
Recently, some of our servers were being flagged for not implementing proper HTTP headers in a Qualys scan.

One of the sites that I visit regularly, http://pentestit.com, has some good HTTP headers implemented:

HTTP/1.1 200 OK
Date: Mon, 26 Jun 2017 23:05:15 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d7bd211d03cddfc95f5d3b27f75db3e151498518314; expires=Tue, 26-Jun-18 23:05:14 GMT; path=/; domain=.pentestit.com; HttpOnly
X-XSS-Protection: 1;mode=block
Referrer-Policy: no-referrer-when-downgrade
Link: <http://wp.me/8tJeS>; rel=shortlink
Vary: Accept-Encoding
X-Mod-Pagespeed: pentestit.com
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-UA-Compatible: IE=Edge,chrome=1
Pragma: no-cache
Content-Language: en
Server: cloudflare-nginx
CF-RAY: 3753cf6c01ed6c88-SJC

Except for Content-Security-Policy, it seems to be doing everything correctly.

What are your views about being failed for incorrect HTTP headers? I tried searching for information related to this, but was unable to find anything.

I think this should definitely be a PCI fail, as it tends to follow the OWASP Top 10, which has A5-Security Misconfiguration (https://www.owasp.org/index.php/Top_10_2017-A5-Security_Misconfiguration).

My question is - should I be failed for not implementing correct HTTP and NOT HTTPS headers? I am doing every other thing correctly, but missing a few HTTP headers.

Metahuman
    I'm not sure I understand what you're asking. Are you asking 1) "Why did my server fail?" 2) "Does pentestit.net have a problem?" 3) "*Should* I fail for bad headers?" or 4) "How do I fix my server?" – Bobson Jun 27 '17 at 02:33
  • Do you have the headers implemented on your webapp? One of the key ones is ‘X-Frame-Options SAMEORIGIN/ALLOW-FROM’; this is for 3rd-party payment systems that are embedded in iframes. – TheJulyPlot Jun 27 '17 at 06:54
  • OP seems to be asking if failing Qualys' HTTP header scan should lead to a failing PCI-DSS test, since it qualifies as an OWASP Top 10 vulnerability. I'm inclined to agree with you, Metahuman, if this is indeed the question. Please edit your question to be more clear, as it is currently [being closed](https://security.stackexchange.com/review/close/102941). – Jedi Jun 27 '17 at 15:42
  • @Bobson, yes what I meant to ask was the question 3 - Should I be failed for bad headers. Editing the question. – Metahuman Jun 27 '17 at 18:18
  • Can you provide the Qualys QID in case that makes it clearer what they're objecting to? – gowenfawr Jun 28 '17 at 12:38
  • @gowenfawr QID 11827 is the Qualys QID. – Metahuman Jun 28 '17 at 18:03

1 Answer

Some headers are a bigger problem than others. e.g., if you aren't planning to serve any IE browsers, I wouldn't worry much about X-Content-Type-Options: nosniff.

The effectiveness of some are debatable. e.g., X-XSS-Protection (did I just provoke a comment war? :) ).

Some headers are definitely useful for nearly every application, e.g., HttpOnly; Secure.

Other headers are important based on the sensitivity of your application, e.g., Strict-Transport-Security.

In general though, most of these are low-barrier security protections (CSP & HSTS/HPKP need prep, yes) and there is no good reason not to use them.

Sas3
  • Yes I agree with you. But I wanted to know if failing a PCI test for not using these headers is valid or not? – Metahuman Jun 27 '17 at 23:28
  • If PCI DSS compliance is important for your app, i.e., you are storing/transmitting/processing payment card information, then yes, both in principle as well as per PCI controls requirement - it would be valid to treat it as a non-compliance. – Sas3 Jun 28 '17 at 01:12
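To make the checks behind a "missing HTTP headers" finding concrete, the following is an added example written for this page; it is not code from the question, the answer, or Qualys. It parses a raw HTTP/1.x response header block and reports, scanner-style, which of the headers discussed above (X-Content-Type-Options, X-Frame-Options, Content-Security-Policy, Referrer-Policy, Strict-Transport-Security, and the HttpOnly/Secure cookie attributes) are missing or carry an unexpected value. The first sample response is constructed to mirror the pentestit.com dump in the question; the second is a constructed hardened response. The one-year HSTS threshold and the exact set of checks are assumptions made for the example, not the rules of QID 11827.

```python
"""Scanner-style check of HTTP response security headers.

Added example, not from the original post or from Qualys.  Both sample
responses below are constructed; the first mirrors the header dump in the
question, the second is a hardened response for comparison.
"""
import re
from typing import List, Optional, Tuple

Header = Tuple[str, str]  # (lower-cased header name, value)

# Assumed minimum HSTS max-age (one year), a common recommendation rather
# than a value stated in the post.
ONE_YEAR = 31536000

# Constructed sample: the headers from the question, served over plain HTTP.
SAMPLE_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Date: Mon, 26 Jun 2017 23:05:15 GMT",
    "Content-Type: text/html; charset=UTF-8",
    "Set-Cookie: __cfduid=d7bd211d03cddfc95f5d3b27f75db3e151498518314; "
    "expires=Tue, 26-Jun-18 23:05:14 GMT; path=/; domain=.pentestit.com; HttpOnly",
    "X-XSS-Protection: 1;mode=block",
    "Referrer-Policy: no-referrer-when-downgrade",
    "Cache-Control: max-age=0, no-cache, no-store, must-revalidate",
    "X-Content-Type-Options: nosniff",
    "X-Frame-Options: SAMEORIGIN",
    "Server: cloudflare-nginx",
    "", "",
])

# Constructed sample: what a response that passes every check could look like.
HARDENED_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Content-Type: text/html; charset=UTF-8",
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'self'",
    "Strict-Transport-Security: max-age=31536000; includeSubDomains",
    "X-Content-Type-Options: nosniff",
    "X-Frame-Options: DENY",
    "Referrer-Policy: strict-origin-when-cross-origin",
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "", "",
])


def parse_response(raw: str) -> Tuple[str, List[Header]]:
    """Split a raw response into (status line, ordered header list).

    Headers are kept as a list rather than a dict because Set-Cookie may
    legitimately appear more than once.  Parsing stops at the blank line
    that ends the header block, so a body may follow."""
    lines = raw.replace("\r\n", "\n").split("\n")
    headers: List[Header] = []
    for line in lines[1:]:
        if line == "":
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def values(headers: List[Header], name: str) -> List[str]:
    """All values for a header name (case-insensitive)."""
    return [v for n, v in headers if n == name.lower()]


def first(headers: List[Header], name: str) -> Optional[str]:
    vals = values(headers, name)
    return vals[0] if vals else None


def check_headers(raw: str, https: bool = False) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged.

    `https` enables the checks that only make sense on a TLS origin
    (Strict-Transport-Security and the Secure cookie attribute)."""
    _, headers = parse_response(raw)
    findings: List[str] = []

    xcto = first(headers, "X-Content-Type-Options")
    if xcto is None:
        findings.append("X-Content-Type-Options: missing")
    elif xcto.lower() != "nosniff":  # the only defined value
        findings.append(f"X-Content-Type-Options: unexpected value {xcto!r}")

    xfo = first(headers, "X-Frame-Options")
    if xfo is None:
        findings.append("X-Frame-Options: missing")
    elif xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options: value {xfo!r} is not DENY or SAMEORIGIN")

    if first(headers, "Content-Security-Policy") is None:
        findings.append("Content-Security-Policy: missing")

    if first(headers, "Referrer-Policy") is None:
        findings.append("Referrer-Policy: missing")

    xxp = first(headers, "X-XSS-Protection")
    if xxp is not None and xxp.startswith("0"):
        findings.append("X-XSS-Protection: filter explicitly disabled")

    if https:
        hsts = first(headers, "Strict-Transport-Security")
        m = re.search(r"max-age=(\d+)", hsts or "", re.IGNORECASE)
        if hsts is None or m is None:
            findings.append("Strict-Transport-Security: missing or without max-age")
        elif int(m.group(1)) < ONE_YEAR:
            findings.append(f"Strict-Transport-Security: max-age {m.group(1)} below one year")

    for cookie in values(headers, "Set-Cookie"):
        cookie_name = cookie.split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "httponly" not in attrs:
            findings.append(f"Set-Cookie {cookie_name}: missing HttpOnly")
        if https and "secure" not in attrs:
            findings.append(f"Set-Cookie {cookie_name}: missing Secure")

    return findings


if __name__ == "__main__":
    for label, raw, tls in [("sample/http", SAMPLE_RESPONSE, False),
                            ("sample/https", SAMPLE_RESPONSE, True),
                            ("hardened/https", HARDENED_RESPONSE, True)]:
        print(label, check_headers(raw, https=tls) or "no findings")
```

Run over the first sample as a plain-HTTP response, the only finding is the missing Content-Security-Policy, which matches the question's own reading of the dump; treated as an HTTPS response, the same headers also draw findings for the absent Strict-Transport-Security and the cookie without Secure, which is why the answer separates the "low-barrier" headers from HSTS and CSP, which need preparation before they can be switched on.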