# HTTP Headers
HTTP headers can be used to enhance the security of a web application on many different levels.
A05:2021

# Background
# Context
OWASP, Mozilla, and various sources in the literature define HTTP headers that increase security:
Header | Description | Recommended Configuration |
---|---|---|
HTTP Strict Transport Security (HSTS) | Enforces HTTPS. With preload it is enforced even on the first visit to the site | max-age: 6307200, includeSubDomains |
X-Frame-Options | Prevents the page from being rendered inside an iframe, which protects against clickjacking. Only relevant for older browsers that do not support the Content-Security-Policy | deny / sameorigin |
X-Content-Type-Options | Prevents the browser from MIME-sniffing the response | nosniff |
Content-Security-Policy | Allows setting directives that define which content may be loaded from which source | As restrictive as possible; whitelist the allowed sources |
Referrer-Policy | Controls what the browser sends in the Referer header | no-referrer / same-origin |
Cache-Control | Defines whether and for how long responses are cached | no-cache, no-store, must-revalidate, max-age=0 |
Pragma | no-cache equivalent for HTTP/1.0 caches | no-cache |
# Problems
- Omitting these HTTP headers weakens the security of the application
- Missing headers leave the application open to further attacks
# Solutions
- Use libraries that offer secure default configurations
- Use Security Headers
# Technology
In Express one can use helmet, and in Spring Boot one can use Spring Security. The following table lists the headers each of them sets by default.
Header | Express (helmet + nocache) | Spring Boot (Spring Security) |
---|---|---|
HSTS | max-age=15552000; includeSubDomains | max-age=31536000; includeSubDomains |
X-Frame-Options | sameorigin | deny |
Content-Security-Policy | default-src 'self'; base-uri 'self'; block-all-mixed-content; font-src 'self' https: data:; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src 'self'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; upgrade-insecure-requests | |
Referrer-Policy | no-referrer | |
X-XSS-Protection | 0 | 1; mode=block |
Cache-Control | no-store, no-cache, must-revalidate, proxy-revalidate | no-cache, no-store, max-age=0, must-revalidate |
Expires | 0 | 0 |
Pragma | no-cache | no-cache |
X-Content-Type-Options | nosniff | nosniff |
X-Download-Options | noopen | |
X-Permitted-Cross-Domain-Policies | none | |
X-DNS-Prefetch-Control | off | |
Expect-CT | max-age=86400 | |
# Express
When using Express, the library helmet should be used in combination with the library nocache. Furthermore, the HSTS header's max-age could be increased and preload could be added. No further configuration is required.
# Spring Boot
DANGER
Spring Security's default configuration contains some mistakes:
- The Content-Security-Policy is missing completely!
- Further headers are missing (see the empty cells in the table above)
- The X-XSS-Protection header is configured incorrectly (1; mode=block), which can itself cause security issues
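The following Node.js script is an added example, not code from the original page nor from helmet, nocache or Spring Security: it audits a set of response headers against the recommendations in the tables above, so that a missing CSP, a missing Referrer-Policy or an X-XSS-Protection value other than 0 shows up as a finding. The function name `auditSecurityHeaders` and the two header sets at the bottom are assumptions of the example; the header sets are constructed from the table values, not captured from a live server.

```javascript
// Added example, not from the original page: audit response headers against the
// recommendations in the tables above. Plain Node.js, no dependencies.
const MIN_HSTS_MAX_AGE = 6307200; // recommended minimum from the first table

// Returns a list of findings; an empty list means every check passed.
function auditSecurityHeaders(rawHeaders) {
  // Header names are case-insensitive, so lower-case them before lookup
  const h = Object.fromEntries(Object.entries(rawHeaders).map(([k, v]) => [k.toLowerCase(), String(v).trim()]));
  const findings = [];
  // HSTS: present, max-age at least the recommended minimum, includeSubDomains set
  const hsts = h['strict-transport-security'];
  const age = hsts && /max-age=(\d+)/i.exec(hsts);
  if (!hsts) findings.push('Strict-Transport-Security missing');
  else if (!age || Number(age[1]) < MIN_HSTS_MAX_AGE) findings.push('Strict-Transport-Security max-age too low');
  else if (!/includesubdomains/i.test(hsts)) findings.push('Strict-Transport-Security lacks includeSubDomains');
  // Headers with a short list of acceptable values (taken from the first table)
  const expected = { 'x-content-type-options': ['nosniff'], 'x-frame-options': ['deny', 'sameorigin'],
    'referrer-policy': ['no-referrer', 'same-origin'], 'pragma': ['no-cache'] };
  for (const [name, allowed] of Object.entries(expected)) {
    if (!(name in h)) findings.push(`${name} missing`);
    else if (!allowed.includes(h[name].toLowerCase())) findings.push(`${name} has unexpected value "${h[name]}"`);
  }
  // CSP: must exist and define a default-src fallback
  const csp = h['content-security-policy'];
  if (!csp) findings.push('Content-Security-Policy missing');
  else if (!/default-src\s/.test(csp)) findings.push('Content-Security-Policy has no default-src');
  // Cache-Control: every recommended directive must be present
  const cc = (h['cache-control'] || '').toLowerCase();
  for (const d of ['no-store', 'no-cache', 'must-revalidate']) if (!cc.includes(d)) findings.push(`Cache-Control lacks ${d}`);
  // X-XSS-Protection: the legacy filter should be disabled (0); "1; mode=block" is the flagged misconfiguration
  const xss = h['x-xss-protection'];
  if (xss !== undefined && xss !== '0') findings.push(`X-XSS-Protection should be 0, got "${xss}"`);
  return findings;
}

// Constructed from the Spring Security column of the table above (not a live capture)
const SPRING_SECURITY_DEFAULTS = {
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains', 'X-Frame-Options': 'DENY',
  'X-XSS-Protection': '1; mode=block', 'Cache-Control': 'no-cache, no-store, max-age=0, must-revalidate',
  'Expires': '0', 'Pragma': 'no-cache', 'X-Content-Type-Options': 'nosniff',
};
// Constructed from the Express helmet + nocache column (CSP abbreviated)
const EXPRESS_HELMET_NOCACHE = {
  'Strict-Transport-Security': 'max-age=15552000; includeSubDomains', 'X-Frame-Options': 'SAMEORIGIN',
  'Content-Security-Policy': "default-src 'self'; object-src 'none'; frame-ancestors 'self'",
  'Referrer-Policy': 'no-referrer', 'X-XSS-Protection': '0', 'Expires': '0', 'Pragma': 'no-cache',
  'Cache-Control': 'no-store, no-cache, must-revalidate, proxy-revalidate', 'X-Content-Type-Options': 'nosniff',
};
console.log('Spring Security defaults:', auditSecurityHeaders(SPRING_SECURITY_DEFAULTS));
console.log('Express helmet + nocache:', auditSecurityHeaders(EXPRESS_HELMET_NOCACHE));
```

Run against the Spring Security defaults it reports exactly the three problems listed above; the helmet + nocache set passes cleanly.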