Topic: Are your HTTP headers secure?

bill

Are your HTTP headers secure?
« on: January 28, 2016, 01:25:48 AM »
I need to get this implemented on my sites: Content Security Policy (CSP)
Looks like a great way to thwart cross-site scripting attacks.

This guy has a scanner https://securityheaders.io/ that grades your headers just like SSL Labs does for certs. He also has a CSP policy builder https://report-uri.io/home/generate/ but there are a lot of options in there that I'd need to look into.

Anyone here use a CSP?

ergophobe

Re: Are your HTTP headers secure?
« Reply #1 on: January 28, 2016, 05:07:37 PM »
Sorry, but no.

Interesting though. I am not a server admin, but still... I don't know about any of that stuff.

It appears I'm not alone. Most sites I checked get an F on that scanner.

Google gets an E

Even security-related sites fared poorly

OWASP - D

Norton - B (no CSP)

Kaspersky - D

Trend Micro - F

bill

Re: Are your HTTP headers secure?
« Reply #2 on: January 29, 2016, 06:37:32 AM »
I was actually surprised at how few sites had implemented a CSP. It looks easy enough to do for simple sites. Some of the rules could get complicated if your site is pulling in content from a lot of different sources.
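As an added example that is not part of the thread, here is a small Python checker in the spirit of the scanner mentioned above: it parses a Content-Security-Policy value into directives, flags settings that weaken XSS protection, and reports which headers are absent. The set of headers it expects and the findings it raises are assumptions for illustration, not securityheaders.io's actual grading rules; the sample response is constructed.

```python
# Added example: parse a Content-Security-Policy header and flag weak settings.
# Expected header set and findings are assumptions, not the scanner's real rules.
from typing import Dict, List

# Headers a scanner of this kind typically looks for (assumed set).
EXPECTED_HEADERS = (
    "Content-Security-Policy",
    "Strict-Transport-Security",
    "X-Frame-Options",
    "X-Content-Type-Options",
)

def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split "script-src 'self' cdn.example; img-src *" into a directive map."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def csp_findings(directives: Dict[str, List[str]]) -> List[str]:
    """Return human-readable weaknesses found in a parsed policy."""
    findings = []
    if "default-src" not in directives:
        findings.append("no default-src fallback: unlisted fetch types are unrestricted")
    for name in ("script-src", "default-src"):
        sources = directives.get(name, [])
        if "'unsafe-inline'" in sources:
            findings.append(f"{name} allows 'unsafe-inline', which defeats XSS protection")
        if "*" in sources or any(s.startswith("http:") for s in sources):
            findings.append(f"{name} allows wildcard or plain-http sources")
    return findings

def header_findings(headers: Dict[str, str]) -> List[str]:
    """Report missing headers and CSP weaknesses for one HTTP response."""
    present = {k.lower(): v for k, v in headers.items()}
    findings = [f"missing {h}" for h in EXPECTED_HEADERS if h.lower() not in present]
    if "content-security-policy" in present:
        findings += csp_findings(parse_csp(present["content-security-policy"]))
    return findings

# Constructed sample response: a site loading scripts from one CDN and
# images from anywhere, the kind of multi-source policy discussed above.
SAMPLE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.com; img-src *",
    "X-Content-Type-Options": "nosniff",
}
```

Running `header_findings(SAMPLE_HEADERS)` reports the two missing headers while accepting the CSP itself, since the CDN source is explicit and only image loading is left open.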

ergophobe

Re: Are your HTTP headers secure?
« Reply #3 on: January 29, 2016, 05:05:55 PM »
I need to put this on my list.

Most of this (all the headers the scanner checks for) looks reasonable enough on a simple site.

Rupert

Re: Are your HTTP headers secure?
« Reply #4 on: January 30, 2016, 06:06:30 AM »
https://www.hsbc.co.uk/1/2/  F

Meanwhile, partially related:
http://www.telegraph.co.uk/finance/personalfinance/bank-accounts/12129786/HSBC-online-banking-fails-again-after-succumbing-to-cyber-attack.html

Quote
The website was hit by a denial of service attack, caused by a deliberate overload of traffic to the online system by cyber attackers.
... Make sure you live before you die.

bill

Re: Are your HTTP headers secure?
« Reply #5 on: February 04, 2016, 08:52:05 AM »
A CSP certainly wouldn't hamper a DoS or DDoS in any way. Those are an entirely different animal to deal with. The problem with a DoS is usually that the media picks up on it and unnecessarily freaks everyone out...but that's usually the purpose of such an attack.