Response headers should be configured to restrict iframe usage, prevent XSS exploits and to hide server configuration data.

The Internet is a dangerous place! With great regularity we hear about websites becoming unavailable due to denial of service attacks, or displaying modified (and often damaging) information on their home pages. In other high-profile cases millions of passwords, email addresses and credit card details have been leaked into the public domain, exposing website users to both personal embarrassment and financial risk.

Mozilla, “Web Security”

Use clickjack protection

Protect against clickjacking attacks by restricting how your pages can be embedded within iframes. Clickjacking attacks involve an attacker displaying your pages within an iframe on a site they control. For example, an attacker could overlay a UI layer over an iframe to trick visitors into triggering actions on your page as well overlaying form fields to steal data. Clickjacking has been used to exploit users into sharing links on social networks, clicking ads and stealing passwords. Protect against these attacks using the X-Frame-Options response header to restrict which hosts are allowed to embed your pages. The possible options are 1) DENY to restricts all URLs 2) SAMEORIGIN to allow only URLs from the same origin as your page 3) ALLOW-FROM to allow from a specific origin. For example, X-Frame-Options: DENY will block all iframe usage. You should use a setting that’s as restrictive as possible.

Use XSS protection

Protect against XSS attacks by enabling browser XSS safeguards. XSS attacks involve an attacker injecting code into a page that is being sent to users. Some browsers have built-in XSS protection that is enabled by adding X-XSS-Protection: 1; mode=block to the response header of each page. This setting will stop the page being rendered if the browser detects an XSS attack. Note that this should only be considered as a last resort defence against XSS attacks. Your site should be thoroughly reviewed and built with XSS safeguards in mind to prevent injection attempts from ever reaching the browser.

Hide server version data

Avoid leaking information to attackers by removing response headers that say what software is running on your web server. Many web servers give the name and versions of software that were used to respond to a request within the response headers. For example, a server might respond with the header Server: Apache/2.2.20 (Win32) PHP/5.3.10 when a page is requested. This can give hints to attackers on how to search for vulnerabilities. Response headers that can contain software version information include the Server, Powered-by, ASPNET and ASPNETMVC headers. You should configure your server to suppress headers like these. Note that a determined attacker can uncover details about your server configuration in other ways and can find exploits without knowing this information anyway. However, making life a little harder for an attacker by keeping this information hidden doesn’t usually require a lot of effort.

More articles in this series

➜  This article is from our comprehensive Web Security Best Practices guide.

➜  Previous article in this series: Content sniffing