Review HTTP headers to improve security
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mahara | | High | Aaron Wells |
1.10 | | High | Aaron Wells |
15.04 | | High | Aaron Wells |
15.10 | | High | Aaron Wells |
Bug Description
We need to review our HTTP headers to improve security and check which ones we should include by default and which ones might need to be configurable. The review will include, but is not limited to:
- Strict-
- Content-
- X-Frame-Options
- X-XSS-Protection
- X-Content-
- Server
- X-Powered-By
- X-Permitted-
- Caching headers
Initial reports for X-XSS-Protection header by SaifAllah benMassaoud and Zeeshan.
description: updated
Robert Lyon (robertl-9) wrote: #1
Aaron Wells (u-aaronw) wrote: #2
After reviewing Robert's suggestions and some input from our security manager at Catalyst, I've decided to implement these changes in Mahara core:
1. Add the following HTTP headers to all page loads.
X-XSS-Protection: 1; mode=block (Prevents the user from disabling the browser's XSS protections)
X-Content-
X-Permitted-
2. Block the X-Powered-By header to prevent exposing the particular PHP version:
header_
3. Activate the "Strict-
*However* this one's a little tricky, because if you activate in a situation where it's not wanted, it'll screw up other sites on the same domain. For instance, if a site were serving Mahara on https on one path on a domain, and Moodle on http on another path on the same domain (i.e. https:/
So probably what we should do here, is have Strict-
4. Content-
And perhaps for a future release we can add this basic policy as a config-defaults default setting, and try to auto-detect third-party plugins or customizations that suggest the admin may need to customize it, and give them a warning if so.
Patch for "master" branch: https:/
Aaron Wells (u-aaronw) wrote: #4
On further reflection, I decided not to include the "Strict-
The only way to revert Strict-
1. Wait out the max-age period
2. Have *all* your site users clear their individual browser caches
3. Have the HTTPS version of your site serve a Strict-
Of course, this difficulty in reversing it is by design. That's the whole point of this setting!
But for us, because this setting will cause nearly irreversible problems for the few sites where it is not appropriate, it would be irresponsible of us to turn it on automatically.
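As an added example (not Mahara's own code and not part of this bug's patch), a small Python audit that checks one captured response's headers against the policy settled on in comments #2 and #4: the headers to send on every page load, X-Powered-By to suppress, the existing no-store Cache-Control, and HSTS reported as optional on HTTPS rather than as a failure. The sample response and message wording are constructed for illustration.

```python
# Headers this bug decided to send on every page load, with the value expected.
REQUIRED = {
    "x-xss-protection": "1; mode=block",
    "x-content-type-options": "nosniff",
    "x-permitted-cross-domain-policies": "master-only",
    "x-frame-options": "sameorigin",
}
# Headers to suppress because they advertise the PHP version.
FORBIDDEN = ("x-powered-by",)

def audit_headers(headers, https=False):
    """Return {header: finding} for one response; an empty dict means compliant.

    headers: mapping of header name to value (names compared case-insensitively).
    https: whether the response came over TLS. HSTS is only meaningful there,
    and per comment #4 its absence is reported as optional, not as a failure,
    because once sent it is very hard to reverse for the whole domain.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = {}
    for name, expected in REQUIRED.items():
        got = h.get(name)
        if got is None:
            findings[name] = "missing"
        elif got.lower() != expected:
            findings[name] = f"unexpected value {got!r}, want {expected!r}"
    for name in FORBIDDEN:
        if name in h:
            findings[name] = f"present ({h[name]!r}); remove to hide the PHP version"
    if "no-store" not in h.get("cache-control", "").lower():
        findings["cache-control"] = "missing no-store; logged-in pages may be cached"
    if https and "strict-transport-security" not in h:
        findings["strict-transport-security"] = (
            "optional: enable only once every host on this domain serves HTTPS")
    return findings

# Constructed sample response: still sends X-Powered-By and misspells nosniff.
SAMPLE_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nostiff",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Powered-By": "PHP/5.x (constructed value)",
    "Cache-Control": "no-store, no-cache, must-revalidate, post-check=0, pre-check=0",
}

if __name__ == "__main__":
    for name, msg in sorted(audit_headers(SAMPLE_RESPONSE, https=True).items()):
        print(f"{name}: {msg}")
```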
Changed in mahara:
assignee: nobody → Aaron Wells (u-aaronw)
status: Confirmed → In Progress
Reviewed: https:/
Committed: https:/
Submitter: Robert Lyon (<email address hidden>)
Branch: master
commit 29656f034ff0eef
Author: Aaron Wells <email address hidden>
Date: Thu Feb 4 16:33:11 2016 +1300
Adding some HTTP headers for security (Bug 1531987)
X-XSS-Protection: Tells the browser not to disable XSS protection
X-Content-
mimetypes of downloads
X-Permitted-
alternate crossdomain.xml files (which set the permissions on whether
this site allows itself to be accessed by scripts in Flash & PDF).
Prevents an attacker from uploading a more permissive crossdomain.xml
X-Powered-By: PHP by default sends this header with the current full
PHP version.
behatnotneeded: Selenium can't examine HTTP response headers
Change-Id: Ia2a6de971fc62b
Changed in mahara:
status: In Progress → Fix Committed
Patch for "15.10_STABLE" branch: https:/
Mahara Bot (dev-mahara) wrote: #7
Patch for "15.04_STABLE" branch: https:/
Reviewed: https:/
Committed: https:/
Submitter: Robert Lyon (<email address hidden>)
Branch: 15.10_STABLE
commit eacff74e9d4d36b
Author: Aaron Wells <email address hidden>
Date: Thu Feb 4 16:33:11 2016 +1300
Adding some HTTP headers for security (Bug 1531987)
(cherry picked from commit 29656f034ff0eef
Mahara Bot (dev-mahara) wrote: #9
Reviewed: https:/
Committed: https:/
Submitter: Robert Lyon (<email address hidden>)
Branch: 15.04_STABLE
commit d45af6dc1626736
Author: Aaron Wells <email address hidden>
Date: Thu Feb 4 16:33:11 2016 +1300
Adding some HTTP headers for security (Bug 1531987)
(cherry picked from commit 29656f034ff0eef
Mahara Bot (dev-mahara) wrote: #10
Reviewed: https:/
Committed: https:/
Submitter: Robert Lyon (<email address hidden>)
Branch: 1.10_STABLE
commit ef64adaab69ddce
Author: Aaron Wells <email address hidden>
Date: Thu Feb 4 16:33:11 2016 +1300
Adding some HTTP headers for security (Bug 1531987)
(cherry picked from commit 29656f034ff0eef
Changed in mahara:
status: Fix Committed → Fix Released
Looking into the list above, I've done some initial research as to what these headers are used for, to see if we need to add them:
* Strict-Transport-Security
- Would need to be turned on for sites running https
- There could be problems for sites with 3rd-party content, but most of that should be sorted out now
- Could be a problem with self-signed certificates
* Content-Security-Policy
- helps you reduce XSS risks on modern browsers by declaring what dynamic resources are allowed to load via an HTTP header
- deals with restricting script/style/image/ajax/font/object sources
- Probably not useful for Mahara as we allow the fetching of things via the external media block
* X-Frame-Options
- currently set to: sameorigin
* X-XSS-Protection
- The role of this header is to re-enable the filter for this particular website if it was disabled by the user
- Deals with reflected XSS vulnerabilities
- When set as: X-XSS-Protection: 1; mode=block it will prevent page loading
* X-Content-Type-Options
- the only option at the moment is 'nosniff'
- prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type
* X-Powered-By
- Exposes what php version you are using
- You can set expose_php = Off in your php.ini if you don't want it to send X-Powered-By header.
* X-Permitted-Cross-Domain-Policies
- setting: 'master-only' (used by Adobe Flash)
- More info: https://www.perpetual-beta.org/weblog/security-headers.html#rule-8470-2-establish-a-cross-domain-meta-policy
- a 2014 example from twitter:
    <?xml version="1.0" encoding="UTF-8"?>
    <cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
      <allow-access-from domain="twitter.com" />
      <allow-access-from domain="api.twitter.com" />
      <allow-access-from domain="search.twitter.com" />
      <allow-access-from domain="static.twitter.com" />
      <site-control permitted-cross-domain-policies="master-only"/>
      <allow-http-request-headers-from domain="*.twitter.com" headers="*" secure="true"/>
    </cross-domain-policy>
* Caching headers
- Currently is like this: Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
- other options worth adding:
- private - A proxy will not cache a page if it is marked as "private"
- no-transform - option may be important for mobile users. Some mobile providers will compress or alter content, in particular images, to save bandwidth when re-transmitting content over cellular networks.