
HTTPS Security Headers

Headers to expect from an SSL site

11:14 am on Oct 23, 2017 (gmt 0)
dstiles, Senior Member from GB (joined May 14, 2008; posts: 3165; votes: 8)


The headers below SHOULD be set up for HTTPS sites to be REASONABLY secure and may be used to verify sites if required. Settings are taken from my own SSL web sites. Some sites may need different values (e.g. to enable in-line JavaScript). I recommend Scott Helme's site for details.

httpOnlyCookies true
requireSSL true

Name: Strict-Transport-Security
Value: max-age=15552001; includeSubDomains; preload

Name: X-Frame-Options
Value: DENY

Name: X-Xss-Protection
Value: 1; mode=block

Name: X-Content-Type-Options
Value: nosniff

Name: X-Permitted-Cross-Domain-Policies
Value: none

Name: Referrer-Policy
Value: strict-origin-when-cross-origin

Name: Content-Security-Policy
Value: default-src 'self'; style-src 'self' 'unsafe-inline';
(for javascript add: script-src 'self' 'unsafe-inline';)

Public Key Pinning (HPKP) - I haven't set up this one yet but it's recommended for "serious" sites. It requires changing every time the SSL cert is updated.

And coming soon...

Expect-CT
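As an added illustration (not part of dstiles' post), here is a small Python checker that applies the baseline above to a response's headers. Both header sets inside it are made up for the demo rather than captured from any site; the six-month HSTS floor is taken from the post's max-age value, and, as in the post, inline styles are tolerated while inline scripts are flagged.

```python
"""Audit HTTP response headers against the baseline from the post above.

Added example, not from the thread. The header sets below are constructed
by hand; the HSTS floor is an assumption taken from the post's max-age.
"""
from __future__ import annotations

import re

MIN_HSTS_MAX_AGE = 15_552_000  # assumption: six months, the value the post uses


def parse_directives(value: str) -> dict[str, str | None]:
    """'max-age=1; includeSubDomains' -> {'max-age': '1', 'includesubdomains': None}."""
    out: dict[str, str | None] = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            out[name.strip().lower()] = val.strip() or None
    return out


def parse_csp(value: str) -> dict[str, list[str]]:
    """\"default-src 'self'; style-src 'self' 'unsafe-inline'\" -> {directive: [sources]}."""
    policy: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit(headers: dict[str, str]) -> list[str]:
    """Return findings for one response's headers; an empty list means it meets the baseline."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: list[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        d = parse_directives(hsts)
        age = d.get("max-age")
        if age is None or not age.isdigit():
            findings.append("HSTS max-age missing or not numeric")
        elif int(age) < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age {age} is below {MIN_HSTS_MAX_AGE}")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains")

    if h.get("x-frame-options", "").strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options should be DENY or SAMEORIGIN")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options should be nosniff")
    if re.sub(r"\s+", "", h.get("x-xss-protection", "")).lower() != "1;mode=block":
        findings.append("X-XSS-Protection should be '1; mode=block'")
    if "referrer-policy" not in h:
        findings.append("missing Referrer-Policy")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        policy = parse_csp(csp)
        if "default-src" not in policy:
            findings.append("CSP has no default-src fallback")
        # script-src inherits from default-src when absent; inline styles pass, inline scripts do not
        script_src = policy.get("script-src", policy.get("default-src", []))
        for risky in ("'unsafe-inline'", "'unsafe-eval'", "*"):
            if risky in script_src:
                findings.append(f"CSP allows {risky} for scripts")

    # The cookie flags the post sets in IIS (httpOnlyCookies / requireSSL) show up on Set-Cookie
    cookie = h.get("set-cookie")
    if cookie is not None:
        attrs = parse_directives(cookie)
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                findings.append(f"Set-Cookie lacks {flag}")
    return findings


GOOD_HEADERS = {  # the set from the post above, plus a cookie with both flags
    "Strict-Transport-Security": "max-age=15552001; includeSubDomains; preload",
    "X-Frame-Options": "DENY",
    "X-Xss-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "X-Permitted-Cross-Domain-Policies": "none",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Security-Policy": "default-src 'self'; style-src 'self' 'unsafe-inline';",
    "Set-Cookie": "session=abc123; Secure; HttpOnly; Path=/",
}
WEAK_HEADERS = {  # constructed: a site that turned HTTPS on but little else
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOWALL",
    "Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-inline'",
    "Set-Cookie": "session=abc123; Path=/",
}

if __name__ == "__main__":
    for label, hdrs in (("baseline", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        print(label, audit(hdrs) or "OK")
```

Feed it the headers from a real response (for example the output of a `curl -sI` against your own site, one header per dictionary entry) to get the same findings the online checkers report, without sending anything off-site.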
12:17 pm on Oct 23, 2017 (gmt 0)
Senior Member (joined Sept 25, 2005; posts: 1569; votes: 213)


It's important to note that after implementing HTTP Strict Transport Security (HSTS), you've basically dropped HTTP entirely (for all subdomains, too, if you set includeSubDomains), and it's practically impossible to revert that change once browsers have picked up on it, particularly when you've made it onto the preload lists. So tread carefully, and don't set any headers manually before understanding the implications.

Wasn't aware of Expect-CT yet, thanks.
3:10 pm on Oct 23, 2017 (gmt 0)
dstiles, Senior Member from GB (joined May 14, 2008; posts: 3165; votes: 8)


True, it doesn't permit HTTP access, but setting up the headers correctly should allow a NEW browser access to connect and be automatically switched to HTTPS.
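To make the HSTS caveat from the two replies above concrete, here is an added Python model of a browser's HSTS cache (example code, not from the thread; the hostnames are invented). It walks through the cases discussed: the header is only honoured on an HTTPS response, so a first-time visitor arriving over plain HTTP still depends on the server's redirect; once an entry is cached, removing the header from the server changes nothing until max-age runs out; only a max-age=0 sent over HTTPS clears the entry; and a preloaded host cannot be cleared by any header. The preload set is assumed to cover subdomains, as the preload list requires includeSubDomains for submission.

```python
"""Model of a browser's HSTS cache, to show what Strict-Transport-Security commits a site to.

Added example, not from the thread. Hostnames are invented. The preload set is
assumed to behave like the real preload list, where entries cover all subdomains.
"""
from __future__ import annotations

import time
from typing import Callable


class HstsCache:
    def __init__(self, preload: set[str] | None = None, now: Callable[[], float] = time.time):
        self._entries: dict[str, tuple[float, bool]] = {}  # host -> (expires_at, include_subdomains)
        self._preload = set(preload or ())  # shipped with the browser; no header can remove these
        self._now = now

    def observe(self, host: str, over_https: bool, header: str | None) -> None:
        """Process one response. The header is ignored on plain-HTTP responses (RFC 6797 section 8.1)."""
        if not over_https or header is None:
            return
        max_age, include_sub = None, False
        for part in header.split(";"):
            name, _, val = part.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age" and val.strip().isdigit():
                max_age = int(val)
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return  # max-age is required; without it the header is invalid
        if max_age == 0:
            self._entries.pop(host.lower(), None)  # the only way a server can clear a cached entry
        else:
            self._entries[host.lower()] = (self._now() + max_age, include_sub)

    def is_hsts_host(self, host: str) -> bool:
        """True if host or an includeSubDomains ancestor has a live entry, or it is preloaded."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self._preload:
                return True
            entry = self._entries.get(candidate)
            if entry and entry[0] > self._now() and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url: str) -> str:
        """What the browser does before connecting: upgrade http:// for known hosts, else leave it."""
        if not url.startswith("http://"):
            return url
        host = url[len("http://"):].split("/", 1)[0].split(":")[0]
        return "https://" + url[len("http://"):] if self.is_hsts_host(host) else url


def walkthrough() -> dict[str, str]:
    """Run the thread's scenarios against a fake clock; return the URL the browser would fetch at each step."""
    clock = [1_000_000.0]
    cache = HstsCache(preload={"preloaded.example"}, now=lambda: clock[0])
    seen: dict[str, str] = {}

    # A first-time visitor over plain HTTP: nothing cached, so the server's redirect must do the work
    seen["first_visit"] = cache.rewrite("http://www.example.com/")
    # HSTS on the HTTP response (before the redirect) is ignored by the browser
    cache.observe("www.example.com", over_https=False, header="max-age=15552001; includeSubDomains")
    seen["after_http_header"] = cache.rewrite("http://www.example.com/")
    # The same header on the HTTPS response is honoured, for the host and its subdomains
    cache.observe("www.example.com", over_https=True, header="max-age=15552001; includeSubDomains")
    seen["after_https_header"] = cache.rewrite("http://www.example.com/login")
    seen["subdomain"] = cache.rewrite("http://api.www.example.com/")
    # Dropping the header from the server changes nothing until max-age runs out (here: 1 s left)
    clock[0] += 15552000
    seen["still_cached"] = cache.rewrite("http://www.example.com/")
    # Only an HTTPS response carrying max-age=0 clears the entry...
    cache.observe("www.example.com", over_https=True, header="max-age=0")
    seen["after_max_age_zero"] = cache.rewrite("http://www.example.com/")
    # ...and a preloaded host cannot be cleared at all
    cache.observe("preloaded.example", over_https=True, header="max-age=0")
    seen["preloaded"] = cache.rewrite("http://shop.preloaded.example/")
    return seen


if __name__ == "__main__":
    for step, url in walkthrough().items():
        print(f"{step:>20}: {url}")
```

The practical consequence for a rollback plan: a site that has sent HSTS must keep serving HTTPS for at least max-age after the last header it sent, and must serve max-age=0 over HTTPS to visitors during that window if it wants browsers to forget; a preloaded domain has no such exit.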
6:19 pm on Oct 23, 2017 (gmt 0)
keyplyr, Moderator from US (joined Sept 26, 2001; posts: 10114; votes: 550)


Great post dstiles. I use *versions* of these headers, except for CSP (possibly the most important one) because my host has trouble with it.

Expect-CT [scotthelme.co.uk] allows a site to determine if they are ready for the upcoming Chrome requirements and/or enforce their Certificate Transparency (CT) policy.

Here are a couple of tools for checking security headers:
[observatory.mozilla.org...]
[securityheaders.io...]

Also, Web Security Guidelines Wiki:
[wiki.mozilla.org...]
3:00 am on Oct 24, 2017 (gmt 0)
keyplyr, Moderator from US (joined Sept 26, 2001; posts: 10114; votes: 550)


BTW - almost all security certificate agencies are announcing their support for CT.

We are dedicated to transparency in our operations and in the certificates we issue. We submit all certificates to Certificate Transparency logs as we issue them. You can view all issued Let's Encrypt certificates via these links:
[letsencrypt.org...]
3:07 am on Oct 24, 2017 (gmt 0)
keyplyr, Moderator from US (joined Sept 26, 2001; posts: 10114; votes: 550)


Examples of how this would be done on Apache shared hosting via htaccess file:

# Needs mod_headers. "always" applies the header to every response (redirects and
# error pages too); plain "Header set" only touches 2xx responses.
Header always set Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';"
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Robots-Tag "notranslate, noarchive"
Header always set X-Frame-Options "deny"
Header always set X-Content-Type-Options "nosniff"
Header always set X-XSS-Protection "1; mode=block"
Header always set Referrer-Policy "no-referrer"
# Expect-CT directives are comma-separated and report-uri takes a quoted string
# (per the Expect-CT specification); max-age=0 keeps this in report-only mode.
Header always set Expect-CT "max-age=0, report-uri=\"https://example.com/ct/reportOnly\""
Note: exact syntax would depend on server config

1:23 pm on Oct 24, 2017 (gmt 0)
dstiles, Senior Member from GB (joined May 14, 2008; posts: 3165; votes: 8)


I use IIS web servers - I wish I didn't but too late!

In IIS...

Secure cookies: in Configuration Editor section system.web/httpcookies set
httpOnlyCookies true
requireSSL true
(and select Lock from right-hand menu)

The other headers are set in the HTTP Response Headers section of the IIS manager. These values can all be set either on individual sites or globally in the parent Server section (between Start Page and Application Pools in the left pane).

As far as I know, character case is unimportant but it probably is better to conform to the case as published.

I did set up some parameters globally on a 2012 server with mixed SSL and non-SSL sites. The latter seemed to ignore some settings and if a site was later converted to SSL they had to be re-entered correctly.
8:18 pm on Oct 30, 2017 (gmt 0)
dstiles, Senior Member from GB (joined May 14, 2008; posts: 3165; votes: 8)


Public Key Pinning (HPKP)

Further to my original post, Google, the originator of this, has declared it is dropping it because it's potentially dangerous to web sites. This was after a report by Scott Helme.
12:02 am on Oct 31, 2017 (gmt 0)
keyplyr, Moderator from US (joined Sept 26, 2001; posts: 10114; votes: 550)


RE: HPKP

I read that concern so I avoided it.