Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Security reasons to maintain a whitelist of allowed HTTP response headers

Tags:

http

security

header

firewall

As a web developer, I'm increasingly debugging issues only to find that our IT department are using our firewall to filter HTTP response headers.

They are using a whitelist of known headers, so certain newer technologies (CORS, websockets, etc) are automatically stripped until I debug the problem and request whitelisting.

The affected responses are third-party services we are consuming - so if we have an internal site that uses disqus, comments cannot be loaded because the response from disqus is having it's headers stripped. The resources we are serving are not affected, as it's only traffic coming in to the office.

Are there genuine reasons to block certain headers? Obviously there are concerns such as man-in-the-middle, redirects to phishing sites etc but these require more than just an errant header to be successful.

What are the security reasons to maintain a whitelist of allowed HTTP response headers?

like image 402
Adam Hopkinson Avatar asked Nov 29 '13 10:11

Adam Hopkinson

People also ask

What is the purpose of security headers?

Security headers are directives used by web applications to configure security defenses in web browsers. Based on these directives, browsers can make it harder to exploit client-side vulnerabilities such as Cross-Site Scripting or Clickjacking.

Why are HTTP headers important?

HTTP headers let the client and the server pass additional information with an HTTP request or response. An HTTP header consists of its case-insensitive name followed by a colon ( : ), then by its value.

Are response headers secure?

HTTP Response Headers allow server to pass additional information with the response, which instruct the browser how to behave when handling sensitive contents and data's of the application. Http response security headers provide an extra protection layer which help to mitigate vulnerabilities and attacks.

How can HTTP Security headers improve web application security?

As you know, nowadays too many data breaches are happening, many websites are hacked due to misconfiguration or lack of protection. These security headers will protect your website from some common attacks like XSS, code injection, clickjacking, etc. Additionally these headers increases your website SEO score.

1 Answers

Fingerprinting could be the main reason to strip the response headers:

https://www.owasp.org/index.php/Fingerprint_Web_Server_%28OTG-INFO-002%29

It depends on the stack that you're running, and most of the time, the information included in the response headers is configurable in each server, but it requires tampering with each serving application individually (and there might be cases when the software is privative and doesn't offer the option to set the HTTP headers).

Let's go with an easy example:

In our example datacenter, we're running a set of servers for different purposes, and we have configured them properly, so that they're returning no unnecessary metadata on the headers.

However, a new (imaginary) closed-source application for managing the print jobs is installed on one of the servers, and it offers a web interface that we want to use for whatever reason. If this application returns an additional header such as (let's say) "x-printman-version" (and it might want to do that, to ensure compatibility with clients that use its API), it will be effectively exposing its version.

And, if this print job manager has known vulnerabilities for certain versions, an attacker just has to query it to know whether this particular install is vulnerable.

This, that might not seem so important, opens a window for automated/random attacks, scanning ports of interests, and waiting for the right headers to appear ("fingerprints"), in order to launch an attack with certainty of success.

Therefore, stripping most (setting policies and rules for those that we want to keep) of the additional HTTP headers might sound sensible in an organisation.

With that being clear, stripping the headers from outgoing connections responses is overkill. It's true that they can constitute a vector, but since it's an outgoing connection, this means we "trust" the endpoint. There's no straightforward reason why an attacker with control over the trusted endpoint would use the metadata instead of the payload.

I hope this helps!

like image 111
Alberto Rico Avatar answered Oct 20 '22 06:10

Alberto Rico
Sign in to Comment

Related questions

ASP.Net security using Operations Based Security
How can you programmatically check if an iframe would be blocked by a site?
Does a reverse proxy make node.js safe?
CakePHP 2.x: Embedding a login form as an element using CakeDC's User plugin and Security component
Securing Passwords in a Multi-Dev nginx setup
How to send email via Gmail SMTP in secure way
Detect Man In The Middle From An Application [closed]
Android Keystore's password protection
Accessing client certificates from an HTTP Request
Unable to produce messages to Kafka with SSL enabled
How do I expose built-in security and user management to a MVC application?
Attacks on WPF applications
How to do IPC with UAC elevation safely?
What is the best way to adapt this security system to deal with multiple inheritance?
Why does SSL handshaking sometimes kill my CPU?
Google Chrome keeps session variables after browser close

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!