Review HTTP headers to improve security
Bug #1531987 reported by Kristina Hoeppner
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mahara | Fix Released | High | Aaron Wells |
1.10 | Fix Released | High | Aaron Wells |
15.04 | Fix Released | High | Aaron Wells |
15.10 | Fix Released | High | Aaron Wells |
Bug Description
We need to review our HTTP headers to improve security and check which ones we should include by default and which ones might need to be configurable. The review will include but is not limited to:
- Strict-Transport-Security
- Content-Security-Policy
- X-Frame-Options
- X-XSS-Protection
- X-Content-Type-Options
- Server
- X-Powered-By
- X-Permitted-Cross-Domain-Policies
- Caching headers
Initial reports for the X-XSS-Protection header by SaifAllah benMassaoud and Zeeshan.
description: updated
Changed in mahara:
assignee: nobody → Aaron Wells (u-aaronw)
status: Confirmed → In Progress
Changed in mahara:
status: In Progress → Fix Committed
Changed in mahara:
status: Fix Committed → Fix Released
Looking into the list above, I've done some initial research as to what these headers are used for, to see if we need to add them.
* Strict-Transport-Security
- Would need to be turned on for sites running https
- Could be problems for sites with 3rd party content - but most of that should be sorted out now
- Could be a problem with self-signed certificates
* Content-Security-Policy
- helps you reduce XSS risks on modern browsers by declaring what dynamic resources are allowed to load via an HTTP header
- deals with restricting script/style/image/ajax/font/object sources
- Probably not useful for mahara as we allow the fetching of things via the external media block
* X-Frame-Options
- currently set to: sameorigin
* X-XSS-Protection
- The role of this header is to re-enable the filter for this particular website if it was disabled by the user
- Deals with reflected XSS vulnerabilities
- When set as: X-XSS-Protection: 1; mode=block it will prevent page loading
* X-Content-Type-Options
- the only option at the moment is 'nosniff'
- prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type
* X-Powered-By
- Exposes what php version you are using
- You can set expose_php = Off in your php.ini if you don't want it to send X-Powered-By header.
* X-Permitted-Cross-Domain-Policies
- setting: 'master-only' Used by Adobe Flash
- More info: https://www.perpetual-beta.org/weblog/security-headers.html#rule-8470-2-establish-a-cross-domain-meta-policy
- a 2014 example from twitter
<?xml version="1.0" encoding="UTF-8"?>
<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
<allow-access-from domain="twitter.com" />
<allow-access-from domain="api.twitter.com" />
<allow-access-from domain="search.twitter.com" />
<allow-access-from domain="static.twitter.com" />
<site-control permitted-cross-domain-policies="master-only"/>
<allow-http-request-headers-from domain="*.twitter.com" headers="*" secure="true"/>
</cross-domain-policy>
* Caching headers
- Currently it is like this: Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
- other options worth adding:
- private - A proxy will not cache a page if it is marked as "private"
- no-transform - option may be important for mobile users. Some mobile providers will compress or alter content, in particular images, to save bandwidth when re-transmitting content over cellular networks.
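As an added example for this bug (not Mahara code, and not posted by anyone in the thread), the following Python script audits a captured response header block against the headers listed in the description and the comment above: HSTS conditional on the scheme, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, the Server and X-Powered-By fingerprint headers, X-Permitted-Cross-Domain-Policies, and the Cache-Control directives. The two sample responses are constructed here; the `Apache` and `PHP/5.5.9` banner values are placeholders, not captured from a real Mahara site.

```python
"""Audit a raw HTTP response header block for the headers discussed in the bug.

Added example, not Mahara code. Both sample responses below are constructed;
the Server / X-Powered-By values are placeholders.
"""
from typing import Dict, List

# Response headers that advertise the software stack; better left out.
FINGERPRINT_HEADERS = ("server", "x-powered-by")

# Constructed: roughly the state the comment describes (X-Frame-Options set,
# restrictive Cache-Control, nothing else) plus a default PHP banner.
CURRENT_RESPONSE = """\
HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.5.9
X-Frame-Options: sameorigin
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
"""

# Constructed: the same response with the headers from the list added and the
# fingerprint headers removed.
HARDENED_RESPONSE = """\
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000
X-Frame-Options: sameorigin
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Permitted-Cross-Domain-Policies: master-only
Cache-Control: no-store, no-cache, must-revalidate, private, no-transform
Content-Type: text/html; charset=UTF-8
"""


def parse_raw_headers(raw: str) -> Dict[str, str]:
    """Turn a raw response header block into a dict keyed by lower-cased name."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        if not line.strip() or line.startswith("HTTP/"):
            continue  # status line or end of the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(headers: Dict[str, str], https: bool) -> List[str]:
    """Return one finding per problem; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    # HSTS is only meaningful on a TLS site: browsers ignore it over plain http,
    # and with a self-signed certificate a cached policy locks users out, so
    # the check depends on the scheme the response was fetched over.
    hsts = h.get("strict-transport-security")
    if https and hsts is None:
        findings.append("Strict-Transport-Security missing on an https site")
    elif not https and hsts is not None:
        findings.append("Strict-Transport-Security sent over http (browsers ignore it)")

    # Clickjacking: DENY and SAMEORIGIN are the only reliably supported values.
    if h.get("x-frame-options", "").lower() not in ("deny", "sameorigin"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")

    # Reflected-XSS filter: '1; mode=block' blocks the page instead of
    # rewriting it. Whitespace and case are not significant, so normalise.
    if h.get("x-xss-protection", "").replace(" ", "").lower() != "1;mode=block":
        findings.append("X-XSS-Protection should be '1; mode=block'")

    # Stop IE/Chrome from sniffing a response away from its declared type.
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options should be 'nosniff'")

    for name in FINGERPRINT_HEADERS:
        if name in h:
            findings.append(f"{name} exposes the software stack: {h[name]!r}")

    # Flash/PDF cross-domain policy: allow only the master policy file, or none.
    if h.get("x-permitted-cross-domain-policies", "").lower() not in ("none", "master-only"):
        findings.append("X-Permitted-Cross-Domain-Policies should be 'none' or 'master-only'")

    # Cache-Control directives the comment proposes: 'private' keeps shared
    # proxies from caching, 'no-transform' stops carriers rewriting the body.
    directives = {d.strip().lower() for d in h.get("cache-control", "").split(",")}
    for wanted in ("no-store", "private", "no-transform"):
        if wanted not in directives:
            findings.append(f"Cache-Control lacks '{wanted}'")

    return findings


if __name__ == "__main__":
    for label, raw in (("current", CURRENT_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"== {label} ==")
        for finding in audit_headers(parse_raw_headers(raw), https=True) or ["no findings"]:
            print(" -", finding)
```

Two caveats when acting on the output: roll out Strict-Transport-Security with a short max-age first, because a browser that has cached the policy will refuse the site if the certificate later fails validation; and the X-XSS-Protection auditor has since been removed from Chromium-based browsers and was never implemented in Firefox, so that header now only helps older clients and Content-Security-Policy is the replacement.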