Back to Home

How to use HTTP headers to prevent vulnerabilities / HOSTING.cafe Blog

information security · apache · nginx · iis · http headers

How to use HTTP headers to prevent vulnerabilities

Original author: Chandan Kumar


Did you know that in most cases, a security vulnerability can be fixed by adding the necessary response headers?

Security is just as important as content or search engine optimization. Thousands of sites are being hacked due to configuration errors or inadequate protection. If you are a site owner or information security specialist, and are interested in protecting the site from clickjacking, code injection, MIME type vulnerabilities, XSS attacks , etc., then this instruction will be useful to you.

In this article, I’ll talk about different HTTP headers for use with various web servers, network peripherals, or content delivery networks to increase site security .

Remarks:


  • Before making changes, I advise you to backup the configuration file;
  • Some headers may not be supported on all browsers, so you should check compatibility before execution ;
  • Mod_headers must be enabled in Apache to use these headers. The following line should be uncommented in the httpd.conf file: LoadModule headers_module modules / mod_headers.so

If you use SUCURI Cloud WAF , then you do not have to worry about setting up the server manually, most of the parameters are already automatically enabled.

HTTP Header List


X-XSS-Protection


HTTP Strict Transport Security


X-frame-options


X-Content-Type-Options


HTTP Public Key Pinning

Content Security Policy


X-XSS-Protection


The X-XSS-Protection header can prevent some XSS attacks (cross-site scripting), it is compatible with IE 8+, Chrome, Opera, Safari and Android.

Google, Facebook, Github use this heading, and most penetration prevention consultants will recommend you use it.

There are four configuration options:
Parameter valueContent
0XSS filter off
1The XSS filter is enabled, and if an attack is detected, the page is censored
1; mode = blockThe XSS filter is turned on and, in the event of an attack, prevents page processing
1; report = http: //example.com/report_URIThe XSS filter is turned on, and if an attack is detected, a violation report is sent

Let's use 1; mode = block for the following web servers.

Apache HTTP Server


Add the following entry in the httpd.conf of your Apache server:

Header set X-XSS-Protection “1; mode=block”

Restart Apache to verify.

Nginx


Add the following to nginx.conf in the HTTP section:

add_header X-XSS-Protection "1; mode=block";

You must restart Nginx so that the changes are reflected in the response header of your site.

Maxcdn


If you use MaxCDN , then adding a title is as easy as shelling pears . Go to Edge Rules, click “New Rule” and select “Add X-XSS-Protection Header” from the drop-down list.



Microsoft IIS


  • Open IIS Manager;
  • Select the site for which you want to include a heading;
  • Go to “HTTP Response Headers”
  • Click “Add” in the action section.
  • Enter a name, value and click OK.



  • Restart IIS to see the results.

HTTP Strict Transport Security


The HSTS (HTTP Strict Transport Security) header ensures that all communication from the browser is over HTTPS (HTTP Secure). This prevents attempts to bypass HTTPS and redirects all HTTP requests to HTTPS.

Before adding this title, make sure that all pages of the site are accessible via HTTPS, otherwise they will not be displayed.

The HSTS header is compatible with the latest versions of most browsers (IE, Firefox, Opera, Safari and Chrome). There are three configuration options.
Parameter valueContent
max ageThe interval (in seconds) to indicate to the browser that requests should only be sent via HTTPS.
includeSubDomainsConfiguration applies to subdomains.
preloadUse if you want to add a domain to a predefined list of HSTS .

As an example, let's configure HSTS for a year and add the domain and subdomains to the predefined list of HSTS.

Apache HTTP Server


To use HSTS in Apache, add the following entry to the httpd.conf file:

Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

Restart Apache to see the result.

Nginx


To configure HSTS in Nginx, add the following entry to nginx.conf in the Server directive (SSL):

add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';

As always, you will have to restart Nginx for verification.

Cloud flare


If you use Cloud Flare, you can enable HSTS in just a couple of mouse clicks.

  • Log in to Cloud Flare and select the desired site.
  • Go to the “Crypto” tab and click “Enable HSTS.”



Select the settings you need, and the changes will take effect immediately.

Microsoft IIS


Launch IIS Manager and add the header by going to “HTTP response headers” for the corresponding site.



Restart the site.

X-frame-options


Title X-Frame-Options to reduce the vulnerability of your site for the Click-Jacking -atak. This heading instructs the browser not to load your page in frame / iframe. Not all browsers support this option, so check the title for compatibility before adding it.

There are three configuration options.
Parameter valueContent
SAMEORIGINAllows loading content in frame / iframe only if the frame and the page loading it are located on the same domain.
DENYPrevents loading content in frame / iframe.
ALLOW-FROMAllows loading content in frames only for a specific URI.

Let's look at how to add a “ DENY ” configuration to prevent embedding.

Apache


Add the following line to httpd.conf and reload the web server to verify:

Header always append X-Frame-Options DENY

Nginx


Add the following to nginx.conf in the Server directive:

add_header X-Frame-Options “DENY”;

A reboot is required to verify the results.

F5 LTM


Create the following iRule for the corresponding virtual server:

when HTTP_RESPONSE {
HTTP::header insert "X-FRAME-OPTIONS" "DENY"
}

You do not need to reboot anything, changes occur automatically.

Wordpress


This title can also be used in WordPress. Add the following to the wp-config.php file:

header(‘X-Frame-Options: DENY’);

If you do not want to make changes to the file, then you can use the plugin according to this instruction .

Microsoft IIS


To add a header, open “HTTP response headers” for the corresponding site.



In order for the changes to appear, you need to restart the site.

X-Content-Type-Options


You can prevent attacks using MIME type spoofing by adding this HTTP response header. The header contains instructions for determining the type of file and does not allow sniffing of content. When configuring, you only need to add one parameter: “nosniff”.

Let's see how to add this header.

Apache


Add the following line to the httpd.conf file:

Header set X-Content-Type-Options nosniff

Remember to restart the Apache web server for the configuration to take effect.

Nginx


Add the following line to the nginx.conf file in the Server directive:

add_header X-Content-Type-Options nosniff;

As usual, you will need to restart Nginx to check the results.

Wordpress


If you use WordPress, then you can use the Security Headers plugin to use this header.

Microsoft IIS


Open IIS and go to the “HTTP response headers” section.
Click “Add,” enter a name and value.



Click OK and restart IIS to verify the result.

HTTP Public Key Pinning


Reduce the risk of a MITM attack (“man in the middle”) with certificate binding. To do this, add the HPKP (HTTP Public Key Pinning) header .

You can bind a public key root certificate or an intermediate certificate. At the time of writing, HPKP support is provided in Firefox and Chrome with the SHA-256 hash algorithm .

There are four configuration options.
Parameter valueContent
report-uri = ”url”Send the report to a specific URL if the link did not succeed. This is an optional parameter.
pin-sha256 = ”sha256key”Define a binding.
max-age =The instructions for the browser to remember the time in seconds during which the site will be accessible only using one of the attached certificates.
IncludeSubDomainsApply for subdomains.

As an example, let's look at the HPKP header for facebook.com:

public-key-pins-report-only:max-age=500; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="; pin-sha256="q4PO2G2cbkZhZ82+JgmRUyGMoAeozA+BSXVXQWB8XWQ="; report-uri=http://reports.fb.com/hpkp/

If you intend to use this on your site, I recommend referring to the manual written by Scott Helme .

Content Security Policy


To prevent XSS attacks, clickjacking, and code injection , you can add a Content Security Policy (CSP) response header. CSP contains instructions for downloading content from authorized sources.

Not all browsers support CSP , so you'll have to check this before using. There are three options for using CSP headers:
  1. Content-Security-Policy - Level 2 / 1.0;
  2. X-Content-Security-Policy - not recommended;
  3. X-Webkit-CSP - not recommended.

If you are still using an outdated option, then you should think about switching to an updated one.

You can set many parameters for the CSP header, and you can learn them at OWASP . I propose to consider the two most common.
Parameter valueContent
default-srcDownload everything from a specific source.
script-srcDownload only scripts from a specific source.

Consider the permission to download any content from the current domain for different web servers.

Apache


Add the following line to the httpd.conf file and restart the web server:

Header set Content-Security-Policy "default-src 'self';"

Nginx


Add the following to the Server section in the nginx.conf file:

add_header Content-Security-Policy "default-src 'self';";

Microsoft IIS


Go to the "HTTP response headers" for the corresponding site in IIS Manager and add the following settings:



I hope that the instructions for using the headers will allow you to increase the safety and security of your web application. If you are looking for a secure IIS web server, then pay attention to WebKnight WAF , where you can implement the above configurations and more.

The last paragraph, for which Chandan Kumar writes these articles , and I translate them:
we will be glad to see you among the visitors of HOSTING.cafe (search for virtual servers , shared hosting and not only) or POISK.hosting (collection of reviews about hosters).

Read Next