Difference between revisions of "User:Pawel Krawczyk/List of useful HTTP headers"

From OWASP
Jump to: navigation, search
m (border)
m (-refs)
Line 7: Line 7:
 
! Example
 
! Example
 
|-
 
|-
|Strict-Transport-Security: max-age=16070400; includeSubDomains
+
|[Strict-Transport-Security http://tools.ietf.org/html/rfc6797]
|Complying user agents are to interact with this server using only secure HTTP connections (HTTP over TLS/SSL). HSTS is an IETF standards track protocol and is specified in [http://tools.ietf.org/html/rfc6797 RFC 6797].
+
|Complying user agents are to interact with this server using only secure HTTP connections (HTTP over TLS/SSL).
 
|<code>Strict-Transport-Security: max-age=16070400; includeSubDomains</code>
 
|<code>Strict-Transport-Security: max-age=16070400; includeSubDomains</code>
 
|-
 
|-
| X-Frame-Options<ref>[http://blogs.msdn.com/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx IE8 Security Part VII: ClickJacking Defenses]</ref> || [[Clickjacking]] protection. Values: ''deny'' - no rendering within a frame, ''sameorigin'' - no rendering if origin mismatch, ''allow-from URL'' - allow rendering frame if loaded from ''URL''
+
| [http://blogs.msdn.com/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx X-Frame-Options]<ref>
 +
| [[Clickjacking]] protection. Values: ''deny'' - no rendering within a frame, ''sameorigin'' - no rendering if origin mismatch, ''allow-from URL'' - allow rendering frame if loaded from ''URL''
 
| <code> X-Frame-Options: deny</code>
 
| <code> X-Frame-Options: deny</code>
 
|-
 
|-
| X-XSS-Protection<ref>[http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx IE8 Security Part IV: The XSS Filter]</ref>
+
| [http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx X-XSS-Protection]
 
| [[Cross-site scripting]] (XSS) filter
 
| [[Cross-site scripting]] (XSS) filter
 
| <code>X-XSS-Protection: 1; mode=block</code>
 
| <code>X-XSS-Protection: 1; mode=block</code>
 
|-
 
|-
| X-Content-Type-Options<ref>{{[http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspxIE8 Security Part VI: Beta 2 Update]</ref>
+
| [http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx X-Content-Type-Options
| The only defined value, "nosniff", prevents Internet Explorer and Google Chrom from MIME-sniffing a response away from the declared content-type. This also applies to [[Google Chrome]], when downloading extensions.<ref>{[url=http://code.google.com/chrome/extensions/hosting.htmlHosting - Google Chrome Extensions - Google Code]</ref>
+
| The only defined value, "nosniff", prevents Internet Explorer and Google Chrom from MIME-sniffing a response away from the declared content-type. This also applies to [http://code.google.com/chrome/extensions/hosting.html Google Chrome], when downloading extensions.
 
| <code> X-Content-Type-Options: nosniff </code>
 
| <code> X-Content-Type-Options: nosniff </code>
 
|-
 
|-
|X-Content-Security-Policy, X-WebKit-CSP<ref>[http://www.w3.org/TR/CSP/|title=Content Security Policy ]</ref>
+
|[http://www.w3.org/TR/CSP/ X-Content-Security-Policy, X-WebKit-CSP]
 
|[[Content Security Policy]] definition. Requires careful tuning and precise definition of the policy. If enabled CSP has significant impact on the way browser renders pages (e.g. inline JavaScript disabled by default and must be explicitly allowed in policy).
 
|[[Content Security Policy]] definition. Requires careful tuning and precise definition of the policy. If enabled CSP has significant impact on the way browser renders pages (e.g. inline JavaScript disabled by default and must be explicitly allowed in policy).
 
|<code>X-WebKit-CSP: default-src 'self'</code>
 
|<code>X-WebKit-CSP: default-src 'self'</code>

Revision as of 13:55, 14 January 2013

This page lists useful security-related HTTP headers. In most web application frameworks HTTP headers can be set in web server configuration, without changing actual application's code. This is often significantly faster and cheaper solution for at least partial mitigation of existing issues, and a quick additional layer of defense for new applications.

Field name Description Example
[Strict-Transport-Security http://tools.ietf.org/html/rfc6797] Complying user agents are to interact with this server using only secure HTTP connections (HTTP over TLS/SSL). Strict-Transport-Security: max-age=16070400; includeSubDomains
X-Frame-Options<ref> Clickjacking protection. Values: deny - no rendering within a frame, sameorigin - no rendering if origin mismatch, allow-from URL - allow rendering frame if loaded from URL X-Frame-Options: deny
X-XSS-Protection Cross-site scripting (XSS) filter X-XSS-Protection: 1; mode=block
[http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx X-Content-Type-Options The only defined value, "nosniff", prevents Internet Explorer and Google Chrom from MIME-sniffing a response away from the declared content-type. This also applies to Google Chrome, when downloading extensions. X-Content-Type-Options: nosniff
X-Content-Security-Policy, X-WebKit-CSP Content Security Policy definition. Requires careful tuning and precise definition of the policy. If enabled CSP has significant impact on the way browser renders pages (e.g. inline JavaScript disabled by default and must be explicitly allowed in policy). X-WebKit-CSP: default-src 'self'


Real life examples

Below examples present selected HTTP headers as set by popular websites to demonstrate that they are indeed being used in production services:

Facebook

As of January 2013 Facebook main page was setting these security related HTTP headers.

Strict-Transport-Security: max-age=60
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-WebKit-CSP: default-src *; script-src https://*.facebook.com
  http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net
  *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:*
  'unsafe-inline' 'unsafe-eval' https://*.akamaihd.net http://*.akamaihd.net;
  style-src * 'unsafe-inline'; connect-src https://*.facebook.com http://*.facebook.com
  https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.spotilocal.com:*
  https://*.akamaihd.net ws://*.facebook.com:* http://*.akamaihd.net;
X-XSS-Protection: 1; mode=block

Especially interesting is Facebook's use of Content Security Policy (using Google Chrome syntax), whose implementation can be challenging for large sites with heavy usage of JavaScript.

Google+

As of January 2013 Google+ main page was setting these security related HTTP headers:

x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block

<reflist/>