
Item12914: Add security related HTTP headers following various best practices

Priority: Enhancement
Current State: Confirmed
Released In: n/a
Target Release: minor
Applies To: Engine
Reported By: GeorgeClark
Waiting For:
Last Change By: GeorgeClark
Originally proposed by MichaelDaum:

Foswiki should add security http headers:

  • deny iframing
  • strict transport security: load all content from https
  • content policy: there are a couple of options here; unfortunately foswiki as it is right now can't be configured to the best security here
  • content type options: IE-only header to disable mime sniffing
  • download options: IE-only header that prevents it from opening a html document right after downloading
  • xss protection: IE-only header to turn on its xss filters (IE >= 8)


-- GeorgeClark - 26 May 2014

Add Foswiki::cfg{SecurityHeaders}{...specific header...} for each of the recommended headers. In some corporate settings, these may be undesirable, so they should be configurable. Also some of these have options that should be configurable. And others only apply to attachments. We should also be able to add headers to mask the server signature. All of this needs some more in-depth exploration.

I'm not quite sure where to do this. I'm thinking creating a Foswiki::SecurityHeaders module. One method apply($response) which applies all configured headers to the response object, called from Foswiki::writeCompletePage()

This probably isn't the correct approach from an OO perspective.

Another idea might be to make it pluggable. SecurityHeaders::ContentPolicy, etc. Some of these seem to be a moving target, so a pluggable implementation probably makes more sense.

-- GeorgeClark - 26 May 2014

Config spec and perl impl from NatSkinPlugin:

# ---+++ HTTP Security Headers
# Enable security headers for secure web applications. See also
# **BOOLEAN**
# Set the X-Frame-Options header to "DENY":
# This header can prevent your application responses from being loaded within
# frame or iframe HTML elements. This is to prevent clickjacking
# requests where your application response is displayed on another website,
# within an invisible iframe, which then hijacks the user's request when they
# click a link on your website.
$Foswiki::cfg{DenyFrameOptions} = 1;

# **STRING**
# Require all resources to be loaded via SSL.
# This header instructs the requester to load all content from the domain via
# HTTPS and not load any content unless there is a valid ssl certificate. This
# header can help prevent man-in-the-middle attacks as it ensures that all HTTP
# requests and responses are encrypted. The Strict-Transport-Security header has
# a max-age parameter that defines how long in seconds to enforce the policy for. 
$Foswiki::cfg{StrictTransportSecurity} = "max-age=3600";

# **STRING**
# Set the content security policy.
# The CSP header sets a whitelist of domains from which content can be safely
# loaded. This prevents most types of XSS attack, assuming the malicious content
# is not hosted by a whitelisted domain. For example this specifies that all
# content should only be loaded from the responding domain: "default-src 'self'"
# WARNING: Enabling this setting will currently render your Foswiki non-operational
# as it relies on unsafe inline css and js.
$Foswiki::cfg{ContentSecurityPolicy} = "";

# **STRING**
# IE-only header to disable mime sniffing.
# This is an IE only header that is used to disable mime sniffing. The
# vulnerability is that IE will auto-execute any script code contained in a file
# when IE attempts to detect the file type.
$Foswiki::cfg{ContentTypeOptions} = "nosniff"; 

# **STRING**
# IE-only header that prevents it from opening an HTML file directly on download.
# This is another IE-only header that prevents IE from opening an HTML file
# directly on download from a website. The security issue here is, if a browser
# opens the file directly, it can run as if it were part of the site.
$Foswiki::cfg{DownloadOptions} = "noopen"; 

# **STRING**
# IE-only header to force it to turn on its XSS filter (IE >= 8)
# This header was introduced in IE8 as part of the
# cross-site-scripting (XSS) filter functionality (more here). Additionally it
# has an optional setting called "mode" that can force IE to block the entire
# page if an XSS attempt is detected.
$Foswiki::cfg{XSSProtection} = "1; mode=block"; 

Perl Impl:

sub modifyHeaderHandler {
  my ($headers, $query) = @_;

  # force IE to the latest version; use chrome frame if available
  my $xuaCompatible = $Foswiki::cfg{XuaCompatible};
  $xuaCompatible = 'ie=edge,chrome=1' unless defined $xuaCompatible;
  $headers->{"X-UA-Compatible"} = $xuaCompatible if $xuaCompatible;

  # enable security headers; each one is only emitted when its config item is set
  $headers->{"X-Frame-Options"} = "DENY" if $Foswiki::cfg{DenyFrameOptions};
  $headers->{"Strict-Transport-Security"} = $Foswiki::cfg{StrictTransportSecurity} if $Foswiki::cfg{StrictTransportSecurity};
  $headers->{"X-Content-Type-Options"} = $Foswiki::cfg{ContentTypeOptions} if $Foswiki::cfg{ContentTypeOptions};
  $headers->{"X-Download-Options"} = $Foswiki::cfg{DownloadOptions} if $Foswiki::cfg{DownloadOptions};
  $headers->{"X-XSS-Protection"} = $Foswiki::cfg{XSSProtection} if $Foswiki::cfg{XSSProtection};

  if ($Foswiki::cfg{ContentSecurityPolicy}) {
    $headers->{"Content-Security-Policy"} = $Foswiki::cfg{ContentSecurityPolicy};

    # deprecated vendor-prefixed variants of the same header, kept for reference
    # $headers->{"X-Content-Security-Policy"} = $Foswiki::cfg{ContentSecurityPolicy};
    # $headers->{"X-Webkit-Csp"} = $Foswiki::cfg{ContentSecurityPolicy};
  }

  return;
}

-- MichaelDaum - 27 May 2014

Do any of the headers need to be programmatically modified? If not, why not just:
$Foswiki::cfg{ExtraHTTPHeaders} = %hash mapping header name to value, could be per-script
then add that hash to the headers? KISS.

-- CrawfordCurrie - 27 Sep 2014

Just one big hash, that's not KISS for the user to maintain correctly. Better give him a bunch of toggle switches to choose from and the system will take care of creating correct HTTP headers.

-- MichaelDaum - 27 Sep 2014
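The following is an added example, not code from Foswiki, NatSkinPlugin or anyone in this thread. It sketches the Foswiki::SecurityHeaders module with a single apply($response) entry point that George proposes above, built around per-header toggles rather than one free-form hash, as Michael argues. The config keys under $Foswiki::cfg{SecurityHeaders}{...} are invented for the example, and the response object is assumed to expose a pushHeader($name, $value) method (a stand-in is defined so the script runs on its own). Each toggle is validated before a header is emitted, so a typo in LocalSite.cfg yields a warning and no header instead of a malformed header that browsers silently ignore.

```perl
#!/usr/bin/perl
# Hypothetical Foswiki::SecurityHeaders module (added example, not Foswiki code).
# Turns per-header toggles in %Foswiki::cfg into validated HTTP headers and
# applies them to a response object offering pushHeader($name, $value)
# (assumption about the response API; a stand-in is defined further down).
use strict;
use warnings;

package Foswiki::SecurityHeaders;

# Build the header map from $cfg->{SecurityHeaders}{...} toggles (invented keys).
# $is_https says whether the current request arrived over TLS.
# Invalid values are warned about and dropped, never emitted half-formed.
sub build {
    my ( $cfg, $is_https ) = @_;
    my $sh = $cfg->{SecurityHeaders} || {};
    my %h;

    # X-Frame-Options: only DENY or SAMEORIGIN are valid tokens.
    if ( defined $sh->{FrameOptions} && length $sh->{FrameOptions} ) {
        my $xfo = uc $sh->{FrameOptions};
        if ( $xfo =~ /^(?:DENY|SAMEORIGIN)$/ ) {
            $h{'X-Frame-Options'} = $xfo;
        }
        else {
            warn "SecurityHeaders: invalid FrameOptions '$sh->{FrameOptions}', header not sent\n";
        }
    }

    # Strict-Transport-Security: max-age must be a whole number of seconds, and
    # the header only has meaning on an HTTPS response, so it is skipped on HTTP.
    if ( defined $sh->{HSTSMaxAge} && length $sh->{HSTSMaxAge} ) {
        if ( $sh->{HSTSMaxAge} =~ /^\d+$/ ) {
            my $v = "max-age=$sh->{HSTSMaxAge}";
            $v .= '; includeSubDomains' if $sh->{HSTSIncludeSubDomains};
            $h{'Strict-Transport-Security'} = $v if $is_https;
        }
        else {
            warn "SecurityHeaders: HSTSMaxAge must be an integer, header not sent\n";
        }
    }

    # Content-Security-Policy: free-form policy string. A multi-line value in
    # LocalSite.cfg is folded onto one line, since a header value may not
    # contain CR or LF; an empty policy sends nothing.
    if ( defined $sh->{ContentSecurityPolicy} ) {
        ( my $csp = $sh->{ContentSecurityPolicy} ) =~ s/\s+/ /g;
        $csp =~ s/^\s+|\s+$//g;
        $h{'Content-Security-Policy'} = $csp if length $csp;
    }

    # Fixed-value headers: a boolean toggle is all the admin needs to decide.
    $h{'X-Content-Type-Options'} = 'nosniff'       if $sh->{NoSniff};
    $h{'X-Download-Options'}     = 'noopen'        if $sh->{NoOpen};
    $h{'X-XSS-Protection'}       = '1; mode=block' if $sh->{XSSProtection};

    return \%h;
}

# Apply the built headers to the response; this is the one call a hook such
# as writeCompletePage() would make. Returns the number of headers set.
sub apply {
    my ( $response, $cfg, $is_https ) = @_;
    my $h = build( $cfg, $is_https );
    $response->pushHeader( $_, $h->{$_} ) for sort keys %$h;
    return scalar keys %$h;
}

# --- stand-alone demonstration -------------------------------------------
# Minimal stand-in for the response object (assumption: only pushHeader is needed).
package DemoResponse;
sub new        { return bless { headers => [] }, shift }
sub pushHeader { my ( $self, $n, $v ) = @_; push @{ $self->{headers} }, [ $n, $v ] }

package main;

# Constructed configuration resembling LocalSite.cfg toggles (example values).
my %cfg = (
    SecurityHeaders => {
        FrameOptions          => 'deny',
        HSTSMaxAge            => 31536000,
        HSTSIncludeSubDomains => 1,
        ContentSecurityPolicy => "default-src 'self';\n  img-src 'self' data:",
        NoSniff               => 1,
        NoOpen                => 1,
        XSSProtection         => 1,
    },
);

my $resp = DemoResponse->new;
my $n    = Foswiki::SecurityHeaders::apply( $resp, \%cfg, 1 );
print "$n headers applied:\n";
print "  $_->[0]: $_->[1]\n" for @{ $resp->{headers} };
```

Passing 0 instead of 1 as the last argument to apply() models a plain-HTTP request and drops the Strict-Transport-Security header; setting FrameOptions to anything other than DENY or SAMEORIGIN produces a warning on STDERR and no X-Frame-Options header.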

Deferring this to 1.2.1, or 2.0.

-- GeorgeClark - 24 Apr 2015


Summary: Add security related HTTP headers following various best practices
ReportedBy: GeorgeClark
Codebase: trunk
SVN Range:
AppliesTo: Engine
Priority: Enhancement
CurrentState: Confirmed
TargetRelease: minor
ReleasedIn: n/a
Topic revision: r6 - 17 Aug 2015, GeorgeClark