Web Application Security: HTTP Headers
1. Strict-Transport-Security (HSTS)
Should Have:
Strict-Transport-Security: max-age=31536000; includeSubDomains
This header instructs browsers to only connect to the website over HTTPS for the specified duration, protecting against man-in-the-middle attacks.
Should Not Have:
Strict-Transport-Security: max-age=0
Setting max-age to 0 means the browser should immediately stop enforcing HSTS, which could expose the application to downgrade attacks.
2. Content Security Policy (CSP)
Should Have:
Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-randomvalue'
This header defines the allowed sources for content, preventing XSS attacks by restricting where scripts can be loaded from.
Should Not Have:
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
Allowing inline scripts (`unsafe-inline`) can introduce XSS vulnerabilities, as attackers may inject malicious scripts directly into the page.
3. Cross-Origin Resource Sharing (CORS)
Should Have:
Access-Control-Allow-Origin: https://trusted-domain.com
Restricts cross-origin requests to only the specified domain, preventing unintended data exposure.
Should Not Have:
Access-Control-Allow-Origin: *
Allowing any origin (`*`) can expose the application to Cross-Site Request Forgery (CSRF) and unauthorized data access.
4. X-Frame-Options
Should Have:
X-Frame-Options: DENY
Prevents the web page from being embedded within an iframe, reducing the risk of clickjacking attacks.
Should Not Have:
X-Frame-Options: ALLOW-FROM https://trusted-domain.com
Allowing embedding on specific domains may introduce security risks if those domains are compromised.
5. HTTP Public Key Pinning (HPKP)
Should Have:
Public-Key-Pins: pin-sha256="base64=="; max-age=5184000; includeSubDomains
Pins the public key of the site's certificate, enhancing security against fraudulent certificates.
Should Not Have:
Public-Key-Pins: pin-sha256="base64=="; max-age=0
Setting max-age to 0 effectively disables HPKP, potentially exposing the application to man-in-the-middle attacks.
6. Referrer Policy
Should Have:
Referrer-Policy: strict-origin-when-cross-origin
Limits referrer information sent in requests, improving privacy and security.
Should Not Have:
Referrer-Policy: no-referrer
Sending no referrer information could lead to information leakage and privacy issues.
7. Cookie Attributes (Secure, HttpOnly, SameSite)
Should Have:
Set-Cookie: sessionid=123; Secure; HttpOnly; SameSite=Strict
Ensures cookies are transmitted securely over HTTPS, accessible only by the server, and subject to strict SameSite policies.
Should Not Have:
Set-Cookie: sessionid=123
A cookie without Secure, HttpOnly, and SameSite attributes may be vulnerable to interception, theft, and cross-site request forgery.
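As an added example that is not part of the original checklist, the Python below audits a set of response headers and Set-Cookie values against sections 1 through 7 (HSTS max-age and includeSubDomains, 'unsafe-inline' in the effective script-src, a wildcard CORS origin, X-Frame-Options and cookie attributes). The sample header sets are constructed from the values on this page; the cookie check also accepts SameSite=Lax, which the checklist does not mention.

```python
import re
def parse_csp(value):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for tokens in (part.split() for part in value.split(";")):
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def cookie_findings(set_cookie):
    """Flag a Set-Cookie value lacking Secure, HttpOnly or SameSite=Strict/Lax."""
    first, *rest = [p.strip() for p in set_cookie.split(";")]
    name = first.split("=", 1)[0]
    attrs = {k.lower(): v.strip().lower() for k, _, v in (a.partition("=") for a in rest)}
    out = [f"Cookie {name}: missing {f}" for f in ("secure", "httponly") if f not in attrs]
    if attrs.get("samesite") not in ("strict", "lax"):
        out.append(f"Cookie {name}: SameSite not Strict or Lax")
    return out

def audit_headers(headers, cookies=()):
    """Compare response headers with the checklist; return a list of findings."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security", "")
    age = re.search(r"max-age=(\d+)", hsts, re.I)
    if not age or int(age.group(1)) == 0:
        findings.append("HSTS: missing or max-age=0")
    elif "includesubdomains" not in hsts.lower():
        findings.append("HSTS: includeSubDomains not set")
    if "content-security-policy" not in h:
        findings.append("CSP: header missing")
    else:
        policy = parse_csp(h["content-security-policy"])
        scripts = policy.get("script-src", policy.get("default-src", []))
        # Browsers ignore 'unsafe-inline' once a nonce or hash appears in the same directive.
        if "'unsafe-inline'" in scripts and not any(s.startswith(("'nonce-", "'sha")) for s in scripts):
            findings.append("CSP: 'unsafe-inline' allowed for scripts")
    if h.get("access-control-allow-origin") == "*":
        findings.append("CORS: Access-Control-Allow-Origin is *")
    if h.get("x-frame-options", "").upper() != "DENY":
        findings.append("X-Frame-Options: missing or not DENY")
    for cookie in cookies:
        findings.extend(cookie_findings(cookie))
    return findings
# Constructed sample responses for demonstration, not captured from any real site.
WEAK = {"Strict-Transport-Security": "max-age=0", "Access-Control-Allow-Origin": "*",
        "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'"}
HARDENED = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
            "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-randomvalue'",
            "Access-Control-Allow-Origin": "https://trusted-domain.com", "X-Frame-Options": "DENY"}
```

Running `audit_headers(WEAK, ["sessionid=123"])` reports seven findings, while the hardened set with the Secure/HttpOnly/SameSite=Strict cookie reports none.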
8. Cache-Control Header
Should Have:
Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate
Prevents caching of sensitive data on the client or intermediary servers, enhancing security.
Should Not Have:
Cache-Control: public
Allowing public caching may expose sensitive information to unauthorized users.
9. Server Header
Should Have:
Server: MySecureApp
Obfuscates or customizes the server header to avoid revealing unnecessary information about the web server.
Should Not Have:
Server: Apache/2.4.18 (Ubuntu)
Revealing specific server details can be exploited by attackers who may target known vulnerabilities.
10. Expect-CT Header
Should Have:
Expect-CT: enforce, max-age=86400
Enforces Certificate Transparency, which helps ensure the use of valid SSL/TLS certificates.
Should Not Have:
Expect-CT: report-uri="https://example.com/report"
Using report-uri without "enforce" allows for monitoring but does not enforce certificate transparency.
11. Feature Policy Header
Should Have:
Feature-Policy: accelerometer 'none'; camera 'self'
Specifies which browser features are allowed or disallowed on the web page, reducing attack surface.
Should Not Have:
Feature-Policy: accelerometer *; camera *
Granting features to any origin (*) may expose the application to potential security risks.
12. X-Content-Type-Options Header
Should Have:
X-Content-Type-Options: nosniff
Prevents browsers from MIME-sniffing, reducing the risk of interpreting files incorrectly.
Should Not Have:
X-Content-Type-Options: none
Disabling X-Content-Type-Options allows browsers to MIME-sniff, potentially exposing security vulnerabilities.
13. X-Content-Security-Policy Header
Should Have:
X-Content-Security-Policy: default-src 'self'; script-src 'self'
Similar to CSP, this header defines content security policies for the page.
Should Not Have:
X-Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
Allowing unsafe inline scripts can introduce XSS vulnerabilities.
14. X-Permitted-Cross-Domain-Policies Header
Should Have:
X-Permitted-Cross-Domain-Policies: none
Disallows any cross-domain policy files, reducing the risk of security vulnerabilities.
Should Not Have:
X-Permitted-Cross-Domain-Policies: all
Allowing all cross-domain policy files (all) may expose the application to potential security risks.
15. Proxy Headers (X-Forwarded-For, X-Forwarded-Proto)
Should Have:
X-Forwarded-For: client_ip
X-Forwarded-Proto: https
Helps preserve client IP and protocol information when behind a proxy, improving security and ensuring correct redirection.
Should Not Have:
X-Forwarded-For: *
Allowing a wildcard (*) in X-Forwarded-For may lead to IP spoofing and security risks.
16. Early-Data Header (Alt-Svc)
Should Have:
Alt-Svc: h2=":443"
Informs the browser about alternative services, enhancing security when using HTTP/2.
Should Not Have:
Alt-Svc: clear
Specifying "clear" may expose the application to potential downgrade attacks.
17. X-Download-Options Header
Should Have:
X-Download-Options: noopen
Prevents browsers from automatically opening files that are downloaded, reducing the risk of security vulnerabilities.
Should Not Have:
X-Download-Options: open
Allowing file opening (open) may expose users to potential security risks.
18. Public-Key-Pins (Deprecated, Use Expect-CT Instead)
Should Not Have:
Public-Key-Pins: pin-sha256="base64=="; max-age=5184000; includeSubDomains
Public-Key-Pins (HPKP) is deprecated and can have serious consequences if misconfigured. It is recommended to use Expect-CT for similar purposes.
19. X-Clacks-Overhead Header
Should Not Have:
X-Clacks-Overhead: GNU Terry Pratchett
This non-standard header is used as a tribute and should not be used for security. It doesn't provide any security benefits.
20. X-DNS-Prefetch-Control Header
Should Have:
X-DNS-Prefetch-Control: off
Disables DNS prefetching, reducing the risk of privacy and security issues.
Should Not Have:
X-DNS-Prefetch-Control: on
Enabling DNS prefetching may lead to privacy concerns and potential security risks.
21. Content-Disposition Header
Should Have:
Content-Disposition: attachment; filename="example.pdf"
Specifies how the browser should handle the content, improving security when serving downloadable files.
Should Not Have:
Content-Disposition: inline
Using inline may lead to the execution of certain file types in the browser, posing security risks.
22. Cross-Domain Cookies (SameSite)
Should Have:
Set-Cookie: sessionid=123; Secure; HttpOnly; SameSite=Strict
Ensures cookies are transmitted securely over HTTPS, accessible only by the server, and subject to strict SameSite policies.
Should Not Have:
Set-Cookie: sessionid=123; SameSite=None
Using SameSite=None may expose cookies to cross-site requests, potentially leading to security risks.
23. X-WebKit-CSP Header (Deprecated in Modern Browsers)
Should Not Have:
X-WebKit-CSP: default-src 'self'
X-WebKit-CSP is deprecated in modern browsers, and its use is discouraged.
24. X-XSS-Protection Header
Should Have:
X-XSS-Protection: 1; mode=block
Enables the browser's built-in Cross-Site Scripting (XSS) protection, preventing the rendering of pages when an XSS attack is detected.
Should Not Have:
X-XSS-Protection: 0
Disabling XSS protection (0) may expose the application to XSS attacks.
28. Cross-Origin Opener Policy (COOP)
Should Have:
Cross-Origin-Opener-Policy: same-origin
Specifies that a document should be opened only in a browsing context that has the same origin as the document.
Should Not Have:
Cross-Origin-Opener-Policy: unsafe-none
Allowing unsafe-none may expose the application to potential security risks by relaxing the opener policy.
29. Cross-Origin Embedder Policy (COEP)
Should Have:
Cross-Origin-Embedder-Policy: require-corp
Requires a cross-origin resource to be embedded with a CORP (Cross-Origin-Resource-Policy) header.
Should Not Have:
Cross-Origin-Embedder-Policy: unsafe-none
Allowing unsafe-none may expose the application to potential security risks by relaxing the embedder policy.
30. Cross-Origin Resource Policy (CORP)
Should Have:
Cross-Origin-Resource-Policy: same-site
Allows the resource to be loaded only by requests from the same site, enhancing security.
Should Not Have:
Cross-Origin-Resource-Policy: cross-origin
Allowing cross-origin may expose the application to potential security risks.
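As an added example that is not part of the original checklist, the Python below models how the three cross-origin headers above interact: whether a document with given COOP and COEP values becomes cross-origin isolated, and whether a no-CORS embed (image, script or frame) of a resource is allowed under the resource's CORP value and the embedder's COEP. Assumption: the registrable domain is approximated as the last two host labels; real use needs a public-suffix list. The URLs and header values are constructed.

```python
from urllib.parse import urlsplit

def origin(url):
    """Return (scheme, host, port) with the scheme's default port filled in."""
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port or {"https": 443, "http": 80}[u.scheme])

def site(url):
    """Schemeful site: scheme plus registrable domain.
    Assumption: registrable domain = last two labels (no public-suffix list)."""
    scheme, host, _ = origin(url)
    return (scheme, ".".join(host.split(".")[-2:]))

def corp_allows(resource_url, embedder_url, corp, coep="unsafe-none"):
    """True if a no-CORS embed of resource_url by a document at embedder_url loads.
    corp is the resource's Cross-Origin-Resource-Policy (None when absent);
    coep is the embedder's Cross-Origin-Embedder-Policy."""
    same_origin = origin(resource_url) == origin(embedder_url)
    same_site = site(resource_url) == site(embedder_url)
    corp = (corp or "").lower()
    if corp == "same-origin" and not same_origin:
        return False
    if corp == "same-site" and not same_site:
        return False
    # Under require-corp a cross-origin resource needs an explicit CORP grant.
    if coep.lower() == "require-corp" and not same_origin:
        if corp != "cross-origin" and not (corp == "same-site" and same_site):
            return False
    return True

def cross_origin_isolated(headers):
    """A document is crossOriginIsolated only with COOP same-origin plus
    COEP require-corp (or credentialless)."""
    h = {k.lower(): v.strip().lower() for k, v in headers.items()}
    return (h.get("cross-origin-opener-policy") == "same-origin"
            and h.get("cross-origin-embedder-policy") in ("require-corp", "credentialless"))

# Constructed values for demonstration.
ISOLATED = {"Cross-Origin-Opener-Policy": "same-origin",
            "Cross-Origin-Embedder-Policy": "require-corp"}
RELAXED = {"Cross-Origin-Opener-Policy": "unsafe-none",
           "Cross-Origin-Embedder-Policy": "unsafe-none"}
```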