[et_pb_section fb_built=”1″ _builder_version=”4.17.3″ _module_preset=”default” custom_padding=”0px||||false|false” global_colors_info=”{}”][et_pb_row _builder_version=”4.17.3″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.17.3″ _module_preset=”default” global_colors_info=”{}”][et_pb_image src=”https:\/\/www.dsecbypass.com\/wp-content\/uploads\/2022\/06\/entete_http-300×195.png” alt=”HTTP headers” title_text=”entete_http” _builder_version=”4.17.4″ _module_preset=”default” width=”50%” module_alignment=”center” global_colors_info=”{}”][\/et_pb_image][et_pb_text _builder_version=”4.17.4″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n
HTTP headers are sent to browsers by web servers in their responses to users’ HTTP requests. They are not directly visible in the browser but they are essential: they define cookies, govern the interpretation of content and cache settings, but also the security of the browser.<\/p>\n
Certain HTTP headers are to be included in order to follow good security practices: they make it possible to reinforce the security of the web browsers of the users of your websites. Moreover, in the event of absence, the security auditors and vulnerability scanners will almost systematically raise it as a weakness.<\/p>\n
HTTP headers can be viewed in the browser inspector (F12), network <\/em>tab, or with the following Linux curl<\/em> command:<\/p>\n curl -I https:\/\/www.dsecbypass.com\/<\/p>\n<\/blockquote>\n <\/p>\n [\/et_pb_text][et_pb_text module_id=”wpscan” _builder_version=”4.24.3″ _module_preset=”default” hover_enabled=”0″ global_colors_info=”{}” sticky_enabled=”0″]<\/p>\n Here is the list of security HTTP headers along with their description as documented by Mozilla<\/a>.<\/p>\n The X-Content-Type-Options header:<\/strong><\/p>\n The “X-Content-Type-Options<\/em>” response HTTP header is a marker used by the server to indicate that MIME types advertised in Content-Type<\/em> headers should be tracked and not changed.<\/span><\/p>\n The X-XSS-Protection header:<\/strong><\/p>\n The “X-XSS-Protection<\/em>” HTTP response header is a feature of Internet Explorer, Chrome, and Safari that prevents pages from loading when they detect Cross-Site Scripting (XSS) attacks. These protections are largely useless in modern browsers when sites implement a strong content security policy (CSP) that disables the use of inline (“unsafe-inline”) JavaScript. <\/span>Valid parameters for this header are:<\/p>\n Note:<\/span> even though this feature can protect users of older web browsers that don’t yet support CSP, in some cases, XSS protection can create XSS vulnerabilities in otherwise safe websites. Set it to 0 or remove it.<\/p>\n The X-Frame-Options header:<\/strong><\/p>\n The HTTP response header “X-Frame-Options”<\/em> can be used to indicate whether or not a browser should be allowed to render a page into an HTML <frame>, <iframe>, <embed> or <object>. Sites can use it to prevent clickjacking<\/em>attacks, by ensuring that their content is not embedded in other sites. <\/span>Valid values \u200b\u200bfor this header are:<\/p>\n Be careful, this header can block features of your site if misconfigured.<\/p>\n The HTTP Strict Transport Security (HSTS) header:<\/strong><\/p>\n The “Strict-Transport-Security<\/em>” HTTP response header (often abbreviated as HSTS) informs browsers that the site should only be accessed using HTTPS and that any future attempts to access it using HTTP should be automatically converted to HTTPS. When implemented well, it makes Man-in-The-Middle attacks more difficult to perform. The parameters of this header are: Please note, this header must be configured if the HTTPS<\/a> version of the website is accessible. The Content-Security-Policy (CSP) header:<\/strong> The “Content-Security-Policy<\/em>” HTTP response header allows website administrators to control what resources the browser is allowed to load for a given page. With few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting (XSS) attacks. The “Content-Security-Policy<\/em>” header should replace in the future part of the security HTTP headers mentioned above since it allows a very granular control of the accessible resources. <\/span><\/p>\n The values<\/a> \u200b\u200bof this header are multiple and more complex to configure: they are defined in the next chapter of this article. [\/et_pb_text][et_pb_text _builder_version=”4.23.2″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n Content-security-policy<\/em> can be used to block, for example, all scripts that are not called from a specific domain name.<\/p>\n The list of parameters and their values is available in the Mozilla documentation<\/a>.<\/p>\n By default, this header risks breaking certain functionalities of your websites: it is not uncommon to include scripts from certain CDNs or to have script blocks written directly in the HTML page (“inline<\/em>“).<\/p>\n The benefit\/effort ratio of implementing the CSP header is not high enough<\/a> in the following cases (other security measures will have more impact):<\/p>\n Complex applications with a history of XSS vulnerabilities, which use languages and frameworks without sufficient protections<\/em> against XSS. CSP is an additional security mechanism, not a substitute for secure, well-designed source code<\/em>. In such cases, spending time improving the security posture of the application (adopting more secure frameworks<\/em>, reviewing critical parts of the code) is the best approach.<\/span><\/p>\n<\/li>\n<\/ul>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n For other cases where implementing CSP is an effective security improvement, a good practice is to rewrite the web application code to make it easier to migrate to a strict CSP header: Google offers<\/a> some rules to follow to make it easier to transition.<\/p>\n If the application code is not mastered or its change is too expensive, it is possible to configure the CSP header in a more flexible but less secure way by using tools: the Firefox Laboratory<\/a> extension allows you to generate a CSP header compatible with your website. You must visit all the pages of your website to ensure that no resource is forgotten.<\/p>\n Once configured, it is possible to test the security of the content-security-polic<\/em>y HTTP header using Google’s online evaluator:https:\/\/csp-evaluator.withgoogle.com\/<\/a>. If the header has been built according to the content of the website, it is very likely that the security is not optimal: to improve security, the web applications must be adapted.<\/p>\n Finally, the report-to<\/em>\/report-uri<\/em> parameters can be configured in such a way as to detect breaches of the security policy dictated by the CSP header: whether accidental, following an oversight, or voluntary when of an XSS type attack for example.<\/p>\n [\/et_pb_text][et_pb_text module_id=”virus” _builder_version=”4.24.3″ _module_preset=”default” hover_enabled=”0″ global_colors_info=”{}” sticky_enabled=”0″]<\/p>\n Note<\/span>: the configurations below add the X-Content-Type-Options, X-Xss-Protection, X-Frame-Options<\/em> and Strict-Transport-Security<\/em> headers. The Content-Security-Policy<\/em> header should be added on a case-by-case basis after considering its deployment.<\/p>\n Apache<\/strong><\/p>\n In the Apache VHOST of the website add the following HTTP headers (mod_headers<\/em> enabled):<\/p>\n Header always set X-Content-Type-Options: “nosniff”<\/p>\n Header always set X-XSS-Protection: “0”<\/p>\n Header always set X-Frame-Options: “sameorigin”<\/p>\n Header always set Strict-Transport-Security: “max-age=31536000; includeSubDomains”<\/p>\n<\/blockquote>\n <\/p>\n Nginx<\/strong><\/p>\n In the nginx VHOST of the website add the following HTTP headers:<\/p>\n add_header X-Content-Type-Options “nosniff” always;<\/p>\n add_header X-Xss-Protection “0” always;<\/p>\n add_header X-Frame-Options “SAMEORIGIN” always;<\/p>\n add_header Strict-Transport-Security “max-age=31536000; includeSubDomains” always;<\/p>\n<\/blockquote>\n IIS<\/strong><\/p>\n Add to the web.config<\/em> file under the IIS installation root directory: <\/span><\/p>\n <system.webServer><\/span><\/p>\n <httpProtocole> <\/span><\/p>\n <customHeaders> <\/span><\/p>\n <add name=”Strict-Transport-Security” value=”max-age=31536000″\/> <\/span><\/p>\n <add name=”X-Content-Type-Options” value=”nosniff”\/><\/span><\/p>\n <add name=”X-Xss-Protection” value=”0″\/><\/span><\/p>\n <add name=”X-Frame-Options” value=”SAMEORIGIN”\/><\/span><\/p>\n <\/customHeaders> <\/span><\/p>\n <\/httpProtocole> <\/span><\/p>\n <\/system.webServer> <\/span><\/p>\n<\/blockquote>\n <\/span><\/p>\n In any case, restart the web servers for the new configuration to take effect.<\/span><\/p>\n <\/p>\n [\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.17.3″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.17.3″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.23.2″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n \ud83d\udee1\ufe0f DSecBypass accompanies you on the security audits of your websites<\/a>, HTTP header configuration faults are among the problems reported. Do not hesitate to contact <\/a>us for additional information and\/or a personalized quote \ud83d\udcdd.<\/span><\/p>\n [\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.17.3″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.17.3″ _module_preset=”default” global_colors_info=”{}”][et_pb_button button_url=”https:\/\/www.dsecbypass.com\/en\/contact\/” button_text=”CONTACT US” button_alignment=”center” _builder_version=”4.17.4″ _module_preset=”default” custom_button=”on” button_text_size=”13px” button_bg_color=”#4328b7″ button_border_width=”10px” button_border_color=”#4328b7″ button_border_radius=”0px” button_letter_spacing=”2px” button_font=”Titillium Web|700||on|||||” background_layout=”dark” global_colors_info=”{}”][\/et_pb_button][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":" HTTP headers are sent to browsers by web servers in their responses to users’ HTTP requests. They are not directly visible in the browser but they are essential: they define cookies, govern the interpretation of content and cache settings, but also the security of the browser.\n
2. HTTP security headers<\/h2>\n
\n
\n
<\/span><\/p>\n\n
<\/span><\/p>\n
<\/span><\/p>\n
<\/span><\/p>\n2. Implementing the CSP header<\/h2>\n
\n
3. Webservers configuration<\/h2>\n
\n
\n
\n
\nCertain HTTP headers must be included in order to follow good security practices: they make it possible to reinforce the security of the web browsers of the users of your websites. Moreover, in the event of absence, the security auditors and vulnerability scanners will almost systematically raise it as a weakness.<\/p>\n","protected":false},"author":4,"featured_media":1929,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[34],"tags":[],"class_list":["post-1943","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-en"],"_links":{"self":[{"href":"https:\/\/www.dsecbypass.com\/en\/wp-json\/wp\/v2\/posts\/1943","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dsecbypass.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dsecbypass.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dsecbypass.com\/en\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dsecbypass.com\/en\/wp-json\/wp\/v2\/comments?post=1943"}],"version-history":[{"count":19,"href":"https:\/\/www.dsecbypass.com\/en\/wp-json\/wp\/v2\/posts\/1943\/revisions"}],"predecessor-version":[{"id":3469,"href":"https:\/\/www.dsecbypass.com\/en\/wp-json\/wp\/v2\/posts\/1943\/revisions\/3469"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.dsecbypass.com\/en\/wp-json\/wp\/v2\/media\/1929"}],"wp:attachment":[{"href":"https:\/\/www.dsecbypass.com\/en\/wp-json\/wp\/v2\/media?parent=1943"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dsecbypass.com\/en\/wp-json\/wp\/v2\/categories?post=1943"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dsecbypass.com\/en\/wp-json\/wp\/v2\/tags?post=1943"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}