Web security: more headers

Sixth post in the web security series.

Some more HTTP headers that can be used to increase your web application security.

X-Frame-Options

X-Frame-Options is a header sent by the server to tell the web browser what to do when the web application is displayed inside a frame (this is in order to prevent clickjacking).

The possible values for this header are:

  • DENY (the web application must not be displayed inside a frame)
  • SAMEORIGIN (it can be displayed if the container is from the same domain)
  • ALLOW-FROM (it can be displayed if the container is one of the given origins)

This header is widely supported but will soon be obsolete. The same behavior will be possible with the frame-ancestors directive in CSP2 (I will talk about CSP in a later post).

X-XSS-Protection

An XSS filter has been included in Internet Explorer since version 8. The filter (which obviously helps prevent XSS attacks) can be disabled by the user. IE also provides the X-XSS-Protection header that can be sent by servers to control the filter state. This header is now also supported in some other web browsers.

The values are:

  • 0 (disable the protection, you should not use that)
  • 1 (enable the protection)
  • 1; mode=block (enable the protection and prevent rendering the page if a XSS attack is detected, you should use this value)

X-Content-Type-Options

This header has only one possible value: nosniff. Some web browsers (Internet Explorer…) sometimes try to detect the type of a file they are downloading from the file extension instead of the content type header sent by the server. This behavior can be used for some attacks where the web browser tries to execute a file that was not supposed to be executed.

So this header tells the web browser to use the content type sent by the server (which also means that your web server must send the proper content type).

Works with Internet Explorer and Google Chrome.
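As an added example (not code from the original post), here is a small Python helper that produces the three headers described above and audits a response's headers for missing or weak values; the function names and the sample response headers are my own assumptions.

```python
# Added example (not from the original post): build the three headers the
# post describes and audit a response's headers for weak or missing values.
# Header names are case-insensitive in HTTP, so the audit normalises them.

RECOMMENDED = {
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
}

# Constructed sample: headers as a weakly configured server might return them.
SAMPLE_WEAK = {"Content-Type": "text/html", "X-XSS-Protection": "0"}


def security_headers(frame_policy: str = "DENY") -> dict:
    """Return the headers to add to every response (hypothetical helper)."""
    if frame_policy.upper() not in ("DENY", "SAMEORIGIN"):
        raise ValueError("use DENY or SAMEORIGIN")
    headers = dict(RECOMMENDED)
    headers["X-Frame-Options"] = frame_policy.upper()
    return headers


def audit_headers(response_headers: dict) -> list:
    """Return a list of findings for one response's header name -> value map."""
    present = {k.lower(): v.strip() for k, v in response_headers.items()}
    findings = []

    xfo = present.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options missing: page can be framed (clickjacking)")
    elif xfo.upper() not in ("DENY", "SAMEORIGIN") and not xfo.upper().startswith("ALLOW-FROM"):
        findings.append(f"X-Frame-Options has unknown value {xfo!r}")

    xss = present.get("x-xss-protection")
    if xss is None:
        findings.append("X-XSS-Protection missing: browser default applies")
    elif xss.startswith("0"):
        findings.append("X-XSS-Protection: 0 disables the filter")
    elif "mode=block" not in xss.lower():
        findings.append("X-XSS-Protection: 1 without mode=block")

    cto = present.get("x-content-type-options")
    if cto is None or cto.lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not 'nosniff'")

    return findings
```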
