
Headers

1. Content-Security-Policy Header

WHAT IS IT?
  • Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks.
  • If the site does not send a CSP header, browsers fall back to the standard same-origin policy.
How does it secure the web from vulns?
  • A CSP-compatible browser will only execute scripts loaded from source files received from the allowed domains, ignoring all other scripts (including inline scripts and event-handling HTML attributes).

https://content-security-policy.com/

  • The default-src directive defines the default policy for fetching resources.
  • script-src defines valid sources of JavaScript.
  • style-src defines valid sources of stylesheets or CSS.
  • img-src defines valid sources of images.
  • object-src defines valid sources of plugins, such as <object>, <embed> and <applet>.
  • media-src defines valid sources of audio and video, such as <audio> and <video>.
  • frame-ancestors defines valid parents that may embed the resource using <frame>, <iframe>, <object>, <embed> or <applet>.
  • upgrade-insecure-requests instructs the browser to automatically convert http URLs to https.
How to implement a fix?
  • Send the HTTP response header from the server, or use a <meta> tag in the HTML.

2. HSTS Header

WHAT IS IT?
  • The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) informs browsers that the site should only be accessed using HTTPS, and that any future attempts to access it using HTTP should automatically be converted to HTTPS.
How does it secure the web from vulns?
  • See the WHAT IS IT section above.
How to implement a fix?
  • Implement the HTTP response header.

3. X-Content-Type-Options

WHAT IS IT?
  • The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised in the Content-Type headers should be followed and not be changed.
How does it secure the web from vulns?
  • The header allows you to avoid MIME type sniffing by stating that the MIME types are deliberately configured.
How to implement a fix?
  • Implement the HTTP response header.

4. X-Frame-Options (Deprecated)

WHAT IS IT?
  • The X-Frame-Options HTTP response header can be used to indicate whether a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>.
How does it secure the web from vulns?
  • It prevents the browser from rendering the page inside certain tags (iframe, frame, etc.).
How to implement a fix?
  • Implement the HTTP response header.
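As an added example (not part of the original notes), a small Python audit of a response-header dict against the four headers above: it parses the CSP into directives, applies the default-src fallback, and checks HSTS, nosniff and framing. The WEAK and HARDENED header sets are constructed samples, and the one-year HSTS max-age floor is an assumption rather than something the notes state.

```python
import re

def parse_csp(policy):
    """Parse 'default-src 'self'; script-src 'self' cdn.example' into {directive: [sources]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:  # keyword sources like 'self' keep their quotes; everything is lower-cased
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives

def effective_sources(csp, directive):
    """Fetch directives such as script-src fall back to default-src when not set explicitly."""
    return csp.get(directive, csp.get("default-src"))

def audit_headers(headers):
    """Return findings for the four headers above; header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    csp = parse_csp(h["content-security-policy"]) if "content-security-policy" in h else None
    if csp is None:
        findings.append("CSP: header missing")
    else:
        for directive in ("script-src", "object-src"):
            sources = effective_sources(csp, directive)
            if sources is None:
                findings.append(f"CSP: {directive} unrestricted (no default-src fallback)")
            elif "'unsafe-inline'" in sources or "*" in sources:
                findings.append(f"CSP: {directive} allows inline or any-origin sources")
    if "strict-transport-security" not in h:
        findings.append("HSTS: header missing")
    else:
        m = re.search(r"max-age=(\d+)", h["strict-transport-security"], re.I)
        if not m or int(m.group(1)) < 31536000:  # one-year floor is an assumption
            findings.append("HSTS: max-age below one year")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff not set")
    if "x-frame-options" not in h and not (csp and "frame-ancestors" in csp):
        findings.append("Framing: neither X-Frame-Options nor CSP frame-ancestors set")
    return findings

# Constructed sample responses: a weak configuration and a hardened one.
WEAK = {"Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-inline'",
        "Strict-Transport-Security": "max-age=3600"}
HARDENED = {"Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example; "
                                       "object-src 'none'; frame-ancestors 'none'; upgrade-insecure-requests",
            "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
            "X-Content-Type-Options": "nosniff",
            "X-Frame-Options": "DENY"}
```

Calling `audit_headers(WEAK)` reports five findings, while `audit_headers(HARDENED)` returns an empty list.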

Policies

WHAT IS IT?
  • The same-origin policy is a critical security mechanism that restricts how a document or script loaded by one origin can interact with a resource from another origin. It helps isolate potentially malicious documents, reducing possible attack vectors.

  • Two URLs have the same origin if the protocol, port (if specified), and host are the same for both.

Given a page at http://normal-website.com/example/example.html, the same-origin policy permits or denies access as follows:

| URL accessed                             | Access permitted?                  |
|------------------------------------------|------------------------------------|
| http://normal-website.com/example/       | Yes: same scheme, domain, and port |
| http://normal-website.com/example2/      | Yes: same scheme, domain, and port |
| https://normal-website.com/example/      | No: different scheme and port      |
| http://en.normal-website.com/example/    | No: different domain               |
| http://www.normal-website.com/example/   | No: different domain               |
| http://normal-website.com:8080/example/  | No: different port                 |
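An added Python check (not from the original notes) that reproduces the table above: it reduces each URL to its (scheme, host, port) origin, fills in the scheme's default port so an omitted port still compares correctly, and ignores the path. The URLs are the table's own.

```python
from urllib.parse import urlsplit

# Default ports filled in so http://host and http://host:80 compare equal.
DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Return the (scheme, host, port) triple that defines a URL's origin; the path is ignored."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port

def same_origin(url_a, url_b):
    """True when both URLs share scheme, host and (effective) port."""
    return origin(url_a) == origin(url_b)

def explain(page_url, requested_url):
    """Give the table's verdict: 'Yes: ...' or 'No: different <parts that differ>'."""
    a, b = origin(page_url), origin(requested_url)
    labels = ("scheme", "domain", "port")
    diffs = [name for name, x, y in zip(labels, a, b) if x != y]
    if not diffs:
        return "Yes: same scheme, domain, and port"
    return "No: different " + " and ".join(diffs)

PAGE = "http://normal-website.com/example/example.html"
CASES = [
    "http://normal-website.com/example/",
    "http://normal-website.com/example2/",
    "https://normal-website.com/example/",
    "http://en.normal-website.com/example/",
    "http://www.normal-website.com/example/",
    "http://normal-website.com:8080/example/",
]

if __name__ == "__main__":
    for url in CASES:
        print(f"{url:45} {explain(PAGE, url)}")
```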

Why is the same origin policy implemented?

  • When a browser sends an HTTP request from one origin to another, any cookies, including authentication session cookies, relevant to the other domain are also sent as part of the request.
  • Without the same-origin policy, if you visited a malicious website, it would be able to read your emails from Gmail, private messages from Facebook, etc.

Where is it implemented?

  • It is implemented on the browser level to guarantee no unauthorized cross-origin communication that could lead to a malicious script on one website obtaining access to sensitive data on another. Or, to put it differently, it prevents the reusing of authenticated user sessions across websites and read access to responses from different origins.

Relaxing same origin policy

  • Due to legacy requirements, the same-origin policy is more relaxed when dealing with cookies, so they are often accessible from all subdomains of a site even though each subdomain is technically a different origin.

Cookies

WHAT IS IT?

  • An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to a user's web browser.
Which flags are specific to security?
  • Certain cookie flags, namely Secure, HttpOnly and SameSite. A cookie with the HttpOnly attribute is inaccessible to the JavaScript Document.cookie API; it is only sent to the server.
  • Use the HttpOnly attribute to prevent access to cookie values via JavaScript.
  • A cookie with the Secure attribute is only sent to the server with an encrypted request over the HTTPS protocol. It is never sent with unsecured HTTP (except on localhost).
  • The SameSite attribute lets servers specify whether and when cookies are sent with cross-site requests. It helps to mitigate CSRF.
  • Strict = If a cookie is set with the SameSite=Strict attribute, browsers will not send it in any cross-site request.
  • Lax = Lax SameSite restrictions mean that browsers will send the cookie in cross-site requests if the request is a GET and resulted from a top-level navigation by the user, such as clicking on a link.
  • None = Disables the restrictions; as a result, browsers will send this cookie in all requests to the site that issued it, even those triggered by completely unrelated third-party sites.
How to implement a fix?
  • It can be done at the development level, by setting the flags on cookies.
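As an added example (not part of the original notes), a Python audit of a Set-Cookie header for the three flags above. It parses the attributes, reports what is missing, and also catches the SameSite=None-without-Secure combination, which current browsers reject. The sample cookie headers are constructed; the `session_cookie` switch is an assumption about the cookie's role, since HttpOnly only applies to cookies that scripts never need to read.

```python
def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, attributes).
    Attribute names are lower-cased; flag attributes such as Secure map to None."""
    pieces = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = pieces[0].partition("=")
    attrs = {}
    for piece in pieces[1:]:
        key, _, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip() or None
    return name.strip(), value.strip(), attrs


def audit_cookie(header, session_cookie=True):
    """Return (cookie name, list of findings) for the Secure, HttpOnly and SameSite flags.
    session_cookie=True (an assumption about this cookie) applies the HttpOnly expectation."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie may be sent over plain HTTP")
    if session_cookie and "httponly" not in attrs:
        findings.append("missing HttpOnly: readable via document.cookie")
    samesite = (attrs.get("samesite") or "").lower()
    if samesite not in ("strict", "lax", "none"):
        findings.append("SameSite not set: browser default applies")
    elif samesite == "none":
        findings.append("SameSite=None: sent on all cross-site requests")
        if "secure" not in attrs:
            findings.append("SameSite=None without Secure: modern browsers reject the cookie")
    return name, findings


# Constructed sample headers: a weak session cookie and its hardened form.
WEAK_COOKIE = "sessionid=abc123; Path=/"
HARDENED_COOKIE = "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"

if __name__ == "__main__":
    for header in (WEAK_COOKIE, HARDENED_COOKIE):
        name, findings = audit_cookie(header)
        print(name, findings or ["no findings"])
```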