aelius Posted March 1, 2014 Report Share Posted March 1, 2014 There are many things to consider when securing a web application but a definite "quick win" is to start taking advantage of the security HTTP response headers that are supported in most modern browser. It doesn't matter which development platform you use to build your application, these headers will make a notable difference for the security of your website anyway!The screenshot shows what the security headers look like. The security headers are included in the web server's response to a browser — instructing the browser to enable (or disable) certain security features. They're invisible to the user, but you can have look at them with tools such as Fiddler or the developer tools that are built into the major browsers. In IE or Chrome press F12, in Opera (Ctrl+Shift+i), in Firefox (Ctrl+Shift+k), for Safari have a look here to enable the developer tools.A great thing about these response headers is that they're very easy to get started with. In many cases you might not even have to change a single line of code in your application as you can set the headers either through your application's configuration, or they can likely be set by whatever web server you use.If you're building ASP.NET applications I would like to point you to NWebsec, an ASP.NET security library that lets you easily configure these headers for your application. Go and have a look at the documentation, it explains how you can configure the headers through web.config. Don't worry, if you're the MVC kind of person you can use filter attributes instead. You'll find the library on NuGet so you'll be up and running in a matter of minutes! Disclaimer: I built it, so I think it's pretty cool. A quick note: Last year, I gave a lightning talk at the ROOTs conference about the role browsers play for your online security. There I also discussed security headers. Slides and video are online if you want to check them out: "The browser - your best friend and worst enemy" (slides / video).Now let's have a look at the headers and how they can improve the security of your website.The security headersHere's the security headers that are supported by some or all of the major browsers at the time of writing.- X-Frame-Options- Strict-Transport-Security- X-Content-Type-Options- X-Download-Options- X-XSS-Protection- X-Content-Security-Policy / X-Content-Security-Policy-Report-Only- X-WebKit-CSP / X-WebKit-CSP-Report-OnlyWe'll have a look at each header and discuss their merits. I've included some important references for each header so you can study them in more detail if you'd like. To remove any doubt that these headers help prevent attacks that are both real and practical, I've also included some videos showing how some of the attacks work.Read more: Security through HTTP response headers Quote Link to comment Share on other sites More sharing options...
bcman Posted March 1, 2014 Report Share Posted March 1, 2014 Also a very good web app to test your website's security through the headers: https://securityheaders.com/ 1 Quote Link to comment Share on other sites More sharing options...
tromfil Posted March 2, 2014 Report Share Posted March 2, 2014 Alt? idee bun? este s? te ui?i la siteurile mai m?ricele care pun accent pe securitate ?i faci un mix din headerele lor. Normal, nu copy paste. 1 Quote Link to comment Share on other sites More sharing options...
