Table of contents
- 1. X-Content-Type-Options Header
- 2. Reflected File Download (RFD)
- 3. CORS Deception
- 4. Clickjacking
- 5. XSS (Cross-Site Scripting)
- 6. SSL/TLS Stripping (MITM)
- 7. Cookie Hijacking
- 8. CSRF (Cross-Site Request Forgery)
- 9. Information Disclosure Attacks
- Cache-Control Header
- Content-Disposition Header
- Cross-Origin Resource Policy (CORP)
- Extra HTTP Header Injection
- Content-Encoding Header
- Access-Control-Allow-Origin Header
- X-Rate-Limit and X-Forwarded Headers
- X-Content-Type-Options Header
- XSS and CSRF Protection
- Content-Security-Policy (CSP)
1. X-Content-Type-Options Header
The X-Content-Type-Options
header prevents browsers from performing MIME sniffing, which could lead to security vulnerabilities.
Policies
nosniff
-> Blocks a request if the MIME type does not match the resource type (e.g., blocking scripts that are not served with the correct MIME type).
Attack Scenario
An attacker serves a malicious script file as a CSS file. Without nosniff
, the browser might execute it, assuming it is a script.
Defending on Apache
Header set X-Content-Type-Options "nosniff"
Defending on Nginx
add_header X-Content-Type-Options "nosniff";
2. Reflected File Download (RFD)
RFD is an attack where the attacker tricks the victim into downloading a malicious file by exploiting vulnerabilities in the application.
Detecting Reflected XSS
Proper security headers (like X-Content-Type-Options
) help mitigate RFD by ensuring proper content type handling.
Misconfigure
Without the proper configuration, a web server may allow reflected file download attacks, putting users at risk.
Defending on Apache/Nginx
Ensure headers like X-Content-Type-Options
are correctly configured to prevent content type misinterpretation.
3. CORS Deception
Improper Cross-Origin Resource Sharing (CORS) can allow unauthorized access to sensitive resources across different origins, leading to security breaches.
Attack Scenario
An attacker could exploit misconfigured CORS policies to access resources from unauthorized domains.
Defending on Apache
Header set Access-Control-Allow-Origin "https://trusteddomain.com"
Defending on Nginx
add_header Access-Control-Allow-Origin "https://trusteddomain.com";
4. Clickjacking
Clickjacking occurs when a malicious actor overlays a legitimate page with a transparent iframe, tricking users into clicking hidden content.
Policies
X-Frame-Options: DENY
-> Prevents the site from being displayed in an iframe.X-Frame-Options: SAMEORIGIN
-> Allows the site to be framed only by pages from the same origin.
Attack Scenario
A phishing site embeds a banking site in a hidden iframe, tricking users into entering credentials.
Defending on Apache
Header always set X-Frame-Options "DENY"
Defending on Nginx
add_header X-Frame-Options "DENY";
5. XSS (Cross-Site Scripting)
XSS allows attackers to inject malicious scripts into a web page, which can execute in the victim's browser.
Policies
X-XSS-Protection: 1; mode=block
-> Enables XSS filtering in browsers, preventing page rendering when an attack is detected.Content-Security-Policy
-> Restricts which resources (scripts, media, etc.) can be loaded by the browser.
Attack Scenario
An attacker injects malicious JavaScript through a form field, and it executes in the browser of a user visiting the page.
Defending on Apache
Header set X-XSS-Protection "1; mode=block"
Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Defending on Nginx
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "default-src 'self'; script-src 'self'";
6. SSL/TLS Stripping (MITM)
Man-in-the-middle (MITM) attackers may intercept communication between a user and the server by downgrading HTTPS to HTTP, exposing sensitive information.
Policies
Strict-Transport-Security: max-age=31536000; includeSubDomains
-> Instructs the browser to only access the site using HTTPS for a specified time.
Attack Scenario
An attacker intercepts a connection and downgrades it to HTTP, allowing them to steal cookies and session data.
Defending on Apache
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Defending on Nginx
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
7. Cookie Hijacking
An attacker can steal session cookies to impersonate a user and gain unauthorized access.
Policies
Secure
-> Ensures that cookies are only sent over HTTPS.HttpOnly
-> Prevents JavaScript from accessing the cookies.
Attack Scenario
An attacker intercepts cookies on an HTTP connection and uses them to impersonate the user.
Defending on Apache/Nginx
Ensure cookies are configured as Secure
and HttpOnly
in your application and server settings.
8. CSRF (Cross-Site Request Forgery)
CSRF exploits a user's session with a trusted site to perform unauthorized actions on their behalf.
Policies
Referrer-Policy
-> Limits the amount of referrer information shared with third-party websites, reducing exposure to CSRF.
Attack Scenario
An attacker tricks the user into clicking a link that performs an action on a legitimate site without their consent.
Defending on Apache
Header set Referrer-Policy "no-referrer-when-downgrade"
Defending on Nginx
add_header Referrer-Policy "no-referrer-when-downgrade";
9. Information Disclosure Attacks
Information disclosure vulnerabilities allow attackers to gather sensitive information about the server or application that can be used in further attacks.
Policies
Content-Security-Policy: default-src 'self'
-> Ensures that only trusted sources can load content on the page.Referrer-Policy
-> Limits the amount of referrer information sent with requests.
Attack Scenario
An attacker gleans sensitive details about the server or application from misconfigured headers or verbose error messages.
Defending on Apache
Header set Content-Security-Policy "default-src 'self'"
Header set Referrer-Policy "no-referrer"
Defending on Nginx
add_header Content-Security-Policy "default-src 'self'";
add_header Referrer-Policy "no-referrer";
Cache-Control Header
The Cache-Control
header specifies caching policies in both browsers and shared caches. Misconfigurations can lead to sensitive data exposure or cache-related attacks.
Policies
no-cache
-> Forces the browser to validate the response with the origin server before reusing it.no-store
-> Ensures that the response is not stored in caches.
Attack Scenario: Cache Inspection and Deception
An attacker can exploit misconfigured caching to serve outdated or malicious content by tricking the browser into reusing cached responses.
Defending on Apache
Header set Cache-Control "no-store, no-cache, must-revalidate"
Defending on Nginx
add_header Cache-Control "no-store, no-cache, must-revalidate";
Content-Disposition Header
The Content-Disposition
header instructs browsers whether to display content inline or to download it as an attachment.
Policies
inline
-> Instructs the browser to display the file directly in the browser.attachment; filename="file.jpg"
-> Forces the browser to download the file as an attachment with a specific name.
Attack Scenario: RFD and Clickjacking
If improperly configured, attackers can deliver malicious files disguised as legitimate content.
Defending on Apache
Header set Content-Disposition "attachment; filename=securefile.txt"
Defending on Nginx
add_header Content-Disposition "attachment; filename=securefile.txt";
Cross-Origin Resource Policy (CORP)
CORP restricts how a resource can be shared with requests from different origins, preventing unauthorized access to resources.
Policies
same-site
-> Only requests from the same site can access the resource.same-origin
-> Only requests from the same origin (scheme + host + port) can access the resource.cross-origin
-> Any origin can read the resource.
Attack Scenario: XSS, Clickjacking, and CSRF
Without proper cross-origin restrictions, attackers can exploit XSS, clickjacking, or CSRF vulnerabilities by making unauthorized requests to your resources.
Defending on Apache
Header set Cross-Origin-Resource-Policy "same-origin"
Defending on Nginx
add_header Cross-Origin-Resource-Policy "same-origin";
Extra HTTP Header Injection
Improper handling of headers allows attackers to inject arbitrary headers, leading to cache poisoning, XSS, and other injection-based attacks.
Attack Scenario: Cache Poisoning and Header Injection
An attacker injects malicious headers, potentially overriding cache policies, allowing poisoned or malicious content to be served to users.
Defending on Apache
Ensure that input is sanitized and that headers are properly validated before being set.
Defending on Nginx
Sanitize all user inputs and avoid exposing sensitive data through headers.
Content-Encoding Header
The Content-Encoding
header specifies the type of encoding applied to the content (e.g., gzip
, compress
, deflate
, br
).
Policies
gzip
,compress
,deflate
,br
-> Compression methods applied to the content for transfer over the network.
Attack Scenario: DDoS and Network Eavesdropping
If content encoding is misconfigured, attackers could cause network issues by sending compressed payloads or even exploit vulnerabilities in the compression algorithms.
Defending on Apache
AddOutputFilterByType DEFLATE text/html text/plain text/xml
Defending on Nginx
gzip on;
gzip_types text/plain application/xml;
Access-Control-Allow-Origin Header
This header defines which origins are allowed to access a resource via cross-origin requests.
Policies
*
-> Allows all origins (risky).<origin>
-> Allows requests only from a specific origin.
Attack Scenario: Cross-Origin XSS and Host Header Injection
An attacker may inject malicious headers, causing the server to accept unauthorized cross-origin requests, leading to data leakage or XSS attacks.
Defending on Apache
Header set Access-Control-Allow-Origin "https://trustedsite.com"
Defending on Nginx
add_header Access-Control-Allow-Origin "https://trustedsite.com";
X-Rate-Limit and X-Forwarded Headers
X-Rate-Limit
-> Controls the rate limit for requests from clients.X-Forwarded-IP
-> Captures the real IP address of the client when using a proxy or load balancer.
Attack Scenario: Ratelimit Bypass
Attackers may attempt to bypass rate limits by spoofing IP addresses, leading to abuse of server resources.
Defending on Apache
Implement rate-limiting modules like mod_ratelimit
and ensure that forwarded IPs are logged correctly.
Defending on Nginx
limit_req zone=one burst=5 nodelay;
X-Content-Type-Options Header
Prevents browsers from performing MIME type sniffing, which can prevent attacks like XSS and clickjacking.
Policies
nosniff
-> Prevents the browser from guessing the MIME type and executing malicious scripts.
Attack Scenario: XSS and Clickjacking
An attacker can serve a script as a different file type (e.g., CSS) and trick the browser into executing it, leading to XSS.
Defending on Apache
Header set X-Content-Type-Options "nosniff"
Defending on Nginx
add_header X-Content-Type-Options "nosniff";
XSS and CSRF Protection
Preventing cross-site scripting (XSS) and cross-site request forgery (CSRF) requires multiple headers like X-XSS-Protection
, Content-Security-Policy
, and proper origin policies.
Attack Scenario: XSS, CSRF, and Host Header Injection
If not properly configured, attackers can inject scripts or forge requests, leading to session hijacking or data exfiltration.
Defending on Apache
Header set X-XSS-Protection "1; mode=block"
Header set Content-Security-Policy "default-src 'self';"
Defending on Nginx
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "default-src 'self';";
Content-Security-Policy (CSP)
CSP restricts which resources (scripts, styles, media) a browser can load, helping to prevent XSS and data injection attacks.
Policies
default-src 'self'
-> Allows resources only from the site's own origin.script-src 'self'
-> Allows only trusted scripts from the site’s origin.
Attack Scenario: XSS and Data Exfiltration
If CSP is misconfigured or missing, an attacker can inject scripts that steal data or deface the site.
Defending on Apache
Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Defending on Nginx
add_header Content-Security-Policy "default-src 'self'; script-src 'self'";