Difference between revisions of "User:Pawel Krawczyk/List of useful HTTP headers"

From OWASP
Jump to: navigation, search
(new page)
 
m
Line 10: Line 10:
 
  '''X-Content-Type-Options:''' nosniff
 
  '''X-Content-Type-Options:''' nosniff
 
  '''X-Frame-Options:''' DENY
 
  '''X-Frame-Options:''' DENY
  '''X-WebKit-CSP:''' default-src *;script-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* chrome-extension://lifbcibllhkdhoafpjfnlhfpfgnpldfl 'unsafe-inline' 'unsafe-eval'  https://*.akamaihd.net http://*.akamaihd.net;style-src * 'unsafe-inline';connect-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.spotilocal.com:* https://*.akamaihd.net ws://*.facebook.com:* http://*.akamaihd.net;
+
  '''X-WebKit-CSP:''' default-src *;script-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net  
 +
*.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* 'unsafe-inline' 'unsafe-eval'
 +
  https://*.akamaihd.net http://*.akamaihd.net;style-src * 'unsafe-inline';connect-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net
 +
http://*.fbcdn.net *.facebook.net *.spotilocal.com:* https://*.akamaihd.net ws://*.facebook.com:* http://*.akamaihd.net;
 
  '''X-XSS-Protection:''' 1; mode=block
 
  '''X-XSS-Protection:''' 1; mode=block
  
Line 16: Line 19:
  
 
===Google+===
 
===Google+===
As of January 2013 [https://plus.google.com/ Facebook] main page was setting these security related HTTP headers:
+
As of January 2013 [https://plus.google.com/ Google+] main page was setting these security related HTTP headers:
  
 
  '''x-content-type-options:''' nosniff
 
  '''x-content-type-options:''' nosniff
 
  '''x-frame-options:''' SAMEORIGIN
 
  '''x-frame-options:''' SAMEORIGIN
 
  '''x-xss-protection:''' 1; mode=block
 
  '''x-xss-protection:''' 1; mode=block

Revision as of 11:33, 14 January 2013

This page lists useful security-related HTTP headers. In most web application frameworks HTTP headers can be set in web server configuration, without changing actual application's code. This is often significantly faster and cheaper solution for at least partial mitigation of existing issues, and a quick additional layer of defense for new applications.

Real life examples

Below examples present selected HTTP headers as set by popular websites to demonstrate that they are indeed being used in production services:

Facebook

As of January 2013 Facebook main page was setting these security related HTTP headers.

Strict-Transport-Security: max-age=60
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-WebKit-CSP: default-src *;script-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net 
*.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:*  'unsafe-inline' 'unsafe-eval'
https://*.akamaihd.net http://*.akamaihd.net;style-src * 'unsafe-inline';connect-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net
http://*.fbcdn.net *.facebook.net *.spotilocal.com:* https://*.akamaihd.net ws://*.facebook.com:* http://*.akamaihd.net;
X-XSS-Protection: 1; mode=block

Especially interesting is Facebook's use of Content Security Policy (using Google Chrome syntax), whose implementation is challenging for large sites with heavy usage of JavaScript.

Google+

As of January 2013 Google+ main page was setting these security related HTTP headers:

x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block