
How widely used are security-based HTTP response headers? - bikeshack
https://scotthelme.co.uk/how-widely-used-are-security-based-http-response-headers/
======
STRML
It's unfortunate that response headers on a secure website need to be bloated
so much to receive benefits that should be default on modern sites. I imagine
a world where you specifically have to opt-in to unsafe behavior, not the
other way around, but of course this would break many existing sites.

For those of you looking at this, I've found the X-Frame-Options (to prevent
clickjacking via iframe) and Content-Security-Policy (to restrict eval, inline
JS, JS and embed sources and more) to be the most useful headers by far. If
you can run CSP without 'unsafe-eval' or 'unsafe-inline' and restrict all
sources to your local domain, your site's security will be much better for it
as an entire range of attacks is eliminated on modern browsers.

Of course they are all worth looking at. Scott's header test
([https://securityheaders.io](https://securityheaders.io)) is a great check
for your own sites.

~~~
JoshTriplett
> I've found the X-Frame-Options (to prevent clickjacking via iframe)

I wish some way existed to prevent clickjacking (e.g. via invisible iframe)
without actually banning frames. There are useful applications for framing
another site that can't be achieved by any other means, apart from writing a
browser extension. And framing a site _without_ making it invisible seems like
unfortunate collateral damage.

~~~
hannob
Dan Kaminsky is working on something:
[http://dankaminsky.com/2015/08/09/defcon-23-lets-end-clickja...](http://dankaminsky.com/2015/08/09/defcon-23-lets-end-clickjacking/)

------
idlewords
CSP breaks bookmarklets in Firefox, which makes it rather user-hostile. This
is properly Mozilla's fault, but they've shown no interest in fixing it.

[https://bugzilla.mozilla.org/show_bug.cgi?id=866522](https://bugzilla.mozilla.org/show_bug.cgi?id=866522)

~~~
Scott_Helme_
Interesting, I don't use Firefox enough to have noticed this. Would it be
possible to whitelist this functionality in your CSP in the short term without
adversely affecting the strength of your policy?

~~~
hyperpape
Idlewords runs Pinboard, a bookmarking site, so I'm guessing he's worried
about the impact of other people turning on CSP. I don't use Pinboard, but I
believe I've encountered the problem using the Instapaper bookmarklet.

------
jacquesm
HN uses x-frame-options:"DENY" to good effect which takes care of a fair
number of click-jack tricks, it also uses strict-transport-security.

But there is only so much you can do with headers, the real risks are in the
documents themselves.

How about a <nojs> </nojs> pair in the primary document disabling any kind of
javascript execution in the space between the tags. And those tags should
_only_ work in the primary document.

~~~
dantillberg
> How about a <nojs> </nojs> pair in the primary document disabling any kind
> of javascript execution in the space between the tags.

But wouldn't folks still be able to inject scripts by just writing
`</nojs><script>alert('hi')</script><nojs>`?
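
As an added illustration of dantillberg's objection (this is not code from the thread, and the `<nojs>` element and its "scripts inside don't run" rule are hypothetical), here is a toy model of a browser that honours the proposed pair, a naive renderer that relies on it, and the escaping the renderer would still need:

```javascript
// Added example, not from the thread: a toy model of the proposed <nojs> pair,
// showing the closing-tag break-out and the fix the tag would still need.
// The <nojs> element and the rule that scripts inside it never run are hypothetical.

// A naive renderer that wraps untrusted comment text in the proposed pair.
function renderCommentUnsafe(untrusted) {
  return `<nojs>${untrusted}</nojs>`;
}

// Standard HTML escaping of the untrusted text; once the angle brackets are
// entities, the comment cannot close the pair early.
function escapeHtml(text) {
  return text
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

function renderCommentEscaped(untrusted) {
  return `<nojs>${escapeHtml(untrusted)}</nojs>`;
}

// Model of a browser honouring <nojs>: count the <script> tags that sit outside
// any <nojs>...</nojs> region, i.e. the scripts that would still execute.
function executableScriptCount(html) {
  const tokens = html.match(/<\/?nojs>|<script\b[^>]*>/gi) || [];
  let depth = 0;
  let executable = 0;
  for (const token of tokens) {
    const t = token.toLowerCase();
    if (t === '<nojs>') depth += 1;
    else if (t === '</nojs>') depth = Math.max(0, depth - 1);
    else if (depth === 0) executable += 1;
  }
  return executable;
}

// Constructed attacker input: closes the pair, runs a script, then reopens the
// pair so the document's own </nojs> still has something to match.
const BREAKOUT = "</nojs><script>alert('hi')</script><nojs>";

function demo() {
  return {
    unsafe: executableScriptCount(renderCommentUnsafe(BREAKOUT)),   // 1: the break-out works
    escaped: executableScriptCount(renderCommentEscaped(BREAKOUT)), // 0: no tags survive escaping
  };
}

console.log(demo());
```

The escaped variant is the only one that holds up, and at that point the `<nojs>` wrapper adds nothing: the same break-out defeats any scheme that tries to contain untrusted markup with a surrounding tag, which is why output encoding (and CSP as a second layer) is what the thread keeps coming back to.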

------
martinrue
For people using Node/Express, Helmet is a useful little library that lets you
add these security headers and CSP pretty easily:
[https://github.com/helmetjs/helmet](https://github.com/helmetjs/helmet)

~~~
gkop
This is the counterpart for Ruby:
[https://github.com/twitter/secureheaders](https://github.com/twitter/secureheaders)

------
dantillberg
This post encouraged me to go through my own website and add a moderately
strict CSP header, sans 'unsafe-inline' scripts/styles. Thanks!

~~~
Scott_Helme_
If you like, you could also add reporting to your CSP and get live feedback on
it with [https://report-uri.io](https://report-uri.io)

It's free to sign up and use.

------
nly
I've found HPKP and HSTS easy to trivial, but gave up on deploying CSP. It's
major refactoring when so much stuff directly includes 3rd party CSS and
script, or just injects static CSS and JS in to pages inline.

~~~
lol768
You might find the Content-Security-Policy-Report-Only header useful for
identifying CSP issues and deploying policies without actually blocking
anything.

------
A010
I went through his previous blog post and found the part about changing the
Server: header field. Why waste time rebuilding nginx from source for that?
Why not just insert 'server_tokens off' in your nginx.conf?

~~~
nly
Because it doesn't eliminate the Server header: "off" will return "Server:
nginx". Just one of several "fuck you" features in nginx.

~~~
Scott_Helme_
Sadly nly is right. The only other option to change this is the
ngx_headers_more module, but that still requires a rebuild. I suppose that way
you at least get a little more functionality for your troubles.

~~~
nly
You also need that module to do per URI/path/regex match headers properly,
because add_header + location blocks are woefully insufficient thanks to the
way they are processed. This is one reason I gave up on CSP under nginx.
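
The two nginx points in this exchange, as an added configuration example (not from the thread or from Scott's post; the hostname, paths and policy are assumptions): `server_tokens off` only shortens the `Server` header, `more_clear_headers` from the headers-more module removes it, and an `add_header` inside a `location` replaces the set inherited from the `server` block instead of adding to it, so security headers silently vanish from that location unless they are repeated there.

```nginx
http {
    # Stock nginx: this only trims the version, the response still says "Server: nginx".
    server_tokens off;

    # ngx_headers_more (needs a rebuild, as Scott says): drop the header entirely.
    more_clear_headers Server;

    server {
        listen 443 ssl;            # certificate directives omitted
        server_name example.com;

        # "always" also attaches the headers to error responses (4xx/5xx).
        add_header Content-Security-Policy "default-src 'self'" always;
        add_header X-Frame-Options DENY always;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

        location /static/ {
            # Because this block has its own add_header, it inherits NONE of the
            # three headers above. Without the repeats, /static/ ships with only
            # Cache-Control: this is the behaviour nly is complaining about.
            add_header Cache-Control "public, max-age=86400";
            add_header Content-Security-Policy "default-src 'self'" always;
            add_header X-Frame-Options DENY always;
            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        }
    }
}
```

The inheritance rule is per level: a `location` with no `add_header` of its own inherits the server-level set unchanged, so the trap only springs when you add something like `Cache-Control` to a specific path. Checking each path with `curl -sI` rather than just the front page is the quick way to catch it.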

------
jasonlfunk
Can you help me understand the graphs? What is being plotted on the X axis?

~~~
cbr
I think popularity, from most to least?

~~~
Scott_Helme_
Yes, sorry that wasn't clear. I scanned the sites in groups of 4,000. The x
axis is each group in descending order from the top of the Alexa list to the
bottom.

------
greggman
I'd really like to know if any of you have used the report feature. It seems
like any report you got would show you a bug in your code. What were the bugs?
How many reports did you get?

~~~
Scott_Helme_
To be honest, most of the reports I get for my sites aren't legitimate issues.
Malware on the endpoint makes changes to pages (like inserting ads) that
generate reports, certain browser features trigger changes that cause reports.
There are also browser plugins and addons that make changes which also cause
reports to be sent. You can always create a report only CSP which will send
reports but not block actions on the page and use my service at
[https://report-uri.io](https://report-uri.io) to gather the reports for you
to look at them. All free and no risk of breaking anything, if you're
interested.

