HTTP security headers

Hello Readers, it’s been a long time since I have written a blog post, so I decided to write one today. This one is going to be on the security of web applications.

Many common web application vulnerabilities can be mitigated by sending the appropriate security headers in the HTTP response. These headers help protect a web application from attacks such as code injection, clickjacking and cross-site scripting. Modern browsers honour certain response headers, so you can enforce security policies on the client side, which raises the overall security of the application.

The solution is to set a few security headers in the server configuration file, telling the browser that renders your web application what is allowed and what is not. Some of the common security headers are:

  • HSTS (HTTP Strict Transport Security)
  • X-XSS-Protection
  • X-Frame-Options
  • X-Content-Type-Options
  • CSP (Content Security Policy)

HTTP Strict Transport Security

The HSTS (HTTP Strict Transport Security) header ensures that all communication from a browser to the site is sent over HTTPS (HTTP Secure). Once a browser has seen the header, it refuses to let the user click through certificate warnings for that site and rewrites HTTP requests to HTTPS before they leave the client.

X-XSS-Protection

This header tells the browser to enable its built-in Cross-site Scripting (XSS) filter. XSS filters were implemented in IE (8+) and Edge; in Chrome and Safari the feature is called the XSS Auditor. It does not block every possible attack (bypasses exist for all of these filters), but it is a defence-in-depth mechanism that can make an attacker's life at least a little harder. Note that the filter only exists in browsers that implement it; current Chromium-based browsers have since removed the XSS Auditor, so the header mainly benefits users of older browsers.

X-Frame-Options

X-Frame-Options controls whether and how the site may be framed by other pages. The following settings are possible:

  • X-Frame-Options: DENY
  • X-Frame-Options: SAMEORIGIN
  • X-Frame-Options: ALLOW-FROM

X-Frame-Options protects the user from clickjacking attacks, which rely on deceiving the user into interacting with content displayed in a hidden iframe embedded in a specially crafted web page (this attack is also called “UI redressing”).

X-Content-Type-Options

Prevent MIME-type security risks by adding this header to your web page’s HTTP response. X-Content-Type-Options instructs the browser to stick with the Content-Type declared by the server and disables client-side content sniffing, so a file is handled only as the type the server declared. The only meaningful value for this header is: X-Content-Type-Options: nosniff

Content Security Policy

Content-Security-Policy is a header that lets the server control the origins from which a web browser may load assets. There are several directives covering the various kinds of resources; the most basic are:

  • default-src (fallback for resource types that were not set explicitly using other directives)
  • img-src (restricts the sources of images)
  • script-src (restricts the sources of scripts)
  • connect-src (restricts the origins from which data can be fetched)

With these directives the server tells the browser which origins are allowed for each kind of dynamic resource. Some of the source values that can be used include:

  • 'none' (prevents loading from any source)
  • 'self' (allows only same-origin resources)
  • domain (allows loading from a specific domain, e.g. example.com)
  • scheme, e.g. data:, blob: (allows loading resources from specific schemes)

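To tie the five headers together, here is an added example (not from the original post) that audits a set of response headers against the checks described above: it parses the CSP into directives and reports which headers are missing or too weak. The header values are constructed, and the one-year HSTS threshold and the "too permissive" CSP rules (any-origin `*` or `'unsafe-inline'`) are my own assumptions.

```python
import re

# Constructed sample response headers (not captured from any real site)
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.com; img-src *",
}

def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a CSP value into {directive: [source expressions]}; directives are ';'-separated."""
    policy: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def audit_headers(headers: dict[str, str]) -> list[str]:
    """Return findings for the five headers above; an empty list means every check passed."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    findings: list[str] = []
    # HSTS: present, and max-age long enough to be useful (one year is an assumed threshold)
    hsts = h.get("strict-transport-security")
    age = re.search(r"max-age=(\d+)", hsts, re.I) if hsts else None
    if not age or int(age.group(1)) < 31536000:
        findings.append("HSTS missing or max-age shorter than one year")
    # X-XSS-Protection: only checked for presence; it is a legacy browser filter
    if "x-xss-protection" not in h:
        findings.append("X-XSS-Protection missing")
    # X-Frame-Options: must be one of the three values listed above
    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN") and not xfo.startswith("ALLOW-FROM"):
        findings.append("X-Frame-Options missing or unrecognised")
    # X-Content-Type-Options: the only meaningful value is nosniff
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")
    # CSP: present, has a default-src fallback, and no directive allows any origin or inline script
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing")
    else:
        policy = parse_csp(csp)
        if "default-src" not in policy:
            findings.append("CSP has no default-src fallback")
        for directive, sources in policy.items():
            if "*" in sources or "'unsafe-inline'" in sources:
                findings.append(f"CSP {directive} is too permissive: {' '.join(sources)}")
    return findings
```

Running `audit_headers(SAMPLE_HEADERS)` on the constructed headers flags the missing X-XSS-Protection header and the wide-open `img-src *`.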
Conclusion

Securing a website is challenging, and I hope that by implementing the above headers you add a layer of security; you can then check your site's security rating on Mozilla Observatory.

“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.” 
― Edward Snowden

I hope you all have a happy and SAFE read.

Goodbye, friend!
