Web Security
Development/Web 2022. 6. 12. 22:01
*These are review notes, so the obvious parts are omitted
Summary.
1. The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. Chrome removed its XSS Auditor in version 78, Edge retired its filter, and Firefox never implemented one, so in practice the header now only affects legacy browsers
+ These protections are largely unnecessary in modern browsers when sites implement a strong Content-Security-Policy that disables the use of inline JavaScript ('unsafe-inline')
ex) 1 turns the XSS filter on and lets the browser sanitize (remove) the parts it flags; with mode=block the browser refuses to render the page at all instead of sanitizing it (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection#syntax)
X-XSS-Protection: 1; mode=block
+ Be careful: without mode=block the filter sanitizes only the parts of the page it flags, and that selective removal can itself cause unexpected errors and even be abused by an attacker to disable the page's own scripts (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection#vulnerabilities_caused_by_xss_filtering)
2. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Sites can use this to avoid click-jacking attacks, by ensuring that their content is not embedded into other sites
+ The Content-Security-Policy HTTP header has a frame-ancestors directive which obsoletes this header for supporting browsers
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
+ The older ALLOW-FROM uri value is obsolete; browsers that do not recognise a value ignore the header, so use frame-ancestors when a specific origin must be allowed
3. The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised in the Content-Type headers should be followed and not be changed. The header allows you to avoid MIME type sniffing by saying that the MIME types are deliberately configured
+ This header was introduced by Microsoft in IE 8 as a way for webmasters to block content sniffing that was happening and could transform non-executable MIME types into executable MIME types
+ In the absence of a MIME type, or in certain cases where browsers believe they are incorrect, browsers may perform MIME sniffing — guessing the correct MIME type by looking at the bytes of the resource. There are security concerns as some MIME types represent executable content
X-Content-Type-Options: nosniff
Additional.
1. Setting X-Frame-Options inside the <meta> element is useless! For instance, <meta http-equiv="X-Frame-Options" content="deny"> has no effect. Do not use it! X-Frame-Options works only when set as an HTTP response header, as in the examples above
2. frame and iframe tags
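The three headers from Summary 1-3 and the pitfalls called out above (1 without mode=block, an unrecognised X-Frame-Options value, nosniff missing, X-Frame-Options in a <meta> tag) as one audit, written as an added example for these notes; it is not code from the original post or from MDN. It assumes the response is given as a plain header object (the shape of Node's http.IncomingMessage.headers) plus an optional HTML body, and the sample responses are constructed, not captured from any real site:

```javascript
// Added example (not from the original post): build the header set the notes
// arrive at, then audit a response for the mistakes the notes warn about.
// Sample responses below are constructed for illustration.

// Header set from Summary 1-3. frame-ancestors is the CSP replacement for
// X-Frame-Options (Summary 2); X-Frame-Options is kept for older browsers.
function buildSecurityHeaders() {
  return {
    "Content-Security-Policy": "frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
  };
}

// Header names are case-insensitive in HTTP; lower-case them so the audit
// accepts hand-written objects as well as Node's already lower-cased headers.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// Returns a list of findings; an empty list means nothing to report.
function auditResponse({ headers, body = "" }) {
  const h = normalizeHeaders(headers);
  const findings = [];

  // Summary 2: framing restriction. frame-ancestors supersedes X-Frame-Options.
  const csp = h["content-security-policy"] || "";
  const hasFrameAncestors = /(^|;)\s*frame-ancestors\s/i.test(csp);
  const xfo = (h["x-frame-options"] || "").toUpperCase();
  if (!hasFrameAncestors && !xfo) {
    findings.push("clickjacking: neither CSP frame-ancestors nor X-Frame-Options is set");
  } else if (xfo && !["DENY", "SAMEORIGIN"].includes(xfo)) {
    // ALLOW-FROM is obsolete and any unrecognised value is ignored, so the
    // page ends up frameable by everyone despite the header being present.
    findings.push(`clickjacking: X-Frame-Options value "${xfo}" is not DENY or SAMEORIGIN and will be ignored`);
  }

  // Summary 3: MIME sniffing. The only valid value is nosniff.
  if ((h["x-content-type-options"] || "").toLowerCase() !== "nosniff") {
    findings.push("mime-sniffing: X-Content-Type-Options: nosniff is missing");
  }

  // Summary 1: the filter in sanitising mode (1 without mode=block) rewrites
  // parts of the page, which is the behaviour the notes warn about.
  const xxp = h["x-xss-protection"] || "";
  if (/^1\b/.test(xxp) && !/mode\s*=\s*block/i.test(xxp)) {
    findings.push("xss-filter: X-XSS-Protection is 1 without mode=block (selective sanitisation)");
  }

  // Additional 1: X-Frame-Options delivered in a <meta> tag has no effect.
  if (/<meta[^>]+http-equiv\s*=\s*["']?x-frame-options/i.test(body)) {
    findings.push("clickjacking: X-Frame-Options in <meta http-equiv> is ignored; send it as an HTTP header");
  }
  return findings;
}

// Constructed sample responses.
const GOOD_RESPONSE = { headers: buildSecurityHeaders(), body: "<html></html>" };
const BAD_RESPONSE = {
  headers: {
    "Content-Type": "text/html",
    "X-XSS-Protection": "1",
    "X-Frame-Options": "ALLOW-FROM https://example.com",
  },
  body: '<meta http-equiv="X-Frame-Options" content="deny">',
};

console.log("good:", auditResponse(GOOD_RESPONSE));
console.log("bad:", auditResponse(BAD_RESPONSE));
```

The audit treats a missing X-XSS-Protection header as acceptable, since the filter is gone from current browsers and only the sanitising mode is flagged; a missing framing restriction and a missing nosniff are always reported because they have no modern replacement other than the CSP directive the code checks for.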
+ frame (deprecated): The <frame> HTML element defines a particular area in which another HTML document can be displayed
+ iframe: The <iframe> HTML element represents a nested browsing context, embedding another HTML page into the current one. Each embedded browsing context has its own session history and document. The browsing context that embeds the others is called the *parent browsing context*. The *topmost* browsing context — the one with no parent — is usually the browser window, represented by the Window object
3. HTTP Public Key Pinning (HPKP) was a security feature that used to tell a web client to associate a specific cryptographic public key with a certain web server to decrease the risk of MITM attacks with forged certificates. It has been removed in modern browsers and is no longer supported.
+ Superseded in practice by Certificate Transparency: https://developer.mozilla.org/en-US/docs/Web/Security/Certificate_Transparency