HTTP Security Headers

In this post I’ll discuss the HTTP headers we can use to improve a web site’s security and mitigate certain attack types. I’ll use this blag as my example. First up we’ll look at X-Frame-Options. This header helps prevent clickjacking by indicating to a browser that it shouldn’t render the page in a frame (or an iframe or object). We’ll use the strictest setting: DENY. Here’s how to set it in .htaccess:

Next we’ll add two Internet Explorer-only headers: X-XSS-Protection and X-Content-Type-Options. X-XSS-Protection helps mitigate Cross-site scripting (XSS) attacks. We’ll use the strictest setting again here: “1; block”. This …

Bootstrap’s progress bar versus Content Security Policy

Bootstrap’s progress bar component uses an inline width style. Here’s the example from their docs.

This is unfortunate for the obvious reasons (it mixes content and presentation, the value—60 in this case—is repeated) but there’s also a less obvious repercussion. Inline styles prevent us from gaining the greatest benefit from the Content Security Policy header. If we have any inline styles then we’re forced to use the ‘unsafe-inline’ source with the style-src directive. Which, as Egon says, would be bad: Inline style is treated in the same way: both the style attribute and style tags should be consolidated into external …
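The two excerpts above describe the headers a site should send (X-Frame-Options, X-XSS-Protection, X-Content-Type-Options) and why a Content Security Policy whose style-src allows ‘unsafe-inline’ gives up most of its benefit. The following checker, an added example that is not code from either post, audits a response’s headers against those settings; the sample header sets are constructed here, and the blocking value of X-XSS-Protection is written in its full form, `1; mode=block`.

```python
from typing import Dict, List

def audit_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for a response's headers; an empty list means every check passed.
    Header names are compared case-insensitively, as HTTP requires."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    # X-Frame-Options: DENY is the strictest value and blocks all framing (clickjacking).
    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options missing: page can be framed")
    elif xfo.upper() != "DENY":
        findings.append(f"X-Frame-Options is {xfo!r}, strictest setting is DENY")
    # X-XSS-Protection: '1; mode=block' is the blocking mode the post refers to.
    xss = h.get("x-xss-protection", "")
    if xss.replace(" ", "").lower() != "1;mode=block":
        findings.append("X-XSS-Protection should be '1; mode=block'")
    # X-Content-Type-Options: nosniff stops MIME-type sniffing.
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options should be 'nosniff'")
    # Content-Security-Policy: style-src (falling back to default-src) must not allow 'unsafe-inline'.
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        directives = {}
        for part in csp.split(";"):
            tokens = part.split()
            if tokens:
                directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
        style_src = directives.get("style-src", directives.get("default-src", []))
        if "'unsafe-inline'" in style_src:
            findings.append("CSP style-src allows 'unsafe-inline': inline styles weaken the policy")
    return findings

# Constructed sample responses, not captured from any real site.
WEAK_HEADERS = {
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "default-src 'self'; style-src 'self' 'unsafe-inline'",
}
STRICT_HEADERS = {
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; style-src 'self'",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("strict", STRICT_HEADERS)):
        print(name, audit_security_headers(hdrs) or "OK")
```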