Security-related HTTP headers

Source: Internet
Author: User

As Web security issues become more and more serious, browsers have strengthened their security policies and introduced many new HTTP headers. Recently, when I was going through a scan report and a login system, I had to spend a whole day on these things, so I recorded them here.

First, let's talk about cross-origin requests.
To keep the description simple, assume that the user is A, his browser is B, the website he visits is C, C needs to access resource E on another website D, and the attacker runs website F.
When the domain name, port, or protocol of C and D differ, the access to E is called a cross-origin request.
Examples of origins that are cross-origin to each other:

http://example.com, http://www.example.com and http://abc.example.com (different domain names)
http://www.example.com:80 and http://www.example.com:8080 (different ports)
http://www.example.com and https://www.example.com (different protocols)


Same-origin requests are subject to few browser restrictions. Because cross-origin requests carry security risks, the following restrictions are imposed on them by default:

Only GET, HEAD, and POST requests are allowed.
Only the Accept, Accept-Language, Content-Language, and Content-Type headers may be set manually.
Only the values application/x-www-form-urlencoded, multipart/form-data, and text/plain are allowed for the Content-Type header.

Requests that meet these restrictions are called simple requests.

Although these restrictions ensure security, they also greatly limit what can be done. The first group of headers in this article exists to relax these cross-origin restrictions. They all start with "Access-Control-". The two most important are:

Access-Control-Allow-Origin: the origin from which the resource may be requested.
This should be the most important header. With cross-origin AJAX, the called party (resource E on website D) needs to output this header to specify which website may access it. If this header is not output, only access from the same domain name is allowed.
If it is a public service that allows arbitrary calls, set it to "*". To strictly limit the websites that may call it, set it to a value such as http://www.example.com (http and https cannot be mixed).
If this header is not set correctly, then when user A visits the attacker's website F, F can make a cross-origin request to resource E without A's knowledge.

Access-Control-Allow-Credentials: allows this request to carry cookies.
This is another extremely important header. By default, cross-origin AJAX neither attaches the user's cookies nor allows the response to set cookies, which makes operations that depend on cookies, such as logging in, inconvenient.
To use it, C needs to set the withCredentials attribute when constructing the XMLHttpRequest object:

    var xhr = new XMLHttpRequest();
    xhr.open('GET', url, true);
    xhr.withCredentials = true;   // send and accept cookies on this cross-origin request
    xhr.onreadystatechange = handler;
    xhr.send();

If jQuery is used, set it as follows:

    $.ajax({
        'url': url,
        'type': 'GET',
        'xhrFields': {'withCredentials': true},
        'success': handler
    });

Then, when D outputs the response, it sets this header to true, and cookies can be set with Set-Cookie (because a cookie can be set on the root domain, cookies can be set across subdomains).


Another concept is the preflighted request. When a request does not meet the restrictions of a simple request, the browser first sends an OPTIONS request to the address to ask whether the request is permitted, and only then sends the actual request.
It uses these headers:

Access-Control-Request-Method and Access-Control-Allow-Methods: declare the HTTP method used and the methods allowed.
Ordinary cross-origin requests only support the GET, HEAD, and POST methods. To use other methods, the browser sends Access-Control-Request-Method: DELETE (or another method) when accessing E, and E returns all the methods it supports, separated by commas, in Access-Control-Allow-Methods.

Access-Control-Request-Headers and Access-Control-Allow-Headers: declare the HTTP headers used and allowed.
Similar to the previous pair, these are used to support additional request headers.

Access-Control-Max-Age: tells the browser for how long it may reuse the cached result without sending the same preflighted request again.
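The server side of the Allow-Origin, Allow-Credentials and preflight headers described above, as an added Node.js example that is not code from the original article; the origin allowlist, the configuration values and the request objects are constructed for this example.

```javascript
// Added example, not code from the original article: a server-side CORS decision for
// a resource E on website D, following the rules described above. The origin allowlist,
// the config values and the request objects are constructed for this example.
const CORS_CONFIG = {
  // Websites (like C) allowed to call E with the user's cookies. Never answer "*" when
  // credentials are allowed: browsers reject it, and it would let any site F read E as user A.
  allowedOrigins: new Set(['https://www.example.com', 'https://app.example.com']),
  allowCredentials: true,
  allowedMethods: ['GET', 'POST', 'DELETE'],
  allowedHeaders: ['Content-Type', 'X-Requested-With'],
  maxAgeSeconds: 600, // how long the browser may cache this preflight answer
};

// req = { method, headers } with lower-case header names, as Node's http module provides.
// Returns the headers to add to the response, whether this was a preflight, and whether
// the request should be served (false: reply 403 and send no Access-Control-* headers).
function corsHeaders(req, config = CORS_CONFIG) {
  const origin = req.headers['origin'];
  const headers = { Vary: 'Origin' }; // the answer depends on Origin, so caches must not mix them
  if (!origin) return { headers, preflight: false, allowed: true }; // not a cross-origin request
  if (!config.allowedOrigins.has(origin)) return { headers, preflight: false, allowed: false };

  // Echo the exact allowlisted origin back; never reflect an arbitrary Origin value.
  headers['Access-Control-Allow-Origin'] = origin;
  if (config.allowCredentials) headers['Access-Control-Allow-Credentials'] = 'true';

  const wantedMethod = req.headers['access-control-request-method'];
  if (req.method !== 'OPTIONS' || !wantedMethod) return { headers, preflight: false, allowed: true };

  // Preflight: list everything E supports, comma separated, plus the cache lifetime.
  headers['Access-Control-Allow-Methods'] = config.allowedMethods.join(', ');
  headers['Access-Control-Allow-Headers'] = config.allowedHeaders.join(', ');
  headers['Access-Control-Max-Age'] = String(config.maxAgeSeconds);

  // The browser compares these lists itself, but deciding here lets the server
  // answer 403 instead of 204 for a method or header it will never accept.
  const wantedHeaders = (req.headers['access-control-request-headers'] || '')
    .split(',').map(h => h.trim().toLowerCase()).filter(Boolean);
  const allowedLower = config.allowedHeaders.map(h => h.toLowerCase());
  const allowed = config.allowedMethods.includes(wantedMethod.toUpperCase())
    && wantedHeaders.every(h => allowedLower.includes(h));
  return { headers, preflight: true, allowed };
}
```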


Another very important header is Content-Security-Policy, which defines the resources a page may load. Currently the specification has two levels.
Level 1 provides these directives (multiple directives are separated by semicolons):

default-src: the default load policy.
script-src: JavaScript from this domain may be loaded.
style-src: CSS from this domain may be loaded.
img-src: images from this domain may be loaded.
connect-src: AJAX and WebSocket requests to this domain are allowed.
font-src: fonts from this domain may be loaded.
object-src: object, embed, or applet content from this domain may be loaded.
media-src: audio or video from this domain may be loaded.
frame-src: frames or iframes from this domain may be loaded.
sandbox: enables a sandbox for the resource.
report-uri: the value is a URI; when a requested resource is blocked by the policy, a report is POSTed to this URI.

The *-src directives accept these source values (multiple values are separated by spaces):

(empty): any content is allowed.
'none': no content is allowed.
'self': content from the same origin is allowed.
data: the data: scheme is allowed.
www.example.com: content from www.example.com is allowed.
https://www.example.com: content from https://www.example.com is allowed.
*.example.com: content from example.com and its subdomains is allowed.
127.0.0.1:*: content from any port on 127.0.0.1 is allowed.
https: any HTTPS content is allowed.
'unsafe-inline': inline content is allowed.
'unsafe-eval': methods such as eval that turn strings into executable code are allowed.

For example, if you do not want scripts from other domains inserted into the page but still want to allow Google Analytics, you can set:

Content-Security-Policy: script-src 'self' *.google-analytics.com

If you are worried that enabling the policy will break something, you can use the Content-Security-Policy-Report-Only header instead. It does not actually block anything, but still sends a report to report-uri when a violation occurs.


Level 2 mainly adds the following:

child-src: replaces frame-src (applies to multi-level nesting).
frame-ancestors: replaces X-Frame-Options (see below) and limits which pages may embed this one (applies to multi-level nesting).
form-action: the URIs to which forms may be submitted.
referrer: possible values are no-referrer, no-referrer-when-downgrade, origin, origin-when-cross-origin, and unsafe-url.
upgrade-insecure-requests: rewrites all HTTP requests on the page as HTTPS requests.

In addition, the script-src directive gains nonce and hash values, which block inline JavaScript that was not intentionally placed on the page.

With a nonce, a random nonce attribute is output on the inline script tag (say nonce="abcd") and the header specifies Content-Security-Policy: script-src 'nonce-abcd'. With a hash, the hash of the content of the inline script tag (including whitespace) is computed; sha256, sha384, and sha512 are supported (say the hash is abcd...), and the header specifies Content-Security-Policy: script-src 'sha256-abcd...'.


There are also some miscellaneous headers:

Strict-Transport-Security: forces HTTPS access.
Once the user has visited an HTTPS page of the website that sets this header, any later access to an HTTP page of the website is automatically converted into an HTTPS request.
It can take three values:
max-age: how long the declaration is valid.
includeSubDomains: also applies the rule to subdomains.
preload: browsers ship a built-in list of websites that only allow HTTPS, so the HTTPS page does not even have to be visited once first.
This is safer and more efficient than a forced server-side redirect to HTTPS. However, if there is a problem with the HTTPS certificate, you cannot temporarily fall back to the HTTP page.

X-Frame-Options: controls whether the page may be embedded in other pages through frame, iframe, and object tags.
The possible values are:
DENY: not allowed.
SAMEORIGIN: only from the same domain.
ALLOW-FROM: only from a specified domain.

X-XSS-Protection: enables the browser's XSS protection.
The possible values are:
0: disabled.
1: enabled.
1; mode=block: enabled, and page rendering is stopped when an XSS attack is detected.

X-Content-Type-Options: the value is nosniff, which disables browser content-type guessing and prevents, for example, an image from being loaded as JavaScript code.

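A small audit of the headers covered in this section (plus the Allow-Origin/credentials combination from the CORS section), of the kind a scan report would flag, as an added Node.js example that is not code from the original article; the one-year HSTS threshold and the sample responses are this example's own constructed choices, and header names are expected in lower case as Node's http module delivers them.

```javascript
// Added example, not code from the original article: audit a response's security
// headers. Header names are lower-case (Node http style); the thresholds and the
// sample responses used with it are constructed for this example.
const ONE_YEAR = 31536000;

// "max-age=31536000; includeSubDomains; preload" -> { maxAge, includeSubDomains, preload }
function parseHsts(value) {
  const out = { maxAge: 0, includeSubDomains: false, preload: false };
  for (const part of value.split(';')) {
    const [k, v] = part.trim().split('=');
    const key = k.toLowerCase();
    if (key === 'max-age') out.maxAge = parseInt(v, 10) || 0;
    else if (key === 'includesubdomains') out.includeSubDomains = true;
    else if (key === 'preload') out.preload = true;
  }
  return out;
}

// Returns a list of findings; an empty list means every check passed.
function auditSecurityHeaders(headers) {
  const findings = [];
  const get = name => (headers[name] || '').trim();
  const hstsValue = get('strict-transport-security');
  if (!hstsValue) findings.push('Strict-Transport-Security missing');
  else {
    const hsts = parseHsts(hstsValue);
    if (hsts.maxAge < ONE_YEAR) findings.push(`HSTS max-age ${hsts.maxAge} is below one year`);
    if (!hsts.includeSubDomains) findings.push('HSTS lacks includeSubDomains');
  }
  const csp = get('content-security-policy');
  const xfo = get('x-frame-options').toUpperCase();
  // Framing is covered by either X-Frame-Options or the level 2 frame-ancestors directive.
  const framed = /(^|;)\s*frame-ancestors\b/i.test(csp)
    || xfo === 'DENY' || xfo === 'SAMEORIGIN' || xfo.startsWith('ALLOW-FROM ');
  if (!framed) findings.push('no framing protection (X-Frame-Options or frame-ancestors)');
  if (!csp) findings.push('Content-Security-Policy missing');
  if (get('x-content-type-options').toLowerCase() !== 'nosniff')
    findings.push('X-Content-Type-Options is not nosniff');
  const xss = get('x-xss-protection').replace(/\s+/g, '');
  if (xss && xss !== '1;mode=block') findings.push(`X-XSS-Protection is "${xss}", not "1; mode=block"`);
  // From the CORS section: "*" together with credentials is the combination to avoid.
  if (get('access-control-allow-origin') === '*' && get('access-control-allow-credentials').toLowerCase() === 'true')
    findings.push('Access-Control-Allow-Origin "*" combined with Allow-Credentials');
  return findings;
}
```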