HTTP Headers

Description

HTTP Headers play a crucial role in web security by providing additional metadata about requests and responses between clients and servers. Misconfigured, missing, or weak security headers can expose web applications to various attacks, such as Cross-Site Scripting (XSS), Clickjacking, Man-in-the-Middle (MitM) attacks, and data leaks. Properly setting HTTP headers enhances the security posture of an application by enforcing secure communication, restricting browser behaviors, and mitigating common web vulnerabilities.

Without correctly configured security headers, attackers can manipulate responses, inject malicious scripts, or exploit browser-side weaknesses to compromise users and sensitive data.

Examples

Missing Strict-Transport-Security (HSTS)

The HTTP Strict Transport Security (HSTS) header ensures that browsers only connect to a site over HTTPS, preventing downgrade attacks and MitM attacks:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

If this header is missing, an attacker can force a user to visit the HTTP version of the site and intercept or alter the traffic.

Missing X-Frame-Options (Clickjacking Protection)

If an application allows framing inside <iframe> elements, attackers can create Clickjacking attacks that trick users into interacting with hidden UI elements.

To prevent this, the following header should be set:

X-Frame-Options: DENY

Without this, an attacker can embed the site within a malicious page and hijack user actions.

Missing X-Content-Type-Options (MIME Sniffing Attack Prevention)

Some browsers try to detect the content type of files even if the Content-Type header is present. This behavior, known as MIME sniffing, can be exploited to execute malicious scripts.

To prevent this, the following header should be set:

X-Content-Type-Options: nosniff

Without this, attackers can trick browsers into executing non-script files as JavaScript.

Weak or Missing Content-Security-Policy (XSS Prevention)

A missing Content Security Policy (CSP) allows attackers to inject malicious scripts via Cross-Site Scripting (XSS).

A strong CSP header should look like:

Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-random123'; object-src 'none'

Without this, malicious scripts injected into the site may execute in users' browsers.

Remediation

  1. Enforce HTTPS with HSTS

    • Prevents protocol downgrade attacks by ensuring all traffic is over HTTPS.
    • Recommended setting:
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

  2. Prevent Clickjacking with X-Frame-Options

    • Blocks embedding of the site in iframes to prevent UI redress attacks.
    • Recommended setting:
    X-Frame-Options: DENY

  3. Block MIME Sniffing with X-Content-Type-Options

    • Ensures the browser respects declared Content-Type and doesn't execute non-script files as scripts.
    • Recommended setting:
    X-Content-Type-Options: nosniff

  4. Mitigate XSS with Content-Security-Policy

    • Restricts allowed sources for scripts, styles, and other content.
    • Example policy:
    Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-random123'; object-src 'none'

  5. Enable Referrer-Policy for Privacy Protection

    • Controls how much referrer information is sent when navigating between sites.
    • Recommended setting:
    Referrer-Policy: strict-origin-when-cross-origin