Browser security headers add a client-side layer of defense on top of the server-side controls. A header is only acted on if the browser that receives it implements it; otherwise it is silently ignored. Support per browser can be checked at caniuse.com. Few websites make use of these headers.
Browser headers implemented in most modern browsers-
HSTS (HTTP Strict Transport Security)-
HSTS forces the browser to use a secure transport (HTTPS) for the site, so an attacker sitting between client and server cannot read or tamper with the traffic.
It is only honoured when received over HTTPS.
Without HSTS: if the browser's initial request goes out over HTTP, the server answers with a 301 redirect to the HTTPS URL and the browser then requests the content over HTTPS. That initial HTTP request is exposed to a man in the middle: the attacker can take the insecure request from the client, forward it to the server over HTTPS, receive the secure response and hand it back to the client over plain HTTP, so the client never sees the redirect and never leaves HTTP.
How HSTS solves this problem –
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload;
- Declares that the client should only interact with the site over HTTPS
- Protects against downgrade (the browser refuses to speak plain HTTP to the site)
- Relies on trust on first use (TOFU): the policy only exists after a first successful secure connection that delivered the header
After that first response, the browser handles any http:// URL for the site with an internal redirect to https:// before a request leaves the machine.
max-age – period, in seconds, during which the browser will not make an HTTP request to the site. 31536000 seconds = 1 year (the value is seconds, not milliseconds). Each time the header is received the timer restarts, so a regularly visited site stays covered; max-age=0 tells the browser to forget the policy.
While using HSTS, all resources such as CSS or images must also be served over HTTPS, because the browser will not request anything for that host over HTTP.
includeSubdomains – all subdomains become HTTPS-only as well.
** Make sure that everything under the domain is, and will stay, HTTPS. Otherwise subdomains that are still HTTP-only become unreachable until the cached policy expires, and the only fix is to get the browser back to the main site over HTTPS and send a new header without includeSubdomains (and with a shorter max-age) to replace the cached one.
PRELOAD HSTS – trust on first use is not foolproof: a man in the middle can still attack the very first request. Preloading HSTS closes this gap by hard-coding the site into the browser, so Chrome, Firefox and the other major browsers ship with a list of preloaded sites that are only ever contacted over HTTPS.
hstspreload.appspot.com (now hstspreload.org) can be used to submit a site for preloading. The submission criteria require the site to already serve the HSTS header over HTTPS with a max-age of at least a year, includeSubdomains and the preload directive, and the preload check verifies this, which prevents someone else from submitting a site that has not opted in.
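The following is an added worked example, not part of the original notes and not a browser's real implementation: a minimal JavaScript model of the browser's HSTS cache, run through the scenario described above. It shows the trust-on-first-use gap (the very first http:// request goes out in the clear, and a header arriving on a plain-HTTP response is ignored, so a man in the middle cannot plant a policy either), the client-side rewrite of later http:// URLs including subdomains, max-age counted in seconds, and expiry when the header is not seen again. The host names (example.com, cdn.example.com) and the timestamps are constructed for the demo.

```javascript
// Added example (not from the original notes): a minimal model of the browser-side
// HSTS cache. Hosts and timestamps are constructed for the demo.

// Parse a Strict-Transport-Security value. Directive names are case-insensitive and
// max-age is mandatory; a header without a usable max-age is invalid and ignored.
function parseHsts(value) {
  const out = { maxAge: null, includeSubDomains: false, preload: false };
  for (const part of value.split(';')) {
    const [rawName, rawVal] = part.split('=');
    const name = rawName.trim().toLowerCase();
    if (name === 'max-age') {
      const txt = (rawVal || '').trim().replace(/^"|"$/g, '');
      const n = Number(txt);
      if (txt === '' || !Number.isInteger(n) || n < 0) return null;
      out.maxAge = n;                      // seconds, not milliseconds
    } else if (name === 'includesubdomains') out.includeSubDomains = true;
    else if (name === 'preload') out.preload = true;
  }
  return out.maxAge === null ? null : out;
}

class HstsStore {
  constructor() { this.entries = new Map(); }   // host -> { expires, includeSubDomains }

  // Process a response. The header is honoured only on HTTPS responses, which is what
  // makes poisoning the cache over plain HTTP impossible. Seeing the header again
  // restarts the timer; max-age=0 deletes the entry.
  receive(host, scheme, headerValue, nowSec) {
    if (scheme !== 'https') return false;
    const p = parseHsts(headerValue);
    if (!p) return false;
    if (p.maxAge === 0) { this.entries.delete(host); return true; }
    this.entries.set(host, { expires: nowSec + p.maxAge, includeSubDomains: p.includeSubDomains });
    return true;
  }

  // Is host covered by an unexpired policy, directly or via a parent domain whose
  // entry has includeSubDomains? Expired entries are dropped on the way.
  isKnown(host, nowSec) {
    const labels = host.split('.');
    for (let i = 0; i < labels.length - 1; i++) {
      const candidate = labels.slice(i).join('.');
      const e = this.entries.get(candidate);
      if (!e) continue;
      if (e.expires <= nowSec) { this.entries.delete(candidate); continue; }
      if (i === 0 || e.includeSubDomains) return true;
    }
    return false;
  }

  // The URL the browser will actually fetch: known hosts have http:// rewritten to
  // https:// before any request leaves the machine (the "internal redirect").
  navigate(url, nowSec) {
    const u = new URL(url);
    if (u.protocol === 'http:' && this.isKnown(u.hostname, nowSec)) u.protocol = 'https:';
    return u.toString();
  }
}

function hstsDemo() {
  const store = new HstsStore();
  const t0 = 1700000000;                 // constructed "now", in seconds
  const seen = [];
  // 1. First ever visit: nothing cached, so the plain-HTTP request goes out (the TOFU gap).
  seen.push(store.navigate('http://example.com/', t0));
  // 2. A MITM cannot plant a policy: the header on a plain-HTTP response is ignored.
  store.receive('example.com', 'http', 'max-age=31536000', t0);
  seen.push(store.navigate('http://example.com/', t0));
  // 3. The real site 301s to https:// and the HTTPS response carries the header.
  store.receive('example.com', 'https', 'max-age=31536000; includeSubdomains; preload', t0);
  // 4. Now http:// links, bookmarks and sub-resources are rewritten client-side, subdomains included.
  seen.push(store.navigate('http://example.com/login', t0 + 60));
  seen.push(store.navigate('http://cdn.example.com/app.css', t0 + 60));
  // 5. If the header is not seen again within max-age (31536000 s = 365 days), the policy lapses.
  seen.push(store.navigate('http://example.com/', t0 + 31536000 + 1));
  return seen;
}
```

Run with `node` and call `hstsDemo()`: the first two URLs stay on http://, the next two are upgraded to https:// (the cdn subdomain because of includeSubdomains), and the last one falls back to http:// because the entry expired. Real browsers also refuse to honour the header on an HTTPS response that had certificate errors, and consult the preload list before this cache; both are left out here.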
HPKP (HTTP Public Key Pinning) –
Note: HPKP has since been deprecated and removed from the major browsers (Chrome dropped it in version 72, in 2019, and Firefox followed), largely because of the self-inflicted lockout risk described below; the mechanism is still worth understanding.
Allows a website to instruct the browser which public keys to expect in the site's certificate chain in future. It relies on TOFU (trust on first use). It whitelists the allowed public keys (as hashes of the certificate's SubjectPublicKeyInfo); once the whitelist is in place, the browser rejects any chain that does not contain a pinned key, even if the certificate is otherwise valid.
The attack it addresses: a rogue (mis-issued) SSL certificate lets a man in the middle present a certificate that is valid as far as the browser is concerned. The browser accepts it and shows the green padlock because the certificate chains to a trusted CA.
Example – Public-Key-Pins: pin-sha256="[pin1]"; pin-sha256="[pin2]"; max-age=2592000; includeSubdomains; report-uri="[uri]" (directives are separated by semicolons; pin and report-uri values are quoted)
pin-sha256 – base64 SHA-256 hash of a public key. At least two pins are required: one matching a key in the chain currently served, and one backup pin that is not in the chain (e.g. the hash of the key in a CSR generated in advance and kept offline), so that if the live key is compromised or lost the site can switch to the backup key without locking out clients. The browser ignores a header that has no backup pin.
report-uri – on a pin validation failure, send a report to this URL. It should be on a different domain from the pinned site; otherwise the report goes through the same attacker-controlled path and can be blocked (and would itself fail the pin check).
max-age: 2592000 seconds = 30 days (about 1 month)
includeSubdomains – every subdomain must then serve a chain containing a pinned key; use a wildcard or multi-domain certificate issued from a pinned key, otherwise the unpinned subdomains become unreachable (a self-inflicted denial of service).