the changes to appear, you need to restart the site.
X-Content-Type-Options
You can prevent attacks that use MIME type spoofing by adding this HTTP response header. The header tells the browser to trust the declared content type and not to sniff the content to guess the file type. When configuring it, you need to add only one parameter: "nosniff".
Let's see how to add this header.
Apache
Add the following line to the httpd.conf file:
Header set X-Content-Type-Options nosniff
Remember to restart the Apache web server for the configuration to take effect.
Nginx
Add the following line to the nginx.conf file inside the server block:
add_header X-Content-Type-Options nosniff;
As usual, you will need to restart Nginx to verify the results.
WordPress
If you are using WordPress, you can set this header with the Security Headers plugin.
Microsoft IIS
Open IIS and go to the HTTP Response Headers section.
Click “Add”, enter the name and value.
Click OK and restart IIS to check the result.
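The three headers above (X-XSS-Protection, X-Frame-Options and X-Content-Type-Options) are easy to add but just as easy to get subtly wrong, so here is an added example, my own and not from the original article or from Chandan Kumar, that audits a dictionary of response headers for them. It runs offline on constructed sample responses; the checks encode the values described in the sections above plus two caveats a practitioner should know: ALLOW-FROM is not honoured by current browsers, and current Chromium and Firefox no longer implement the XSS filter, so X-XSS-Protection is now a legacy header.

```python
"""Audit the clickjacking, MIME-sniffing and legacy XSS-filter headers of a response.

Added example, not from the original article. It works on a plain dict of
response headers so it runs offline; the sample responses at the bottom are
constructed, not captured from a real site.
"""
from typing import Dict, List


def _get(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; returns '' when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing to report."""
    findings: List[str] = []

    # X-Frame-Options: DENY and SAMEORIGIN are the values browsers honour;
    # ALLOW-FROM was never widely implemented and is ignored by current browsers.
    xfo = _get(headers, "X-Frame-Options").upper()
    if not xfo:
        findings.append("X-Frame-Options missing: page can be framed (clickjacking)")
    elif xfo.startswith("ALLOW-FROM"):
        findings.append("X-Frame-Options ALLOW-FROM is not honoured by current browsers; "
                        "use the CSP frame-ancestors directive instead")
    elif xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options has unknown value {xfo!r}")

    # X-Content-Type-Options: the only meaningful value is nosniff.
    xcto = _get(headers, "X-Content-Type-Options").lower()
    if xcto != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing: browsers may sniff MIME types")

    # X-XSS-Protection: value is "<0|1>[; mode=block][; report=<uri>]".
    # Current Chromium and Firefox no longer implement the filter, so this is a
    # legacy check; '0' is what many sites now send deliberately.
    xxp = _get(headers, "X-XSS-Protection")
    if xxp:
        parts = [p.strip() for p in xxp.split(";") if p.strip()]
        options = [p.replace(" ", "") for p in parts[1:]]
        if parts[0] not in ("0", "1"):
            findings.append(f"X-XSS-Protection has malformed value {xxp!r}")
        elif parts[0] == "1" and "mode=block" not in options:
            findings.append("X-XSS-Protection enabled without mode=block "
                            "(the legacy filter would sanitize rather than block)")
    else:
        findings.append("X-XSS-Protection missing (legacy header; harmless to add as '1; mode=block')")
    return findings


# Constructed sample: the values the article configures.
HARDENED = {
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
}
# Constructed sample with the mistakes the checks above look for.
WEAK = {
    "x-frame-options": "ALLOW-FROM https://partner.example",
    "X-XSS-Protection": "1",
}

if __name__ == "__main__":
    for label, sample in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, "->", audit_headers(sample) or "no findings")
```

To audit a live site, build the dictionary from the response headers of an HTTPS request (for example via urllib.request in the standard library) and pass it to audit_headers; checking the HTTP and HTTPS responses separately is worthwhile, because the headers are often only configured in one of the two server blocks.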
HTTP Public Key Pinning
Reduce the risk of MITM ("man in the middle") attacks by pinning the certificate. To do this, add an HPKP (HTTP Public Key Pinning) header.
You can pin the public key of the root certificate or of an intermediate certificate. At the time of writing, HPKP is supported in Firefox and Chrome with the SHA-256 hashing algorithm.
There are four configuration options.
| Parameter value | Content |
|---|---|
| report-uri="url" | Send a report to the specified URL if pin validation fails. This is an optional parameter. |
| pin-sha256="sha256key" | Define a pin (the base64-encoded SHA-256 hash of the public key). |
| max-age= | Tells the browser for how long, in seconds, to remember that the site may only be reached using one of the pinned certificates. |
| includeSubDomains | Apply the policy to subdomains as well. |

As an example, let's look at the HPKP header for facebook.com:
public-key-pins-report-only:max-age=500; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="; pin-sha256="q4PO2G2cbkZhZ82+JgmRUyGMoAeozA+BSXVXQWB8XWQ="; report-uri=http://reports.fb.com/hpkp/
If you are going to use this on your website, I recommend referring to the guide written by Scott Helme.
Content Security Policy
To prevent XSS attacks, clickjacking and code injection, you can add a Content Security Policy (CSP) response header.
The CSP tells the browser which sources it is allowed to load content from.
Not all browsers support CSP, so check compatibility before using it. There are three header names for CSP:
- Content-Security-Policy - Level 2 / 1.0;
- X-Content-Security-Policy - not recommended;
- X-Webkit-CSP - not recommended.
If you are still using an outdated option, then you should think about switching to the updated one.
The CSP header accepts many directives; you can study them at OWASP. I'll consider the two most common.

| Parameter value | Content |
|---|---|
| default-src | The default source list for all content types: load everything only from the given sources. |
| script-src | Load scripts only from the given sources. |

Let's look at how to allow loading any content only from the current domain on different web servers.
Apache
Add the following line to the httpd.conf file and restart the web server:
Header set Content-Security-Policy "default-src 'self';"
Nginx
Add the following to the server block in the nginx.conf file:
add_header Content-Security-Policy "default-src 'self';";
Microsoft IIS
Go to the "HTTP response headers" for the corresponding site in the IIS Manager and add a header named Content-Security-Policy with the value default-src 'self';
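Added example (mine, not part of the article or of Chandan Kumar's text): a parser for Content-Security-Policy values that resolves the default-src fallback described in the table above and flags source expressions that undo the policy's protection. The sample policies are constructed; the subset of directives that fall back to default-src and the list of risky sources are my choices, not an exhaustive reading of the CSP specification.

```python
"""Parse a Content-Security-Policy value and report sources that weaken it.

Added example, not from the original article. The policies at the bottom are
constructed samples; the first one is the article's default-src 'self' example.
"""
from typing import Dict, List

# Fetch directives that inherit from default-src when they are absent.
# Assumption: a subset of the directives most often set alongside default-src.
FALLS_BACK_TO_DEFAULT = ("script-src", "style-src", "img-src", "connect-src",
                         "font-src", "object-src", "frame-src")

# Source expressions that make a directive much weaker than 'self'.
RISKY_SOURCES = {
    "*": "wildcard allows any origin",
    "'unsafe-inline'": "inline code allowed, which is what XSS payloads rely on",
    "'unsafe-eval'": "eval()-style execution allowed",
    "data:": "data: URLs allowed (scripts or objects can be smuggled inline)",
    "http:": "any plain-HTTP origin allowed",
}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split 'directive src src; directive src' into {directive: [sources]}.

    Directive names are case-insensitive. If a directive is repeated, the
    first occurrence wins and later ones are ignored, as the CSP spec requires.
    """
    policy: Dict[str, List[str]] = {}
    for chunk in value.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """Resolve the source list a browser applies, honouring the default-src fallback."""
    if directive in policy:
        return policy[directive]
    if directive in FALLS_BACK_TO_DEFAULT:
        return policy.get("default-src", [])
    return []


def csp_findings(value: str) -> List[str]:
    """Return findings for default-src, script-src and the directives that inherit from default-src."""
    policy = parse_csp(value)
    findings: List[str] = []
    if "default-src" not in policy:
        findings.append("default-src missing: directives without an explicit list are unrestricted")
    for directive in ("default-src",) + FALLS_BACK_TO_DEFAULT:
        for source in effective_sources(policy, directive):
            reason = RISKY_SOURCES.get(source.lower())
            if reason:
                findings.append(f"{directive}: {source} ({reason})")
    return findings


SAFE_POLICY = "default-src 'self';"                                         # the article's example
LOOSE_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' *"   # constructed

if __name__ == "__main__":
    for sample in (SAFE_POLICY, LOOSE_POLICY):
        print(repr(sample), "->", csp_findings(sample) or "no findings")
```

The point the fallback makes visible: a policy of default-src 'self' alone already restricts scripts, styles, images and frames, but the moment you add an explicit script-src line it no longer inherits anything, so every source you write there (including 'unsafe-inline') is exactly what the browser enforces for scripts.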
I hope that this guide to security headers will help you increase the safety and security of your web application. If you are looking for a secure IIS web server, take a look at WebKnight WAF, where you can implement the above configurations and more.
The last paragraph, for the sake of which Chandan Kumar writes these articles and I translate them:
We will be glad to see you among the visitors of HOSTING.cafe (a search for virtual servers, shared hosting and more) or POISK.hosting (a collection of hosting reviews).