There are a lot of things to consider when securing your website or web application, but a good place to start is to explore your HTTP security headers and ensure you are keeping up with best practices. In many cases they are very easy to implement and only require a slight web server configuration change. HTTP security headers provide yet another layer of security by helping to mitigate attacks and security vulnerabilities. In this post we will explore some of them to help you better understand their purpose and how to implement them.
What Are HTTP Security Headers?
Whenever a browser requests a page from a web server, the server responds with the content along with HTTP response headers. Some of these headers carry content metadata such as the content-encoding, cache-control, status codes, etc.
Along with these are also HTTP security headers that tell your browser how to behave when handling your website’s content. For example, by using the strict-transport-security header you can force the browser to communicate solely over HTTPS. There are six different HTTP security headers that we will explore below (in no particular order) that you should be aware of and we recommend implementing if possible.
An HTTP header consists of its case-insensitive name followed by a colon (:), then by its value. Whitespace before the value is ignored.
1. Add Content Security Policy
The content-security-policy header provides an additional layer of security. This policy helps prevent attacks such as Cross Site Scripting (XSS) and other code injection attacks by defining which content sources are approved, so that the browser loads content only from those sources.
All major browsers currently offer full or partial support for content security policy. If the header reaches an older browser that does not support it, content delivery is not broken; the policy is simply not enforced.
There are many directives which you can use with content security policy.
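As an added example (not code from the original post or from the extension it describes), the following Python builds a Content-Security-Policy value from a directive map and flags the sources that undo its protection, such as `'unsafe-inline'` or a wildcard. The two sample policies and the `https://cdn.example` origin are constructed for the demonstration.

```python
# Added example: serialise, parse and audit a Content-Security-Policy value.
# Directive names come from the CSP specification; the policies are made up.

# Source expressions that largely defeat the point of a CSP.
WEAK_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:"}


def build_csp(policy):
    """Serialise {directive: [sources]} into a CSP header value."""
    parts = []
    for directive, sources in policy.items():
        # Directives without a value (e.g. upgrade-insecure-requests) stand alone.
        parts.append(" ".join([directive, *sources]) if sources else directive)
    return "; ".join(parts)


def parse_csp(value):
    """Parse a CSP header value back into {directive: [sources]}."""
    policy = {}
    for token in value.split(";"):
        fields = token.split()
        if fields:
            policy[fields[0].lower()] = fields[1:]
    return policy


def csp_findings(value):
    """Return human-readable weaknesses found in a CSP value (empty if none)."""
    policy = parse_csp(value)
    findings = []
    if "default-src" not in policy:
        findings.append("no default-src fallback: unlisted fetch directives are unrestricted")
    for directive, sources in policy.items():
        for src in sources:
            if src in WEAK_SOURCES:
                findings.append(f"{directive} allows {src}")
    # Plugins (object-src) fall back to default-src; only 'none' there is safe.
    if "object-src" not in policy and policy.get("default-src") != ["'none'"]:
        findings.append("object-src not restricted (plugins can load)")
    return findings


# Constructed sample policies: a permissive one and a hardened one.
WEAK_POLICY = build_csp({
    "default-src": ["*"],
    "script-src": ["'self'", "'unsafe-inline'", "https://cdn.example"],
})
HARDENED_POLICY = build_csp({
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://cdn.example"],
    "object-src": ["'none'"],
    "frame-ancestors": ["'none'"],
    "upgrade-insecure-requests": [],
})

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: {policy}")
        for finding in csp_findings(policy) or ["no findings"]:
            print("  -", finding)
```

The audit deliberately treats a missing `object-src` as a finding unless `default-src 'none'` covers it, because plugin content falls back to `default-src` and is a common gap in otherwise strict policies.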
2. Add X-XSS-Protection
The x-xss-protection header is designed to enable the cross-site scripting (XSS) filter built into modern web browsers. This is usually enabled by default, but using it will enforce it. It is supported by Internet Explorer 8+, Chrome, and Safari.
3. Add HTTP Strict Transport Security (HSTS)
The strict-transport-security header is a security enhancement that restricts web browsers to accessing web servers solely over HTTPS. This ensures the connection cannot be established over an insecure HTTP connection, which could be susceptible to attacks.
All major modern browsers currently support HTTP strict transport security, except for Opera Mini and older versions of Internet Explorer.
An example scenario
You log into a free WiFi access point at an airport and start surfing the web, visiting your online banking service to check your balance and pay a couple of bills. Unfortunately, the access point you're using is actually a hacker's laptop, and they're intercepting your original HTTP request and redirecting you to a clone of your bank's site instead of the real thing. Now your private data is exposed to the hacker.
Strict Transport Security resolves this problem; as long as you've accessed your bank's web site once using HTTPS, and the bank's web site uses Strict Transport Security, your browser will know to automatically use only HTTPS, which prevents hackers from performing this sort of man-in-the-middle attack.
How the browser handles it
The first time your site is accessed using HTTPS and it returns the Strict-Transport-Security header, the browser records this information, so that future attempts to load the site using HTTP will automatically use HTTPS instead.
When the expiration time specified by the Strict-Transport-Security header elapses, the next attempt to load the site via HTTP will proceed as normal instead of automatically using HTTPS.
Whenever the Strict-Transport-Security header is delivered to the browser, it will update the expiration time for that site, so sites can refresh this information and prevent the timeout from expiring. Should it be necessary to disable Strict-Transport-Security, setting the max-age to 0 (over an HTTPS connection) will immediately expire the Strict-Transport-Security header, allowing access via HTTP.
Increase the max-age period periodically.
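The lifecycle just described can be modelled in a few lines. The following Python is an added example (not code from the original post or the extension) of a browser-side HSTS cache: it records the header only when received over HTTPS, upgrades later http:// navigations while the entry is valid, refreshes the expiry on every new header, lets an expired entry lapse, and drops the entry on max-age=0. The host `bank.example` and the clock values are constructed.

```python
# Added example: a minimal model of a browser's per-host HSTS store.
import re
from urllib.parse import urlsplit, urlunsplit


class HstsCache:
    def __init__(self):
        self._expiry = {}  # host -> absolute expiry time (seconds)

    @staticmethod
    def parse_max_age(header_value):
        """Extract max-age from an STS header value; None if absent or invalid."""
        m = re.search(r"max-age\s*=\s*\"?(\d+)\"?", header_value, re.IGNORECASE)
        return int(m.group(1)) if m else None

    def observe_response(self, url, headers, now):
        """Process a response; the header is honoured only over HTTPS."""
        parts = urlsplit(url)
        if parts.scheme != "https":
            return False  # an STS header over plain HTTP is ignored
        value = headers.get("Strict-Transport-Security")
        if value is None:
            return False
        max_age = self.parse_max_age(value)
        if max_age is None:
            return False
        if max_age == 0:
            self._expiry.pop(parts.hostname, None)  # explicit opt-out
        else:
            self._expiry[parts.hostname] = now + max_age  # set or refresh
        return True

    def is_known(self, host, now):
        expiry = self._expiry.get(host)
        if expiry is None:
            return False
        if now >= expiry:
            del self._expiry[host]  # entry lapsed: plain HTTP proceeds as normal
            return False
        return True

    def rewrite(self, url, now):
        """Return the URL the browser would actually load."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname, now):
            return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
        return url


def demo():
    """Walk through the lifecycle described above; returns the URLs loaded at each step."""
    cache = HstsCache()
    sts = {"Strict-Transport-Security": "max-age=300; includeSubDomains"}
    results = {}
    cache.observe_response("http://bank.example/", sts, now=0)  # ignored: not HTTPS
    results["after_http"] = cache.rewrite("http://bank.example/login", now=1)
    cache.observe_response("https://bank.example/", sts, now=10)  # recorded, expires at 310
    results["upgraded"] = cache.rewrite("http://bank.example/login", now=20)
    results["expired"] = cache.rewrite("http://bank.example/login", now=400)
    cache.observe_response("https://bank.example/", sts, now=500)  # expires at 800
    cache.observe_response("https://bank.example/", sts, now=700)  # refreshed to 1000
    results["refreshed"] = cache.rewrite("http://bank.example/login", now=900)
    cache.observe_response("https://bank.example/", {"Strict-Transport-Security": "max-age=0"}, now=910)
    results["disabled"] = cache.rewrite("http://bank.example/login", now=911)
    return results


if __name__ == "__main__":
    for step, url in demo().items():
        print(f"{step:>10}: {url}")
```

The model keeps the netloc (including any port) when upgrading, and it discards an entry the first time it is seen to be expired, which matches the "proceed as normal" behaviour described above.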
4. Add X-Frame-Options
The x-frame-options header provides clickjacking protection by controlling whether your pages may be rendered inside an iframe on another site. It is supported by IE 8+, Chrome 4.1+, Firefox 3.6.9+, Opera 10.5+, Safari 4+.
5. Add Expect-CT
The expect-ct header prevents misissued certificates from being used by allowing websites to report and optionally enforce Certificate Transparency requirements. When this header is set, the website asks the browser to verify whether or not the certificate appears in the public CT logs.
6. Add X-Content-Type-Options
The x-content-type-options header prevents Internet Explorer and Google Chrome from sniffing a response away from the declared content-type. This helps reduce the danger of drive-by downloads and ensures the browser handles content as the type the server declared.
7. Add Feature-Policy
The feature-policy header grants the ability to allow or deny browser features, whether in its own frame or content within an inline frame element (<iframe>).
8. Remove X-Forwarded-For
When a client connects to a server through a proxy or a load balancer, the endpoint needs custom HTTP headers in order to learn the identity of the connecting client.
The X-Forwarded-For (XFF) header is one of the most widely used headers for that purpose. Each forwarding node appends its direct client’s IP address, separated by commas, so the header forms a record of the connection path. However, HTTP is a text-based standard and any part of its content is very easy to forge.
By forging the XFF header in this way, a client may reach unauthorized parts of an application, create possible denial of service conditions, or falsify the IP addresses that get logged.
Forwarded: Contains information from the client-facing side of proxy servers that is altered or lost when a proxy is involved in the path of the request.
X-Forwarded-For: Identifies the originating IP addresses of a client connecting to a web server through an HTTP proxy or a load balancer.
X-Forwarded-Host: Identifies the original host requested that a client used to connect to your proxy or load balancer.
X-Forwarded-Proto: Identifies the protocol (HTTP or HTTPS) that a client used to connect to your proxy or load balancer.
Via: Added by proxies, both forward and reverse proxies, and can appear in the request headers and the response headers.
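If the application must keep using X-Forwarded-For (for instance behind a load balancer that cannot be removed), the defence is to trust only the hops you own. The following Python is an added example (not code from the original post or the extension) that walks the header from the right, strips the addresses belonging to a constructed `TRUSTED_PROXIES` list, and takes the first remaining hop as the client; a value the client wrote itself at the left end is simply never reached. The naive "first address" approach is shown alongside for contrast.

```python
# Added example: derive the client address from X-Forwarded-For without
# trusting anything the client itself could have written.
import ipaddress

# Constructed: the proxies and load balancers this deployment controls.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.10/32"),
]


def is_trusted(addr):
    """True if addr is a valid IP inside one of our trusted proxy networks."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def naive_client_ip(xff_value):
    """The common mistake: believe the leftmost entry, which the client controls."""
    return (xff_value or "").split(",")[0].strip() or None


def client_ip(remote_addr, xff_value):
    """Return the address of the nearest hop we cannot vouch for."""
    if not is_trusted(remote_addr):
        # Direct connection from an unknown peer: the header is meaningless.
        return remote_addr
    hops = [h.strip() for h in (xff_value or "").split(",") if h.strip()]
    # Each trusted proxy appended the address that connected to it, so
    # peel trusted proxies off the right until an external address remains.
    while hops and is_trusted(hops[-1]):
        hops.pop()
    if not hops:
        return remote_addr  # proxy added nothing usable; fall back to the peer
    candidate = hops[-1]
    try:
        ipaddress.ip_address(candidate)
    except ValueError:
        return None  # unparsable junk in the trusted position: reject, do not log it raw
    return candidate


if __name__ == "__main__":
    # Constructed request: the client claimed 1.2.3.4, the load balancer
    # (10.0.0.1) appended the address it actually saw, 203.0.113.5.
    forged = "1.2.3.4, 203.0.113.5"
    print("naive  :", naive_client_ip(forged))
    print("trusted:", client_ip("10.0.0.1", forged))
```

Returning `None` for an unparsable entry (rather than the raw string) keeps log files and access-control decisions free of attacker-chosen text.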
9. Remove X-Powered-By
The x-powered-by header may be set by hosting environments or other frameworks and contains information about them while not providing any usefulness to the application or its visitors. Unset this header to avoid exposing potential vulnerabilities.
10. Remove HTTP Ranges
The "Range" header is meant to be used to support partial downloads. A client may request just part of a file, instead of asking for the entire file.
Range is used in the request, to ask for a particular range (or ranges) of bytes. Content-Range is used in the response, to indicate which bytes the server is giving you (which may be different than the range you requested), as well as how long the entire content is (if known).
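If partial downloads cannot be switched off outright, the server-side handling should at least be strict. The following Python is an added example (not code from the original post or the extension) that parses a `Range` request header, builds the matching `Content-Range`, answers 416 for unsatisfiable ranges, and caps the number of ranges one request may ask for, a standard defence against requests crafted to make the server allocate many slices at once. The limit `MAX_RANGES`, the sample body and `serve_range` are constructed for the example.

```python
# Added example: strict Range parsing and Content-Range generation.

MAX_RANGES = 5  # constructed limit on byte-range specs per request


def parse_range(header_value, total):
    """Parse a Range header against a body of `total` bytes.

    Returns a list of inclusive (start, end) tuples; an empty list if every
    range is unsatisfiable (caller answers 416); None if the header is not a
    valid bytes range (caller ignores it and serves the whole body).
    Raises ValueError when more than MAX_RANGES specs are requested.
    """
    if not header_value.startswith("bytes="):
        return None
    specs = [s.strip() for s in header_value[len("bytes="):].split(",")]
    if len(specs) > MAX_RANGES:
        raise ValueError("too many ranges")
    ranges = []
    for spec in specs:
        if "-" not in spec:
            return None
        first, last = spec.split("-", 1)
        if first == "":
            # Suffix form "-N": the last N bytes.
            if not last.isdigit() or int(last) == 0:
                return None
            start, end = max(0, total - int(last)), total - 1
        else:
            if not first.isdigit() or (last and not last.isdigit()):
                return None
            start = int(first)
            end = total - 1 if last == "" else min(int(last), total - 1)
            if last and int(last) < start:
                return None  # last-byte-pos before first-byte-pos is invalid
            if start >= total:
                continue  # this one is unsatisfiable; others may still be fine
        ranges.append((start, end))
    return ranges


def content_range(start, end, total):
    """Build the Content-Range value for a satisfied single range."""
    return f"bytes {start}-{end}/{total}"


def serve_range(body, range_header):
    """Return (status, content_range_value, payload) for a request."""
    total = len(body)
    if range_header is None:
        return 200, None, body
    try:
        ranges = parse_range(range_header, total)
    except ValueError:
        return 400, None, b""  # refuse rather than allocate for each range
    if ranges is None:
        return 200, None, body  # unparseable header: ignore it, serve everything
    if not ranges:
        return 416, f"bytes */{total}", b""
    if len(ranges) > 1:
        # Multipart responses are optional; answering with the full body is
        # permitted and keeps this example small.
        return 200, None, body
    start, end = ranges[0]
    return 206, content_range(start, end, total), body[start:end + 1]


if __name__ == "__main__":
    data = b"0123456789"  # constructed 10-byte body
    for hdr in (None, "bytes=0-3", "bytes=-3", "bytes=20-30", "bytes=0-0,1-1,2-2,3-3,4-4,5-5"):
        print(hdr, "->", serve_range(data, hdr))
```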
11. Remove HTTP Proxy - (HTTPoxy)
httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments. It comes down to a simple namespace conflict.
httpoxy is extremely easy to exploit in basic form. And we expect security researchers to be able to scan for it quickly. Luckily, if you read on and find you are affected, easy mitigations are available.
Isn’t this old news? Is this still a problem?
httpoxy was disclosed in mid-2016. If you’re reading about it now for the first time, you can probably relax and take your time reading about this quaint historical bug that hopefully no longer affects any of the applications you maintain. But you should verify that to your own satisfaction.
The content below this point reflects the original disclosure, and I’ll be leaving the site up and mostly unchanged, other than noting fix versions where I can. I guess I’m just saying: the time for urgency was last year.
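The namespace conflict behind httpoxy is the CGI rule that turns every request header into an `HTTP_`-prefixed environment variable, which makes a request header named `Proxy` land in `HTTP_PROXY`, the very variable many HTTP client libraries read to find their outgoing proxy. The following Python is an added example (not code from the httpoxy disclosure, the original post or the extension) that shows that name mapping and the gateway-side mitigation: drop `HTTP_PROXY` from the environment before application code runs. The request headers and the `outgoing_proxy` stand-in for a client library are constructed.

```python
# Added example: the CGI header-to-environment mapping and an httpoxy mitigation.


def cgi_env_name(header_name):
    """CGI meta-variable name for a request header (RFC 3875 convention)."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def build_cgi_environ(request_headers):
    """What a CGI-style gateway hands to the application for each request."""
    return {cgi_env_name(name): value for name, value in request_headers.items()}


def strip_httpoxy(environ):
    """Mitigation: never let a request header populate HTTP_PROXY.

    A WSGI/CGI wrapper applying this before calling the application (or the
    web server unsetting the variable) is the documented fix.
    """
    cleaned = dict(environ)
    cleaned.pop("HTTP_PROXY", None)
    return cleaned


def outgoing_proxy(environ):
    """Stand-in for an HTTP client library that honours HTTP_PROXY from its environment."""
    return environ.get("HTTP_PROXY")


# Constructed request: ordinary headers plus a "Proxy" header the gateway
# never asked for.
SAMPLE_REQUEST = {
    "Host": "shop.example",
    "User-Agent": "demo-browser/1.0",
    "Proxy": "http://203.0.113.7:8080",
}

if __name__ == "__main__":
    env = build_cgi_environ(SAMPLE_REQUEST)
    print("unmitigated proxy:", outgoing_proxy(env))
    print("mitigated proxy  :", outgoing_proxy(strip_httpoxy(env)))
```

Detection follows from the same mapping: a request carrying a `Proxy` header has no legitimate reason to exist, so logging or blocking it at the reverse proxy is a cheap signal that someone is probing for this bug.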
12. Remove X-HTTP-Method-Override
In certain situations (for example, when the service or its consumers are behind an overzealous corporate firewall, or if the main consumer is a web page), only the GET and POST HTTP methods might be available. In such a case, it is possible to emulate the missing verbs by passing a custom header in the requests.
For example, resource updates can be handled using POST requests by setting a custom header (for example, X-HTTP-Method-Override) to PUT to indicate we are emulating a PUT request via a POST request.
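Where the override cannot be removed, it should be narrowly honoured: only on POST, only for an explicit list of methods, and never as a downgrade to GET or HEAD, so the emulated request keeps the CSRF token and no-cache handling that POST already has. The following Python is an added example (not code from the original post or the extension) of that rule; the allow-list, the handler table and the sample requests are constructed.

```python
# Added example: resolve the effective method for an X-HTTP-Method-Override request.

# Constructed allow-list: the verbs a firewall is likely to block and that
# POST may legitimately stand in for.
ALLOWED_OVERRIDES = {"PUT", "PATCH", "DELETE"}


def effective_method(method, headers):
    """Return the method the application should act on.

    Raises ValueError for an override value outside the allow-list so the
    server can answer 400 instead of silently running the POST handler.
    """
    override = None
    for name, value in headers.items():
        if name.lower() == "x-http-method-override":
            override = value.strip().upper()
    if override is None:
        return method
    if method.upper() != "POST":
        return method  # only POST may be tunnelled; ignore it elsewhere
    if override not in ALLOWED_OVERRIDES:
        raise ValueError(f"override to {override} not permitted")
    return override


# Constructed handler table for a resource.
HANDLERS = {
    "GET": "show_item",
    "POST": "create_item",
    "PUT": "replace_item",
    "PATCH": "update_item",
    "DELETE": "remove_item",
}


def route(method, headers):
    """Map a request to a handler name, or 'bad_request' if the override is refused."""
    try:
        return HANDLERS.get(effective_method(method, headers), "method_not_allowed")
    except ValueError:
        return "bad_request"


if __name__ == "__main__":
    for m, h in (("POST", {"X-HTTP-Method-Override": "PUT"}),
                 ("POST", {}),
                 ("GET", {"X-HTTP-Method-Override": "DELETE"}),
                 ("POST", {"X-HTTP-Method-Override": "GET"})):
        print(m, h, "->", route(m, h))
```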
Upload the downloaded archive to the store via Extension Installer
Add user permissions for security_headers to modify the settings
Go to Extensions > Modules > Opencart Security Headers
Select your settings and Save
Check your stores from: