This week I decided to play around with securityheaders.io and see if I could get an A+ rating.
I already had Public Key Pinning and Strict Transport Security so those two were easy.
Then I added X-XSS-Protection, but I wasn't sure what exactly it did. After a bit of searching, it looks like Internet Explorer (and possibly now Chrome) have some system set up to detect reflected XSS attacks. I'm guessing it probably works by looking through the URL for suspicious script tags or something, but there doesn't seem to be any good documentation on what exactly it does. From what I could find it is on by default in IE now anyway, so to me it seemed a bit redundant, but I wanted the A+ and it didn't look like it would hurt.
Next I added X-Frame-Options. I thought about this one for a while: I don't really care if my site is rendered in an iframe. It's not like I've got anything worth clickjacking, and all the content is Creative Commons, but then I also can't think of any good reason to allow my site to be in an iframe, so in the end I decided to go with SAMEORIGIN.
Then I added X-Content-Type-Options. Again, for the type of site I've got, which doesn't allow users to post content, it seems a bit redundant, but again I don't think it will hurt.
Lastly I got to the Content-Security-Policy. This was the hardest one, and I think, for most sites that can implement it, the most effective at combating XSS. I've implemented what I think should be mostly right, or at least I get no errors when I browse to it with Chrome or Internet Explorer, but Firefox gives me an error about the Piwik analytics script. The script is inline and I don't want to include 'unsafe-inline', so I've done a SHA-256 hash of the script. I think I've run into Bug 1026520 - Erroneous CSP reports for hash-source.
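Working out the hash-source token for an inline script, as an added example (not code from the original post): it hashes the exact text between the script tags, builds the 'sha256-...' source, and reports which inline scripts a given CSP header would still block, applying the rules that script-src overrides default-src and that 'unsafe-inline' is ignored once a hash or nonce source is present. The HTML snippet and the helper names are constructed for this example.

```python
import base64
import hashlib
import re

# Constructed sample page: one inline script (an analytics-style snippet) and one external script.
SAMPLE_HTML = """<html><head>
<script>var _paq = _paq || [];
_paq.push(['trackPageView']);</script>
<script src="/app.js"></script>
</head></html>"""

INLINE_SCRIPT_RE = re.compile(r"<script(?P<attrs>[^>]*)>(?P<body>.*?)</script>",
                              re.DOTALL | re.IGNORECASE)

def inline_script_bodies(html):
    """Exact text between <script> and </script> for scripts without a src attribute.
    Whitespace is kept verbatim: the CSP hash covers the literal bytes of the body."""
    return [m.group("body") for m in INLINE_SCRIPT_RE.finditer(html)
            if "src=" not in m.group("attrs").lower()]

def csp_sha256_source(script_body):
    """CSP hash-source token: 'sha256-' + base64(SHA-256(UTF-8 bytes of the body))."""
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

def parse_csp(header):
    """Split a CSP header into {directive-name: [source, ...]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def effective_script_sources(policy):
    # script-src governs scripts when present; otherwise default-src applies.
    return policy.get("script-src", policy.get("default-src", []))

def unhashed_inline_scripts(csp_header, html):
    """Inline script bodies the policy would block: no matching hash and no usable 'unsafe-inline'."""
    sources = effective_script_sources(parse_csp(csp_header))
    has_hash_or_nonce = any(s.startswith(("'sha256-", "'sha384-", "'sha512-", "'nonce-"))
                            for s in sources)
    if "'unsafe-inline'" in sources and not has_hash_or_nonce:
        return []  # 'unsafe-inline' only counts when no hash/nonce source is listed
    return [body for body in inline_script_bodies(html)
            if csp_sha256_source(body) not in sources]

if __name__ == "__main__":
    for body in inline_script_bodies(SAMPLE_HTML):
        print("script-src 'self'", csp_sha256_source(body))
```

Run it against the real page source rather than a retyped copy: a single changed byte of whitespace inside the script tags produces a different hash.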
Below is a copy of part of my Apache config.
# HTTP Public Key Pinning: two SHA-256 SPKI pins (primary plus backup), max-age 5184000 s (60 days)
Header always set Public-Key-Pins \
"pin-sha256=\"VOKQJ5j5cC1zM1weHSwo/iF5RGMaSVBllI1VIFKvBzU=\"; \
pin-sha256=\"pk/Xlc/DPy+/Y6kxFTlwaFu4LyIq6c5rOLbNZXk/c/w=\"; \
max-age=5184000; \
includeSubDomains"
# HSTS for one year (31536000 s)
Header always set Strict-Transport-Security "max-age=31536000"
# Single-valued headers: "set" replaces any value an upstream/backend already sent,
# whereas "append" would comma-merge them into a value browsers reject
Header always set X-Frame-Options SAMEORIGIN
Header always set X-Content-Type-Options nosniff
# This seems a bit vague and redundant, but I guess it can't hurt to add it. https://stackoverflow.com/questions/9090577
Header always set X-Xss-Protection "1; mode=block"
# No colon after the header name: "Content-Security-Policy:" would be emitted as a header
# literally named "Content-Security-Policy:" and ignored by browsers
Header always set Content-Security-Policy \
"default-src 'self' https://www.mightyburger.com.au https://fonts.gstatic.com; \
img-src 'self' https://www.mightyburger.com.au https://i.creativecommons.org https://licensebuttons.net; \
script-src 'self' https://www.mightyburger.com.au 'sha256-w0f3/LWV2JV80K3yqctPR1QAktxEMLuWC5eY1PF9228='; \
style-src 'self' https://fonts.googleapis.com; \
report-uri https://report-uri.io/report/a91e682bc2af2ea5e6a5e2cb539fc805"