HTTP Headers to Help Secure Your Website

by Expert ‎12-14-2010 11:04 AM - edited ‎10-20-2011 10:01 AM

Web security is a seemingly never-ending battle between hackers and webmasters. Hackers are relentless and very cunning, and they don't need our help to compromise our own websites. Yet almost 40,000 websites have been documented as being vulnerable to cross-site scripting (XSS) attacks. These attacks leave your users open to cookie theft, information theft, account hijacking, and more.

 

There are lots of ways a web developer can protect a site's users, and multiple layers of protection should always be in place, as no one method is foolproof or completely secure by itself. One weapon developers have at their disposal is the users' web browsers themselves. Modern browsers come with some pretty powerful protection...if you tell them you want it used for your website. Fortunately, doing so is easy, and I'm going to show you how.

 

Here's the Code

 

Let's start by taking a look at the headers we will send out with each page request. There are lots of ways to set headers for a web application depending on which web server you are using and what programming language your web site is built in. Since the Apache web server is by far the most common and offers the easiest way for us to do this we'll use it as our example below.

 

# Don't allow any of my pages to be framed, by my own site or any other.
# Defends against clickjacking (see the X-Frame-Options section below).
Header set X-Frame-Options DENY

# Only allow JavaScript from the same domain to be run.
# Also, don't allow inline JavaScript to run.
# Currently only supported by Firefox 4 (hence the X- prefix), but the
# other browsers will add support soon.
Header set X-Content-Security-Policy "allow 'self';"

# Turns on IE 8 XSS prevention tools
Header set X-XSS-Protection "1; mode=block"

# Don't send out the Server header. This way no one knows what
# version of Apache and PHP I am using and can try to exploit it.
Header unset Server

 

To use these headers place the code above in a text document and save it in your web root. Be sure to name the file .htaccess. If you already have a .htaccess file in your web root then you can append this code to the bottom of that file.
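Once the .htaccess file is in place it is worth confirming that the headers actually reach the browser. The following script is an added example and not part of the original post: it parses a raw HTTP response header block and reports which of the four headers above are missing or carry a weaker value than the snippet sets, and whether a Server header is still being disclosed. The two sample responses inside the script are constructed to stand in for a server before and after the change, and `fetch_headers` is a hypothetical helper that pulls the headers from a live URL with Python's urllib.

```python
"""Audit an HTTP response for the headers recommended in the post above.

Added example (not the post's own code). Parses a raw header block such
as the output of `curl -sI https://example.com/` and grades each header.
"""
import sys
import urllib.request

# Values accepted for each header, normalized to lower case with any
# trailing semicolon removed.  DENY and SAMEORIGIN are both acceptable
# for X-Frame-Options; the other two must match the snippet exactly.
RECOMMENDED = {
    "x-frame-options": {"deny", "sameorigin"},
    "x-content-security-policy": {"allow 'self'"},
    "x-xss-protection": {"1; mode=block"},
}

# Constructed sample: what a typical Apache/PHP server might answer
# before the .htaccess changes (version numbers are made up).
SAMPLE_BEFORE = """HTTP/1.1 200 OK
Date: Tue, 14 Dec 2010 11:04:00 GMT
Server: Apache/2.2.x (Unix) PHP/5.3.x
Content-Type: text/html; charset=UTF-8
"""

# Constructed sample: the same server after the .htaccess changes.
SAMPLE_AFTER = """HTTP/1.1 200 OK
Date: Tue, 14 Dec 2010 11:04:00 GMT
X-Frame-Options: DENY
X-Content-Security-Policy: allow 'self';
X-XSS-Protection: 1; mode=block
Content-Type: text/html; charset=UTF-8
"""


def parse_headers(raw):
    """Turn a raw header block into {lowercased name: value}."""
    headers = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue  # status line, blank line or body text
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def _normalize(value):
    """Header values are case-insensitive; a trailing ';' is cosmetic."""
    return value.strip().rstrip(";").strip().lower()


def audit_headers(headers):
    """Return {header: status} with status 'ok', 'missing' or 'weak'.

    The Server header is reported as 'disclosed' when it is present,
    since the goal of `Header unset Server` is to remove it entirely.
    """
    report = {}
    for name, accepted in RECOMMENDED.items():
        value = headers.get(name)
        if value is None:
            report[name] = "missing"
        elif _normalize(value) in accepted:
            report[name] = "ok"
        else:
            report[name] = "weak"
    if "server" in headers:
        report["server"] = "disclosed"
    return report


def fetch_headers(url):
    """Hypothetical helper: HEAD request against a live URL (needs network)."""
    request = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(request, timeout=10) as response:
        return {name.lower(): value for name, value in response.headers.items()}


if __name__ == "__main__":
    # Usage: python audit_headers.py https://your-site.example/
    headers = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else parse_headers(SAMPLE_BEFORE)
    for name, status in audit_headers(headers).items():
        print(f"{name}: {status}")
```

Run it without arguments to see the grades for the constructed "before" sample, or pass your site's URL to check the live response. Note that on Apache `Header unset Server` is frequently not honoured, because the core adds the Server header after mod_headers has already run; if the audit still reports `server: disclosed` after the change, set `ServerTokens Prod` in httpd.conf, which at least trims the value down to `Apache`.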

 

Now let's break these headers down individually and see what they actually do for us.

 

X-Frame-Options

 

This header tells a web browser whether or not to allow a web page to be framed in another web page. This includes <frame> and <iframe> tags. The primary purpose of this feature is to prevent malicious websites from attempting clickjacking attacks on your users.

 

There are two possible values for this header:

 

  1. DENY - This setting prevents any page served from being placed in a frame, even if the framing page is on the same website the page originates from. DENY should be used if you never intend for your pages to be used inside of a frame.
  2. SAMEORIGIN - This setting allows pages to be served in a frame of a page on the same website. If an external site attempts to load the page in a frame the request will be denied.

 

In our example above we set this to DENY to prevent our pages from being served in any frames, even from our own website.

 

This header works in Internet Explorer 8.0, Firefox 3.6.9, Opera 10.50, Safari 4.0, and Chrome 4.1. You can read more about this header at the Mozilla Developer Network page for the X-Frame-Options response header.

 

X-Content-Security-Policy

 

This header is designed to specify how content interacts with your website. I know that sounds very broad, but this security feature covers a lot of ground and a lot of content. It can control everything from how videos are handled on your website to which JavaScript is allowed to run.

 

In our example above we set this to "allow 'self';" to prevent our pages from loading any external JavaScript or running any inline JavaScript. This will make our website safer from cross-site scripting attacks, as it makes it much more difficult for an attacker to run JavaScript in our users' browsers through a framed page on our website or a SQL injection.
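To make the two rules concrete, here is an added example (not code from the original post) that simulates the decisions a browser makes for the X-Frame-Options values described above and for the "allow 'self';" policy just discussed. `framing_allowed` applies DENY and SAMEORIGIN to a page and the top-level page trying to frame it; `script_allowed` applies the policy to a script source, where `None` stands for an inline <script> block. The policy parser is a deliberate simplification of the old X-Content-Security-Policy syntax (it understands `allow`, `script-src`, `options inline-script`, `'self'`, `*` and plain host names only), and the URLs used are constructed.

```python
"""Simulate X-Frame-Options and X-Content-Security-Policy decisions.

Added example, not the post's own code.  Origins are compared the way
browsers do it: scheme, host and port must all match, so a subdomain or
a plain-http copy of the same host is a different origin.
"""
from urllib.parse import urljoin, urlsplit

_DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) triple that identifies a URL's origin."""
    parts = urlsplit(url)
    port = parts.port or _DEFAULT_PORTS.get(parts.scheme.lower())
    return (parts.scheme.lower(), (parts.hostname or "").lower(), port)


def same_origin(url_a, url_b):
    return origin(url_a) == origin(url_b)


def framing_allowed(x_frame_options, page_url, top_url):
    """May `page_url` be shown in a frame on `top_url`?

    `x_frame_options` is the header value, or None when the header is absent
    (browsers then allow framing by anyone).
    """
    if x_frame_options is None:
        return True
    value = x_frame_options.strip().upper()
    if value == "DENY":
        return False            # never framed, not even by our own pages
    if value == "SAMEORIGIN":
        return same_origin(page_url, top_url)
    raise ValueError(f"unknown X-Frame-Options value: {x_frame_options!r}")


def parse_xcsp(policy):
    """Parse 'allow ...; script-src ...; options ...' into {directive: [sources]}.

    Simplified: directives are split on ';' and sources on whitespace.
    """
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def script_allowed(policy, page_url, script_src):
    """May a script run on `page_url` under `policy`?

    `script_src` is the script's URL (absolute or relative to the page),
    or None for an inline <script> block.
    """
    directives = parse_xcsp(policy)
    if script_src is None:
        # Inline script is blocked unless the policy opts in explicitly.
        return "inline-script" in directives.get("options", [])
    # script-src overrides the default set by 'allow' (constructed semantics
    # mirroring the old X-CSP draft: 'allow' acts as the fallback for all types).
    sources = directives.get("script-src", directives.get("allow", []))
    script_url = urljoin(page_url, script_src)
    script_host = (urlsplit(script_url).hostname or "").lower()
    for src in sources:
        if src == "*":
            return True
        if src == "'self'":
            if same_origin(page_url, script_url):
                return True
        elif src != "'none'" and src.lower() == script_host:
            return True
    return False


if __name__ == "__main__":
    page = "https://shop.example.com/cart"        # constructed page URL
    print(framing_allowed("DENY", page, "https://shop.example.com/"))          # False
    print(framing_allowed("SAMEORIGIN", page, "https://www.example.com/"))    # False
    print(script_allowed("allow 'self';", page, "/js/cart.js"))               # True
    print(script_allowed("allow 'self';", page, None))                        # False
```

The last two calls show why "allow 'self';" is enough to stop both injected inline scripts and scripts pulled from an attacker's host, while the site's own script files keep working; the SAMEORIGIN checks show that `www.example.com` framing `shop.example.com` is refused, which is the case to keep in mind if your cart lives on a different subdomain than your storefront.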

 

You can read more about this header at the Mozilla Wiki page for Content Security Policy. There are a lot of settings available for this header, and covering them is beyond the scope of this blog post. But the Mozilla Wiki page contains lots of information about possible settings and how to use them to help protect your website.

 

X-XSS-Protection

 

This header is exclusive to Internet Explorer 8. This header turns on cross-site scripting protection in IE 8 (which apparently is off by default, as it could potentially break some websites). It has no effect on any other web browser, including earlier versions of Internet Explorer. To turn on the XSS filter simply use the header shown above: X-XSS-Protection "1; mode=block". If you wish to prevent this filter from ever being turned on for your website's content, you can turn it off by setting the header's value to "0".

 

You can read more about this header at The Windows Internet Explorer Weblog.

 

unset Server

 

This one is a bonus header, as it doesn't affect the browser at all but is quite useful, so I figured I'd mention it as well. It's also different from the rest, as we are unsetting a header as opposed to setting a header with a custom value. The Server header sends out information about the web server being used to serve up the requested web page. It usually includes which web server is being used and the version. It may also include other information, such as what modules are enabled and what programming language is being used on the web page.

 

This information is harmless in and of itself, as there's nothing inherently insecure about it. However, if you are not using the latest version of the web server or any software being reported in that header, you may be using software that has a known vulnerability in it. If an attacker can determine that you are using a specific version of that software, then they know how to attack your web server or website. By removing this header we make it much more difficult for an attacker to exploit your system.

 

Keep in mind, though, that the attacker can still probe your server and software to determine what software you are running. But by doing so they expose themselves and make it easier for you to detect and counter their attacks.

 

Conclusion

 

Security is not something to be taken lightly, and we must always strive to improve our security without inconveniencing our users. Fortunately, modern web browsers offer us some easy-to-implement tools to help protect our users without affecting the user experience at all. But remember, these tools should only be part of a comprehensive security system, not the only protection you use for your website.

---------------------------------------------------------------------------------------------------


John Conde is a certified Authorize.Net developer

Comments
by DetatiDev
on ‎05-17-2011 09:58 AM

If using Apache 2.x on a WinX platform, you must be sure the Apache server has the headers_module installed;
uncomment this line in the httpd.conf file:

...

LoadModule headers_module modules/mod_headers.so

...

Otherwise you will get server errors when adding these lines to the .htaccess file.

by hanasazi
‎03-25-2012 01:27 PM - edited ‎03-25-2012 01:27 PM

The X-Content-Security-Policy completely breaks my cart, as well as other things in my site! I went to the page you referenced at Mozilla to see what could be done and found several options that can be added, but am not sure if this is current, as the page states that the information is deprecated, and refers viewers to newer info at https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html. I'm not well versed in the language this document refers to but will try to work it out. I just wanted to mention this in case you want to update your post to include the updated info source for those who will know what to do with it.