1. List of useful security-related HTTP headers
주한익
joohanik@coresec.co.kr
2. List of useful security-related HTTP headers
Header name / Description / Example

HTTP Strict-Transport-Security (HSTS)
Description: HTTP Strict-Transport-Security (HSTS) is a header that forces the browser to use HTTP over SSL/TLS when connecting to the server. It mitigates session-related vulnerabilities in web applications that abuse cookies or external links (e.g. session hijacking) and defends against downgrade attacks such as SSL Strip.
Example: Strict-Transport-Security: max-age=16070400; includeSubDomains

X-Frame-Options / Frame-Options
Description: A header created to protect against clickjacking attacks. Depending on the directive value, it controls the conditions under which a page loaded in a <frame>, <iframe> or <object> is rendered.
Example: X-Frame-Options: deny

X-XSS-Protection
Description: Enables the cross-site scripting filter built into the browser. Most browsers that offer the filter enable it by default; this header re-enables it when the user has disabled it.
Example: X-XSS-Protection: 1; mode=block

X-Content-Type-Options
Description: Counters cross-site scripting and drive-by download attacks that abuse the browser's MIME-sniffing feature, which ignores the value of the Content-Type response header. No value other than "nosniff" is defined.
Example: X-Content-Type-Options: nosniff

Content-Security-Policy / X-Content-Security-Policy / X-WebKit-CSP
Description: A header that influences the policy the browser applies when rendering the page (e.g. inline JavaScript is not executed unless explicitly allowed). It can prevent a variety of attacks, including cross-site scripting.
Example: Content-Security-Policy: default-src 'self'; script-src 'self'

Content-Security-Policy-Report-Only
Description: Works like the Content-Security-Policy header, except that violations of the policy are not blocked; instead a report is sent to the specified location. Used together with the Content-Security-Policy header, "restrict and block" and "report" can be applied at the same time.
Example: Content-Security-Policy-Report-Only: default-src 'self'; report-uri http://loghost.example.com/reports.jsp
https://www.owasp.org/index.php/List_of_useful_HTTP_headers
4. Strict-Transport-Security
* HTTP Strict Transport Security (HSTS) overview
. Web security policy mechanism that is necessary to protect secure HTTPS websites against downgrade attacks, and that greatly simplifies protection against cookie hijacking
. Allows web servers to declare that web browsers should only interact with them using secure HTTPS connections, and never via the insecure HTTP protocol
. IETF standards-track protocol, specified in RFC 6797
. Communicated by the server to the user agent via an HTTP response header field named "Strict-Transport-Security"
http://blog.c22.cc/2010/08/27/http-strict-transport-security/
6. Strict-Transport-Security
* Preloading HSTS overview
. When connecting to an HSTS host for the first time, the browser won't know whether or not to use a secure connection, because it has never received an HSTS header from that host
. An active network attacker could prevent the browser from ever connecting securely
. To mitigate this attack, browsers have added a list of hosts that want HSTS enforced by default
. When a user connects to one of these hosts for the first time, the browser will know that it must use a secure connection
. If a network attacker prevents secure connections to the server, the browser will not attempt to connect over an insecure protocol, thus maintaining the user's security
9. Strict-Transport-Security
* Limitations
. Still dependent on browser vendors adding new hosts to the preload list. The only downside is that the user must add all of the hosts that they wish to be enforced to the list manually
. The initial request remains unprotected from active attacks if it uses an insecure protocol such as plain HTTP, or if the initial request was obtained over an insecure channel
. Can't prevent advanced attacks against TLS itself, such as the BEAST (Browser Exploit Against SSL/TLS) or CRIME (Compression Ratio Info-leak Made Easy) attacks
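As an added example (not code from the slides), the following Python models the browser-side behaviour slides 4, 6 and 9 describe: it parses the Strict-Transport-Security header, keeps a per-host store with max-age expiry and includeSubDomains, honours a constructed stand-in for the preload list, and upgrades http:// URLs only for hosts it already knows, so the very first request to an unlisted host stays unprotected. The preload list contents, the host names and the injectable clock are assumptions made for the example.

```python
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for the browser's built-in HSTS preload list (assumption).
PRELOADED_HOSTS = {"preloaded.example": {"include_subdomains": True}}


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None for a malformed value (RFC 6797 requires a numeric max-age).
    """
    max_age = None
    include_subdomains = False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return max_age, include_subdomains


class HstsCache:
    """Per-host 'known HSTS host' store, as a browser keeps it."""

    def __init__(self, preload=PRELOADED_HOSTS, now=time.time):
        self.now = now
        # host -> (expiry timestamp, include_subdomains); preloaded hosts never expire
        self.entries = {}
        for host, info in preload.items():
            self.entries[host] = (float("inf"), info["include_subdomains"])

    def remember(self, host, header_value, over_https=True):
        """Record the header from a response; RFC 6797 says to ignore it over plain HTTP."""
        parsed = parse_hsts(header_value)
        if not over_https or parsed is None:
            return
        max_age, include_subdomains = parsed
        if max_age == 0:
            self.entries.pop(host, None)   # max-age=0 tells the browser to forget the host
            return
        self.entries[host] = (self.now() + max_age, include_subdomains)

    def is_known(self, host):
        """True if host, or a parent domain with includeSubDomains, is unexpired in the store."""
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None or entry[0] < self.now():
                continue
            if i == 0 or entry[1]:
                return True
        return False

    def rewrite(self, url):
        """Upgrade http:// to https:// for known hosts; everything else is left alone."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url
```

The first `rewrite` of an unknown host returns the plain http:// URL untouched: that is exactly the window the limitations slide describes, and only a preload entry closes it.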
10. X-Frame-Options
* Clickjacking .. How can we stop this attack?
. Tricking users into enabling their webcam and microphone through Flash
. Tricking users into making their social networking profile information public
. Making users follow someone on Twitter
. Sharing links on Facebook
http://khalil-shreateh.com/khalil.shtml/index.php/personal-security/90-spam-and-scams-protect-yourself-from-being-a-victim-of-cyber-fraud.html?showall=1
http://www.anzaq.com/2013/05/what-is-clickjacking.html
11. X-Frame-Options
* X-Frame-Options overview
. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe> or <object>
. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites
. There are three possible values for X-Frame-Options (DENY, SAMEORIGIN, ALLOW-FROM uri)
. The frame-ancestors directive from the CSP Level 2 specification officially replaces this non-standard header
http://www.troyhunt.com/2013/05/clickjack-attack-hidden-threat-right-in.html
http://wordpress.stackexchange.com/questions/81607/receiving-this-content-cannot-be-displayed-in-a-frame-error-on-login-page
12. X-Frame-Options
* Limitations
. Per-page policy specification
. Problems with multi-domain sites
. ALLOW-FROM browser support
. Multiple options not supported
. X-Frame-Options deprecated
. Proxies
. Nested frames don't work with SAMEORIGIN and ALLOW-FROM
//friendlysite.invalid (top-level page)
  frames //framed.invalid/parent, served with: ALLOW-FROM http://friendlysite.invalid
    which frames //framed.invalid/child, served with: SAMEORIGIN
When a frame on the //friendlysite.invalid page loads the //framed.invalid/parent page, it renders normally (it was allowed with ALLOW-FROM).
When a frame on the //framed.invalid/parent page loads the //framed.invalid/child page, which is on the same domain, it is nevertheless not rendered (the top-level browsing context takes precedence in the check).
The //framed.invalid/child page could of course also specify ALLOW-FROM http://friendlysite.invalid, which solves this case, but then //framed.invalid/child fails to load whenever //framed.invalid/parent is itself the top-level page.
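The nested-frame case above as an added Python model (not code from the slides): each X-Frame-Options value is checked against the origin of the top-level browsing context, which is why SAMEORIGIN on the child fails under a foreign top page and ALLOW-FROM on the child fails once the parent becomes top-level. The frame tree, the http:// scheme for the slide's scheme-less URLs, and the treatment of malformed header values are assumptions for this example.

```python
from urllib.parse import urlsplit


def origin_of(url):
    """Reduce a URL to its scheme://host[:port] origin."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.hostname}" + (f":{p.port}" if p.port else "")


def may_render_in_frame(header_value, page_url, top_url):
    """Decide whether a framed page carrying this X-Frame-Options value gets rendered.

    As the slide describes, SAMEORIGIN and ALLOW-FROM are compared against the origin of
    the top-level browsing context, not against the immediate parent frame.
    """
    if page_url == top_url:
        return True                      # the page is the top-level document, not framed
    if header_value is None:
        return True                      # no header: framing is unrestricted
    value, _, allowed = header_value.strip().partition(" ")
    value = value.upper()
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        return origin_of(page_url) == origin_of(top_url)
    if value == "ALLOW-FROM" and allowed.strip():
        return origin_of(allowed.strip()) == origin_of(top_url)
    return True                          # malformed value: treated as no restriction (assumption)


def render_tree(doc, top_url=None):
    """Walk a frame tree {url, xfo, frames: [...]} and report which documents render."""
    top_url = top_url or doc["url"]
    rendered = may_render_in_frame(doc["xfo"], doc["url"], top_url)
    result = {doc["url"]: rendered}
    if rendered:                         # a blocked frame never loads its own children
        for child in doc["frames"]:
            result.update(render_tree(child, top_url))
    return result


# Constructed scenario from the slide (http:// assumed for the scheme-less URLs).
CHILD = {"url": "http://framed.invalid/child", "xfo": "SAMEORIGIN", "frames": []}
PARENT = {"url": "http://framed.invalid/parent",
          "xfo": "ALLOW-FROM http://friendlysite.invalid", "frames": [CHILD]}
TOP = {"url": "http://friendlysite.invalid/", "xfo": None, "frames": [PARENT]}
```

Running `render_tree(TOP)` reproduces the slide: the parent renders, the child does not. Swapping the child's header for ALLOW-FROM fixes that tree but breaks `render_tree(PARENT)`, where the parent is top-level.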
13. X-XSS-Protection
* XSS(Cross Site Scripting) .. How can we stop this attack?
Stored type Cross-Site Scripting
Reflected type Cross-Site Scripting
14. X-XSS-Protection
* X-XSS-Protection overview
. New feature to help prevent reflected cross-site scripting attacks (Internet Explorer 8)
. Detects JavaScript in URL and HTTP POST requests
. If JavaScript is detected, the XSS filter searches for evidence of reflection: information that would be returned to the attacking website if the attacking request were submitted unchanged
. If reflection is detected, the XSS filter sanitizes the original request so that the additional JavaScript cannot be executed
15. X-XSS-Protection
* Disable Internet Explorer X-XSS-Protection
. https://msdn.microsoft.com/en-us/library/dd565647(VS.85).aspx
. This feature can be disabled by setting an HTTP header (X-XSS-Protection: 0) or through the Internet Explorer options
http://www.staysecureweb.com/get-protected-xss-cross-site-scripting-internet-explorer/
16. X-Content-Type-Options
* Background of this feature
. Microsoft has a feature for Internet Explorer that attempts to determine the correct content type, regardless of what is specified by the web server .. this feature is known as MIME sniffing
. One of the steps of this feature is that it compares the first 256 bytes of a file to a list of known file headers
. While this feature allows users to browse the web more successfully, it also introduces an attack vector
[Figure: MIME sniffing attack flow between attacker, web server and web browser]
The attacker uploads file.jpg to the web server; its content is actually <html> ... </html>.
Web browser -> web server: HTTP request for file.jpg
Web server -> web browser: HTTP response
HTTP/1.1 200 OK
...
Content-Type: image/jpeg
Content-Length: 231

<html>
...
</html>
In the browser (IE6, IE7):
1. Content-Type and file extension are ignored
2. The type is decided after inspecting the file header (MIME sniffing)
3. The tags are executed (XSS attack)
17. X-Content-Type-Options
* X-Content-Type-Options overview
. The only defined value, "nosniff", prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type
. This reduces exposure to drive-by download attacks and to sites serving user-uploaded content that, by clever naming, could be treated by MSIE as executable or dynamic HTML files
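To make the sniffing step and the effect of nosniff concrete, here is an added Python example (not code from the slides or from any browser): a toy sniffer that looks only at the first 256 bytes, a function that returns the type a sniffing browser would treat a response as, and the response headers a server could put on uploaded files. The sniffer's marker list, the sample bodies and the Content-Disposition suggestion are assumptions made for the example; IE's real sniffing algorithm is more involved.

```python
# The slide: IE compares the first 256 bytes of a file to a list of known file headers.
SNIFF_WINDOW = 256
JPEG_MAGIC = b"\xff\xd8\xff"
HTML_MARKERS = (b"<!doctype html", b"<html", b"<head", b"<body", b"<script", b"<iframe")


def sniff(body):
    """Toy sniffer: guess a type from the leading bytes only (a stand-in, not IE's algorithm)."""
    head = body[:SNIFF_WINDOW]
    if head.startswith(JPEG_MAGIC):
        return "image/jpeg"
    lowered = head.lower()
    if any(marker in lowered for marker in HTML_MARKERS):
        return "text/html"
    return None


def effective_content_type(headers, body):
    """Type a sniffing browser would treat the response as.

    With X-Content-Type-Options: nosniff the declared Content-Type is final; without it
    the sniffer may turn a declared image/jpeg into text/html when the bytes look like markup.
    """
    normalized = {name.lower(): value.strip() for name, value in headers.items()}
    declared = normalized.get("content-type", "").split(";")[0].strip().lower()
    if normalized.get("x-content-type-options", "").lower() == "nosniff":
        return declared
    return sniff(body) or declared


def upload_response_headers(declared_type):
    """Headers a server should put on user-uploaded files (the slide's 'relevant HTTP headers').

    Content-Disposition: attachment is an added suggestion (assumption): it makes the
    browser download the file instead of rendering it inline at all.
    """
    return {
        "Content-Type": declared_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "attachment",
    }


# Constructed upload: named file.jpg and declared image/jpeg, but the bytes are HTML.
FAKE_JPEG = b"<html><body>not really a picture</body></html>"
# Constructed genuine JPEG prefix for comparison.
REAL_JPEG = JPEG_MAGIC + b"\xe0" + bytes(32)
```

Without the header, `effective_content_type({"Content-Type": "image/jpeg"}, FAKE_JPEG)` comes back as text/html, which is the XSS path from the figure; with the headers from `upload_response_headers` the declared image/jpeg wins.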
18. X-Content-Type-Options
* Security recommendations
. Web developers
Familiarize yourself with the risks of file uploads, implement safeguards and add relevant HTTP headers for uploaded files if necessary
. Web server administrators
Add the X-Content-Type-Options: nosniff header to your web server. This also applies to web servers other than Microsoft IIS
. System administrators and end users
Disable MIME sniffing in Internet Explorer and/or set the security level to High. For IE9 MIME sniffing can be disabled at the following location:
Internet Options -> Security level -> Miscellaneous -> Enable MIME Sniffing -> Disable
. Penetration testers
While testing file uploads in web applications, attempt to upload HTML code in files with different extensions and don't forget to perform these tests using different browsers
. Microsoft
Please change the default MIME sniffing behavior of Internet Explorer and refrain from handling files as HTML when the web server says otherwise. At least prevent this from happening for most 'known file types' and most 'ambiguous file types'.
http://blog.fox-it.com/2012/05/08/mime-sniffing-feature-or-vulnerability/
http://www.h-online.com/security/features/Risky-MIME-sniffing-in-Internet-Explorer-746229.html
19. Content-Security-Policy
* Content-Security-Policy overview
. HTTP header that allows you to create a whitelist of sources of trusted content, and instructs the browser to only execute or render resources from those sources
. Even if an attacker can find a hole through which to inject script, the script won't match the whitelist, and therefore won't be executed
20. Content-Security-Policy
* Resource directives
. script-src
Controls a set of script-related privileges for a specific page
. connect-src
Limits the origins to which you can connect (via XHR, WebSockets, and EventSource)
. font-src
Specifies the origins that can serve web fonts. Google's Web Fonts could be enabled via font-src (https://themes.googleusercontent.com)
. frame-src
Lists the origins that can be embedded as frames. For example
frame-src https://youtube.com
would enable embedding YouTube videos, but no other origins
. img-src
Defines the origins from which images can be loaded
. media-src
Restricts the origins allowed to deliver video and audio
. object-src
Allows control over Flash and other plugins
. style-src
script-src's counterpart for stylesheets
21. Content-Security-Policy
* Four keywords
. 'none'
As you might expect, matches nothing
. 'self'
Matches the current origin, but not its subdomains
. 'unsafe-inline'
Allows inline JavaScript and CSS
. 'unsafe-eval'
Allows text-to-JavaScript mechanisms like eval
* Examples
. You have an application that loads all of its resources from a content delivery network (https://cdn.example.net), and know that you don't need framed content or any plugins at all
Content-Security-Policy: default-src https://cdn.example.net; frame-src 'none'; object-src 'none'
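The directive and keyword slides above, worked through in an added Python example (not code from the slides or from any browser): a small policy parser and evaluator that applies the default-src fallback for the listed resource directives, the 'self', 'none', 'unsafe-inline' and 'unsafe-eval' keywords, and scheme-qualified host sources, so the CDN policy on this slide and the default-src 'self'; script-src 'self' policy from the table can be tested against concrete loads. The page and resource URLs are constructed; ports in host sources are ignored, which is a simplification of the real matching rules.

```python
from urllib.parse import urlsplit

# Resource directives from the slide; each falls back to default-src when absent.
FETCH_DIRECTIVES = {"script-src", "connect-src", "font-src", "frame-src",
                    "img-src", "media-src", "object-src", "style-src"}


def parse_csp(policy):
    """Turn a policy string into {directive-name: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored: the first occurrence wins.
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def origin_of(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.hostname}" + (f":{p.port}" if p.port else "")


def host_source_matches(source, resource_url):
    """Match a host source such as https://cdn.example.net or *.example.net (ports ignored)."""
    if "://" in source:
        scheme, _, host = source.partition("://")
    else:
        scheme, host = "", source
    r = urlsplit(resource_url)
    if scheme and r.scheme != scheme.lower():
        return False
    host = host.split("/")[0].split(":")[0].lower()
    if host == "*":
        return True
    if host.startswith("*."):
        return r.hostname.endswith(host[1:])
    return r.hostname == host


def source_matches(source, resource_url, page_url):
    if source == "'none'":
        return False
    if source == "'self'":
        return origin_of(resource_url) == origin_of(page_url)
    if source.startswith("'"):
        return False          # 'unsafe-inline' / 'unsafe-eval' never match a URL fetch
    return host_source_matches(source, resource_url)


def sources_for(directives, directive):
    """Sources governing a directive after the default-src fallback; None = unrestricted."""
    if directive in directives:
        return directives[directive]
    if directive in FETCH_DIRECTIVES:
        return directives.get("default-src")
    return None


def allows_fetch(policy, directive, resource_url, page_url):
    """Would this policy let the page load resource_url under the given directive?"""
    sources = sources_for(parse_csp(policy), directive)
    if sources is None:
        return True
    return any(source_matches(s, resource_url, page_url) for s in sources)


def allows_inline_script(policy):
    sources = sources_for(parse_csp(policy), "script-src")
    return sources is None or "'unsafe-inline'" in sources


def allows_eval(policy):
    sources = sources_for(parse_csp(policy), "script-src")
    return sources is None or "'unsafe-eval'" in sources
```

Note that 'self' is an origin match, so a subdomain of the page's host is rejected, and a host source with a scheme rejects the same host over plain http.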
22. Content-Security-Policy
* Reporting
. Instruct the browser to POST JSON-formatted violation reports to a location specified in a report-uri directive
Content-Security-Policy: default-src 'self'; ...; report-uri /my_amazing_csp_report_parser;
. Can ask the browser to monitor a policy, reporting violations, but not enforcing the restrictions
Instead of sending a Content-Security-Policy header, send a Content-Security-Policy-Report-Only header
Content-Security-Policy-Report-Only: default-src 'self'; ...; report-uri /my_amazing_csp_report_parser;
http://www.html5rocks.com/en/tutorials/security/content-security-policy/?redirect_from_locale=ko
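What the report-uri endpoint receives, and how to handle it, as an added Python example (not code from the slides): the browser POSTs a JSON body with a "csp-report" object carrying fields such as document-uri, violated-directive, effective-directive, original-policy and blocked-uri. Because anyone can POST to that endpoint, the handler caps the body size and validates every field before trusting it, then aggregates violations by directive and blocked origin so the noisy ones surface first. The sample report bodies are constructed, not captured traffic.

```python
import json
from urllib.parse import urlsplit

REQUIRED_FIELDS = ("document-uri", "violated-directive", "blocked-uri")


def parse_csp_report(raw_body, max_bytes=8192):
    """Validate one POSTed report body; return the inner 'csp-report' dict or None.

    The body is attacker-influenced input (anyone can POST to report-uri), so it is
    size-capped and every required field must be a string before it is used.
    """
    if len(raw_body) > max_bytes:
        return None
    try:
        payload = json.loads(raw_body)
    except ValueError:
        return None
    report = payload.get("csp-report") if isinstance(payload, dict) else None
    if not isinstance(report, dict):
        return None
    if not all(isinstance(report.get(f), str) for f in REQUIRED_FIELDS):
        return None
    return report


def summarize(reports):
    """Count violations by (directive, blocked origin), most frequent first."""
    counts = {}
    for r in reports:
        # Older browsers only send violated-directive, with the directive's value appended.
        directive = r.get("effective-directive") or r["violated-directive"].split()[0]
        blocked = r["blocked-uri"]
        if "://" in blocked:             # keep just the origin of a blocked URL
            p = urlsplit(blocked)
            blocked = f"{p.scheme}://{p.hostname}"
        key = (directive, blocked)
        counts[key] = counts.get(key, 0) + 1
    return sorted(counts.items(), key=lambda kv: -kv[1])


# Constructed sample bodies of the kind a browser POSTs to report-uri (not real traffic).
def _report(blocked):
    return json.dumps({"csp-report": {
        "document-uri": "https://www.example.com/",
        "violated-directive": "script-src 'self'",
        "effective-directive": "script-src",
        "original-policy": "default-src 'self'; report-uri /my_amazing_csp_report_parser",
        "blocked-uri": blocked,
    }}).encode()


SAMPLE_BODIES = [
    _report("https://cdn.example.net/app.js"),
    _report("https://cdn.example.net/vendor.js"),
    _report("inline"),                              # blocked inline script
    b"not json at all",                             # garbage POSTed to the endpoint
    b'{"csp-report": {"document-uri": 1}}',         # wrong field types
]


def handle_bodies(bodies):
    """Parse each body, drop the unusable ones, and return (accepted reports, summary)."""
    accepted = [r for r in (parse_csp_report(b) for b in bodies) if r is not None]
    return accepted, summarize(accepted)
```

The same handler serves both headers: under Content-Security-Policy-Report-Only the browser sends these reports without blocking anything, so the summary is the list of sources to whitelist before switching to enforcement.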