Configure Security HTTP Headers to Prevent Vulnerabilities
HTTP is short for HyperText Transfer Protocol, the set of standards that lets users of the World Wide Web exchange the information found on web pages. Typing http:// in front of an address tells the browser to talk to the server over HTTP; the example URL for Computer Hope, https://www.computerhope.com, uses the TLS-protected variant, HTTPS. Today's browsers no longer require the scheme to be typed, because HTTP(S) is the default, but it remains part of the URL so that the browser can tell other protocols such as FTP apart. The security headers described below are sent by the server in its HTTP responses and tell the browser how the page may be used; they protect only as far as the user's browser implements them.
X-Frame-Options
The X-Frame-Options HTTP response header tells the browser whether the page may be rendered inside a <frame>, <iframe>, or <object>. Sites use it to make sure their content is not embedded in someone else's page, which defeats clickjacking (click hijacking) attacks. X-Frame-Options takes one of three values: DENY, SAMEORIGIN, ALLOW-FROM.
DENY: the page may not be displayed in a frame at all, not even when the framing page is on the same origin.
SAMEORIGIN: the page may be displayed in a frame only when the framing page is on the same origin.
ALLOW-FROM uri: the page may be displayed in a frame only by the specified origin. This value is obsolete: Chrome never supported it and Firefox removed it, and a browser that does not recognise the value ignores the whole header and renders the frame, so ALLOW-FROM gives no protection in current browsers. Use the frame-ancestors directive of Content-Security-Policy instead, which can list several allowed origins and takes precedence over X-Frame-Options in browsers that support it.
In other words, with DENY the page cannot be embedded anywhere, not even by a page on its own domain; with SAMEORIGIN it can be embedded by pages of the same origin (same scheme, host and port) and by nobody else. The header must be present on every response that needs protecting, and it only works as a real HTTP header: an equivalent <meta http-equiv> tag in the HTML is ignored by browsers.
Configure Apache
To have Apache send an X-Frame-Options header on every page, add the following line to the site (virtual host) configuration; it requires mod_headers to be enabled:
Configure nginx
To have nginx send the X-Frame-Options header, add the following line to the http, server or location block of the configuration:
Configure IIS
To have IIS send the X-Frame-Options response header, add the following configuration to the site's Web.config file:
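Whichever server sends the header, what matters is how the browser interprets it. The following Python is an added example, not code from the original page: it models the framing decision a browser makes for each X-Frame-Options value, including the fact that current browsers treat ALLOW-FROM as unrecognised and frame the page anyway. The bank/partner/evil origins are made up for the illustration.

```python
from typing import Optional
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """Return the web origin (scheme://host[:port]) of a URL, lower-cased."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def frame_allowed(xfo: Optional[str], page_url: str, framer_url: str,
                  browser: str = "modern") -> bool:
    """Model whether a browser renders page_url inside a frame on framer_url.

    xfo is the page's X-Frame-Options response header value (None if absent).
    browser="modern" models current Chrome/Firefox/Safari, which do not
    support ALLOW-FROM; browser="legacy" models the old Firefox/IE builds
    that honoured it. Only the top-level framing page is considered here;
    current browsers check every ancestor in the frame tree.
    """
    if xfo is None:
        return True                              # no header: framing is allowed
    tokens = xfo.strip().split(None, 1)
    directive = tokens[0].upper() if tokens else ""
    if directive == "DENY":
        return False                             # never framed, not even by itself
    if directive == "SAMEORIGIN":
        return origin_of(page_url) == origin_of(framer_url)
    if directive == "ALLOW-FROM":
        if browser == "legacy" and len(tokens) == 2:
            return origin_of(tokens[1]) == origin_of(framer_url)
        # Modern browsers treat ALLOW-FROM as an unrecognised value and
        # ignore the whole header: the page is framed with no protection.
        return True
    return True                                  # unrecognised value: header ignored


if __name__ == "__main__":
    # Constructed origins for the demonstration.
    page = "https://bank.example/transfer"
    framers = ("https://bank.example/", "https://partner.example/", "https://evil.example/")
    for value in (None, "DENY", "SAMEORIGIN", "ALLOW-FROM https://partner.example"):
        for framer in framers:
            print(f"{str(value):38} framed by {framer:26} -> {frame_allowed(value, page, framer)}")
```

The server-side directives the three sections above refer to are, for Apache with mod_headers, `Header always set X-Frame-Options "SAMEORIGIN"`; for nginx, `add_header X-Frame-Options "SAMEORIGIN" always;` (note that an add_header in a child block replaces every add_header inherited from the enclosing block, so security headers set at server level silently disappear in a location that adds its own); and for IIS, an `<add name="X-Frame-Options" value="SAMEORIGIN" />` element under `system.webServer/httpProtocol/customHeaders` in Web.config. The `always` flag on Apache and nginx makes the header appear on error responses as well, which is where it is most often forgotten.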
X-Content-Type-Options
There are many kinds of resources on the web, and the browser normally tells them apart by the Content-Type field of the response: "text/html" is an HTML document, "image/png" a PNG image, "text/css" a style sheet. Some responses, however, carry a wrong or missing Content-Type, and then some browsers fall back to MIME sniffing: they guess the type from the content itself, and parse and execute the resource accordingly.
For example, even when an HTML document is served with Content-Type "text/plain", IE8 and earlier still parsed it as HTML. An attacker can abuse this to get a response that should have been treated as an image or plain text (a user-uploaded file, say) parsed as HTML or script in the victim's browser. The following response header turns the browser's type guessing off:
The header has a single valid value, nosniff (X-Content-Type-Options: nosniff). Besides disabling sniffing, nosniff makes browsers refuse to execute a <script> whose response is not served with a JavaScript MIME type and refuse to apply a stylesheet not served as text/css, so it only helps if the server sets correct Content-Type values in the first place.
Access-Control-Allow-Origin
Cross-origin resource sharing (CORS) lets websites share content with each other. To allow controlled cross-origin access, the server sets Access-Control-Allow-Origin to name the origins that are permitted to read its resources from script.
Simple explanation
The browser lets script on our page read the response of a cross-origin request only if that response carries an Access-Control-Allow-Origin header whose value is our own origin (or a wildcard); otherwise the request is sent but the response body is withheld from the script. For example:
If the value is set to *, any origin may read the response:
In production we will not use *, because it is very insecure unless the data is genuinely public. The wildcard cannot be combined with credentials: browsers refuse to expose a response that carries Access-Control-Allow-Origin: * when the request was sent with cookies or HTTP authentication. The really dangerous pattern is a server that copies the request's Origin header into Access-Control-Allow-Origin without checking it against a list, together with Access-Control-Allow-Credentials: true, since that lets any site read the logged-in user's data.
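As an added example (not code from the original page), the Python below shows both halves of that rule: a server that answers only allow-listed origins, and the simplified check a browser performs before it lets script read a cross-origin response, including why the wildcard and credentials do not combine and why a blindly reflected Origin is as bad as a wildcard. The origins in the allow-list are constructed for the example.

```python
from typing import Dict, Optional, Set


def _get(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def cors_response_headers(request_origin: Optional[str], allowed_origins: Set[str],
                          with_credentials: bool = False) -> Dict[str, str]:
    """Server side: emit CORS headers only for an allow-listed Origin.

    An absent or unknown Origin gets no Access-Control-Allow-Origin at all,
    so the browser blocks cross-origin reads. Vary: Origin is always set so
    that a cache never serves one origin's CORS response to another.
    """
    headers = {"Vary": "Origin"}
    if request_origin is None or request_origin not in allowed_origins:
        return headers
    headers["Access-Control-Allow-Origin"] = request_origin   # exact origin, checked, never reflected blindly
    if with_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def browser_allows_read(request_origin: str, response_headers: Dict[str, str],
                        credentials: bool = False) -> bool:
    """Browser side: the check made before script may read a cross-origin
    response body (simplified from the Fetch standard's CORS check)."""
    acao = _get(response_headers, "Access-Control-Allow-Origin")
    if acao is None:
        return False
    if credentials:
        # With cookies or HTTP auth in play the wildcard is rejected: the header
        # must name the origin exactly and Allow-Credentials must be "true".
        return (acao == request_origin and
                _get(response_headers, "Access-Control-Allow-Credentials") == "true")
    return acao == "*" or acao == request_origin


if __name__ == "__main__":
    allowed = {"https://app.example", "https://admin.example"}   # constructed allow-list
    for origin in ("https://app.example", "https://evil.example"):
        sent = cors_response_headers(origin, allowed, with_credentials=True)
        readable = browser_allows_read(origin, sent, credentials=True)
        print(f"{origin}: server sends {sent}; script may read: {readable}")
```

The last assertion in the accompanying check is the one to remember: a response that echoes `https://evil.example` back with credentials enabled passes the browser's check, which is exactly why the server-side allow-list, not the browser, is the control.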
X-XSS-Protection
The X-XSS-Protection response header controls the reflected-XSS filter that Internet Explorer, older Chrome and Safari shipped: when the browser detected a reflected cross-site scripting attack it sanitised the page or stopped loading it. The filter is unnecessary in modern browsers when the site deploys a strong Content-Security-Policy that disables inline JavaScript ('unsafe-inline'), and it has since been removed from Chrome and Edge (Firefox never implemented it); it can still give some protection to users of older browsers that do not support CSP. Because the filter itself has been abused as a side channel to learn about a page's content, current guidance is to set it to 0 and rely on CSP.
Parameter Explanation
0: Disable XSS filtering.
1: Enable XSS filtering (usually the browser default). If a cross-site scripting attack is detected, the browser sanitises the page (removes the unsafe portion).
1; mode=block: Enable XSS filtering. If an attack is detected, the browser does not sanitise the page but prevents it from rendering at all.
1; report=<reporting-URI>: Enable XSS filtering (Chromium only). If a cross-site scripting attack is detected, the browser sanitises the page and sends a violation report to the given URI, using the functionality of the CSP report-uri directive.
HTTP Strict Transport Security (HSTS)
HTTP Strict Transport Security (HSTS) is a security mechanism by which a web server tells the browser to communicate with it only over HTTPS, never over plain HTTP.
Once the browser has seen the Strict-Transport-Security header on an HTTPS response, it rewrites every http:// URL for that host (and, with the includeSubDomains directive, for its subdomains) to https:// before the request leaves the machine, for as long as the max-age directive says, and it refuses to let the user click through certificate errors for that host. The header is ignored when it arrives over plain HTTP, so the very first visit is unprotected unless the domain has been submitted to the browsers' preload list with the preload directive.
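As an added example (not code from the original page), the Python below builds the header on the server side and models the browser's side of HSTS: a store that learns the policy only from HTTPS responses, applies it to subdomains when asked, expires it after max-age, forgets it on max-age=0, and rewrites http:// URLs before any request is sent. Host names and timestamps are constructed for the illustration; explicit :80 ports are not translated to :443 here.

```python
import re
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit


def hsts_header(max_age: int = 31536000, include_subdomains: bool = True,
                preload: bool = False) -> str:
    """Server side: build the Strict-Transport-Security value (default one year)."""
    value = f"max-age={max_age}"
    if include_subdomains:
        value += "; includeSubDomains"
    if preload:
        value += "; preload"
    return value


def parse_hsts(header: str) -> Optional[Dict[str, object]]:
    """Parse 'max-age=N[; includeSubDomains][; preload]'.

    Returns None when max-age is missing or malformed; the browser then
    discards the header entirely (RFC 6797 section 6.1).
    """
    result: Dict[str, object] = {"max-age": None, "includeSubDomains": False, "preload": False}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            match = re.fullmatch(r'"?(\d+)"?', value.strip())
            if match is None:
                return None
            result["max-age"] = int(match.group(1))
        elif name == "includesubdomains":
            result["includeSubDomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result if result["max-age"] is not None else None


class HstsStore:
    """Browser side: remembers which hosts must only be reached over HTTPS."""

    def __init__(self) -> None:
        self.entries: Dict[str, Tuple[float, bool]] = {}   # host -> (expiry, includeSubDomains)

    def learn(self, response_url: str, header: Optional[str], now: float) -> None:
        """Record the header from a response. Only HTTPS responses count: an
        HSTS header on plain HTTP could have been injected by an attacker on
        the path, so browsers ignore it (RFC 6797 section 8.1)."""
        parts = urlsplit(response_url)
        if header is None or parts.scheme != "https" or not parts.hostname:
            return
        policy = parse_hsts(header)
        if policy is None:
            return
        host = parts.hostname.lower()
        if policy["max-age"] == 0:
            self.entries.pop(host, None)     # max-age=0 tells the browser to forget the host
            return
        self.entries[host] = (now + int(policy["max-age"]), bool(policy["includeSubDomains"]))

    def must_use_https(self, url: str, now: float) -> bool:
        """Is url covered by an unexpired entry for its host or, via
        includeSubDomains, for one of its parent domains?"""
        labels = (urlsplit(url).hostname or "").lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_sub = entry
            if now < expiry and (i == 0 or include_sub):
                return True
        return False

    def rewrite(self, url: str, now: float) -> str:
        """What the browser actually fetches: http:// becomes https:// for a
        covered host before the request leaves the machine."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.must_use_https(url, now):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url


if __name__ == "__main__":
    store, now = HstsStore(), 1_700_000_000.0          # constructed clock
    store.learn("http://example.com/", hsts_header(), now)   # ignored: plain HTTP
    print(store.rewrite("http://example.com/login", now))    # still http://
    store.learn("https://example.com/", hsts_header(), now)
    print(store.rewrite("http://api.example.com/v1", now))   # now https://
```

A practical consequence of the first branch in `learn`: an HSTS header configured only on the HTTP-to-HTTPS redirect virtual host does nothing, because the browser never trusts it there; it has to be sent on the HTTPS responses.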
Content Security Policy
Content Security Policy (CSP) is a browser security mechanism used mainly to prevent cross-site scripting (XSS), clickjacking and other code injection attacks. CSP stops malicious code from loading by declaring which locations scripts (and other resources) may be loaded from and which inline content, if any, is allowed to run.
Basic usage
CSP is delivered in the Content-Security-Policy HTTP header (the older, deprecated form is X-Content-Security-Policy). A response may carry more than one CSP header; every policy is enforced, so a load must be allowed by all of them, and an extra header can only tighten the policy, never loosen it. The format of the header is:
where the policy parameter is a string of CSP directives. Each directive has two parts: a name (which kind of resource or behaviour it constrains, such as script-src) and a value (the sources it permits). Directives are separated by semicolons, and a directive's value is a whitespace-separated list of source expressions, each of which may be a host (with optional scheme, port and leading wildcard), a scheme such as https:, a keyword such as 'self', 'none', 'unsafe-inline' or a 'nonce-…' value, or a base64-encoded hash of the inline content that is allowed. Several policies may also be combined in one header field, separated by commas, and are enforced exactly as separate headers would be.
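As an added example (not code from the original page or any CSP library), the Python below parses a policy string into directives and source lists, matches script URLs against host, scheme and keyword source expressions, enforces several headers as the browser does (all of them must allow the load), and flags the script-src settings that defeat CSP's XSS protection. Path matching and a few rarer source forms are left out, and the origins are constructed.

```python
from typing import Dict, List, Optional
from urllib.parse import urlsplit

INLINE_KEYWORDS = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split one Content-Security-Policy value into directive -> source list.

    Directives are separated by ';', sources inside a directive by whitespace.
    A directive repeated within the same policy is ignored the second time
    (the first occurrence wins), as the spec requires.
    """
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def sources_for(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Fetch directives such as script-src fall back to default-src; None means
    the policy does not restrict this kind of load at all."""
    return policy.get(directive, policy.get("default-src"))


def source_matches(expr: str, url: str, self_origin: str) -> bool:
    """Does one source expression permit loading url? (paths are ignored)"""
    expr = expr.lower()
    u = urlsplit(url)
    url_host = (u.hostname or "").lower()
    if expr == "'none'":
        return False
    if expr == "'self'":
        s = urlsplit(self_origin)
        return (u.scheme, url_host, u.port) == (s.scheme, (s.hostname or "").lower(), s.port)
    if expr.startswith("'"):                    # nonce, hash, unsafe-*: not URL matches
        return False
    if expr == "*":
        return u.scheme in ("http", "https")    # data:, blob: etc. are never covered by *
    if expr.endswith(":") and "/" not in expr:  # scheme-source such as https:
        return u.scheme == expr[:-1]
    scheme, _, rest = expr.rpartition("://")    # host-source: [scheme://]host[:port]
    host = rest.split("/", 1)[0]
    if scheme:
        if scheme != u.scheme:
            return False
    elif u.scheme not in ("http", "https"):
        return False
    if ":" in host:
        host, port = host.split(":", 1)
        url_port = u.port or (443 if u.scheme == "https" else 80)
        if port != "*" and port != str(url_port):
            return False
    if host.startswith("*."):                   # *.example.com matches a.example.com, not example.com
        return url_host.endswith(host[1:])
    return url_host == host


def script_allowed(headers: List[str], url: str, self_origin: str) -> bool:
    """Every CSP header on a response is enforced: a script must be allowed
    by all of them, so a second header can only tighten, never loosen."""
    for header in headers:
        sources = sources_for(parse_csp(header), "script-src")
        if sources is None:
            continue                            # this policy says nothing about scripts
        if not any(source_matches(e, url, self_origin) for e in sources):
            return False
    return True


def script_findings(header: str) -> List[str]:
    """Flag script-src settings that defeat CSP's protection against XSS."""
    sources = sources_for(parse_csp(header), "script-src")
    if sources is None:
        return ["no script-src or default-src: scripts may load from anywhere"]
    lowered = [s.lower() for s in sources]
    findings: List[str] = []
    # Since CSP level 2 a browser ignores 'unsafe-inline' when a nonce or hash
    # is present, so it is only a problem on its own.
    if "'unsafe-inline'" in lowered and not any(s.startswith(INLINE_KEYWORDS) for s in lowered):
        findings.append("'unsafe-inline' without a nonce or hash: inline scripts run, XSS is not mitigated")
    if "'unsafe-eval'" in lowered:
        findings.append("'unsafe-eval': injected strings can reach eval()")
    for s in lowered:
        if s in ("*", "https:", "http:", "data:"):
            findings.append(f"{s} in script-src: script sources are effectively unrestricted")
    return findings


if __name__ == "__main__":
    self_origin = "https://app.example"                           # constructed site origin
    weak = "default-src 'self'; script-src 'self' 'unsafe-inline' https:"
    strong = "default-src 'self'; script-src 'self' 'nonce-r4nd0m' https://cdn.example.com"
    for name, policy in (("weak", weak), ("strong", strong)):
        print(name, script_findings(policy) or "no findings")
    print(script_allowed([strong, "script-src 'self'"], "https://cdn.example.com/lib.js", self_origin))
```

The two-header case in `script_allowed` is the one the text is getting at: a second `script-src 'self'` header blocks the CDN even though the first policy allows it, which is why policies from different layers (a web framework and a reverse proxy, say) combine safely but can also break a site in surprising ways.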
For more on CSP, please read this article.