Improving AppSec with advanced security headers

Security headers, an essential part of any robust security posture, offer powerful protection against a wide range of attacks, from cross-site scripting (XSS) to clickjacking. While basic headers provide a solid foundation, advanced configurations and newer headers can elevate application security to meet modern threats.

We’ve already covered securing your AppSec with robust security headers in a previous edition of All Things AppSec. In this edition, we’ll explore additional header configurations, emerging headers, and best practices to strengthen your web applications.

Enhancing Content Security Policy (CSP) with granular controls

The Content Security Policy (CSP) header is one of the most powerful tools for preventing cross-site scripting (XSS) and related attacks, because it controls which sources of content the browser is allowed to load and execute on a page. Here are some advanced CSP directives to help you fine-tune security:

  • script-src-attr and style-src-attr: These directives govern inline event-handler attributes (such as onclick) and inline style attributes separately from script-src and style-src, so you can keep the element-level policy strict while tuning the attribute-level policy, further reducing the risk of XSS attacks. For example, script-src-attr 'self' ensures that only inline scripts originating from your domain are executed.

  • report-uri and report-to: CSP reporting lets you receive real-time alerts when violations occur, helping you detect and address potential issues. Use report-uri to specify the endpoint for these reports. Note that report-uri is deprecated in CSP Level 3 in favour of report-to (which relies on the Reporting API), but it remains the more widely supported of the two, so many deployments send both.

  • frame-ancestors: By controlling which domains are allowed to embed your site within frames, this directive protects against clickjacking attacks. Only authorized sites can frame your content, reducing the risk of malicious overlays.

Example Implementation:

Content-Security-Policy: default-src 'self'; script-src 'self' beaglescripts.com; style-src 'self'; report-uri /csp-report-endpoint;
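The report-uri endpoint in the policy above receives JSON violation reports from the browser. As an added example that is not part of the original article, here is a small Python parser that extracts the violated directive and blocked URI from one report and ranks it for triage; the sample report, the severity classes and the HIGH_RISK set are this example's own assumptions.

```python
import json
from dataclasses import dataclass
from urllib.parse import urlsplit

# Directives whose violations most often point at injected content rather than a
# benign policy gap. This ranking is an assumption of the example, not from the article.
HIGH_RISK = {"script-src", "script-src-elem", "script-src-attr", "object-src", "base-uri"}

@dataclass
class Violation:
    document: str
    directive: str
    blocked: str
    severity: str

def classify(directive: str, blocked: str, document: str) -> str:
    """Rank a violation: a script loaded from a foreign origin is the loudest signal."""
    if directive not in HIGH_RISK:
        return "low"
    if "://" not in blocked:
        return "medium"   # 'inline', 'eval', 'data' and similar: XSS or legacy markup
    if urlsplit(blocked).netloc == urlsplit(document).netloc:
        return "medium"   # own origin: usually a policy gap, not an injection
    return "high"         # foreign origin feeding a script directive: investigate

def parse_csp_report(body: str) -> Violation:
    """Parse one report as POSTed to report-uri (Content-Type: application/csp-report)."""
    report = json.loads(body)["csp-report"]
    # Older browsers put the whole directive (name plus values) in violated-directive.
    directive = report.get("effective-directive") or report["violated-directive"].split()[0]
    blocked = report.get("blocked-uri", "")
    document = report["document-uri"]
    return Violation(document, directive, blocked, classify(directive, blocked, document))

# Constructed sample report; the URLs are made up for this example.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://example.com/checkout",
    "violated-directive": "script-src 'self' beaglescripts.com",
    "effective-directive": "script-src",
    "blocked-uri": "https://cdn.invalid/tracker.js",
    "status-code": 200,
}})
```

Feeding the endpoint's request bodies through parse_csp_report and alerting on "high" results turns the report-uri stream into a detection signal rather than a log nobody reads.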

Strengthening HTTPS Connections with HTTP Strict Transport Security (HSTS)

The HTTP Strict Transport Security (HSTS) header instructs browsers to interact with your site only over HTTPS, protecting against man-in-the-middle (MITM) attacks and protocol downgrades. Advanced configurations of HSTS help enforce this strict security rule:

  • Preloading HSTS: Adding your domain to the HSTS preload list ensures that browsers only access your site over HTTPS, even on the first visit, before any HSTS header has been seen. This extra layer is essential for public-facing websites where security is paramount. Submission to the list requires a max-age of at least one year, includeSubDomains and the preload token, and removal takes months to propagate, so confirm that every subdomain serves HTTPS before you submit.

  • Extended max-age: Setting the max-age directive to a long duration (e.g., one year) reduces the chance that visitors will connect over insecure HTTP due to a temporary configuration change.

Example Implementation:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Restricting browser features with Permissions-Policy

The Permissions-Policy header (formerly Feature-Policy) enables you to control which browser features are available on your site. By limiting access to APIs like geolocation, camera, and microphone, you can prevent unauthorized use of sensitive resources:

  • Fine-grained control: Define policies on a per-feature basis. For example, you may allow geolocation access only from trusted subdomains.

  • Enhanced privacy: Limit access to features like fullscreen or payment APIs to prevent unexpected actions by potentially malicious scripts.

Example Implementation:

Permissions-Policy: geolocation=(), microphone=(), camera=()

Using Expect-CT for certificate transparency

Expect-CT is a security header that requires browsers to verify a domain’s certificates against Certificate Transparency (CT) logs. By using this header, you can help detect unauthorized certificates that could be used for MITM attacks:

  • Enforced validation: Enabling the enforce directive requires that only logged and validated certificates are accepted, providing stronger authentication and reducing the risk of certificate forgery.

  • Real-time reporting: Using the report-uri directive, you can track and respond to certificate issues as they arise.

Note that the header is now deprecated: Chrome removed support in version 107 and enforces CT for all publicly trusted certificates by default, so treat Expect-CT as a legacy control rather than one to introduce in new deployments.

Example Implementation:

Expect-CT: max-age=86400, enforce, report-uri="https://example.com/report"

Cross-Origin Resource Policy (CORP)

Cross-Origin Resource Policy (CORP) tells the browser not to load a resource from another origin unless the policy specifically permits it. This header is particularly useful for protecting content such as images and media files from being embedded or hot-linked by other websites. It is a browser-enforced embedding control, not an access control on the server, so it complements rather than replaces authentication.

  • Restricting content to same-origin: The same-origin value limits a resource to pages on your own origin, preventing other origins from loading it.

  • Cross-origin embedding control: You can also use cross-origin for resources you want other sites to be able to load, with same-site as the middle option for your own subdomains. CORP has only these three values, so selecting which specific origins may read a resource is done with CORS headers rather than CORP.

Example Implementation:

Cross-Origin-Resource-Policy: same-origin

Controlling data sharing with Referrer-Policy

The Referrer-Policy header lets you control what the browser sends in the HTTP Referer header, providing privacy and protecting sensitive information such as paths and query parameters in URLs. This header is critical when users navigate from a secure page to a non-secure one:

  • No referrer on secure pages: By setting no-referrer, you prevent the transmission of URL data when transitioning from HTTPS to HTTP, protecting sensitive information. Be aware that it also removes the Referer on same-origin navigation, which some analytics and CSRF checks rely on.

  • Selective referrer settings: Values like strict-origin-when-cross-origin send the full URL for same-origin requests but only the origin (scheme and host) for cross-origin requests, and nothing at all on an HTTPS-to-HTTP downgrade. This is the default in current browsers and the usual compromise between privacy and functionality.

Example Implementation:

Referrer-Policy: no-referrer

Additional headers to consider for enhanced security

Several other headers can further strengthen your application’s security:

  • X-Content-Type-Options: This header prevents browsers from MIME-sniffing, that is, attempting to determine the MIME type of a file from its content rather than the declared Content-Type. By setting it to nosniff, you reduce the risk of attacks where browsers misinterpret files as scripts or HTML.

Example Implementation:

X-Content-Type-Options: nosniff

  • X-Frame-Options: Use this header to protect your application from clickjacking by controlling whether your site may be embedded in iframes. You can set it to DENY, SAMEORIGIN, or specify trusted domains with ALLOW-FROM. Note that ALLOW-FROM is obsolete and ignored by current browsers, so an allow list of framing origins should be expressed with the CSP frame-ancestors directive, which browsers honour in preference to X-Frame-Options when both are present.

Example Implementation:

X-Frame-Options: SAMEORIGIN

Best practices for implementing and maintaining security headers

Security headers require periodic review and updates as your application grows and security standards evolve. Follow these best practices to ensure your headers remain effective:

  • Automate testing in CI/CD: Integrate header validation checks in your CI/CD pipeline to identify misconfigurations early in the development process.

  • Monitor with real-time reporting: Use report-uri endpoints where possible to monitor and log violations. These reports can help you track potential security incidents and understand where your policies may need adjustments.

  • Regular audits: Conduct periodic audits to ensure that all security headers are configured correctly. Tools like Beagle Security can provide insights into your headers and recommend improvements.

  • Stay updated on emerging headers: Security headers are continuously evolving, with new ones being developed to address emerging threats. Keep an eye on developments in this area to incorporate new headers that enhance security.
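One way to do the CI/CD header check described above, as an added example that is not part of the original article or of Beagle Security's tooling: a Python audit function that takes one response's headers (here a constructed dict built from this article's own example values) and returns a list of findings. The thresholds it applies, such as the one-year HSTS minimum, are the example's assumptions.

```python
import re

def _directives(csp: str) -> dict:
    """Split a CSP string into {directive-name: [values]}."""
    parts = [p.split() for p in csp.split(";")]
    return {p[0].lower(): p[1:] for p in parts if p}

def audit_headers(headers: dict) -> list:
    """Return findings for one response's headers; names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if not m:
        findings.append("HSTS missing or lacks max-age")
    else:
        if int(m.group(1)) < 31536000:  # one year, the preload-list minimum
            findings.append("HSTS max-age below one year")
        if "preload" in hsts and "includesubdomains" not in hsts.lower():
            findings.append("HSTS preload requested without includeSubDomains")
    csp = _directives(h.get("content-security-policy", ""))
    if not csp:
        findings.append("CSP missing")
    else:
        if "'unsafe-inline'" in csp.get("script-src", csp.get("default-src", [])):
            findings.append("CSP allows 'unsafe-inline' scripts")
        if "report-uri" not in csp and "report-to" not in csp:
            findings.append("CSP has no reporting directive")
    xfo = h.get("x-frame-options", "").upper()
    if "frame-ancestors" not in csp and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("no clickjacking protection (frame-ancestors or X-Frame-Options)")
    if xfo.startswith("ALLOW-FROM"):
        findings.append("X-Frame-Options ALLOW-FROM is obsolete; use frame-ancestors")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    findings += [f"{n} missing" for n in ("referrer-policy", "permissions-policy") if n not in h]
    return findings

# Constructed samples: GOOD combines this article's own example headers, BAD is weak on purpose.
GOOD = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' beaglescripts.com; style-src 'self'; report-uri /csp-report-endpoint;",
    "Permissions-Policy": "geolocation=(), microphone=(), camera=()",
    "Referrer-Policy": "no-referrer",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
}
BAD = {"Strict-Transport-Security": "max-age=300; preload",
       "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'"}
```

In a pipeline, fetch the headers of a staging deployment with your HTTP client of choice, pass them to audit_headers, and fail the build when the list is non-empty.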

Wrapping up

Security headers are powerful tools that can drastically improve your web application’s security. By implementing and fine-tuning headers such as CSP and HSTS and leveraging newer ones like Permissions-Policy and Expect-CT, you can better protect against modern threats.

However, security headers are only as effective as the effort you put into maintaining and updating them. Regular audits, real-time monitoring, and automated testing are essential to keep your defenses current and robust. With the right tools and practices, you can keep your web application’s security posture resilient against an ever-evolving threat landscape.

If you have any questions or insights on using security headers, we’d love to hear from you! How have security headers improved your application’s security, and what challenges have you faced?
