Sunday, June 17, 2012

HTTP Response Headers for Mitigating Web Hacks

HTTP (Hypertext Transfer Protocol) is an application protocol whose requests and responses each carry headers describing the content being exchanged between web server, proxy server, cache server, user agent, etc.

The example below shows the Set-Cookie syntax used within an HTTP response header:
Set-Cookie: <name>=<value>[; <name>=<value>][; expires=<date>][; domain=<domain_name>][; path=<some_path>][; secure][; HttpOnly]

The majority of XSS attacks target theft of session IDs, cookies, etc. A server can help mitigate this by setting the HttpOnly flag on a cookie it creates, indicating that the cookie must not be accessible to client-side script.
As a result, even if a cross-site scripting (XSS) flaw exists and a user accidentally follows a link that exploits it, the browser (primarily Internet Explorer) will not reveal the cookie to a third party.

If a browser that supports HttpOnly detects a cookie carrying the HttpOnly flag and client-side script attempts to read it, the browser returns an empty string as the result. This causes the attack to fail, because the malicious (usually XSS) code has nothing to send to the attacker's website.
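To make the HttpOnly (and Secure) flags concrete, here is an added example, not code from the original post: a small builder and parser for Set-Cookie header values, plus a check that reports cookies issued without the flags. The cookie names and values are constructed for illustration.

```python
import re

# Cookie names are RFC 6265 "tokens": no separators, spaces or control chars.
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def build_session_cookie(name, value, max_age=None, path="/",
                         secure=True, httponly=True):
    """Return a Set-Cookie header value for a session cookie.

    Both flags default to on: HttpOnly keeps the cookie out of reach of
    client-side script, Secure keeps it off plain-HTTP connections.
    """
    if not _TOKEN.fullmatch(name):
        raise ValueError("invalid cookie name: %r" % name)
    if re.search(r'[;,\s"\\]', value):
        raise ValueError("cookie value contains a separator or quote character")
    parts = ["%s=%s" % (name, value)]
    if max_age is not None:
        parts.append("Max-Age=%d" % int(max_age))
    parts.append("Path=%s" % path)
    if secure:
        parts.append("Secure")
    if httponly:
        parts.append("HttpOnly")
    return "; ".join(parts)


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased; bare flags such as Secure and HttpOnly
    map to True. Unknown attributes are kept rather than silently dropped.
    """
    pieces = [p.strip() for p in header_value.split(";")]
    if "=" not in pieces[0]:
        raise ValueError("Set-Cookie must start with name=value")
    name, value = pieces[0].split("=", 1)
    attrs = {}
    for piece in pieces[1:]:
        if not piece:
            continue
        attr_name, sep, attr_value = piece.partition("=")
        attrs[attr_name.strip().lower()] = attr_value.strip() if sep else True
    return name.strip(), value, attrs


def cookie_findings(header_value):
    """List the weaknesses of one Set-Cookie header; an empty list means fine."""
    name, _value, attrs = parse_set_cookie(header_value)
    findings = []
    if attrs.get("httponly") is not True:
        findings.append("%s: no HttpOnly, so script can read it if XSS is present" % name)
    if attrs.get("secure") is not True:
        findings.append("%s: no Secure, so it is also sent over plain HTTP" % name)
    return findings


# Constructed sample headers (not captured from any real site).
SAMPLE_HEADERS = [
    "sessionid=3f9a1c; Path=/; HttpOnly; Secure",
    "sessionid=3f9a1c; Path=/",              # flags forgotten
    "theme=dark; Path=/; Max-Age=2592000",  # preference cookie, no secret
]

if __name__ == "__main__":
    print(build_session_cookie("sessionid", "3f9a1c", max_age=3600))
    for header in SAMPLE_HEADERS:
        print(header, "->", cookie_findings(header) or "ok")
```

The check is deliberately strict: a session cookie that lacks either flag is reported, while a non-secret preference cookie (the `theme` example) is reported too, so that whoever runs it decides which cookies actually carry secrets rather than the tool guessing.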

X-Frame-Options
Used to prevent clickjacking by not allowing the page to be rendered in a frame. There are two possible values for X-Frame-Options:
DENY
        The page cannot be displayed in a frame, regardless of the site attempting to do so.
SAMEORIGIN
        The page can only be displayed in a frame on the same origin as the page itself.

Example 1: Site wants all content to come from its own domain:
X-Content-Security-Policy: allow 'self'

Example 2: Auction site wants to allow images from anywhere, plugin content from a list of trusted media providers (including a content distribution network), and scripts only from its server hosting sanitized JavaScript:
X-Content-Security-Policy: allow 'self'; img-src *; \
                           object-src *; \

Example 3: Server administrators want to deny all third-party scripts for the site, and a given project group also wants to disallow media from other sites (header provided by sysadmins and header provided by project group are both present):
X-Content-Security-Policy: allow *; script-src 'self'
X-Content-Security-Policy: allow *; script-src 'self'; media-src 'self';

Example 4: Online payments site wants to ensure that all of the content in its pages is loaded over SSL to prevent attackers from eavesdropping on requests for insecure content:
X-Content-Security-Policy: allow https://*:443
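The four examples above are easier to reason about with a small evaluator for this X-Content-Security-Policy syntax. The following is an added example, not code from the original post or from any browser: it parses a policy into directives, falls back to the `allow` list when a content type has no directive of its own, and (an assumption made here, matching the combined result described in Example 3) requires a load to satisfy every policy header present. Scheme and port in a source expression are only compared when the expression spells them out; the page and resource URLs are constructed.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_policy(header_value):
    """Turn "allow 'self'; img-src *; script-src a.com" into a dict mapping
    each directive name to its list of source expressions."""
    policy = {}
    for clause in header_value.split(";"):
        tokens = clause.split()
        if not tokens:          # tolerates a trailing ';'
            continue
        policy[tokens[0].lower()] = tokens[1:]
    if "allow" not in policy:
        raise ValueError("policy has no 'allow' directive")
    return policy


def _split_url(url):
    """(scheme, host, port) with the default port filled in when absent."""
    u = urlsplit(url)
    return u.scheme, u.hostname, u.port or DEFAULT_PORTS.get(u.scheme)


def source_matches(source, url, page_url):
    """Does one source expression permit loading `url` into a page at `page_url`?"""
    scheme, host, port = _split_url(url)
    if source == "*":
        return True
    if source == "'none'":
        return False
    if source == "'self'":
        return (scheme, host, port) == _split_url(page_url)
    want_scheme, rest = None, source
    if "://" in rest:
        want_scheme, rest = rest.split("://", 1)
    want_port = None
    if ":" in rest:
        rest, port_text = rest.rsplit(":", 1)
        want_port = int(port_text)
    if want_scheme is not None and want_scheme != scheme:
        return False
    if want_port is not None and want_port != port:
        return False
    if rest == "*":
        return True
    if rest.startswith("*."):
        return host.endswith(rest[1:])   # "*.cdn.example" -> ".cdn.example"
    return host == rest


def load_allowed(policies, directive, url, page_url):
    """A load is permitted only if every policy permits it; a policy with no
    directive for this content type falls back to its 'allow' sources."""
    for policy in policies:
        sources = policy.get(directive, policy["allow"])
        if not any(source_matches(s, url, page_url) for s in sources):
            return False
    return True


# Constructed page and resource URLs used to exercise the examples.
PAGE = "https://shop.example/checkout"

if __name__ == "__main__":
    example1 = [parse_policy("allow 'self'")]
    example3 = [parse_policy("allow *; script-src 'self'"),
                parse_policy("allow *; script-src 'self'; media-src 'self';")]
    example4 = [parse_policy("allow https://*:443")]
    print(load_allowed(example1, "script-src", "https://evil.example/x.js", PAGE))   # False
    print(load_allowed(example3, "img-src", "https://anywhere.example/a.png", PAGE))  # True
    print(load_allowed(example3, "media-src", "https://cdn.example/v.mp4", PAGE))    # False
    print(load_allowed(example4, "script-src", "http://cdn.example/a.js", PAGE))     # False
```

Running it shows why Example 3 works with two headers: the sysadmin policy alone would still let media load from anywhere, and only the intersection with the project group's `media-src 'self'` closes that gap.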

Strict-Transport-Security (HSTS=HTTP Strict Transport Security)
The first time your site is accessed using HTTPS and it returns the Strict-Transport-Security header, the browser records this information, so that future attempts to load the site using HTTP will automatically use HTTPS instead.
Strict-Transport-Security: max-age=expireTime [; includeSubdomains]

max-age
        The time, in seconds, that the browser should remember that this site is only to be accessed using HTTPS.
includeSubdomains (Optional)
        If this optional parameter is specified, this rule applies to all of the site's subdomains as well.

The HSTS policy helps protect website users against some passive (eavesdropping) and active network attacks. A man-in-the-middle attacker
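The browser-side memory described above can be modelled in a few lines. This is an added example, not code from the original post or from any browser: it parses the Strict-Transport-Security header, records the host only when the header arrived over HTTPS, honours max-age expiry and includeSubdomains, and rewrites later http:// navigations to https://. Host names and times are constructed; the port is left untouched on rewrite, which is an assumed simplification.

```python
from urllib.parse import urlsplit


def parse_hsts(header_value):
    """Return (max_age_seconds, include_subdomains); raise if max-age is missing."""
    max_age, include_sub = None, False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            max_age = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        raise ValueError("max-age is required")
    return max_age, include_sub


class HstsStore:
    """Minimal model of a browser's HSTS list, keyed by host name."""

    def __init__(self):
        self._hosts = {}   # host -> (expires_at, include_subdomains)

    def record(self, response_url, header_value, now):
        """Remember the host if an HTTPS response carried the header.
        Returns False when the response was plain HTTP and was ignored."""
        u = urlsplit(response_url)
        if u.scheme != "https":
            return False
        max_age, include_sub = parse_hsts(header_value)
        host = u.hostname.lower()
        if max_age == 0:
            self._hosts.pop(host, None)        # max-age=0 forgets the host
        else:
            self._hosts[host] = (now + max_age, include_sub)
        return True

    def is_known(self, host, now):
        """Is `host`, or a parent domain recorded with includeSubdomains,
        still within its max-age?"""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_sub = entry
            if now >= expires_at:
                continue                       # stale entry, no longer enforced
            if i == 0 or include_sub:
                return True
        return False

    def rewrite(self, url, now):
        """Return the URL the browser would actually fetch."""
        u = urlsplit(url)
        if u.scheme == "http" and self.is_known(u.hostname, now):
            return u._replace(scheme="https").geturl()
        return url


if __name__ == "__main__":
    store = HstsStore()
    store.record("https://example.test/", "max-age=3600; includeSubdomains", now=1000)
    print(store.rewrite("http://example.test/login", now=1500))      # upgraded
    print(store.rewrite("http://api.example.test/v1", now=1500))    # subdomain upgraded
    print(store.rewrite("http://example.test/login", now=5000))     # expired, left alone
```

The first-visit gap is visible in the model too: before `record` has run for a host, `rewrite` leaves the http:// URL as it is, which is exactly the window the header cannot close on its own.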

X-XSS-Protection
This header is exclusive to Internet Explorer 8 and turns on its cross-site scripting filter (off by default, as it could potentially break some websites).

X-Download-Options
Stops files from being opened directly from the site's domain. When the browser encounters the noopen value in an X-Download-Options header as part of the HTTP response, it removes the Open control from the download dialog.

X-Content-Type-Options
Used to prevent MIME-sniffing based attacks, which may lead to code execution.

unset Server
Don't give verbose information about the type of web server running, its version, extra modules loaded, etc.
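Pulling the remaining headers on this page together (X-Frame-Options, the IE8 XSS filter header, X-Download-Options, X-Content-Type-Options and the Server banner), here is an added example, not code from the original post: a parser for a captured HTTP response head and an audit function that reports which of these protections are absent or weak. The two responses are constructed, and the "version present" heuristic for Server is simply "the value contains a digit".

```python
def parse_raw_headers(raw_response):
    """Turn the head of a raw HTTP response into a {name: value} dict.
    The status line is skipped; a repeated header name keeps its last value."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip()] = value.strip()
    return headers


def audit_response_headers(headers):
    """Return a list of findings for one response; an empty list is a clean bill.
    Header names are compared case-insensitively."""
    h = {name.lower(): value.strip() for name, value in headers.items()}
    findings = []

    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options missing: page can be framed (clickjacking)")
    elif xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options has unrecognised value %r" % xfo)

    xcto = h.get("x-content-type-options")
    if xcto is None or xcto.lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing: browser may sniff MIME types")

    xss = h.get("x-xss-protection")
    if xss is None or not xss.startswith("1"):
        findings.append("X-XSS-Protection not enabled: the IE8 filter stays off by default")

    xdo = h.get("x-download-options")
    if xdo is None or xdo.lower() != "noopen":
        findings.append("X-Download-Options: noopen missing: downloads can be opened directly")

    server = h.get("server")
    if server and any(ch.isdigit() for ch in server):
        findings.append("Server header reveals version information: %r" % server)

    return findings


# Constructed responses: one with a verbose banner and no hardening headers,
# one with the headers discussed on this page set.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: ExampleHTTPD/2.2.22 (Unix) mod_example/1.0\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: ExampleHTTPD\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1\r\n"
    "X-Download-Options: noopen\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label + ":")
        for finding in audit_response_headers(parse_raw_headers(raw)) or ["no findings"]:
            print("  -", finding)
```

Pointing the audit at a real capture is a matter of feeding `parse_raw_headers` the bytes of the response head (decoded as Latin-1 or ASCII); the findings are phrased as risk statements so they can be pasted straight into a review.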