The reason for the web crush(es), is the timely discovery of tools written by fellow security wonks like Scott Helme who created a tool that checks the HTTP Headers for security settings. Nothing earth shattering but when it comes to defense in depth, it doesn't hurt to add a couple of more layers.
Implementing the following configuration enhancement can help any web facing application to combat the likes of cross-site-scripting attacks or clickjacking based attacks.
Cross Site Tracing – TRACE echoes back to the client whatever string is sent to the server and is meant for debugging purposes. This includes cookie and Web Authentication strings, since they are just simple HTTP headers themselves. On IIS update the verb on Request Filtering to DENY for TRACE.
Strict-Transport-Security - HTTP Strict Transport Security is an excellent feature to support on your site and strengthens your implementation of TLS by getting the User Agent to enforce the use of HTTPS. Recommended value "strict-transport-security: max-age=31536000; include Subdomains".
Content-Security-Policy - Content Security Policy is an effective measure to protect your site from XSS attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets.
Public-Key-Pins - HTTP Public Key Pinning protects your site from MiTM attacks using rogue X.509 certificates. By whitelisting only the identities that the browser should trust, your users are protected in the event a certificate authority is compromised.
X-Frame-Options - The X-Frame-Options header tells the browser whether you want to allow your site to be framed or not. By preventing a browser from framing the site it can defend against attacks like clickjacking. Recommended value "x-frame-options: SAMEORIGIN".
X-XSS-Protection - The X-XSS-Protection header sets the configuration for the cross-site scripting filter built into most browsers. Recommended value "X-XSS-Protection: 1; mode=block".
X-Content-Type-Options - The X-Content-Type-Options headers stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. This helps to reduce the danger of drive-by downloads. Recommended value "X-Content-Type-Options: nosniff".
Server - This header seems to advertise the software being run on the server but you can remove or change this value.
X-Powered-By - The X-Powered-By header can usually be seen with values like "PHP/5.5.9-1ubuntu4.5" or "ASP.NET". Trying to minimize the amount of information you give out about your server is a good idea. This header should be removed or the value changed.
No comments:
Post a Comment