These docs are for v1.1. Click to read the latest docs for v1.2.

Missing Security Headers

Severity: Medium
Test name: Headers Security Check
Summary

Browsers support many HTTP headers that can improve web application security. The HTTP security headers are exchanged between a web client (usually browser) and a server to specify the security-related details of the HTTP communication. Some HTTP headers that are indirectly related to privacy and security can also be considered as the HTTP security headers.

By enabling certain headers in your web application and server settings, you can increase your web application resistance to many common attacks. Implementing the right headers is a crucial aspect of a best-practice application setup.

List of the most important HTTP Security Headers:

  • Strict-Transport-Security: enforces usage of HTTPS instead of HTTP communication
  • X-Frame-Options: manages possibility to load the current page into any iframe
  • X-Content-Type-Options: controls the MIME Type Sniffing function in web browsers
  • Content-Security-Policy: controls permitted content sources and many other parameters
  • X-Permitted-Cross-Domain-Policies: manages cross-domain requests from Flash and PDF documents
  • Referrer-Policy: determines which information from the Referer header should be included in the requests
  • Clear-Site-Data: clears the browsing data (cookies, storage, cache) associated with the requested website. This header can be used during a logout process to ensure that the browsing data on the client side is removed.
  • Cross-Origin-Embedder-Policy: prevents a document from loading any cross-origin resources that are not permitted for the document
  • Cross-Origin-Opener-Policy: ensures that a top-level document does not share a browsing context group with cross-origin documents
  • Cross-Origin-Resource-Policy: allows defining a policy that lets websites and applications enable protection from certain requests received from other origins
Impact

This vulnerability may expose the application to the following attack vectors:

  • Cross-Site Scripting (XSS)
  • Clickjacking
  • Code injection

An attacker may:

  • Download malware or execute malicious script on the user's machine
  • Redirect to the malicious web pages
  • Gain credentials or sensitive information
Location
  • The issue can be found in the server configuration.
  • The issue can be found in the source code on the server side.
Remedy suggestions

Verify that the HTTP Response Headers are configured correctly. If necessary, apply changes to the web server configuration and the application source code.

Proposed values for the most important HTTP Security Headers:

  • Strict-Transport-Security: max-age=31536000 ; includeSubDomains
  • X-Frame-Options: deny
  • X-Content-Type-Options: nosniff
  • Content-Security-Policy: default-src 'self' data:; object-src 'none'; child-src 'self'; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content
  • X-Permitted-Cross-Domain-Policies: none
  • Referrer-Policy: no-referrer
  • Clear-Site-Data: "cache","cookies","storage".
    Note: This header can be used during a logout process to ensure that the browsing data on the client side is removed.
  • Cross-Origin-Embedder-Policy: require-corp
  • Cross-Origin-Opener-Policy: same-origin
  • Cross-Origin-Resource-Policy: same-origin

Web server syntax:

  • Apache: Header always set [HEADER_NAME] [PROPOSED_VALUE]
  • Nginx: add_header [HEADER_NAME] [PROPOSED_VALUE] always;

To find the detailed recommendations on correct configuration and all possible values of the HTTP Response Headers, see the References section below.

Classification
  • CWE-693
  • CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
References