Security headers are a crucial factor in your online credibility

Security Headers

The security of HTTP headers, and the online credibility that depends on it, is something web system owners and developers rarely take into consideration, and that is a serious mistake. The image below, from an online tool that scores sites on this subject, shows that over 80% of the sites surveyed received a low score:

Indicator of vulnerabilities from missing HTTP headers
Site Security Headers

When you open any website on your mobile device or computer, a considerable amount of information is transmitted over the internet. When you "log in" to a system, the information transmitted is more sensitive: user names, locations, email addresses, passwords, session tokens and encryption keys all travel over the network. The owners of these systems, as well as the developers, must be very careful to avoid leaking this information through the HTTP protocol. The recommendation is clear: the application should keep the amount of such information it exposes to a minimum. History shows that mistakes on this point usually cause major privacy problems and generate highly negative publicity for the company and the developers, putting their online credibility on the line.

A server is in a position to save personal data about a user’s requests that may identify their reading patterns or subjects of interest. This information is clearly of a confidential nature and its handling may be restricted by law in some countries. Systems that use the HTTP protocol to receive data are responsible for ensuring that such material is not distributed without the permission of any individuals who are identifiable by the results published.

Therefore, the concern about security of headers for those who maintain a system on the Internet should focus not only on the creation and publication of their system, but also on information security issues and privacy policies.

Just to illustrate, it is estimated that 90% of websites in existence today have one or more vulnerabilities, according to research by ptsecurity and Comparitech.

This exposes the data of millions of people, and millions in monetary value, to attack. But what leads a website to have vulnerabilities? There are a few factors. From the initial phase of the project, through the choice of hosting service and the integration of analytics tools and tracking pixels, everything needs to be well designed, with performance (see our separate article on performance), usability and information security in mind.

Security of Headers

While a web application and a browser communicate, messages travel over the Internet: the browser's HTTP requests and the server's HTTP responses. Each message begins with a set of header fields (the HTTP headers), followed by the body. These fields define how the web communication will happen, and the ones discussed here let the server tell the browser which protections to apply to the content it receives.

Obviously, the implementation of HTTP headers alone does not make an application secure. However, when implemented correctly, they considerably improve the protection of applications against some types of attacks.

Despite being a very simple configuration to make, it is still very common to find large applications that do not send these headers at all, or that send them configured incorrectly. It is worth remembering that the headers are just as relevant under HTTP/2 and HTTP/3: the wire format changed (header fields are compressed and names are sent in lower case), but the fields and their meaning are the same.

We recommend that these headers are configured by the web server, for example in Apache, Nginx, Microsoft IIS or equivalent web server configurations.

Increase your online credibility

Headers are fields the server includes in its HTTP responses. Below we list the ones we can (and should) configure in our environment.

X-XSS-Protection header

This header was introduced to tell browsers to enable their built-in filters against reflected Cross Site Scripting (XSS): Internet Explorer's XSS Filter and Chrome's XSS Auditor. Those filters have since been removed (Microsoft dropped the filter from Edge in 2018 and Chromium removed the XSS Auditor in 2019; Firefox never implemented one), so in current browsers the header does nothing. In older browsers the filter could itself be abused to disable legitimate scripts or leak information, so the recommended setting today is X-XSS-Protection: 0, or omitting the header entirely, and relying on a Content Security Policy (described below) for XSS protection.

X-Content-Type-Options header

With its only defined value, nosniff, this header tells the browser to trust the Content-Type declared by the server instead of "sniffing" the content to guess its type. Without it, a file uploaded as plain text that contains JavaScript can be picked up by a <script> tag and executed even though it was served as text/plain; with nosniff, the browser refuses to execute scripts (and apply stylesheets) whose declared type does not match. The header only helps if the server sends correct Content-Type values in the first place, which matters most for user-uploaded files.

Strict-Transport-Security HTTP header

This header (HSTS) tells the browser that, for the period given by its max-age directive, it must only contact this host over HTTPS: any http:// link or typed address is rewritten to https:// before the request is sent, and certificate errors can no longer be clicked through. This defeats SSL-stripping Man in the Middle attacks, where an attacker on the network keeps the victim on unencrypted HTTP, but only once the browser has seen the header over a valid HTTPS connection; the very first visit is protected only if the site is on the browsers' HSTS preload list, which requires the includeSubDomains and preload directives and a max-age of at least one year. The header does not by itself remove mixed content loaded from third-party hosts, and because it applies to the whole host (and to every subdomain when includeSubDomains is set), it must only be deployed once 100% of the application, and every subdomain covered, is served over SSL/TLS.

X-Frame-Options header

This header tells the browser whether the page may be rendered inside a frame, iframe, embed or object on another page. DENY forbids framing entirely, and SAMEORIGIN allows it only from pages of the same origin (the older ALLOW-FROM value is obsolete and ignored by current browsers). A page that cannot be framed by an attacker's site cannot be used for clickjacking, where an invisible frame is laid over a decoy page so the victim clicks buttons they cannot see. The Content Security Policy frame-ancestors directive, described below, supersedes this header and should be sent alongside it for older browsers.

Content Security Policy (CSP) header

This header lets the server declare from which sources the browser may load scripts, styles, images, frames and other content, and whether inline scripts are allowed at all. A policy such as script-src 'self' means an injected <script> tag or inline event handler will not run even if an XSS flaw lets an attacker put it in the page, which makes CSP the main defence in depth against content injection attacks such as Cross Site Scripting (XSS) [2]. The header has many directives that should be studied individually, and a new policy should first be deployed as Content-Security-Policy-Report-Only so that violations are reported without breaking the application.
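As an added example (not code from the original page or from its authors), the following Python script checks a set of response headers against the recommendations given above for X-XSS-Protection, X-Content-Type-Options, Strict-Transport-Security, X-Frame-Options and Content Security Policy. The two header sets at the top are constructed samples, not captured from any real site: one the way a misconfigured site typically answers, the other a hardened set that passes every check. The thresholds (one-year HSTS max-age, the preload-list requirements, DENY/SAMEORIGIN for X-Frame-Options) are the ones stated in the text; the finding messages are this script's own wording.

```python
"""Audit HTTP response headers against the security-header recommendations above."""

ONE_YEAR = 31536000  # minimum HSTS max-age accepted by the preload list

# Constructed sample: the header set a misconfigured site typically returns.
WEAK_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=86400",
    "X-Frame-Options": "ALLOW-FROM https://example.com",
    "Content-Security-Policy": "default-src *; script-src * 'unsafe-inline'",
}

# Constructed sample: a hardened header set that passes every check below.
STRONG_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; "
                               "object-src 'none'; frame-ancestors 'none'",
    "X-XSS-Protection": "0",
}


def parse_directives(value):
    """Split 'name=value; flag' style header values into {name: value-or-None}."""
    out = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            out[name.strip().lower()] = val.strip() or None
    return out


def parse_csp(value):
    """CSP directives are ';'-separated; each is 'name source source ...'."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def audit(headers):
    """Return a list of (header, finding) tuples; an empty list means no issues found."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []

    # X-Content-Type-Options: 'nosniff' is the only defined value.
    xcto = h.get("x-content-type-options")
    if xcto is None:
        findings.append(("X-Content-Type-Options", "missing; browsers may MIME-sniff responses"))
    elif xcto.strip().lower() != "nosniff":
        findings.append(("X-Content-Type-Options", f"unexpected value {xcto!r}; only 'nosniff' is defined"))

    # HSTS: one-year max-age, includeSubDomains, and preload only when its requirements are met.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("Strict-Transport-Security", "missing; HTTP-to-HTTPS downgrade is not blocked"))
    else:
        d = parse_directives(hsts)
        try:
            max_age = int(d.get("max-age") or -1)
        except ValueError:
            max_age = -1
        if max_age < 0:
            findings.append(("Strict-Transport-Security", "max-age missing or not a number"))
        elif max_age < ONE_YEAR:
            findings.append(("Strict-Transport-Security", f"max-age={max_age} is below one year"))
        if "includesubdomains" not in d:
            findings.append(("Strict-Transport-Security", "includeSubDomains not set; subdomains stay downgradable"))
        if "preload" in d and ("includesubdomains" not in d or max_age < ONE_YEAR):
            findings.append(("Strict-Transport-Security", "preload set but preload-list requirements not met"))

    # X-Frame-Options: DENY or SAMEORIGIN; ALLOW-FROM is obsolete. CSP frame-ancestors may replace it.
    csp = parse_csp(h["content-security-policy"]) if "content-security-policy" in h else None
    xfo = h.get("x-frame-options")
    if xfo is None:
        if csp is None or "frame-ancestors" not in csp:
            findings.append(("X-Frame-Options", "missing and no CSP frame-ancestors; page can be framed (clickjacking)"))
    elif xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(("X-Frame-Options", f"value {xfo!r} is not DENY/SAMEORIGIN; use CSP frame-ancestors for allow-lists"))

    # CSP: presence, wildcard or 'unsafe-inline' script sources, and plugin restriction.
    if csp is None:
        findings.append(("Content-Security-Policy", "missing; no restriction on where scripts may load from"))
    else:
        script_src = csp.get("script-src", csp.get("default-src", []))
        if "*" in script_src:
            findings.append(("Content-Security-Policy", "script sources allow '*'"))
        if "'unsafe-inline'" in script_src:
            findings.append(("Content-Security-Policy", "script sources allow 'unsafe-inline'; inline XSS is not blocked"))
        if "object-src" not in csp and "default-src" not in csp:
            findings.append(("Content-Security-Policy", "neither object-src nor default-src set; plugins unrestricted"))

    # X-XSS-Protection: the browser filters are gone; '0' or absent is the safe setting.
    xxp = h.get("x-xss-protection")
    if xxp is not None and xxp.strip() != "0":
        findings.append(("X-XSS-Protection", f"value {xxp!r}: the XSS filter was removed from browsers; set 0 or drop it and rely on CSP"))

    return findings


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("strong", STRONG_HEADERS)):
        print(f"{label}: {len(audit(hdrs))} finding(s)")
        for name, msg in audit(hdrs):
            print(f"  {name}: {msg}")
```

To audit a live site, replace the constructed dictionaries with the headers from a real response (for example `requests.get(url).headers`, which is already a case-insensitive mapping); the checks themselves do not depend on where the headers came from. Note that the audit only inspects the values it is given, so it cannot tell whether the declared Content-Type values are actually correct or whether every subdomain covered by includeSubDomains really serves HTTPS, both of which must be verified separately before deploying the strong set.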

There are many materials on the internet about this subject. Below are some links to study:

  • HTTP header
  • Cross-site scripting
  • Transport Layer Security (TLS)
  • Man-in-the-middle attack
  • HTTP Strict Transport Security (HSTS) preload list
  • Clickjacking
  • Content-Security-Policy

Our team masters the latest techniques and tools not only to optimize your website's performance and help your business grow and be seen, but also to take care of your website's header security.

Some of our customers

Clube Naval de Lisboa
Lar de Idosos, Centro de Dia e Apoio Domiciliário - Misericórdia Alverca
Jardim Gomes
Cliente KanTalks
Filipa Fidalgo - Poesia e Filosofia
Clínica Bona Vitta
Contabilidade TC
Falcão & Reis - Advogados
TalentShip
MD Pintura e Reforma
ComunicaRH
Wiabiliza