Questions tagged [header]

129 questions
151 votes, 4 answers

Which security measures make sense for a static web site?

I have a static web site. Users cannot log in or perform any other actions. Which of the common HTTP security measures make sense for my site? Do I need any of these? HTTPS Strict transport security Content security policy Certificate…
Sjoerd
30 votes, 1 answer

Why does Chrome send four browsers in the user-agent header?

I am using Chrome in Linux with Version 51.0.2704.63 (64-bit). I recorded an HTTP request of Chrome and here is part of the recording: User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.63…
drdot
25 votes, 1 answer

HTTP HEAD and its security versus operational uses

Most security advice I see recommends turning off HTTP methods like TRACE, OPTIONS, HEAD, etc. So now I have turned off most of these options on my web server, leaving only the GET and POST options that can be returned. The question is, now some my…
Pang Ser Lark
21 votes, 3 answers

Does the X-Permitted-Cross-Domain-Policies header have any benefit for my website if I'm not using Adobe products?

OWASP says the X-Permitted-Cross-Domain-Policies security header gives web clients "permission to handle data across domains". It specifically states that Adobe's Flash Player and Acrobat PDF Reader use this header and that other web clients could…
Taul
20 votes, 1 answer

Security Headers for a web API

I just got a setup: a Go web API behind a Caddy server that has HTTPS by default via Let's Encrypt; the server proxies all requests to the web API. So I went around to test my web server "security" on sites such as securityheaders.io. They gave…
Whiteclaws
20 votes, 2 answers

What are the negative aspects of creating fake security footprints?

My take on reducing the risk of being hacked on products and installations has often been to create false footprints. From my own experience, the servers I've spent the most time (and hate) on hacking have been those that have claimed to be something…
Simply G.
17 votes, 2 answers

How did this email list a fake recipient?

My friend recently received a suspicious email for an iTunes gift card purchase from "Apple Store" with a header that displayed a fake "To:" address for orders@apple-store.com. Unsurprisingly, this turned out to be a phishing email with a…
Stevoisiak
14 votes, 1 answer

Vary: origin response header and CORS exploitation

Recently PortSwigger (the guys behind Burp Suite) came up with a blog post discussing the security risks associated with CORS misconfigurations: http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html In summary, the blog talks…
Shurmajee
12 votes, 2 answers

Secure HTTP headers: where should they be implemented, WAF or code level?

I have a REST API exposed to the Internet and another application with form-based authentication. These apps are behind a Web Application Firewall. The question is, where should I implement the below security HTTP headers, in the WAF or at the code…
Mathev
9 votes, 3 answers

Why does Chrome not allow the modification of these headers by extensions?

The Chrome WebRequests API mentions that specific request headers are not available to the onBeforeSendHeaders event, meaning that extensions cannot read and/or modify these headers. Here is an excerpt from the documentation: The following headers…
user163495
9 votes, 2 answers

How does sending referrer HTTP headers protect against CSRF attacks?

How does sending referrer HTTP headers protect against CSRF attacks? I tried logging into an HTTPS site with Firefox's network.http.sendRefererHeader set to 0 (i.e., completely disabled, as a measure against tracking), and it said: Forbidden…
Geremia
9 votes, 2 answers

Best practices when forwarding an email or copy / pasting from confidential information sources?

I get asked this a lot by older people, or for legal matters. They want to forward an email message they've received to another party, while removing any identifying information about the first party, as well as removing some lines from the body…
cloneman
8 votes, 2 answers

For which content types is it recommended to set X-XSS-Protection header?

One may probably suggest setting this header for all responses from a web server (I am thinking of value="1; mode=block"). However, does it make sense to set it when serving, say, images? CSS files? JSON responses made from AJAX calls? Does XSS…
oldbam
7 votes, 1 answer

CSP: What is script-src-attr and script-src-elem?

The script-src-attr and script-src-elem directives are new additions in CSP3. I am not able to understand how they are different from the script-src directive. https://w3c.github.io/webappsec-csp/#directive-script-src-elem This documents the new…
Nitanshu
7 votes, 1 answer

How can I determine (as a layman) if an E-mail was set to self destruct?

I tried to access an old e-mail to print for a court case, only to find there is no content. I checked on all my devices and my Outlook account. The e-mail in question is from a Gmail user and I have subsequently learned there are ways to get the…
TheAlpine