Insecure Configuration
Fixing Security Headers
About HTTP Security Headers
What are insecure HTTP security headers?
HTTP security headers are response headers a web server sends to the browser to switch on protections the browser then enforces, against attacks such as cross-site scripting (XSS), clickjacking, protocol downgrade (man-in-the-middle) and unwanted cross-origin reads.
These headers add a layer of defence on top of the application's own input handling: even when a vulnerability slips through, a correctly configured header can stop the browser from acting on it.
However, a header only helps if it is present and carries a value the browser will actually enforce. An insecure HTTP security header is one that is missing, set to a value browsers no longer honour, or set so permissively that it grants the very access it was meant to restrict (for example, a Content-Security-Policy that allows inline scripts, or a CORS policy that lets any origin read responses).
Some common insecure HTTP security headers include:
- "X-Frame-Options" header: This header prevents clickjacking by telling the browser whether the page may be rendered inside a frame. Only DENY and SAMEORIGIN are honoured by current browsers (ALLOW-FROM is obsolete). If the header is missing, or the newer Content-Security-Policy frame-ancestors directive is not used instead, the page can be framed by an attacker's site.
- "Content-Security-Policy" header: This header limits XSS impact by listing the sources from which scripts, styles and other resources may be loaded. If it is missing, or its script-src (or default-src) allows 'unsafe-inline' or *, injected script still runs and the policy provides little protection.
- "X-XSS-Protection" header: This header controlled the XSS filter built into older browsers. That filter has been removed from current browsers and had its own bypasses and side channels, so enabling it gives no protection today. Set it to 0 or omit it, and rely on Content-Security-Policy instead.
- "Strict-Transport-Security" header: This header tells the browser to reach the site only over HTTPS for max-age seconds (one year is the usual minimum; includeSubDomains extends it to subdomains). If it is missing, or max-age is very short, a user's first plain-HTTP request can be intercepted and downgraded by a man-in-the-middle.
- "Cross-Origin Resource Sharing (CORS)" headers: Access-Control-Allow-Origin and its companions relax the browser's same-origin policy. They tell the browser which foreign origins may read responses, with which methods and headers, and whether cookies or other credentials may be sent. They are not a defence against cross-site request forgery (CSRF); the same-origin policy never stopped a cross-site request from being sent, only from being read. The insecure patterns are a wildcard (*) or a reflected Origin value, especially combined with Access-Control-Allow-Credentials: true, which lets any website read responses meant for the logged-in user.
What is the impact of insecure HTTP security headers?
Some of the potential consequences of using insecure HTTP security headers are:
- Increased risk of cross-site scripting (XSS) attacks: If the "Content-Security-Policy" header is missing or too permissive, or the deprecated "X-XSS-Protection" header is relied on in its place, an injected script runs with the page's full privileges. This lets attackers steal sensitive information, such as session cookies, login credentials or personal data, and act on the user's behalf.
- Increased risk of clickjacking attacks: If the "X-Frame-Options" header is not set or is set incorrectly, a website can be vulnerable to clickjacking attacks. This can allow attackers to trick users into performing actions that they did not intend to perform, such as clicking on a button that executes a malicious action.
- Increased risk of cross-origin data theft: If the "Access-Control-Allow-Origin" header is set to * or reflects whatever origin the request carries, especially together with "Access-Control-Allow-Credentials: true", a page on an attacker's site can read authenticated API responses for any visitor who is logged in. Note that CSRF itself is not prevented by CORS headers; it needs anti-CSRF tokens or SameSite cookies.
- Increased risk of data breaches: The misconfigurations above compound each other. A missing "Strict-Transport-Security" header lets an on-path attacker downgrade a connection and read or modify traffic, a weak CSP lets injected script exfiltrate data, and an open CORS policy lets another site read it directly. Any of them can expose login credentials or personal data for misuse.
How to prevent insecure HTTP security headers?
Some of the best practices to prevent insecure HTTP security headers are:
- Set the appropriate values for HTTP security headers: Each HTTP security header has a set of valid values that can be used to configure it. Ensure that the appropriate values are set for each header to provide the desired level of protection against attacks.
- Regularly review and update HTTP security header settings: Regularly review and update HTTP security header settings to ensure that they are up-to-date with the latest best practices and security recommendations.
- Use tools to validate HTTP security header settings: Use tools, such as the Mozilla Observatory, to validate the configuration of HTTP security headers and ensure that they are set correctly. These tools also recommend improvements. Check every environment (staging as well as production) and every hostname that serves the application, since headers are often set per virtual host.
- Use a content delivery network (CDN) with built-in security features: Some CDNs offer built-in security features, such as the automatic configuration of HTTP security headers. Consider using a CDN with these features to simplify configuration and management, but keep the origin server configured as well: requests that bypass the CDN do not get the injected headers, and a header set in both places must not end up duplicated with conflicting values.
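The following is an added example, not code from the original page or from GuardRails. It implements the "validate the settings" step offline: a small Python audit that reads a response's headers and flags the misconfigurations described on this page (missing clickjacking protection, a CSP that permits inline script, a deprecated X-XSS-Protection value, a short or missing HSTS max-age, and an open CORS policy). The two sample header sets are constructed for illustration, and the thresholds follow commonly published guidance rather than any particular scanner's rules.

```python
"""Audit a response's HTTP security headers for common misconfigurations.

Added example; the WEAK and HARDENED dicts are constructed samples, not
captured from any real site. Checks follow widely published guidance
(OWASP / MDN), not a specific scanner's rule set.
"""

import re

ONE_YEAR = 31536000  # seconds; the usual minimum recommended HSTS max-age


def normalize(headers):
    """Lower-case header names and strip values so lookups are case-insensitive."""
    return {name.lower(): value.strip() for name, value in headers.items()}


def parse_csp(csp):
    """Map each CSP directive name to its list of source expressions."""
    directives = {}
    for chunk in csp.split(";"):
        tokens = chunk.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_security_headers(headers):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    h = normalize(headers)
    findings = []

    # Clickjacking: need X-Frame-Options or a CSP frame-ancestors directive.
    xfo = h.get("x-frame-options", "").upper()
    csp = h.get("content-security-policy", "")
    if "frame-ancestors" not in csp:
        if not xfo:
            findings.append("clickjacking: no X-Frame-Options and no CSP frame-ancestors")
        elif xfo not in ("DENY", "SAMEORIGIN"):
            findings.append(f"clickjacking: unsupported X-Frame-Options value {xfo!r}")

    # XSS: CSP must exist and must not allow inline or arbitrary script sources.
    if not csp:
        findings.append("xss: Content-Security-Policy missing")
    else:
        directives = parse_csp(csp)
        script_src = directives.get("script-src") or directives.get("default-src") or []
        if not script_src:
            findings.append("xss: CSP has neither script-src nor default-src")
        elif "'unsafe-inline'" in script_src and not any(
            s.startswith(("'nonce-", "'sha")) for s in script_src
        ):
            findings.append("xss: CSP script-src allows 'unsafe-inline' without nonce/hash")
        if "*" in script_src:
            findings.append("xss: CSP script-src allows any origin (*)")

    # X-XSS-Protection is deprecated; any value other than "0" re-enables a
    # filter that current browsers no longer ship.
    xxp = h.get("x-xss-protection")
    if xxp is not None and xxp != "0":
        findings.append(f"xss: deprecated X-XSS-Protection enabled ({xxp!r}); set 0 or drop it")

    # Transport: HSTS must be present with a max-age of at least a year.
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if not m:
        findings.append("transport: Strict-Transport-Security missing or without max-age")
    elif int(m.group(1)) < ONE_YEAR:
        findings.append(f"transport: HSTS max-age {m.group(1)} is shorter than one year")

    # CORS: wildcard origin with credentials, or the exploitable "null" origin.
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao == "*" and creds:
        findings.append("cors: Access-Control-Allow-Origin * combined with credentials")
    if acao == "null":
        findings.append("cors: Access-Control-Allow-Origin null is reachable from sandboxed iframes")
    return findings


# Constructed sample responses (not captured from any real site).
WEAK = {
    "Content-Type": "text/html",
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=300",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
}
HARDENED = {
    "Content-Type": "text/html",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-XSS-Protection": "0",
    "Access-Control-Allow-Origin": "https://app.example",
    "Vary": "Origin",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_security_headers(hdrs) or ["ok"])
```

Feed it the headers of a real response (for example the dict a test client or HTTP library returns) and wire it into a CI check so that a regression in any environment fails the build rather than waiting for the next manual scan.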
Option A: Secure the Cross-Origin Resource Sharing (CORS) policy
Go through the issues that GuardRails identified in the PR/MR
Remove the code that has this pattern (a wildcard lets any website read the response):
response.addHeader("Access-Control-Allow-Origin", "*");
Add your domain to the header. Use a single, exact origin (scheme and host, no path or trailing slash). Prefer response.setHeader over addHeader if the header may already have been set elsewhere, since a response carrying two Access-Control-Allow-Origin values is rejected by the browser. If more than one origin must be allowed, compare the request's Origin header against an allowlist, echo the matching value back, and send Vary: Origin so caches do not serve one origin's response to another.
// Replace <your trusted domain> with your actual domain:
// eg. https://guardrails.io
response.addHeader("Access-Control-Allow-Origin", "<your trusted domain>");
Test it
Ship it 🚢 and relax 🌴
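As an added example (not part of the original page, and not GuardRails' own code), here is the allowlist variant of the fix above written in Python, so it runs stand-alone: the incoming Origin is canonicalised, compared exactly against a configured set of origins, and echoed back only on a match, with Vary: Origin always set and credentials granted only to allowlisted origins. It also shows the look-alike prefix check that must not be used. ALLOWED_ORIGINS and ALLOWED_METHODS are assumed configuration values; https://guardrails.io is the domain the page itself uses as its illustration, and the attacker hostnames are constructed.

```python
"""Grant cross-origin read access only to an exact-match allowlist of origins.

Added example in Python (the page's own fix is a Java servlet snippet).
ALLOWED_ORIGINS and ALLOWED_METHODS are assumed configuration values; no
network access takes place.
"""

from urllib.parse import urlsplit

# Assumed configuration: every origin that may read our responses, written
# exactly as the browser sends it in the Origin header (scheme://host[:port]).
ALLOWED_ORIGINS = frozenset({"https://guardrails.io", "https://app.guardrails.io"})
ALLOWED_METHODS = ("GET", "POST")


def canonical_origin(value):
    """Return scheme://host[:port] in lower case, or None for anything that is
    not a usable origin. "null" is what sandboxed iframes and file: pages send,
    so it must never match an allowlist entry."""
    if not value or value == "null":
        return None
    parts = urlsplit(value)
    if parts.scheme not in ("https", "http") or not parts.netloc:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    return f"{parts.scheme}://{parts.netloc.lower()}"


def cors_headers(request_origin, allow_credentials=False, preflight=False,
                 allowed=ALLOWED_ORIGINS):
    """Headers to add to the response for a request carrying `request_origin`.

    An unknown origin gets only Vary: Origin, so the browser withholds the
    response body from the calling page. A matched origin is echoed back
    verbatim; "*" is never emitted, and credentials are only allowed for an
    allowlisted origin.
    """
    headers = {"Vary": "Origin"}  # the response depends on Origin; tell caches so
    origin = canonical_origin(request_origin)
    if origin is None or origin not in allowed:
        return headers
    headers["Access-Control-Allow-Origin"] = origin
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    if preflight:  # OPTIONS request carrying Access-Control-Request-Method
        headers["Access-Control-Allow-Methods"] = ", ".join(ALLOWED_METHODS)
        headers["Access-Control-Max-Age"] = "600"
    return headers


def prefix_check_is_unsafe(request_origin, trusted="https://guardrails.io"):
    """The look-alike check that must NOT be used: a prefix (or suffix, or
    unanchored regex) match on the Origin string accepts attacker-controlled
    hosts such as https://guardrails.io.attacker.example."""
    return request_origin.startswith(trusted)


if __name__ == "__main__":
    for origin in ("https://guardrails.io", "https://guardrails.io.attacker.example",
                   "http://guardrails.io", "null"):
        print(origin, "->", cors_headers(origin, allow_credentials=True))
```

The exact-match set is the whole point: the scheme is part of the origin (http://guardrails.io is not https://guardrails.io), and any string comparison looser than equality turns the allowlist into a reflect-any-origin policy.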