OWASP Secure Headers Project
The OWASP Secure Headers Project describes HTTP response headers that your application can use to increase the security of your application. Once set, these HTTP response headers can restrict modern browsers from running into easily preventable vulnerabilities. The OWASP Secure Headers Project intends to raise awareness and use of these headers.
Introduction
HTTP headers are well-known and also despised. Seeking a balance between usability and security, developers implement functionality through the headers that can make applications more versatile or secure. But in practice how are the headers being implemented? What sites follow the best implementation practices? Big companies, small, all or none?
Description
We aim to publish reports on header usage stats, developments and changes, code libraries that make these headers easily accessible to developers on a range of platforms, and data sets concerning the general usage of these headers.
The OWASP Secure Headers Project is migrating to this new OWASP website. For now you can still access the old website here https://wiki.owasp.org/index.php/OWASP_Secure_Headers_Project.
You can scan a site with a third-party scanner and view the result here: https://securityheaders.com/?q=cnblogs.com&hide=on&followRedirects=on
Response Headers
Working draft
Active
- HTTP Strict Transport Security
- X-Frame-Options
- X-Content-Type-Options
- Content-Security-Policy
- X-Permitted-Cross-Domain-Policies
- Referrer-Policy
- Clear-Site-Data
- Cross-Origin-Embedder-Policy
- Cross-Origin-Opener-Policy
- Cross-Origin-Resource-Policy
Almost deprecated
Deprecated
X-XSS-Protection
Deprecated.
⚠️ Warning: The X-XSS-Protection header has been deprecated by modern browsers and its use can introduce additional security issues on the client side. As such, it is recommended to set the header as
X-XSS-Protection: 0
in order to disable the XSS Auditor, and not allow it to take the default behavior of the browser handling the response. Please use Content-Security-Policy instead.
This header enables the cross-site scripting (XSS) filter in your browser.
Values
Value | Description |
---|---|
0 | Filter disabled. |
1 | Filter enabled. If a cross-site scripting attack is detected, in order to stop the attack, the browser will sanitize the page. |
1; mode=block | Filter enabled. Rather than sanitize the page, when an XSS attack is detected, the browser will prevent rendering of the page. |
1; report=http://[YOURDOMAIN]/your_report_URI | Filter enabled. The browser will sanitize the page and report the violation. This is a Chromium function utilizing CSP violation reports to send details to a URI of your choice. |
Example
X-XSS-Protection: 0
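As an added example that is not part of the OWASP page or of this post, a small Python checker that parses an X-XSS-Protection value according to the table above and audits a response header map against the list of active headers and the recommendation to send `X-XSS-Protection: 0`. The `SAMPLE_HEADERS` dictionary is constructed for illustration; the function names are assumptions.

```python
# Header names the project lists as active (the HSTS entry's wire name is Strict-Transport-Security).
ACTIVE_HEADERS = [
    "Strict-Transport-Security",
    "X-Frame-Options",
    "X-Content-Type-Options",
    "Content-Security-Policy",
    "X-Permitted-Cross-Domain-Policies",
    "Referrer-Policy",
    "Clear-Site-Data",
    "Cross-Origin-Embedder-Policy",
    "Cross-Origin-Opener-Policy",
    "Cross-Origin-Resource-Policy",
]


def parse_xss_protection(value: str) -> dict:
    """Map an X-XSS-Protection value to the behaviour described in the values table."""
    parts = [p.strip() for p in value.split(";")]
    flag = parts[0]
    if flag == "0":
        return {"enabled": False, "mode": "disabled", "report": None}
    if flag != "1":
        raise ValueError(f"unexpected X-XSS-Protection flag: {flag!r}")
    result = {"enabled": True, "mode": "sanitize", "report": None}
    for directive in parts[1:]:
        name, _, arg = directive.partition("=")  # split only on the first '=' so report URIs survive
        if name == "mode" and arg == "block":
            result["mode"] = "block"
        elif name == "report":
            result["report"] = arg
    return result


def audit(headers: dict) -> list:
    """Return findings for a response header map; header names are compared case-insensitively."""
    present = {k.lower(): v for k, v in headers.items()}
    findings = []
    xss = present.get("x-xss-protection")
    if xss is not None and parse_xss_protection(xss)["enabled"]:
        findings.append("X-XSS-Protection enables the deprecated XSS Auditor; set it to 0 and rely on Content-Security-Policy")
    for name in ACTIVE_HEADERS:
        if name.lower() not in present:
            findings.append(f"{name} missing")
    return findings


# Constructed sample: a response that still enables the auditor and lacks most active headers.
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "X-XSS-Protection": "1; mode=block",
    "X-Frame-Options": "DENY",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS):
        print(finding)
```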
References
- https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
- https://www.chromestatus.com/feature/5021976655560704
- https://bugzilla.mozilla.org/show_bug.cgi?id=528661
- https://blogs.windows.com/windowsexperience/2018/07/25/announcing-windows-10-insider-preview-build-17723-and-build-18204/
- https://github.com/zaproxy/zaproxy/issues/5849
- https://scotthelme.co.uk/security-headers-updates/#removing-the-x-xss-protection-header
- https://portswigger.net/daily-swig/google-chromes-xss-auditor-goes-back-to-filter-mode
- https://owasp.org/www-community/attacks/xss/
- https://www.virtuesecurity.com/blog/understanding-xss-auditor/
- https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers
- http://zinoui.com/blog/security-http-headers#x-xss-protection
Author: Chuck Lu (GitHub)