
Add more HTTP security headers #322

Merged
merged 1 commit into from
Sep 2, 2015

Conversation

swalkinshaw
Member

The value here for X-Xss-Protection has some issues in IE8 but who cares?

We also need to look into CSP headers but that's more complicated.

@louim
Contributor

louim commented Aug 30, 2015

I like this!

@austinpray
Contributor

https://www.owasp.org/index.php/List_of_useful_HTTP_headers and http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx

This header enables the Cross-site scripting (XSS) filter built into most recent web browsers. It's usually enabled by default anyway, so the role of this header is to re-enable the filter for this particular website if it was disabled by the user. This header is supported in IE 8+, and in Chrome (not sure which versions). The anti-XSS filter was added in Chrome 4. It's unknown if that version honored this header.

So we don't need to specify X-Xss-Protection

@swalkinshaw
Member Author

@austinpray I can't find too much information on this beyond that Chrome and Safari enable it by default. But I'm not sure if their default has "block".

@austinpray
Contributor

I'll look into it

@austinpray
Contributor

Internet Explorer will display a dialog box if reflective XSS was detected and sanitized or blocked. Chrome will hide the output of the reflective XSS attack in the response when it is set to 1. When it is set to 1; mode=block, Chrome will redirect the user-agent to an empty data:, URL. sauce

So it looks like the default for chrome is to sanitize and not to block. It only enables the blocking when the header is parsed:

https://code.google.com/p/chromium/codesearch#chromium/src/third_party/WebKit/Source/platform/network/HTTPParsers.cpp&cl=GROK&rcl=1440948402&l=420


https://code.google.com/p/chromium/codesearch#chromium/src/third_party/WebKit/Source/core/html/parser/XSSAuditor.cpp&cl=GROK&l=415&ct=xref_jump_to_def&gsn=didBlockEntirePage


"If the mode is set to block and a script contained bad stuff: render a console error and return an empty page to the browser"
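The thread's conclusion is that the header value matters: an absent header leaves Chrome in its default sanitize-only mode, "0" disables the filter, "1" sanitizes, and only "1; mode=block" makes the browser refuse to render the page. The following Python is an added example (not code from the roots project or from anyone in this thread) that encodes those semantics as a small header audit: it parses X-XSS-Protection the way the thread describes it, with lenient handling of whitespace and case, and flags responses that lack the header, disable it, or omit mode=block, plus a missing Content-Security-Policy as mentioned in the opening comment. The parser is a simplified re-implementation written for this example, not the Chromium parser linked above, and the sample header dictionaries in the usage section are constructed.

```python
"""Audit X-XSS-Protection and CSP presence on a set of response headers.

Added example for the discussion in this PR; not project code. The header
semantics follow the thread: absent -> browser default (filter on, sanitize
only), "0" -> disabled, "1" -> sanitize, "1; mode=block" -> block the page.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Mapping


@dataclass(frozen=True)
class XssPolicy:
    enabled: bool   # filter active in the browser
    block: bool     # mode=block requested (empty page instead of sanitized output)
    explicit: bool  # header was present at all


def parse_xss_protection(value: str | None) -> XssPolicy:
    """Parse an X-XSS-Protection header value into an XssPolicy.

    A missing header (None) maps to the browser default described in the
    thread: filter enabled, sanitize rather than block. Unknown tokens or
    directives raise ValueError so a misconfigured value is not silently
    treated as protective.
    """
    if value is None:
        return XssPolicy(enabled=True, block=False, explicit=False)

    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts:
        raise ValueError("empty X-XSS-Protection value")

    head = parts[0]
    if head == "0":
        return XssPolicy(enabled=False, block=False, explicit=True)
    if head != "1":
        raise ValueError(f"unrecognised X-XSS-Protection value: {value!r}")

    block = False
    for directive in parts[1:]:
        name, _, val = directive.partition("=")
        name, val = name.strip().lower(), val.strip().lower()
        if name == "mode":
            if val != "block":
                raise ValueError(f"unrecognised mode: {val!r}")
            block = True
        elif name == "report":
            # report=<uri> is accepted but not needed for this audit
            continue
        else:
            raise ValueError(f"unrecognised directive: {directive!r}")
    return XssPolicy(enabled=True, block=block, explicit=True)


def audit_headers(headers: Mapping[str, str]) -> list[str]:
    """Return a list of findings (empty list means nothing to report).

    Header names are matched case-insensitively, as HTTP requires.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    findings: list[str] = []

    policy = parse_xss_protection(lower.get("x-xss-protection"))
    if not policy.explicit:
        findings.append(
            "X-XSS-Protection missing: relies on browser default (filter on, sanitize only)"
        )
    elif not policy.enabled:
        findings.append("X-XSS-Protection: 0 disables the browser filter")
    elif not policy.block:
        findings.append("X-XSS-Protection: 1 without mode=block only sanitizes the page")

    if "content-security-policy" not in lower:
        findings.append("Content-Security-Policy missing")
    return findings


if __name__ == "__main__":
    # Constructed sample responses, not captured from any real server.
    hardened = {
        "X-XSS-Protection": "1; mode=block",
        "Content-Security-Policy": "default-src 'self'",
    }
    weak = {"x-xss-protection": "1"}
    for label, hdrs in (("hardened", hardened), ("weak", weak), ("none", {})):
        print(label, audit_headers(hdrs) or ["ok"])
```

Feeding the audit the headers of a real response (for example from `requests.get(url).headers`) is left to the caller; the function only needs a mapping of header names to values.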

swalkinshaw added a commit that referenced this pull request Sep 2, 2015
Add more HTTP security headers
@swalkinshaw swalkinshaw merged commit e1b14de into master Sep 2, 2015
@swalkinshaw swalkinshaw deleted the security-headers branch September 2, 2015 01:46