Enable Security Headers

Security headers can effectively prevent a variety of hacking attempts. You should consider headers like Strict-Transport-Security, Content-Security-Policy, X-Frame-Options or X-XSS-Protection.

Security Assessment


CVSS Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Guides

Use the following guides to set correct security headers for your web application:

  • Webserver Configuration (Apache, nginx)
  • HTTP Strict Transport Security (HSTS)
  • X-Frame-Options
  • X-XSS-Protection
  • X-Content-Type-Options
  • Content-Security-Policy
  • Referrer-Policy

Webserver Configuration

To configure your webserver to send all of the headers described here, use the following configurations. Below you find a description of each individual header.

Apache

On Apache you need to update your configuration to include the correct Header directives. Add this to the virtual host configuration in /etc/apache2/sites-enabled/domain.conf or /etc/httpd/sites-enabled/domain.conf:

<VirtualHost *:443>
    # Requires mod_headers. "always" also sets the headers on error responses.
    Header always set Strict-Transport-Security "max-age=31536000"
    Header always set X-Frame-Options "deny"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set X-Content-Type-Options "nosniff"
    # CSP separates the directive name from its sources with a space, not a colon
    Header always set Content-Security-Policy "default-src 'self'"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
</VirtualHost>

nginx

On nginx you need to update your configuration file, which is usually located at /etc/nginx/nginx.conf, /etc/nginx/sites-enabled/yoursite.com (Ubuntu / Debian) or /etc/nginx/conf.d/nginx.conf (RHEL / CentOS), to include the correct headers with add_header directives:

server {
    # "always" adds the header to every response code, not only 2xx and 3xx.
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains;" always;
    add_header X-Frame-Options "deny" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    # CSP separates the directive name from its sources with a space, not a colon
    add_header Content-Security-Policy "default-src 'self'" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    # A location block that defines any add_header of its own does not inherit
    # these; repeat the full set in such blocks.
}
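To verify what a server actually sends once the configuration is in place, here is an added Python example (not code from this page or from Crashtest Security) that audits a dictionary of response headers against the six headers configured above. The two header sets it runs on are constructed by hand, one matching the nginx block and one from a misconfigured server, so no request is made; the one-year minimum it applies to HSTS follows the max-age in the Apache example.

```python
"""Audit a set of HTTP response headers against the recommendations above.

Added example, not part of the original page: the two header sets at the
bottom are constructed by hand, and no request is sent.
"""
from typing import Dict, List

# One year in seconds, the max-age used in the Apache example above.
MIN_HSTS_MAX_AGE = 31536000


def _lower_keys(headers: Dict[str, str]) -> Dict[str, str]:
    # Header names are case-insensitive, so normalise them before lookup.
    return {name.lower(): value for name, value in headers.items()}


def hsts_max_age(value: str) -> int:
    """Return the max-age from an HSTS value, or -1 if it is absent or malformed."""
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(arg.strip().strip('"'))
            except ValueError:
                return -1
    return -1


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return one finding per missing or weak header; an empty list means all good."""
    h = _lower_keys(headers)
    findings: List[str] = []

    sts = h.get("strict-transport-security")
    if sts is None:
        findings.append("missing Strict-Transport-Security")
    elif hsts_max_age(sts) < MIN_HSTS_MAX_AGE:
        findings.append("Strict-Transport-Security max-age is below one year")

    # Only DENY and SAMEORIGIN restrict framing; any other value leaves it allowed.
    if h.get("x-frame-options", "").strip().lower() not in ("deny", "sameorigin"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not nosniff")

    if "x-xss-protection" not in h:
        findings.append("missing X-XSS-Protection")

    # Presence only here; the policy contents deserve their own check.
    if "content-security-policy" not in h:
        findings.append("missing Content-Security-Policy")

    if "referrer-policy" not in h:
        findings.append("missing Referrer-Policy")

    return findings


# Constructed sample: the headers the nginx block above emits.
GOOD_RESPONSE = {
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=63072000; includeSubdomains;",
    "X-Frame-Options": "deny",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

# Constructed sample: a server that set only two headers, both badly.
BAD_RESPONSE = {
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOWALL",
}

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        print(label, audit_headers(hdrs) or ["no findings"])
```

The audit treats X-Frame-Options as correct only for DENY or SAMEORIGIN, because any other value (including the invalid ALLOWALL in the bad sample) leaves the page frameable. X-XSS-Protection is checked for presence only: current Chromium and Safari releases no longer ship the filter it controls, so treat it as defence in depth rather than as a substitute for a Content-Security-Policy.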

HTTP Strict Transport Security (HSTS)

The HSTS header enforces HTTPS connections. This prevents downgrade attacks to an insecure HTTP connection. See Enable HSTS for the correct settings.

X-Frame-Options

The X-Frame-Options header declares whether this site may be embedded as a frame into other websites. The possible values are listed at:

https://github.com/crashtest-security/gist/blob/master/ssl_tls_vulnerabilities/enable_security_headers/x_frame_options

Setting this header, e.g. to deny, protects the website against clickjacking attacks, where an attacker overlays an iframe of your webpage with arbitrary content to bait victims into clicking on certain links on your website.

X-XSS-Protection

Modern web browsers ship with a Cross-Site-Scripting (XSS) filter. This filter can detect certain XSS attacks and prevent them. To configure the browser filter behaviour, use the X-XSS-Protection header.


https://github.com/crashtest-security/gist/blob/master/ssl_tls_vulnerabilities/enable_security_headers/x_xxs_protection

Setting this header, e.g. to 1; mode=block, tells the browser that it should not render the webpage in case it detects an attack.

X-Content-Type-Options

Browsers try to detect (sniff) the MIME type of files sent by the webserver. If an attacker manages to upload a malicious (executable) file to a webserver that is only meant to serve images, the declared MIME type can provide some protection, as it tells the browser to expect an image and not an executable file. For this to work, the browser must not try to detect the MIME type itself but only use the MIME type provided by the webserver. To enforce this behaviour, use the X-Content-Type-Options header and set it to nosniff.


https://github.com/crashtest-security/gist/blob/master/ssl_tls_vulnerabilities/enable_security_headers/x_content_type_options

Content-Security-Policy

The Content-Security-Policy (CSP) header tells the browser from which domains further resources such as scripts, images or stylesheets may be loaded. This can prevent various Cross-Site-Scripting (XSS) and other cross-site injection attacks. The policy needs to be hand-crafted for the particular application, as it can easily block analytics scripts, fonts or other resources that are loaded from a third party.


https://github.com/crashtest-security/gist/blob/master/ssl_tls_vulnerabilities/enable_security_headers/content_security_policy

A very simple and restrictive policy is: default-src 'self'. Make sure to test your configuration thoroughly, as you may not want to block your analytics script or other third-party resources.
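Because a malformed policy fails silently (the browser drops any directive it does not recognise and enforces nothing for it), the following added Python example (not code from this page or from Crashtest Security; the sample policies are constructed) parses a CSP value into its directives, renders it back into header syntax, and lints it for the three mistakes that most often leave a site unprotected: a colon after the directive name, no script-src or default-src at all, and 'unsafe-inline', 'unsafe-eval' or a wildcard among the script sources.

```python
"""Parse and lint a Content-Security-Policy value without a browser.

Added example, not part of the original page; the sample policies are constructed.
"""
from typing import Dict, List


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive-name: [sources]}.

    Directives are separated by ';'; within each, the first whitespace-separated
    token is the name and the rest are sources. Names are case-insensitive and a
    repeated directive is ignored, which is how browsers treat duplicates.
    """
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        policy.setdefault(name, tokens[1:])
    return policy


def serialize_csp(policy: Dict[str, List[str]]) -> str:
    """Render a policy in header syntax: name, space-separated sources, ';' between."""
    return "; ".join(
        f"{name} {' '.join(sources)}".strip() for name, sources in policy.items()
    )


def lint_csp(value: str) -> List[str]:
    """Return findings for mistakes that silently weaken or disable the policy."""
    policy = parse_csp(value)
    findings: List[str] = []

    # "default-src: 'self'" is a common typo: the colon becomes part of the name,
    # the browser sees an unknown directive, drops it, and enforces nothing.
    for name in policy:
        if name.endswith(":"):
            findings.append(f"directive '{name}' has a trailing colon and is ignored")

    # script-src falls back to default-src; with neither, scripts load from anywhere.
    script_sources = policy.get("script-src", policy.get("default-src"))
    if script_sources is None:
        findings.append("no script-src or default-src: scripts may load from any origin")
    else:
        for weak in ("'unsafe-inline'", "'unsafe-eval'", "*"):
            if weak in script_sources:
                findings.append(f"script sources allow {weak}")
    return findings


# Constructed sample policies.
TYPO_POLICY = "default-src: 'self'"
SIMPLE_POLICY = "default-src 'self'"
WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example"

if __name__ == "__main__":
    for p in (TYPO_POLICY, SIMPLE_POLICY, WEAK_POLICY):
        print(repr(p), "->", lint_csp(p) or ["no findings"])
```

Running it shows why the colon matters: the typo policy produces two findings (the directive is ignored, and consequently nothing restricts script sources), while the simple policy from the text produces none. The linter only looks at script sources because that is where an injection does its damage; extend the weak-source check to style-src or object-src in the same way if your threat model calls for it.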

Referrer-Policy

The Referrer-Policy header defines how much information about the referrer is sent when the user clicks on a link. The referrer may leak sensitive information such as user-specific URLs. Therefore the Referrer-Policy should be set to a more restrictive value. A relatively secure setting is strict-origin-when-cross-origin.


https://github.com/crashtest-security/gist/blob/master/ssl_tls_vulnerabilities/enable_security_headers/referrer_policy

For more information about Crashtest Security visit crashtest-security.com