
How to use HTTP headers to prevent vulnerabilities





Did you know that in many cases a security vulnerability can be eliminated simply by adding the right response headers?



Security is as important as content or search engine optimization. Thousands of sites are hacked because of configuration errors or insufficient protection. If you are a site owner or an information security specialist and want to protect a site from clickjacking, code injection, MIME type vulnerabilities, XSS attacks, etc., these instructions will be useful to you.

In this article, I'll cover the HTTP headers you can set on various web servers, network appliances, or content delivery networks to raise the security level of a site.



Remarks:





If you use SUCURI Cloud WAF, you need not worry about configuring the server manually: most of these settings are already enabled automatically.



HTTP headers list



X-XSS-Protection





HTTP Strict Transport Security





X-Frame-Options





X-Content-Type-Options





HTTP Public Key Pinning



Content Security Policy





X-XSS-Protection



The X-XSS-Protection header can prevent some XSS (cross-site scripting) attacks; it is supported by IE 8+, Chrome, Opera, Safari, and Android.

Google, Facebook and GitHub use this header, and most intrusion prevention consultants will recommend that you use it too.



In total there are four configuration options:

| Parameter value | Content |
| --- | --- |
| 0 | XSS filter disabled. |
| 1 | The XSS filter is enabled, and if an attack is detected, the browser sanitizes the page. |
| 1; mode=block | The XSS filter is enabled, and if an attack is detected, the browser prevents the page from rendering. |
| 1; report=http://example.com/report_URI | The XSS filter is enabled, and if an attack is detected, a violation report is sent to the given URI. |

Let's use 1; mode=block for the following web servers.



Apache HTTP Server



Add the following entry to your Apache server httpd.conf:



Header set X-XSS-Protection "1; mode=block"


Restart Apache to test.



Nginx



Add the following to the HTTP section of nginx.conf:



 add_header X-XSS-Protection "1; mode=block"; 


You must restart Nginx for the changes to be reflected in the header of your site’s response.



MaxCDN



If you are using MaxCDN, adding the header is a snap. Go to Edge Rules, click "New Rule" and select "Add X-XSS-Protection Header" from the drop-down list.







Microsoft IIS











HTTP Strict Transport Security



The HSTS (HTTP Strict Transport Security) header ensures that all communication from the browser is carried out over HTTPS (HTTP Secure). This prevents attempts to bypass HTTPS: the browser rewrites all HTTP requests to HTTPS before sending them.

Before you add this header, make sure that every page on the site is accessible via HTTPS; otherwise those pages will stop loading.



The HSTS header is supported by the latest versions of most browsers (IE, Firefox, Opera, Safari and Chrome). There are three configuration options.

| Parameter value | Content |
| --- | --- |
| max-age | Interval (in seconds) during which the browser must send requests to this host only via HTTPS. |
| includeSubDomains | The policy also applies to all subdomains. |
| preload | Use if you want to add the domain to the browsers' built-in HSTS preload list. |

As an example, let's set up HSTS for a year and add the domain and its subdomains to the preload list.
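Before sending a header value like the one below to production, it helps to parse it the way a browser does and check that it carries the directives the preload list expects. The following is an added example written for this article; it is not code from the original post or from any browser or server project. The parsing rules (directive names are case-insensitive, max-age is mandatory, unknown directives are ignored) follow RFC 6797; the one-year minimum for preload eligibility is the requirement published by the preload list operators at the time of writing and is stated here as an assumption.

```python
import re

# Assumption: the preload list currently requires max-age of at least one year,
# together with includeSubDomains and preload.
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into a dict.

    Directives are separated by ';', names are case-insensitive and the value
    of max-age may be quoted.  A missing or non-numeric max-age makes the
    whole header invalid, which is exactly how a browser treats it (ignored).
    """
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age":
            if not val.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            result["max_age"] = int(val)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
        # Any other directive is ignored, as RFC 6797 requires.
    if result["max_age"] is None:
        raise ValueError("max-age directive is required")
    return result


def preload_problems(value):
    """List the reasons a header would not qualify for the preload list.

    An empty list means the header matches the article's recommended value.
    Note that max-age=0 is a valid header: it tells the browser to forget the
    host, which is how HSTS is switched off again.
    """
    parsed = parse_hsts(value)
    problems = []
    if parsed["max_age"] < PRELOAD_MIN_MAX_AGE:
        problems.append("max-age below one year")
    if not parsed["include_subdomains"]:
        problems.append("includeSubDomains missing")
    if not parsed["preload"]:
        problems.append("preload missing")
    return problems


if __name__ == "__main__":
    # The value used in the Apache and Nginx snippets of this section.
    print(parse_hsts("max-age=31536000; includeSubDomains; preload"))
    print(preload_problems("max-age=500"))
```

Run it against the value you intend to configure; any non-empty list from `preload_problems` means a preload submission would be rejected, and a `ValueError` means browsers would silently ignore the header.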



Apache HTTP Server



To use HSTS in Apache, add the following entry to the httpd.conf file:



 Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" 


Restart Apache to see the result.



Nginx



To configure HSTS in Nginx, add the following entry to nginx.conf inside the server block of the SSL (HTTPS) site:



 add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload'; 


As always, you have to restart Nginx to check.



Cloudflare



If you are using Cloudflare, you can enable HSTS in just a couple of mouse clicks.









Select the settings you need, and the changes will take effect immediately.



Microsoft IIS



Launch IIS Manager and add a header by going to the “HTTP response headers” for the corresponding site.







Restart the site.



X-Frame-Options



The X-Frame-Options header reduces your site's exposure to clickjacking. It instructs the browser not to load your page inside a frame or iframe. Not all browsers support every option, so check the header for compatibility before adding it.



There are three configuration options.

| Parameter value | Content |
| --- | --- |
| SAMEORIGIN | Allows the content to be loaded in a frame or iframe only if the frame and the page loading it are on the same origin. |
| DENY | Forbids loading the content in any frame or iframe. |
| ALLOW-FROM | Allows the content to be loaded in frames only from a specific URI. |

Let's take a look at how to add the "DENY" configuration to disable embedding.



Apache



Add the following line to httpd.conf and restart the web server to verify:



 Header always append X-Frame-Options DENY 


Nginx



Add the following to nginx.conf in the Server directive:



 add_header X-Frame-Options "DENY";


A reboot is required to check the results.



F5 LTM



Create the following iRule for the corresponding virtual server:



 when HTTP_RESPONSE { HTTP::header insert "X-FRAME-OPTIONS" "DENY" } 


There is no need to reboot, changes occur automatically.



WordPress



This header can also be set from WordPress. Add the following to the wp-config.php file:



 header('X-Frame-Options: DENY'); 


If you do not want to edit the file, you can use a plugin that follows this instruction.



Microsoft IIS



To add a header, open the “HTTP response headers” for the corresponding site.







For the changes to appear, you need to restart the site.



X-Content-Type-Options



You can prevent MIME type sniffing attacks by adding this HTTP response header. It tells the browser to trust the declared Content-Type of a file and not to guess ("sniff") the content type itself. When configuring it, you need to add only one parameter: "nosniff".



Let's see how to add this header.



Apache



Add the following line to the httpd.conf file:



 Header set X-Content-Type-Options nosniff 


Remember to restart the Apache web server for the configuration to take effect.



Nginx



Add the following line to the nginx.conf file in the Server directive:



 add_header X-Content-Type-Options nosniff; 


As usual, you will need to restart Nginx to verify the results.



WordPress



If you are using WordPress, you can use the Security Headers plugin to add this header.



Microsoft IIS



Open IIS and go to the HTTP Response Headers section.

Click “Add”, enter the name and value.







Click OK and restart IIS to check the result.



HTTP Public Key Pinning



Reduce the risk of MITM ("man in the middle") attacks by pinning the certificate. To do this, add an HPKP (HTTP Public Key Pinning) header.



You can pin the public key of the root certificate or of an intermediate certificate. At the time of writing, HPKP is supported in Firefox and Chrome, with the SHA-256 hashing algorithm.



There are four configuration options.

| Parameter value | Content |
| --- | --- |
| report-uri="url" | Send a report to the given URL if pin validation fails. This is an optional parameter. |
| pin-sha256="sha256key" | Define a pin: the base64-encoded SHA-256 hash of a public key. |
| max-age= | Tells the browser for how long (in seconds) the site must be reached only with a certificate chain containing one of the pinned keys. |
| includeSubDomains | Apply the pins to subdomains as well. |

As an example, let's look at the HPKP header for facebook.com:



 public-key-pins-report-only:max-age=500; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="; pin-sha256="q4PO2G2cbkZhZ82+JgmRUyGMoAeozA+BSXVXQWB8XWQ="; report-uri=http://reports.fb.com/hpkp/ 


If you are going to use this on your website, I recommend the guide written by Scott Helme.
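A pin that is not a base64-encoded SHA-256 digest, or a policy with only one pin, is rejected by the browser, so the header silently does nothing. The example below, added for this article and not taken from the original post or from Facebook, parses the facebook.com header shown above and reports the mistakes RFC 7469 says a browser will refuse. It also shows how a pin value is derived: the SHA-256 of the certificate's DER-encoded SubjectPublicKeyInfo, base64-encoded. The `pin_from_spki` input in the usage block is a constructed placeholder, not a real key.

```python
import base64
import binascii
import hashlib

# The facebook.com header value quoted in the article (Report-Only variant).
FACEBOOK_HPKP = (
    'max-age=500; '
    'pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; '
    'pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="; '
    'pin-sha256="q4PO2G2cbkZhZ82+JgmRUyGMoAeozA+BSXVXQWB8XWQ="; '
    'report-uri=http://reports.fb.com/hpkp/'
)


def pin_from_spki(spki_der):
    """Return the pin-sha256 value for a DER-encoded SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_hpkp(value):
    """Parse a Public-Key-Pins or Public-Key-Pins-Report-Only header value.

    Raises ValueError for a pin that is not a base64 SHA-256 digest, which is
    the error that makes the whole header unusable.
    """
    parsed = {"pins": [], "max_age": None, "include_subdomains": False, "report_uri": None}
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "pin-sha256":
            try:
                digest = base64.b64decode(val, validate=True)
            except binascii.Error:
                raise ValueError("pin is not valid base64: " + val)
            if len(digest) != 32:
                raise ValueError("pin is not a SHA-256 digest: " + val)
            parsed["pins"].append(val)
        elif name == "max-age":
            if not val.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            parsed["max_age"] = int(val)
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
        elif name == "report-uri":
            parsed["report_uri"] = val
    return parsed


def hpkp_problems(value, enforcing=True):
    """List the policy-level problems a browser (or a careful operator) would flag.

    max-age is mandatory for the enforcing header only; the Report-Only
    variant never blocks connections, so it does not need one.  RFC 7469
    requires at least two pins, one of them a backup that is not in the
    currently served chain, so that a key rotation cannot lock users out.
    """
    parsed = parse_hpkp(value)
    problems = []
    if enforcing and parsed["max_age"] is None:
        problems.append("max-age missing")
    if len(parsed["pins"]) < 2:
        problems.append("fewer than two pins (a backup pin is required)")
    if parsed["report_uri"] and parsed["report_uri"].startswith("http://"):
        problems.append("report-uri is plain HTTP")
    return problems


if __name__ == "__main__":
    print(parse_hpkp(FACEBOOK_HPKP))
    print(hpkp_problems(FACEBOOK_HPKP, enforcing=False))
    # Constructed placeholder bytes, not a real SubjectPublicKeyInfo.
    print(pin_from_spki(b"placeholder-spki-bytes"))
```

The only finding for the Facebook header is that its report-uri is plain HTTP, which means the failure reports themselves travel unencrypted; the pins and max-age are well formed. A single-pin policy is the classic HPKP mistake, since a browser ignores it entirely and the site believes it is pinned when it is not.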



Content Security Policy



To prevent XSS attacks, clickjacking and code injection, you can add a Content Security Policy (CSP) response header. The CSP tells the browser which sources it is allowed to load content from.



Not all browsers support CSP, so check browser support before relying on it. There are three forms of the CSP header:

  1. Content-Security-Policy - Level 2 / 1.0;
  2. X-Content-Security-Policy - not recommended;
  3. X-Webkit-CSP is not recommended.


If you are still using an outdated option, then you should think about switching to the updated one.



The CSP header accepts many directives; you can study them at OWASP. I propose to consider the two most common.

| Parameter value | Content |
| --- | --- |
| default-src | Allows every kind of content to be loaded only from the specified sources; it is the fallback for any more specific directive you do not set. |
| script-src | Allows scripts to be loaded only from the specified sources. |

Let's see, for different web servers, how to allow content to be loaded only from the current origin ('self').



Apache



Add the following line to the httpd.conf file and restart the web server:



 Header set Content-Security-Policy "default-src 'self';" 


Nginx



Add the following to the Server section in the nginx.conf file:



 add_header Content-Security-Policy "default-src 'self';"; 


Microsoft IIS



Go to the "HTTP response headers" for the corresponding site in the IIS Manager and add the following settings:






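After every "restart and check" step above, the natural question is how to check. Here is an added example for this article (not code from the original post or from any of the servers it mentions) that audits a set of response headers against the recommendations in this article and can also fetch them from a live site with a HEAD request. The two sample responses are constructed for the demonstration; the second one shows a value that Apache's `Header append` produces when a header is already set elsewhere, which browsers reject as invalid.

```python
import re
from urllib.request import Request, urlopen


def audit_headers(headers):
    """Check response headers against this article's recommendations.

    `headers` maps header names (any case) to values.  Returns a list of
    findings; an empty list means every recommended header is in place.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    # X-Frame-Options: a stacked value such as "SAMEORIGIN, DENY" is invalid
    # and ignored by browsers, so exact matching is deliberate here.
    xfo = h.get("x-frame-options", "").upper()
    if xfo.startswith("ALLOW-FROM"):
        findings.append("X-Frame-Options uses ALLOW-FROM, which not all browsers honour")
    elif xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or invalid")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")

    sts = h.get("strict-transport-security", "")
    m = re.search(r'max-age\s*=\s*"?(\d+)', sts, re.IGNORECASE)
    if not m:
        findings.append("Strict-Transport-Security missing or without max-age")
    elif int(m.group(1)) < 31536000:
        findings.append("Strict-Transport-Security max-age shorter than one year")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    elif "default-src" not in csp.lower():
        findings.append("Content-Security-Policy has no default-src fallback")

    xss = h.get("x-xss-protection", "")
    if xss.replace(" ", "").lower() != "1;mode=block":
        findings.append("X-XSS-Protection is not '1; mode=block'")

    return findings


def fetch_headers(url):
    """Fetch the response headers of `url` with a HEAD request (online use only)."""
    with urlopen(Request(url, method="HEAD")) as resp:
        return dict(resp.getheaders())


# Constructed sample: a server configured as described in this article.
GOOD_RESPONSE = {
    "Content-Type": "text/html",
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self';",
}

# Constructed sample: only one header set, and that one broken because two
# configuration layers both appended a value.
BAD_RESPONSE = {
    "Content-Type": "text/html",
    "X-Frame-Options": "SAMEORIGIN, DENY",
}


if __name__ == "__main__":
    for name, sample in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        print(name, audit_headers(sample) or "no findings")
    # For a live site: print(audit_headers(fetch_headers("https://example.com/")))
```

Because `urlopen` raises on 4xx and 5xx responses, wrap the live call in a try block if you audit error pages too; those pages should carry the same headers as the rest of the site.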

I hope these instructions on the use of headers will help you increase the safety and security of your web application. If you are looking for a secure IIS web server, take a look at WebKnight WAF, where you can implement the above configurations and more.



The last paragraph, for the sake of which Chandan Kumar writes these articles, and I translate them:

We will be glad to see you among the visitors of HOSTING.cafe (search for virtual servers, shared hosting and more) or POISK.hosting (a collection of reviews about hosts).

Source: https://habr.com/ru/post/315802/
