Detailed explanation of HTTP protocol security-related headers

HTTP security headers are a fundamental part of website security. The HTTP protocol offers several header-based security policies that strengthen a site and reduce the attacks that can be mounted against its users. Deploying these headers helps protect a site against cross-site scripting (XSS), code injection, and clickjacking.

When a user visits a site, the server answers each request with HTTP response headers. These headers tell the browser how to treat the response and how to interact with the site from then on; they carry metadata about the page rather than the page itself. Setting this metadata deliberately lets the server shape the whole exchange and improve security. This article introduces the security-related HTTP headers one by one.

1. Force HTTPS transport, HTTP Strict Transport Security (HSTS)

In networks that hijack traffic to inject advertisements or bounce the user through several redirects, HSTS removes the cleartext hop those attacks depend on, so the problem is largely eliminated. It also defeats the downgrade attack in which an attacker keeps the victim on http while talking https to the real server (SSL stripping).

The server enables the policy by sending the response header:

  Strict-Transport-Security: max-age=31536000; includeSubDomains

Once a site (Baidu, say) has enabled the policy and the browser holds an unexpired copy of it, typing baidu.com into the address bar no longer produces the chain baidu.com--->http://www.baidu.com--->https://www.baidu.com with a cleartext request in the middle: the browser rewrites the URL to https before sending anything, so the connection is encrypted from the first byte and ends at https://www.baidu.com. The very first visit to a site is the exception, because the browser has not yet seen the header; the preload directive together with the browsers' built-in preload list closes that gap.

The policy is bound to the host name, not to a port. When the browser upgrades an http URL, an explicit port 80 is rewritten to 443, and any other explicit port is kept with only the scheme changed to https (RFC 6797). Browsers also honour the header only when it arrives over an HTTPS connection without certificate errors; sent over plain HTTP it is ignored.

Some sites are still not fully HTTPS, for example images are served over plain http because TLS costs server resources. HSTS upgrades those sub-resources only for the hosts it covers (the site itself, plus its subdomains when includeSubDomains is set); an image fetched from an uncovered host still travels in cleartext, and a man-in-the-middle can still replace what the user sees.
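To make the upgrade rules concrete, here is an added example in Python (not code from the original article) that models how a browser stores and applies HSTS policies: it parses the header, honours it only when received over TLS, matches subdomains when includeSubDomains is present, expires the policy after max-age, and rewrites ports the way RFC 6797 prescribes. The host names and timestamps are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    host: str
    max_age: int            # seconds the policy stays valid
    include_subdomains: bool
    received_at: float      # Unix time the header was seen


def parse_hsts(header_value: str, host: str, now: float) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).
    Directive names are case-insensitive, unknown directives (such as
    preload) are ignored by the UA, and max-age is mandatory."""
    max_age = None
    include_subdomains = False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None            # malformed: the UA ignores the header
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return HstsPolicy(host.lower(), max_age, include_subdomains, now)


class HstsStore:
    """Minimal model of a browser's HSTS host store."""

    def __init__(self) -> None:
        self.policies: Dict[str, HstsPolicy] = {}

    def learn(self, host: str, header_value: str, now: float, over_tls: bool = True) -> None:
        # Section 8.1: the header only counts when received over an
        # error-free TLS connection; over plain HTTP it is discarded.
        if not over_tls:
            return
        policy = parse_hsts(header_value, host, now)
        if policy is None:
            return
        if policy.max_age == 0:
            self.policies.pop(policy.host, None)   # max-age=0 removes the host
        else:
            self.policies[policy.host] = policy

    def is_known(self, host: str, now: float) -> bool:
        """True if host, or a superdomain with includeSubDomains, has an unexpired policy."""
        host = host.lower()
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self.policies.get(candidate)
            if policy is None or now - policy.received_at > policy.max_age:
                continue
            if candidate == host or policy.include_subdomains:
                return True
        return False

    def upgrade(self, url: str, now: float) -> str:
        """Rewrite an http URL to https before it is sent (section 8.3)."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname or "", now):
            return url
        netloc = parts.hostname or ""
        # An explicit port 80 becomes 443; any other explicit port is preserved.
        if parts.port is not None and parts.port != 80:
            netloc += f":{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed demonstration: the header from the article, seen at t=1000.
    store = HstsStore()
    store.learn("baidu.com", "max-age=31536000; includeSubDomains", now=1000.0)
    for url in ("http://www.baidu.com/", "http://baidu.com:80/", "http://baidu.com:8080/api"):
        print(url, "->", store.upgrade(url, now=2000.0))
```

The store deliberately keeps the two rules that trip people up in practice: a policy learned over plain http is thrown away, and a subdomain is only covered when the parent's policy carries includeSubDomains.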

2. Content Security Policy (CSP)

The HTTP Content-Security-Policy response header gives website administrators control over which resources the browser is allowed to load for their pages. In other words, you publish an allowlist of the content sources your site may use.

Content Security Policy prevents cross-site scripting and other code injection attacks. While it doesn't completely eliminate the possibility of them, it does minimize the damage. Most major browsers support CSP, so compatibility isn't a problem.

  Content-Security-Policy: <policy-directive>; <policy-directive>

3. Browser-side XSS filtering, X-XSS-Protection

Asks the browser's built-in reflected-XSS filter to protect the user (it was enabled by default in Chrome when this article was written). That filter has since been removed: Chrome dropped its XSS Auditor in version 78, Edge followed, and Firefox never implemented one, so the header has no effect in current browsers. If it is set at all, current guidance is to send X-XSS-Protection: 0 and rely on CSP instead.

Server configuration response header (either form):

  X-XSS-Protection: 1; mode=block
  X-XSS-Protection: 1; report=http://[YOURDOMAIN]/your_report_URI


4. Prevent websites from being nested, X-Frame-Options

If the site can be embedded in a frame on another site, attacks such as clickjacking become possible: the attacker overlays the invisible framed page on bait content so that the user's clicks land on the victim site.

Server configuration response header (one of the three values):

  X-Frame-Options: DENY
  X-Frame-Options: SAMEORIGIN
  X-Frame-Options: ALLOW-FROM https://DOMAIN

ALLOW-FROM takes a full URI (not "allow-from: DOMAIN") and is obsolete: it was only ever supported by old Internet Explorer and Firefox, and current browsers ignore it, which leaves the page frameable from anywhere. Use the CSP frame-ancestors directive instead when a specific third party must be allowed.

Because X-Frame-Options SAMEORIGIN compares the framed page only with the top-level window, it can be bypassed with several layers of nesting: if a victim.example page frames a page on hacker.example, which in turn frames victim.example (victim{hacker{victim}}), the top window and the inner frame share an origin, so the check passes even though the attacker controls the page in between.

JavaScript frame-busting is no substitute either. A script along the lines of "if the page is not the top window, navigate the top window to this page" can be defeated in two ways: the attacker's outer page can register an onbeforeunload handler that cancels the navigation the frame-buster triggers, or it can load the victim in an iframe carrying the sandbox attribute, which disables the victim's JavaScript altogether.

Therefore pair X-Frame-Options with the CSP rule Content-Security-Policy: frame-ancestors 'self'; which checks every ancestor in the frame chain rather than only the top window, and which takes precedence over X-Frame-Options in browsers that support it.
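An added example in Python (not from the original article) that models the two framing checks side by side: X-Frame-Options SAMEORIGIN compared against the top window only, versus CSP frame-ancestors checked against every ancestor. The chain victim{hacker{victim}} described above is reproduced with constructed host names victim.example and hacker.example; the matching is a simplified model of browser behaviour, with no path matching.

```python
from typing import List, Tuple
from urllib.parse import urlsplit

Origin = Tuple[str, str, int]


def origin(url: str) -> Origin:
    """(scheme, host, port) with the default port filled in."""
    p = urlsplit(url)
    port = p.port or {"https": 443, "http": 80}[p.scheme]
    return (p.scheme, p.hostname or "", port)


def xfo_allows(value: str, framed_url: str, ancestors: List[str]) -> bool:
    """Model of X-Frame-Options.

    `ancestors` lists the framing documents from the top-level window down to
    the immediate parent; an empty list means the page is not framed at all.
    SAMEORIGIN (and the obsolete ALLOW-FROM) look only at the top-level
    window, as the article describes, so intermediate frames go unchecked."""
    if not ancestors:
        return True
    top = ancestors[0]
    token = value.strip().upper()
    if token == "DENY":
        return False
    if token == "SAMEORIGIN":
        return origin(top) == origin(framed_url)
    if token.startswith("ALLOW-FROM"):
        allowed = value.strip()[len("ALLOW-FROM"):].strip()
        return origin(top) == origin(allowed)
    return True   # unrecognised value: browsers ignore the header


def _source_matches(source: str, framed_url: str, ancestor_url: str) -> bool:
    """Match one frame-ancestors source expression against one ancestor.
    Supports 'none', 'self', and scheme://host with an optional *. wildcard."""
    if source == "'none'":
        return False
    if source == "'self'":
        return origin(ancestor_url) == origin(framed_url)
    scheme, _, host = source.lower().partition("://")
    anc = urlsplit(ancestor_url)
    if anc.scheme != scheme:
        return False
    anc_host = anc.hostname or ""
    if host.startswith("*."):
        return anc_host.endswith(host[1:])
    return anc_host == host


def frame_ancestors_allows(sources: List[str], framed_url: str, ancestors: List[str]) -> bool:
    """CSP frame-ancestors: every ancestor in the chain must match some source."""
    return all(any(_source_matches(s, framed_url, a) for s in sources) for a in ancestors)


if __name__ == "__main__":
    # Constructed chain: victim.example at the top frames a hacker.example page,
    # which frames the victim's account page again (victim{hacker{victim}}).
    victim = "https://victim.example/account"
    chain = ["https://victim.example/", "https://hacker.example/bait"]
    print("X-Frame-Options: SAMEORIGIN allows:", xfo_allows("SAMEORIGIN", victim, chain))
    print("frame-ancestors 'self' allows:    ", frame_ancestors_allows(["'self'"], victim, chain))
```

Run as a script, the first line prints True and the second False, which is the whole argument for shipping frame-ancestors alongside X-Frame-Options.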

5. Configure multiple security policies, Content-Security-Policy

Many directives are available: script-src, frame-src, img-src, frame-ancestors, and so on, each taking its own list of allowed sources. (The referrer directive that once belonged to CSP has been dropped; referrer behaviour is now controlled by the separate Referrer-Policy header.)

Server configuration response header:

  Content-Security-Policy: script-src 'self'
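The following added Python example (not code from the article) serves both CSP sections above: it parses a Content-Security-Policy header, decides whether a given script URL would be allowed under script-src with the fallback to default-src, and flags the source expressions that make a policy useless against injected scripts. Source matching is a simplified version of the specification's algorithm (no path matching, no nonces or hashes), and the policies, page and script URLs are constructed for the demonstration.

```python
from typing import Dict, List, Optional
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def parse_csp(header_value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}.
    Names are case-insensitive; when a directive is repeated, the first
    occurrence wins and later copies are ignored, as the spec requires."""
    policy: Dict[str, List[str]] = {}
    for token in header_value.split(";"):
        parts = token.split()
        if parts and parts[0].lower() not in policy:
            policy[parts[0].lower()] = parts[1:]
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Fetch directives fall back to default-src; None means unrestricted."""
    return policy.get(directive, policy.get("default-src"))


def _origin(url: str):
    p = urlsplit(url)
    return (p.scheme, p.hostname or "", p.port or DEFAULT_PORTS.get(p.scheme))


def source_allows(source: str, page_url: str, resource_url: str) -> bool:
    """Simplified source-expression matching: keywords, scheme sources, and
    host sources with optional scheme, *. wildcard and port."""
    src = source.lower()
    res = urlsplit(resource_url)
    if src == "'self'":
        return _origin(page_url) == _origin(resource_url)
    if src.startswith("'"):                      # 'none', 'unsafe-inline', nonce/hash: never match a URL
        return False
    if src.endswith(":") and "://" not in src:   # scheme source such as https:
        return res.scheme == src[:-1]
    if "://" in src:
        scheme, rest = src.split("://", 1)
        if res.scheme != scheme:
            return False
    else:
        rest = src
        # No scheme given: the page's scheme, or its https upgrade, is implied.
        if res.scheme not in (urlsplit(page_url).scheme, "https"):
            return False
    host, _, port = rest.split("/", 1)[0].partition(":")
    res_host = res.hostname or ""
    if host == "*":
        pass
    elif host.startswith("*."):
        if not res_host.endswith(host[1:]):
            return False
    elif res_host != host:
        return False
    if port and port != "*":
        res_port = res.port or DEFAULT_PORTS.get(res.scheme)
        if str(res_port) != port:
            return False
    return True


def script_allowed(policy: Dict[str, List[str]], page_url: str, script_url: str) -> bool:
    sources = effective_sources(policy, "script-src")
    if sources is None:
        return True
    return any(source_allows(s, page_url, script_url) for s in sources)


def lint_scripts(policy: Dict[str, List[str]]) -> List[str]:
    """Flag source expressions that defeat CSP's purpose against injected scripts."""
    findings: List[str] = []
    sources = effective_sources(policy, "script-src")
    if sources is None:
        return ["no script-src and no default-src: script loading is unrestricted"]
    for s in sources:
        low = s.lower()
        if low == "'unsafe-inline'":
            findings.append("'unsafe-inline' lets injected <script> blocks and event handlers run")
        elif low == "'unsafe-eval'":
            findings.append("'unsafe-eval' lets eval()/Function() execute attacker-controlled strings")
        elif low in ("*", "http:", "https:", "data:"):
            findings.append(f"{s} is effectively an open allowlist for scripts")
    return findings


if __name__ == "__main__":
    # Constructed policy and page for the demonstration.
    policy = parse_csp("default-src 'self'; script-src 'self' https://cdn.example.com; frame-ancestors 'self'")
    page = "https://www.example.com/index.html"
    for script in ("https://www.example.com/app.js", "https://cdn.example.com/lib.js", "https://evil.example.net/x.js"):
        print(script, "allowed:", script_allowed(policy, page, script))
    print(lint_scripts(parse_csp("script-src 'self' 'unsafe-inline' *")))
```

Two behaviours are worth noticing: a policy that only names img-src leaves scripts unrestricted, because script-src falls back to default-src and no default-src is present; and a reflected XSS payload injected as an inline <script> block is stopped by 'self' alone, since inline code matches no URL source unless 'unsafe-inline' is listed.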


6. Response content detection, X-Content-Type-Options

Some servers do not set Content-Type on a response, so the browser inspects the bytes and guesses the type itself (MIME sniffing). Older IE and Chrome would go further and override a declared type or guess the character set, which is what made the IE UTF-7 XSS bypass possible: a page with no declared charset could be auto-detected as UTF-7, so a payload written as +ADw-script+AD4- slipped past filters that looked for the literal characters < and >. X-Content-Type-Options: nosniff makes the browser trust the declared type instead of guessing, and it also blocks scripts and stylesheets whose declared type is not JavaScript or CSS. The charset half of the problem is fixed by always declaring one, for example Content-Type: text/html; charset=utf-8.

Server configuration response header:

  X-Content-Type-Options: nosniff
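Bringing the headers of this article together, here is an added example in Python (not code from the original article) of the check a practitioner would run over a site's response headers: it reports each header that is missing or set to a weak or obsolete value, using the thresholds discussed above. The two header sets at the bottom are constructed samples, not captured responses.

```python
import re
from typing import Dict, List, Tuple

ONE_YEAR = 31536000


def audit_headers(headers: Dict[str, str]) -> List[Tuple[str, str]]:
    """Report missing or weak values among the response headers covered in
    this article. `headers` maps header names (any case) to values, as a
    test client or reverse proxy returns them. Returns (header, finding)
    tuples; an empty list means nothing to report."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings: List[Tuple[str, str]] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("Strict-Transport-Security", "missing: http requests are not upgraded, downgrade attacks remain possible"))
    else:
        m = re.search(r'max-age="?(\d+)', hsts, re.I)
        if m is None:
            findings.append(("Strict-Transport-Security", "no max-age directive: browsers ignore the header"))
        elif int(m.group(1)) < ONE_YEAR:
            findings.append(("Strict-Transport-Security", f"max-age={m.group(1)} is below the one-year value usually recommended"))
        if "includesubdomains" not in hsts.lower():
            findings.append(("Strict-Transport-Security", "includeSubDomains not set: subdomains can still be downgraded"))

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append(("Content-Security-Policy", "missing: no allowlist for scripts or frames"))
    elif "frame-ancestors" not in csp.lower():
        findings.append(("Content-Security-Policy", "no frame-ancestors: framing is controlled only by X-Frame-Options"))

    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append(("X-Frame-Options", "missing: any site may frame the page (clickjacking)"))
    elif xfo.upper().startswith("ALLOW-FROM"):
        findings.append(("X-Frame-Options", "ALLOW-FROM is obsolete and ignored by current browsers; use frame-ancestors"))
    elif xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(("X-Frame-Options", f"unrecognised value {xfo!r}: browsers ignore the header"))

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("X-Content-Type-Options", "nosniff not set: the browser may sniff the MIME type"))

    if "charset=" not in h.get("content-type", "").lower():
        findings.append(("Content-Type", "no charset declared: the browser guesses the encoding (UTF-7 style bypasses)"))

    xss = h.get("x-xss-protection")
    if xss is not None and xss != "0":
        findings.append(("X-XSS-Protection", "legacy header: the filter it enabled has been removed from current browsers; rely on CSP"))

    return findings


# Constructed sample: the headers from this article set as recommended.
GOOD_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'self'",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
}

# Constructed sample: a weak configuration of the same headers.
WEAK_RESPONSE = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=86400",
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
    "X-XSS-Protection": "1; mode=block",
}

if __name__ == "__main__":
    for label, response in (("good", GOOD_RESPONSE), ("weak", WEAK_RESPONSE)):
        print(label, "->", len(audit_headers(response)), "findings")
        for header, finding in audit_headers(response):
            print("  ", header + ":", finding)
```

The checks are deliberately conservative: they only report what the headers themselves reveal, so a clean result means the headers are present and sane, not that the policy behind them (the CSP source list in particular) is tight.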


As the Internet comes to carry an ever larger part of daily life, a careless site exposes its users to criminals. The move to deploy SSL/TLS certificates on websites is unstoppable, and Digital Security Times recommends that webmasters and corporate site managers deploy suitable certificates for their websites as soon as possible.
