Utilizing Security Headers for Web Application Defense
Understand how to implement HTTP security headers that protect web applications from common vulnerabilities.
Rule Content
{
"title": "Utilizing Security Headers for Web Application Defense",
"description": "Ensure web applications are protected against common vulnerabilities by implementing appropriate HTTP security headers.",
"category": "Security",
"severity": "High",
"patterns": [
{
"pattern": "Strict-Transport-Security",
"description": "Instructs browsers to connect to the server only over HTTPS, preventing protocol-downgrade (SSL-stripping) man-in-the-middle attacks.",
"recommendation": "Set the 'Strict-Transport-Security' header with a 'max-age' of at least 31536000 seconds (1 year) and include the 'includeSubDomains' directive; confirm every subdomain is reachable over HTTPS first, because browsers cache the policy for the full max-age.",
"example": "Strict-Transport-Security: max-age=31536000; includeSubDomains"
},
{
"pattern": "Content-Security-Policy",
"description": "Controls the sources from which content can be loaded, mitigating cross-site scripting (XSS) attacks.",
"recommendation": "Define a 'Content-Security-Policy' header that restricts sources for scripts, styles, and other resources to trusted origins, avoiding 'unsafe-inline' and wildcard sources that would undermine the policy.",
"example": "Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted.cdn.com"
},
{
"pattern": "X-Content-Type-Options",
"description": "Prevents browsers from MIME-sniffing a response away from its declared Content-Type, avoiding MIME-confusion attacks.",
"recommendation": "Set the 'X-Content-Type-Options' header to 'nosniff' to disable MIME type sniffing.",
"example": "X-Content-Type-Options: nosniff"
},
{
"pattern": "X-Frame-Options",
"description": "Protects against clickjacking by controlling whether the browser may render the page inside a frame.",
"recommendation": "Set the 'X-Frame-Options' header to 'DENY' to prevent the page from being displayed in a frame.",
"example": "X-Frame-Options: DENY"
},
{
"pattern": "Referrer-Policy",
"description": "Controls how much referrer information is included with requests to protect user privacy.",
"recommendation": "Set the 'Referrer-Policy' header to 'no-referrer' to prevent referrer information from being sent.",
"example": "Referrer-Policy: no-referrer"
},
{
"pattern": "Permissions-Policy",
"description": "Controls which browser features the page and any embedded frames may use, limiting exposure of sensitive browser APIs.",
"recommendation": "Define a 'Permissions-Policy' header that restricts the use of sensitive browser features.",
"example": "Permissions-Policy: geolocation=(), microphone=()"
}
],
"references": [
{
"title": "OWASP Secure Headers Project",
"url": "https://owasp.org/www-project-secure-headers/"
},
{
"title": "An Overview of Best Practices for Security Headers",
"url": "https://developer.okta.com/blog/2021/10/18/security-headers-best-practices"
},
{
"title": "The 8 HTTP Security Headers Best Practices",
"url": "https://www.globaldots.com/resources/blog/the-8-http-security-headers-best-practices/"
}
]
}