Website Header Security Protection Growing: Study


Websites can support newer protections against clickjacking, man-in-the-middle attacks and malicious code injection by implementing security headers, but sluggish adoption and implementation errors suggests that there could be confusion about how headers work, according to a recently conducted Veracode use study.

Security headers can be coded into a website, but typically they are implemented via a website's underlying Web server and interact with a site visitor's Web browser to set restrictions and other controls on the site. Burlington, Mass.-based application security vendor Veracode, Inc. reviewed San Francisco-based commercial web traffic data provider Alexa's list of the top 1 million websites in March to determine website security header use and whether they were being properly implemented.

Chris Eng, vice president of research at Veracode, told CRN that while researchers saw an increase in security header use, they also documented incorrectly specified headers and poorly configured ones, making them useless or creating a potentially dangerous situation. The firm saw headers configured with invalid values or common misspellings impairing them or completely breaking their functionality, Eng said.

[Related: Bombarded Browsers: More Flaws, But Quicker Fixes]

"What is interesting across all of these security headers is that some people are making some very basic mistakes that are making them not work," Eng said. "It shows a lack of understanding of security headers and partly a lack of attention to detail in implementing them."

Website headers were introduced over the last several years as a way to control website content and guard against certain kinds of cyberattacks. It can prevent attackers from targeting common Web application flaws and make it more difficult to hack a website.

Veracode's scan looked for the use of the X-Frame Options header to protect against clickjacking, the strict transport security header to encrypt user sessions and prevent man-in-the-middle attacks. The firm also documented whether sites were supporting content security policy, a more complicated security header designed to allow only trusted JavaScript from executing on a site, helping prevent cross-site scripting (XSS) attacks.

The firm said nearly 13,000 sites are use X-Frame Options correctly to protect against clickjacking by enforcing how iFrames can be used. Clickjacking is an attack in which a person clicks on something transparent on a website without knowing it. It can be used to defraud advertisers or execute malicious script. About 1,000 websites added the X-Frame header since the last time Veracode conducted the analysis in November, Eng said. X-Frame Options is one of the easiest headers to implement, he said.

The Strict-Transport-Security header is designed to instruct the browser to connect over HTTPS for any requests going forward if it is implemented properly. Veracode found approximately 1,400 sites using the header. It can prevent man-in-the-middle attacks by encrypting a user's session, but Eng said some sites are setting invalid values, expiring a secure connection or limiting it to only a few minutes.

"All an attacker needs is the first load of that unencrypted page to serve up something malicious," Eng said.

Veracode said it found only 79 websites implementing Content Security Policy, a header created by Mozilla that could guard against cross-site scripting attacks. Content security headers are still in their infancy, according to Eng, who said standards are still being developed around their use.

"This is useful to prevent a malicious injection JavaScript code, but it is much more complicated to implement because it can break functionality," Eng said. "Usually sites have JavaScript all over the place because they're using it in an unstructured way."

Eng said he expects Veracode to continue to monitor the use of security headers and predicts that it should steadily increase over time. The firm also provided the raw data generated from its analysis for other researchers. Eng encourages website owners using security headers to ensure they are configured correctly by testing their implementation.

PUBLISHED APRIL 1, 2013