Strengthening Your Web Apps: A Guide to HTTP Security Headers

-

 


There is a certain set of standard HTTP headers that every website should ideally set to provide a basic level of security. This note discusses such headers and how to set them on sites deployed in Netlify.

Common security headers
First, let’s consider basic HTTP headers - they are common to all requests and provide a basic level of security.

  • The Content-Security-Policy header helps protect your website from cross-site scripting attacks by providing a list of approved content. This header allows you to prohibit the use of content that does not pass the rules or should not be used as content. Setting this header may seem complicated, so if you want to delve into the topic, visit the official website. Example usage:

    Content-Security-Policy: default-src 'https://example.com'; script-src 'unsafe-inline' 'https://example.com'; style-src 'unsafe-inline' 'https://example.com'; object-src 'none'

  • The X-Frame-Options header tells the browser whether you want your site to be in an iframe or not. In most cases, you don’t want this, as it allows the website to be used for clickjacking. The essence of the attack is simple - the visitor is shown a page of your website where they click on a button. In reality, there is another transparent page over this page, on which the visitor actually clicks the button. Example usage:

    X-Frame-Options: DENY

  • The X-XSS-Protection header - in old browsers (mostly in Safari) allows you to protect your site from XSS attacks. Most browsers understand this header and stop loading the page when such attacks are detected. Example usage:

    X-XSS-Protection: 1; mode=block

  • The X-Content-Type-Options header allows you to prevent the browser from analyzing and changing the MIME type of the content. This type of attack checks the content stream to try to determine the format of data files inside it and add its information. Example usage:

    X-Content-Type-Options: nosniff

  • The Referrer-Policy header allows you to specify the browser’s behavior when accessing a page from another domain. Essentially, this header controls how much Referrer information is included in requests. Example usage:

    Referrer-Policy: same-origin

  • The Strict-Transport-Security header allows you to protect your site from redirection to unprotected protocols. It tells browsers to always connect to your site via HTTPS and never connect via HTTP. Example usage:

    Strict-Transport-Security: max-age=31536000; includeSubDomains

  • The Permissions-Policy header informs browsers which browser functions (geolocation, camera, microphone, etc.) are allowed or prohibited on your website. Example usage:

    Permissions-Policy = "geolocation=(), gyroscope=(), magnetometer=()"

Configuring headers in Apache2
There are two ways to set headers in Apache: adding them to the Apache configuration file (apache.conf) or adding a separate config site file.

Apache configuration file apache.conf

<IfModule mod_headers.c>
    # Referrer-Policy
    Header set Referrer-Policy "strict-origin-when-cross-origin"
    # prevent mime based attacks
    Header set X-Content-Type-Options "nosniff"
    # Google adsense, e.g. this CSP "works"
    Header set Content-Security-Policy "frame-ancestors 'self'"
    # Permissions Policy is a new header that allows a site to control which features and APIs can be used in the browser.
    Header set Permissions-Policy "geolocation=(), midi=(), accelerometer=(), sync-xhr=(), microphone=(), camera=(), magnetometer=(),gyroscope=(), fullscreen=(self), payment=(), usb=()"
    # Guarantee HTTPS for 1 Year including Sub Domains 
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    # Sites can use this to avoid click-jacking attacks, by ensuring that their content is not embedded into other sites.
    Header set X-Frame-Options: "sameorigin" # default value
</IfModule>

Conclusions
Setting security headers should give your website an A rating on services like securityheaders.com, and meaningful use should make any security testers take your security level into account.

Configuring content security policies depends on the specific website and may vary, for example, if you use Google Analytics or other third-party scripts. Keep in mind that when implementing any content security policy, you should thoroughly test your website to ensure that all third-party resources and clients still work with it.


Sources:


Comments

Post a Comment

Popular posts from this blog

Installing the Certbot Let’s Encrypt Client for NGINX on Amazon Linux 2

-
Image
Installing the Certbot Let’s Encrypt Client The certbot package is not available through the package manager by default. You will need to enable the  EPEL  repository to install Certbot. sudo yum install epel-release sudo yum install certbot-nginx Set Up NGINX certbot  can automatically configure  NGINX  for SSL/TLS. It looks for and modifies the server block in your  NGINX  configuration that contains a server_name directive with the domain name you’re requesting a certificate for. In our example, the domain is  www.mydomain.com . Assuming you’re starting with a fresh NGINX install, use a text editor to create a file in the  /etc/nginx/conf.d  directory named  domain_name.conf  (so in our example, www.mydomain.com.conf). Specify your domain name (and variants, if any) with the  server_name  directive: server { listen 80 default_server; listen [::]:80 default_server; root /var/www/html; server_name myd...
Read more

psql: error: connection to server at "localhost" (127.0.0.1), port 5433 failed: ERROR: failed to authenticate with backend using SCRAM DETAIL: valid password not found

-
Image
ERROR psql: error: connection to server at "localhost" (127.0.0.1), port 5433 failed: ERROR: failed to authenticate with backend using SCRAM DETAIL: valid password not found Since Pgpool-II is a PostgreSQL proxy that works between clients and PostgreSQL servers, the authentication comprises two steps: Authentication between client and Pgpool-II Authentication between Pgpool-II and PostgreSQL servers Starting with Pgpool-II 4.0, Pgpool-II supports scram-sha-256 authentication. scram-sha-256 authentication method is strongly recommended because it is the most secure password-based authentication method. Solution 1 If PostgreSQL servers require  MD5  or  SCRAM  authentication for some user’s authentication but the password for that user is not present in  pool_passwd , then enabling  allow_clear_text_frontend_auth  will allow the  Pgpool-II  to use clear-text-password authentication with user to get the password in plain text form from the user ...
Read more

Deploy Nuxt.js app using Apache 2

-
  Deploy your dynamic Nuxt.js app Nuxt.js is an amazing server side rendering application framework for Vue.js. In this article we will see how to deploy Nuxt.js application to AWS instance in universal app mode. Where in Nuxt.js you can choose between Universal, Static Generated or Single Page application. Before we start deploying our dynamic app, if you want just to deploy a static website, you can run this command: npm run generate and it will generate the files and put them in  dist  folder which you can upload to any server you want. But this will not work for universal apps. 1. Build your app To build a ssr app you need to run the following command: npm run build The generated files will not be in the  dist  folder as for the static app, but you can find all generated files in  .nuxt  folder which will be the entry point. 2. Upload to the server There are two ways to do this upload your whole application with the source code or just upload the n...
Read more