# HTTP Headers

HTTP headers can be used to enhance the security of a web application on many different levels.

# Background

# Context

OWASP, Mozilla, and various sources in the literature define HTTP headers that increase security:

| Header | Description | Recommended Configuration |
| --- | --- | --- |
| HTTP Strict Transport Security (HSTS) | Enforces HTTPS. With `preload` it is enforced even on the very first visit to the website. | max-age=6307200; includeSubDomains |
| X-Frame-Options | Disallows rendering in iframes to prevent clickjacking. Only relevant for older browsers that do not support Content-Security-Policy. | deny / sameorigin |
| X-Content-Type-Options | Prevents the browser from MIME-sniffing the content type. | nosniff |
| Content-Security-Policy | Allows setting directives that define which content may be loaded from which source. | As restrictive as possible; explicitly whitelist sources. |
| Referrer-Policy | Controls which Referer information the browser sends. | no-referrer / same-origin |
| Cache-Control | Defines whether and for how long responses are cached. | no-cache, no-store, must-revalidate, max-age=0 |
| Pragma | No-cache alternative for HTTP/1.0 | no-cache |
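
As an added example (not part of the original page), the following Node.js function audits a set of response headers against the recommendations in the table above. The header sets at the bottom are constructed samples; the thresholds (minimum HSTS `max-age`, accepted Referrer-Policy values) are the table's own. The checks go slightly beyond the table in one respect: a Content-Security-Policy that allows `'unsafe-inline'` or `*` for scripts is flagged, because such a policy does not restrict script sources in practice.

```javascript
// Audit HTTP response headers against the recommended configuration above.
// Added example; not code from OWASP, Mozilla or the page's author.

const HSTS_MIN_MAX_AGE = 6307200; // minimum from the recommendation table

// Lower-case all header names so lookups are case-insensitive.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = Array.isArray(value) ? value.join(', ') : String(value);
  }
  return out;
}

// Parse "max-age=N; includeSubDomains; preload" into its directives.
function parseHsts(value) {
  const directives = value.split(';').map((d) => d.trim().toLowerCase()).filter(Boolean);
  const maxAge = directives.find((d) => d.startsWith('max-age='));
  return {
    maxAge: maxAge ? Number(maxAge.slice('max-age='.length)) : NaN,
    includeSubDomains: directives.includes('includesubdomains'),
    preload: directives.includes('preload'),
  };
}

// Parse a CSP string into { directiveName: [source, ...] }.
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Returns a list of findings; an empty list means every check passed.
function auditSecurityHeaders(rawHeaders) {
  const h = normalizeHeaders(rawHeaders);
  const findings = [];

  // HSTS: present, long enough, covering subdomains
  if (!h['strict-transport-security']) {
    findings.push('Strict-Transport-Security missing');
  } else {
    const hsts = parseHsts(h['strict-transport-security']);
    if (!(hsts.maxAge >= HSTS_MIN_MAX_AGE)) findings.push(`Strict-Transport-Security max-age below ${HSTS_MIN_MAX_AGE}`);
    if (!hsts.includeSubDomains) findings.push('Strict-Transport-Security lacks includeSubDomains');
  }

  // MIME sniffing: the only meaningful value is nosniff
  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') findings.push('X-Content-Type-Options is not nosniff');

  // CSP: must exist and must actually restrict script sources
  const csp = h['content-security-policy'];
  if (!csp) {
    findings.push('Content-Security-Policy missing');
  } else {
    const directives = parseCsp(csp);
    const scriptSrc = directives['script-src'] || directives['default-src'] || [];
    if (scriptSrc.length === 0) findings.push('Content-Security-Policy has neither script-src nor default-src');
    if (scriptSrc.includes("'unsafe-inline'") || scriptSrc.includes('*')) findings.push("Content-Security-Policy script-src allows 'unsafe-inline' or *");
  }

  // Referrer leakage: the table recommends no-referrer or same-origin
  if (!['no-referrer', 'same-origin'].includes((h['referrer-policy'] || '').toLowerCase())) findings.push('Referrer-Policy is not no-referrer/same-origin');

  // Clickjacking: frame-ancestors in the CSP, or X-Frame-Options for older browsers
  const xfo = (h['x-frame-options'] || '').toLowerCase();
  const hasFrameAncestors = Boolean(csp) && /frame-ancestors/i.test(csp);
  if (!hasFrameAncestors && !['deny', 'sameorigin'].includes(xfo)) findings.push('no frame-ancestors directive and no X-Frame-Options deny/sameorigin');

  // Caching: sensitive responses must not be stored
  if (!(h['cache-control'] || '').toLowerCase().includes('no-store')) findings.push('Cache-Control lacks no-store');

  return findings;
}

// Constructed sample: a typical unhardened response.
const WEAK_HEADERS = {
  'Content-Type': 'text/html; charset=utf-8',
  'Strict-Transport-Security': 'max-age=86400',
  'X-Frame-Options': 'ALLOW-FROM https://partner.example',
  'Cache-Control': 'public, max-age=3600',
};

// Constructed sample: headers matching the recommendations above.
const HARDENED_HEADERS = {
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains; preload',
  'X-Content-Type-Options': 'nosniff',
  'Content-Security-Policy': "default-src 'self'; base-uri 'self'; frame-ancestors 'self'; object-src 'none'; script-src 'self'",
  'Referrer-Policy': 'no-referrer',
  'X-Frame-Options': 'SAMEORIGIN',
  'Cache-Control': 'no-store, no-cache, must-revalidate, proxy-revalidate',
};

console.log(auditSecurityHeaders(WEAK_HEADERS));     // seven findings
console.log(auditSecurityHeaders(HARDENED_HEADERS)); // []
```

The function takes a plain header object, so it can be fed from a fetched response (`Object.fromEntries(response.headers)`), from a captured HTTP transcript, or from a test against the application's own middleware.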

# Problems

  • Omitting these HTTP headers weakens the application's security
  • Missing headers expose the application to further attacks

# Solutions

# Technology

In Express one can use helmet and in Spring Boot one can use Spring Security. The following table contains the headers each of them sets by default.

| Header | Express helmet | Express nocache | Spring Boot Spring Security |
| --- | --- | --- | --- |
| HSTS | max-age=15552000; includeSubDomains | not set | max-age=31536000; includeSubDomains |
| X-Frame-Options | sameorigin | not set | deny |
| Content-Security-Policy | default-src 'self'; base-uri 'self'; block-all-mixed-content; font-src 'self' https: data:; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src 'self'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; upgrade-insecure-requests | not set | not set |
| Referrer-Policy | no-referrer | not set | not set |
| X-XSS-Protection | 0 | not set | 1; mode=block |
| Cache-Control | not set | no-store, no-cache, must-revalidate, proxy-revalidate | no-cache, no-store, max-age=0, must-revalidate |
| Expires | not set | 0 | 0 |
| Pragma | not set | no-cache | no-cache |
| X-Content-Type-Options | nosniff | not set | nosniff |
| X-Download-Options | noopen | not set | not set |
| X-Permitted-Cross-Domain-Policies | none | not set | not set |
| X-DNS-Prefetch-Control | off | not set | not set |
| Expect-CT | max-age=86400 | not set | not set |

# Express

When using Express, the library helmet should be used in combination with the library nocache. Furthermore, the HSTS header's max-age could be increased and preload could be added. No further configuration is required.
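
The following added example (not helmet's or nocache's own code, and not from the original page) is an Express-compatible middleware that sets the same header set the table above lists for helmet and nocache, with the two adjustments suggested in this section applied to HSTS: a longer `max-age` (one year is an assumed value; the text only says "increased") and the `preload` flag. Expect-CT is left out because browsers have dropped support for it. It depends only on Node's core API, so it runs without installing express, helmet or nocache.

```javascript
// Security-header middleware mirroring helmet + nocache defaults (added example).
// Values are the ones listed in the configuration table above, except HSTS.

const ONE_YEAR_SECONDS = 31536000; // assumed "increased" HSTS max-age

// Compose the HSTS value from its parts. `preload` only makes sense once the whole
// site and all subdomains are served over HTTPS, since it is hard to undo.
function buildHsts({ maxAge, includeSubDomains = true, preload = false }) {
  const parts = [`max-age=${maxAge}`];
  if (includeSubDomains) parts.push('includeSubDomains');
  if (preload) parts.push('preload');
  return parts.join('; ');
}

// Join a directive map into a single Content-Security-Policy string.
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => (sources.length ? `${name} ${sources.join(' ')}` : name))
    .join('; ');
}

const SECURITY_HEADERS = Object.freeze({
  // helmet defaults, plus longer HSTS max-age and preload as suggested above
  'Strict-Transport-Security': buildHsts({ maxAge: ONE_YEAR_SECONDS, preload: true }),
  'X-Frame-Options': 'SAMEORIGIN',
  'Content-Security-Policy': buildCsp({
    'default-src': ["'self'"],
    'base-uri': ["'self'"],
    'block-all-mixed-content': [],
    'font-src': ["'self'", 'https:', 'data:'],
    'frame-ancestors': ["'self'"],
    'img-src': ["'self'", 'data:'],
    'object-src': ["'none'"],
    'script-src': ["'self'"],
    'script-src-attr': ["'none'"],
    'style-src': ["'self'", 'https:', "'unsafe-inline'"],
    'upgrade-insecure-requests': [],
  }),
  'Referrer-Policy': 'no-referrer',
  'X-XSS-Protection': '0', // disables the legacy auditor, as helmet does
  'X-Content-Type-Options': 'nosniff',
  'X-Download-Options': 'noopen',
  'X-Permitted-Cross-Domain-Policies': 'none',
  'X-DNS-Prefetch-Control': 'off',
  // nocache defaults
  'Cache-Control': 'no-store, no-cache, must-revalidate, proxy-revalidate',
  'Expires': '0',
  'Pragma': 'no-cache',
});

// Express-style middleware: (req, res, next). Works with any object that has setHeader().
function securityHeaders(req, res, next) {
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) {
    res.setHeader(name, value);
  }
  if (typeof next === 'function') next();
}

module.exports = { buildHsts, buildCsp, SECURITY_HEADERS, securityHeaders };
```

Register it before any route handlers (`app.use(securityHeaders)`) so that every response, including error pages, carries the headers. If the application serves static assets that should be cached, apply the `Cache-Control`/`Expires`/`Pragma` trio only to the routes that return sensitive data, which is how nocache is meant to be used as well.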

# Spring Boot

Spring Security's default configuration has some shortcomings:

  • The Content-Security-Policy header is missing completely!
  • Further headers (Referrer-Policy, X-Download-Options, X-Permitted-Cross-Domain-Policies, X-DNS-Prefetch-Control) are missing
  • The X-XSS-Protection header is configured incorrectly (1; mode=block), which can itself cause security issues
