SANS ISC: HTTP headers fun

• SANS Site Network
  • Current Site
  • Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

Not sure if you have seen our latest pet project - HTTP Headers. This is ISC's effort to track HTTP response headers by major sites on the Internet. Our main goal at this point is to monitor the use of security related headers. However, we are collecting all headers in part to monitor changes over time in the way administrators configure web servers.

Browsers have been somewhat ignored in the past when it came to web application defense. In part, because an application can't count on the user using any particular browser (or any browser for that matter). However, attacks on the other hand increasingly use the browser as an offensive tool to reflect attacks via cross site scripting, cross site request forging or click jacking. In all these attacks the browser is playing a major role.

The different attention to browsers is understandable. An attacker can be perfectly happy if an attack only works for a small percent of the population. If only users with Internet Explorer 6 on Windows XP are affected: Still a successful attack. For the defender on the other hand, the picture is different: If a particular browser protection is only enabled in 90% of browsers: One out of 10 visitors will still be affected by the attack.

This changes however if one is willing to accept browser defenses as an added defensive layer instead of a replacement for good application security. In addition, standards are emerging to make it easier for browser to provide meaningful protection. But none of this will work if it is not used.

We periodically reach out to the sites listed in the Alexa Top sites and track the HTTP headers returned by the web servers. We intend to track the changes over time and see how security related HTTP headers are used in real-world sites.

Some of the preliminary findings are as follows,

• Only very few sites use the X-FRAME-OPTIONS header. This is a reliable way to deal with Clickjacking attacks in newer browsers, but it will also block framing of web sites by friendly sites. The option allows for very little adjustment as it is currently implemented.
• X-XSS-Protection is used rarely by top sites (about 450 of the top sites). This is a IE 8+ supported header to enable/disable XSS protection feature on the browser. Only a few sites out of the hundreds turn off XSS protection by setting the value of this header to 0. Vast majority of the sites using this header enable the protect by setting value to 1 and mode=block, which makes the page blocked from the browser instead of browser sanitizing the content of the page.
• Set-Cookie2 is only used by two sites that we query. This is a largely ignored way of setting cookie, as specified in RFC 2965.
• X-Hacker caught our eyes. This is actually a job ad from the guys who developed Wordpress blogging software.

If you spot any interesting security related headers on our list and want to share with us. Please write in using the ISC contact form.