Most websites are now taking advantage of the security benefits of SSL. The web is becoming progressively more encrypted and safer thanks to the adoption of HTTPS and the efforts of projects promoting it, like the Electronic Frontier Foundation's Certbot initiative and the HTTPS Everywhere browser extension.
On the server side, Certbot makes obtaining and installing a free, strong certificate from Let's Encrypt easy. On the browser side, the HTTPS Everywhere extension forces HTTPS connections where available. Taking the effort to encrypt your traffic with SSL is a good first step towards writing a secure application. Serving HTTPS security policies in HTTP headers ensures all that effort isn't wasted.
HTTPS helps defend against eavesdroppers, man-in-the-middle (MITM) attacks, and spoofing. Unfortunately, that security can be bypassed in some instances if a user is maliciously served an unencrypted copy of the site. HSTS helps defend against this by having the browser require HTTPS. HSTS headers help mitigate some attacks involving SSL, including downgrade attacks and cookie hijacking.
The HTTP Strict Transport Security (HSTS) header informs the browser that it should only make future requests to the site over HTTPS. The header specifies the timeframe during which the policy is valid and, optionally, whether the rule should also be enforced for subdomains. This header must be sent over HTTPS or it will be ignored by the browser, meaning it has to be received at least once over HTTPS to be effective. Because of this, certain websites are whitelisted by the browser so that their HSTS policy is preloaded. The list is not limited to major companies like Google; you can get a website added by submitting the domain to the preload list. The list is used by Google, Mozilla and Microsoft.
Google has also recently configured Chrome to preload HSTS for all domains ending in .dev and .foo, forcing them to resolve over HTTPS. The .dev domain extension is popular with developers as a testing extension; forcing HTTPS helps get the point across that this domain extension is now active and in use, so testing with a .dev extension is not safe, since you may accidentally send test data to a live domain controlled by someone else. The Internet Engineering Task Force (IETF) has reserved a few top-level domains for testing; if you're testing software, it's recommended to use .test instead of an active domain extension.
The HSTS header can be added using one of the formats below; max-age is expressed in seconds.
Strict-Transport-Security: max-age={expire-time}
Strict-Transport-Security: max-age={expire-time}; includeSubDomains
The X-Frame-Options header is an essential security header for preventing clickjacking. X-Frame-Options prevents other sites from loading your website's pages in an iframe. This prevents users from being tricked into clicking the contents of your pages while browsing another site. You can block external domains from loading your content in an iframe, or block all iframes from loading your site's content.
X-Frame-Options: DENY
Setting this header to "DENY" will prevent all sites, including your own, from loading your domain's pages in an iframe.
X-Frame-Options: SAMEORIGIN
The "SAMEORIGIN" configuration will allow your domain to iframe its own content.
Set this header to DENY if you're not planning on providing content explicitly meant to be iframed into a page on your own or an external site. You can adjust it later if you need to.
The MIME type, or Content-Type, of a file is a header that tells the browser whether a file is, for example, a PDF or a JavaScript file. MIME sniffing happens when a file doesn't have a MIME type: browsers may look into the file to attempt to figure out what type of content it is. This can enable an attacker, under the right circumstances, to "transform non-executable content into executable content". Setting X-Content-Type-Options to "nosniff" stops the browser from doing MIME sniffing.
Setting up these headers in AWS Amplify can be done in the build settings. Under the build settings for the frontend of the app, add a customHeaders array and set the values you want.
version: 0.1
frontend:
  customHeaders:
    - pattern: '**/*'
      headers:
        - key: 'X-Frame-Options'
          value: 'DENY'
    - pattern: '**/*'
      headers:
        - key: 'X-Content-Type-Options'
          value: 'nosniff'
    - pattern: '**/*'
      headers:
        - key: 'Strict-Transport-Security'
          value: 'max-age=31536000;'
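To check that a deployment actually serves the three headers discussed above, here is an added example (not code from the post or from AWS Amplify) that parses a response's Strict-Transport-Security value and audits all three headers; the sample responses, the one-year max-age threshold and the over_https flag are assumptions for the example.

```python
import re

# Constructed sample responses (not from the page). The first mirrors the
# Amplify config above, including the trailing ';' in its HSTS value.
SAMPLE_AMPLIFY = {"Strict-Transport-Security": "max-age=31536000;",
                  "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff"}
SAMPLE_WEAK = {"Strict-Transport-Security": "max-age=300",
               "X-Frame-Options": "ALLOWALL"}
MIN_HSTS_MAX_AGE = 31536000  # assumed threshold: one year, as the config above sets


def parse_hsts(value):
    """Split an HSTS value into directives; names are case-insensitive, empty fragments skipped."""
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for fragment in value.split(";"):
        name, _, arg = fragment.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', arg.strip())  # max-age may be quoted
            out["max_age"] = int(m.group(1)) if m else None
        elif name == "includesubdomains":
            out["include_subdomains"] = True
        elif name == "preload":
            out["preload"] = True
    return out


def audit_headers(headers, over_https=True):
    """Return findings; over_https matters because a browser ignores HSTS received on plain HTTP."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: header missing")
    elif not over_https:
        findings.append("HSTS: delivered over HTTP, browser will ignore it")
    else:
        p = parse_hsts(hsts)
        if p["max_age"] is None:
            findings.append("HSTS: max-age missing or malformed")
        elif p["max_age"] < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS: max-age {p['max_age']} is below one year")
        if not p["include_subdomains"]:
            findings.append("HSTS: includeSubDomains not set")
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options: expected DENY or SAMEORIGIN, got {xfo!r}")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff not set")
    return findings
```

Run against SAMPLE_AMPLIFY the audit reports only that includeSubDomains is absent, which the config above indeed omits; SAMPLE_WEAK yields four findings.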