This page contains a list of very useful security headers. These headers can be used as an additional measure of security against an array of web application attacks. This content was contributed by bitcomsec.org. You can find out more from their site at:

http://blog.bitcomsec.org/post/72218879334/using-secure-headers-to-protect-your-users-and-bitcoin

http://blog.bitcomsec.org/post/72291759802/example-implementation-of-security-based-header

Table of Contents

[TOC]

What are security headers?

HTTP header fields are components of the message header of requests and responses in the Hypertext Transfer Protocol (HTTP). They define the operating parameters of an HTTP transaction. (from Wikipedia)

Please note that certain web browsers do not offer full support for some of these headers. These headers should not be your application's only mitigation against attacks such as Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), Clickjacking, and others.

X-FRAME-OPTIONS

This header provides protection against Clickjacking, an attack method involving the use of hidden iframes. These hidden iframes can be 'redressed' to align perfectly with a login form and intercept your authentication credentials. Setting this header can prevent your site from being loaded inside an iframe. Here are examples:

X-Frame-Options: SAMEORIGIN (allow iframes from the same origin)

X-Frame-Options: DENY (deny all iframes)

X-Frame-Options: ALLOW-FROM https://domain.com (allows iframes from one specific origin; the value takes a URI with no colon after ALLOW-FROM, and only some browsers honour this form)

X-XSS-Protection: 1; mode=block

This header was implemented by IE8+ back in 2008, and although some browsers have adopted it, most of them probably do not enforce it. By setting this option you instruct whatever browser the user is using to activate its XSS filter, if it has one built in.

X-Content-Type-Options: nosniff

Another header introduced by IE and adopted by Chrome. It counters drive-by downloads of files with arbitrary names that the browser might otherwise execute as executables or dynamic HTML files. The underlying issue is called "MIME sniffing".

Strict-Transport-Security: max-age=16070400; includeSubDomains

This feature does a great job at forcing browsers to use https:// for all future requests. There are times when you set up a site to work under HTTPS but your application ends up sending sensitive information over a plaintext protocol because of programming or human error. With this enabled, plaintext communications will be kept to an absolute minimum.

Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP

This powerful header allows you to specifically define what dynamic resources your site is allowed to load and execute in your users' web browsers. Implementing this header on big sites becomes problematic because of all the testing you need to do to ensure you do not break your web application. However, implementing it can be rather painless and empowering for your organization using CspBuilder.info.

CspBuilder.info provides you with a strict CSP header to implement on your site, with one catch: instead of blocking requests it allows them, but reports any violations to the CspBuilder.info website instantly. Example:

Content-Security-Policy-Report-Only: default-src 'none'; script-src 'none'; style-src 'none'; img-src 'none'; connect-src 'none'; font-src 'none'; object-src 'none'; media-src 'none'; frame-src 'none'; sandbox; report-uri http://cspbuilder.info/report/[example id]/

The header above flags every external request as a violation: no remote JavaScript loading, images, frames, objects, connections, or scripts. All violations will be reported to your dynamically generated cspbuilder.info URL. Run your site for a day during heavy traffic, and when you are ready to see your custom generated CSP header go to the URL you were given. In this case: http://cspbuilder.info/report/[example id]/

Now grab your new CSP header and add it to your server configuration. It will now block external loads, and with them a large portion of attacks.
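To make the report-only workflow concrete, here is an added Python example (not part of the original page and not CspBuilder's code) that does in miniature what a report endpoint does: it parses the JSON violation reports browsers POST to the report-uri, groups the blocked origins per directive, keeps inline/eval hits aside for manual review instead of whitelisting them, and renders a deny-by-default policy from what was observed. The sample reports, host names and the directive list are constructed for the example.

```python
import json
from urllib.parse import urlsplit

# Constructed sample violation reports in the JSON shape a browser POSTs to the
# report-uri endpoint (a "csp-report" object carrying document-uri,
# violated-directive and blocked-uri). Made up for this example, not real traffic.
SAMPLE_REPORTS = [
    '{"csp-report":{"document-uri":"https://shop.example.org/cart",'
    '"violated-directive":"script-src \'none\'","blocked-uri":"https://cdn.example.net/app.js"}}',
    '{"csp-report":{"document-uri":"https://shop.example.org/cart",'
    '"violated-directive":"script-src \'none\'","blocked-uri":"https://cdn.example.net/vendor.js"}}',
    '{"csp-report":{"document-uri":"https://shop.example.org/",'
    '"violated-directive":"img-src \'none\'","blocked-uri":"https://shop.example.org/logo.png"}}',
    '{"csp-report":{"document-uri":"https://shop.example.org/",'
    '"violated-directive":"style-src \'none\'","blocked-uri":"https://fonts.example.com/css"}}',
    '{"csp-report":{"document-uri":"https://shop.example.org/",'
    '"violated-directive":"script-src \'none\'","blocked-uri":"inline"}}',
    'not json at all',  # a malformed report that must be skipped, not crash the aggregator
]

# Directives emitted in the generated policy, in a fixed order (chosen for this example).
DIRECTIVE_ORDER = ["script-src", "style-src", "img-src", "connect-src",
                   "font-src", "object-src", "media-src", "frame-src"]


def origin_of(uri):
    """Reduce a URI to scheme://host[:port]; CSP source lists are written per origin."""
    parts = urlsplit(uri)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}"


def parse_report(raw):
    """Return (directive, document_origin, blocked_uri) or None for a malformed report."""
    try:
        body = json.loads(raw)["csp-report"]
        directive = body["violated-directive"].split()[0]
        return directive, origin_of(body["document-uri"]), body["blocked-uri"]
    except (ValueError, KeyError, IndexError, TypeError, AttributeError):
        return None


def aggregate(reports):
    """Group blocked origins per directive; keep inline/eval hits aside for manual review."""
    allowed = {}
    needs_review = []
    for raw in reports:
        parsed = parse_report(raw)
        if parsed is None:
            continue
        directive, doc_origin, blocked = parsed
        if blocked in ("inline", "eval"):
            # Never whitelist these automatically: 'unsafe-inline' / 'unsafe-eval'
            # would reopen the XSS hole the policy is meant to close.
            needs_review.append((directive, blocked))
            continue
        origin = origin_of(blocked)
        if origin is None:
            continue
        source = "'self'" if origin == doc_origin else origin
        allowed.setdefault(directive, set()).add(source)
    return allowed, needs_review


def build_policy(allowed):
    """Render a strict policy: deny by default, allow only the origins that were observed."""
    parts = ["default-src 'none'"]
    for directive in DIRECTIVE_ORDER:
        sources = sorted(allowed.get(directive, set()))
        value = " ".join(sources) if sources else "'none'"
        parts.append(f"{directive} {value}")
    return "; ".join(parts)


if __name__ == "__main__":
    observed, review = aggregate(SAMPLE_REPORTS)
    print("Content-Security-Policy: " + build_policy(observed))
    for directive, kind in review:
        print(f"review needed: {directive} triggered by {kind} code")
```

The inline hit on script-src is deliberately left out of the generated header and printed as a review item: the fix for inline script violations is to move the script into a file served from an allowed origin, not to add 'unsafe-inline'.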

Using the aforementioned headers will give you a much better chance at protecting your users on the client side. Even with this in mind, you should not focus merely on headers for security; they are just one tool out of many against client-side attacks. The first step is to ensure your web application is secure, handles authentication and tokens properly, sanitizes user input properly, and provides your users with a safe environment to use your services without losing confidence in you.

Setting Headers for Apache+Mod_Headers

# Clickjacking protection: allow iframes from same origin
# ("set" replaces any existing value; "append" would merge values with a comma)
Header always set X-Frame-Options SAMEORIGIN
# non-standard spelling kept from the original; browsers only read X-Frame-Options
Header always set Frame-Options SAMEORIGIN
# Enforce HTTPS connections for all requests, including subdomains
# (values containing ';' or spaces must be quoted)
Header always set Strict-Transport-Security "max-age=16070400; includeSubDomains"
# IE8+ and variants, XSS Protection
Header always set X-XSS-Protection "1; mode=block"
# Protection from drive-by dynamic/executable IE files
Header always set X-Content-Type-Options nosniff
# Strict Content Security Policy, deny all external requests
# (CSP directives take no colon: "connect-src 'self'", not "connect-src: 'self'")
# for custom CSP headers use: http://cspbuilder.info/
Header always set Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'"
Header always set X-Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'"
Header always set X-WebKit-CSP "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'"

Setting Headers for Nginx

# Clickjacking protection: allow iframes from same origin
add_header X-Frame-Options SAMEORIGIN;
# non-standard spelling kept from the original; browsers only read X-Frame-Options
add_header Frame-Options SAMEORIGIN;
# Enforce HTTPS connection for all requests, including subdomains
# (quote values containing ';' so nginx does not end the directive early)
add_header Strict-Transport-Security "max-age=16070400; includeSubDomains";
# IE8+ and variants, XSS Protection
add_header X-XSS-Protection "1; mode=block";
# Protection from drive-by dynamic/executable IE files
add_header X-Content-Type-Options nosniff;
# Strict Content Security Policy, deny all external requests
# (CSP directives take no colon: "connect-src 'self'", not "connect-src: 'self'")
# for custom CSP headers use: http://cspbuilder.info
add_header Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'";
add_header X-Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'";
add_header X-WebKit-CSP "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'";
# Note: a server/location block that has any add_header of its own does not
# inherit add_header lines from the enclosing block, so repeat them where needed.

Setting Headers for PHP

<?php
# header() must be called before any output is sent, or the headers are silently lost
# Clickjacking protection: allow iframes from same origin
header('X-Frame-Options: SAMEORIGIN');
# non-standard spelling kept from the original; browsers only read X-Frame-Options
header('Frame-Options: SAMEORIGIN');
# Enforce HTTPS connections for all requests, including subdomains
header('Strict-Transport-Security: max-age=16070400; includeSubDomains');
# IE8+ and variants, XSS Protection
header('X-XSS-Protection: 1; mode=block');
# Protection from drive-by dynamic/executable IE files
header('X-Content-Type-Options: nosniff');
# Strict Content Security Policy, deny all external requests
# (CSP directives take no colon: "connect-src 'self'", not "connect-src: 'self'")
# for custom CSP headers use: http://cspbuilder.info
header("Content-Security-Policy: default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'");
header("X-Content-Security-Policy: default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'");
header("X-WebKit-CSP: default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'");
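Once the headers are configured, it is worth checking what the server actually sends, since a misquoted value or a lower nginx block that drops inherited add_header lines can silently undo the configuration above. The following added Python example (not from the original page) audits a response's header dictionary against the recommendations on this page: the X-Frame-Options value, the HSTS max-age, nosniff, X-XSS-Protection, and a parsed CSP checked for a missing default-src, a wildcard or 'unsafe-inline' in script-src, and a report-only policy with no enforced one. The two header sets are constructed; in practice you would feed it the headers returned by `requests` or `curl -I`. The six-month threshold is this example's choice.

```python
import re

# Constructed response headers for two imaginary servers, used as sample input.
GOOD_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "SAMEORIGIN",
    "Strict-Transport-Security": "max-age=16070400; includeSubDomains",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'none'; script-src 'self'; img-src 'self'; "
                               "style-src 'self'; connect-src 'self'",
}
WEAK_RESPONSE = {
    "Content-Type": "text/html",
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy-Report-Only": "default-src 'self'",
    "Content-Security-Policy": "script-src * 'unsafe-inline'; img-src *",
}

SIX_MONTHS = 15552000  # seconds; shorter HSTS lifetimes give little lasting protection


def parse_csp(value):
    """Split a CSP header into {directive: [sources]}; directives are ';'-separated."""
    policy = {}
    for chunk in value.split(";"):
        tokens = chunk.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def hsts_max_age(value):
    """Return the max-age seconds from an HSTS value, or None if absent or malformed."""
    match = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(match.group(1)) if match else None


def audit_headers(headers):
    """Return a list of findings for one response (an empty list means all checks pass)."""
    h = {name.lower(): value.strip() for name, value in headers.items()}
    findings = []

    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN "
                        "(ALLOW-FROM is honoured by few browsers)")

    age = hsts_max_age(h.get("strict-transport-security", ""))
    if age is None:
        findings.append("Strict-Transport-Security missing or has no max-age")
    elif age < SIX_MONTHS:
        findings.append(f"Strict-Transport-Security max-age={age} is under six months")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")

    if h.get("x-xss-protection", "").replace(" ", "").lower() != "1;mode=block":
        findings.append("X-XSS-Protection not set to '1; mode=block'")

    if "content-security-policy" not in h:
        if "content-security-policy-report-only" in h:
            findings.append("CSP is report-only: violations are logged but not blocked")
        else:
            findings.append("Content-Security-Policy missing")
    else:
        policy = parse_csp(h["content-security-policy"])
        if "default-src" not in policy:
            findings.append("CSP has no default-src fallback")
        # script-src falls back to default-src when absent
        script = policy.get("script-src", policy.get("default-src", []))
        if "*" in script:
            findings.append("CSP script-src allows any host (*)")
        if "'unsafe-inline'" in script:
            findings.append("CSP script-src permits 'unsafe-inline', which defeats XSS protection")

    return findings


if __name__ == "__main__":
    for label, response in (("good", GOOD_RESPONSE), ("weak", WEAK_RESPONSE)):
        print(f"{label}: {audit_headers(response) or ['all checks pass']}")
```

Header names are matched case-insensitively because the Apache and nginx snippets above spell STRICT-TRANSPORT-SECURITY in upper case and HTTP header names are case-insensitive anyway; the check on the value is what matters.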