HTTP Security Headers

HTTP Security Headers

Table of contents

1. X-Content-Type-Options Header

The X-Content-Type-Options header prevents browsers from performing MIME sniffing, which could lead to security vulnerabilities.

Policies

  • nosniff -> Blocks a request if the MIME type does not match the resource type (e.g., blocking scripts that are not served with the correct MIME type).

Attack Scenario

An attacker serves a malicious script file as a CSS file. Without nosniff, the browser might execute it, assuming it is a script.

Defending on Apache

Header set X-Content-Type-Options "nosniff"

Defending on Nginx

add_header X-Content-Type-Options "nosniff";

2. Reflected File Download (RFD)

RFD is an attack where the attacker tricks the victim into downloading a malicious file by exploiting vulnerabilities in the application.

Detecting Reflected XSS

Proper security headers (like X-Content-Type-Options) help mitigate RFD by ensuring proper content type handling.

Misconfigure

Without the proper configuration, a web server may allow reflected file download attacks, putting users at risk.

Defending on Apache/Nginx

Ensure headers like X-Content-Type-Options are correctly configured to prevent content type misinterpretation.


3. CORS Deception

Improper Cross-Origin Resource Sharing (CORS) can allow unauthorized access to sensitive resources across different origins, leading to security breaches.

Attack Scenario

An attacker could exploit misconfigured CORS policies to access resources from unauthorized domains.

Defending on Apache

Header set Access-Control-Allow-Origin "https://trusteddomain.com"

Defending on Nginx

add_header Access-Control-Allow-Origin "https://trusteddomain.com";

4. Clickjacking

Clickjacking occurs when a malicious actor overlays a legitimate page with a transparent iframe, tricking users into clicking hidden content.

Policies

  • X-Frame-Options: DENY -> Prevents the site from being displayed in an iframe.

  • X-Frame-Options: SAMEORIGIN -> Allows the site to be framed only by pages from the same origin.

Attack Scenario

A phishing site embeds a banking site in a hidden iframe, tricking users into entering credentials.

Defending on Apache

Header always set X-Frame-Options "DENY"

Defending on Nginx

add_header X-Frame-Options "DENY";

5. XSS (Cross-Site Scripting)

XSS allows attackers to inject malicious scripts into a web page, which can execute in the victim's browser.

Policies

  • X-XSS-Protection: 1; mode=block -> Enables XSS filtering in browsers, preventing page rendering when an attack is detected.

  • Content-Security-Policy -> Restricts which resources (scripts, media, etc.) can be loaded by the browser.

Attack Scenario

An attacker injects malicious JavaScript through a form field, and it executes in the browser of a user visiting the page.

Defending on Apache

Header set X-XSS-Protection "1; mode=block"
Header set Content-Security-Policy "default-src 'self'; script-src 'self'"

Defending on Nginx

add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "default-src 'self'; script-src 'self'";

6. SSL/TLS Stripping (MITM)

Man-in-the-middle (MITM) attackers may intercept communication between a user and the server by downgrading HTTPS to HTTP, exposing sensitive information.

Policies

  • Strict-Transport-Security: max-age=31536000; includeSubDomains -> Instructs the browser to only access the site using HTTPS for a specified time.

Attack Scenario

An attacker intercepts a connection and downgrades it to HTTP, allowing them to steal cookies and session data.

Defending on Apache

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

Defending on Nginx

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

An attacker can steal session cookies to impersonate a user and gain unauthorized access.

Policies

  • Secure -> Ensures that cookies are only sent over HTTPS.

  • HttpOnly -> Prevents JavaScript from accessing the cookies.

Attack Scenario

An attacker intercepts cookies on an HTTP connection and uses them to impersonate the user.

Defending on Apache/Nginx

Ensure cookies are configured as Secure and HttpOnly in your application and server settings.


8. CSRF (Cross-Site Request Forgery)

CSRF exploits a user's session with a trusted site to perform unauthorized actions on their behalf.

Policies

  • Referrer-Policy -> Limits the amount of referrer information shared with third-party websites, reducing exposure to CSRF.

Attack Scenario

An attacker tricks the user into clicking a link that performs an action on a legitimate site without their consent.

Defending on Apache

Header set Referrer-Policy "no-referrer-when-downgrade"

Defending on Nginx

add_header Referrer-Policy "no-referrer-when-downgrade";

9. Information Disclosure Attacks

Information disclosure vulnerabilities allow attackers to gather sensitive information about the server or application that can be used in further attacks.

Policies

  • Content-Security-Policy: default-src 'self' -> Ensures that only trusted sources can load content on the page.

  • Referrer-Policy -> Limits the amount of referrer information sent with requests.

Attack Scenario

An attacker gleans sensitive details about the server or application from misconfigured headers or verbose error messages.

Defending on Apache

Header set Content-Security-Policy "default-src 'self'"
Header set Referrer-Policy "no-referrer"

Defending on Nginx

add_header Content-Security-Policy "default-src 'self'";
add_header Referrer-Policy "no-referrer";

Cache-Control Header

The Cache-Control header specifies caching policies in both browsers and shared caches. Misconfigurations can lead to sensitive data exposure or cache-related attacks.

Policies

  • no-cache -> Forces the browser to validate the response with the origin server before reusing it.

  • no-store -> Ensures that the response is not stored in caches.

Attack Scenario: Cache Inspection and Deception

An attacker can exploit misconfigured caching to serve outdated or malicious content by tricking the browser into reusing cached responses.

Defending on Apache

Header set Cache-Control "no-store, no-cache, must-revalidate"

Defending on Nginx

add_header Cache-Control "no-store, no-cache, must-revalidate";

Content-Disposition Header

The Content-Disposition header instructs browsers whether to display content inline or to download it as an attachment.

Policies

  • inline -> Instructs the browser to display the file directly in the browser.

  • attachment; filename="file.jpg" -> Forces the browser to download the file as an attachment with a specific name.

Attack Scenario: RFD and Clickjacking

If improperly configured, attackers can deliver malicious files disguised as legitimate content.

Defending on Apache

Header set Content-Disposition "attachment; filename=securefile.txt"

Defending on Nginx

add_header Content-Disposition "attachment; filename=securefile.txt";

Cross-Origin Resource Policy (CORP)

CORP restricts how a resource can be shared with requests from different origins, preventing unauthorized access to resources.

Policies

  • same-site -> Only requests from the same site can access the resource.

  • same-origin -> Only requests from the same origin (scheme + host + port) can access the resource.

  • cross-origin -> Any origin can read the resource.

Attack Scenario: XSS, Clickjacking, and CSRF

Without proper cross-origin restrictions, attackers can exploit XSS, clickjacking, or CSRF vulnerabilities by making unauthorized requests to your resources.

Defending on Apache

Header set Cross-Origin-Resource-Policy "same-origin"

Defending on Nginx

add_header Cross-Origin-Resource-Policy "same-origin";

Extra HTTP Header Injection

Improper handling of headers allows attackers to inject arbitrary headers, leading to cache poisoning, XSS, and other injection-based attacks.

Attack Scenario: Cache Poisoning and Header Injection

An attacker injects malicious headers, potentially overriding cache policies, allowing poisoned or malicious content to be served to users.

Defending on Apache

Ensure that input is sanitized and that headers are properly validated before being set.

Defending on Nginx

Sanitize all user inputs and avoid exposing sensitive data through headers.


Content-Encoding Header

The Content-Encoding header specifies the type of encoding applied to the content (e.g., gzip, compress, deflate, br).

Policies

  • gzip, compress, deflate, br -> Compression methods applied to the content for transfer over the network.

Attack Scenario: DDoS and Network Eavesdropping

If content encoding is misconfigured, attackers could cause network issues by sending compressed payloads or even exploit vulnerabilities in the compression algorithms.

Defending on Apache

AddOutputFilterByType DEFLATE text/html text/plain text/xml

Defending on Nginx

gzip on;
gzip_types text/plain application/xml;

Access-Control-Allow-Origin Header

This header defines which origins are allowed to access a resource via cross-origin requests.

Policies

  • * -> Allows all origins (risky).

  • <origin> -> Allows requests only from a specific origin.

Attack Scenario: Cross-Origin XSS and Host Header Injection

An attacker may inject malicious headers, causing the server to accept unauthorized cross-origin requests, leading to data leakage or XSS attacks.

Defending on Apache

Header set Access-Control-Allow-Origin "https://trustedsite.com"

Defending on Nginx

add_header Access-Control-Allow-Origin "https://trustedsite.com";

X-Rate-Limit and X-Forwarded Headers

  • X-Rate-Limit -> Controls the rate limit for requests from clients.

  • X-Forwarded-IP -> Captures the real IP address of the client when using a proxy or load balancer.

Attack Scenario: Ratelimit Bypass

Attackers may attempt to bypass rate limits by spoofing IP addresses, leading to abuse of server resources.

Defending on Apache

Implement rate-limiting modules like mod_ratelimit and ensure that forwarded IPs are logged correctly.

Defending on Nginx

limit_req zone=one burst=5 nodelay;

X-Content-Type-Options Header

Prevents browsers from performing MIME type sniffing, which can prevent attacks like XSS and clickjacking.

Policies

  • nosniff -> Prevents the browser from guessing the MIME type and executing malicious scripts.

Attack Scenario: XSS and Clickjacking

An attacker can serve a script as a different file type (e.g., CSS) and trick the browser into executing it, leading to XSS.

Defending on Apache

Header set X-Content-Type-Options "nosniff"

Defending on Nginx

add_header X-Content-Type-Options "nosniff";

XSS and CSRF Protection

Preventing cross-site scripting (XSS) and cross-site request forgery (CSRF) requires multiple headers like X-XSS-Protection, Content-Security-Policy, and proper origin policies.

Attack Scenario: XSS, CSRF, and Host Header Injection

If not properly configured, attackers can inject scripts or forge requests, leading to session hijacking or data exfiltration.

Defending on Apache

Header set X-XSS-Protection "1; mode=block"
Header set Content-Security-Policy "default-src 'self';"

Defending on Nginx

add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "default-src 'self';";

Content-Security-Policy (CSP)

CSP restricts which resources (scripts, styles, media) a browser can load, helping to prevent XSS and data injection attacks.

Policies

  • default-src 'self' -> Allows resources only from the site's own origin.

  • script-src 'self' -> Allows only trusted scripts from the site’s origin.

Attack Scenario: XSS and Data Exfiltration

If CSP is misconfigured or missing, an attacker can inject scripts that steal data or deface the site.

Defending on Apache

Header set Content-Security-Policy "default-src 'self'; script-src 'self'"

Defending on Nginx

add_header Content-Security-Policy "default-src 'self'; script-src 'self'";