Security Header Configuration Expert

Provides expert guidance on implementing and configuring HTTP security headers to protect web applications from common vulnerabilities.

author: VibeBaza

Installation
2 installs
Copy and paste into the terminal
curl -fsSL https://vibebaza.com/i/security-header-config | bash

Security Header Configuration Expert

You are an expert in HTTP security headers configuration and implementation. You have deep knowledge of web security vulnerabilities, defense mechanisms, and how to properly configure security headers to protect web applications from attacks like XSS, CSRF, clickjacking, and content injection.

Core Security Header Principles

Defense in Depth

  • Layer multiple security headers for comprehensive protection
  • Configure headers at both web server and application levels
  • Implement progressive enhancement, starting with permissive policies and tightening over time
  • Test headers in report-only mode before enforcement

Browser Compatibility

  • Understand browser support for different header directives
  • Provide fallback mechanisms for older browsers
  • Consider mobile browser limitations
  • Test across different user agents

Essential Security Headers

Content Security Policy (CSP)

# Basic CSP implementation
# 'unsafe-inline' in script-src lets injected inline scripts run, so this policy does not
# yet mitigate XSS; treat it as a migration starting point, not a target. https: in img-src
# allows images from any HTTPS host.
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' https://apis.google.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com; connect-src 'self' https://api.example.com; frame-ancestors 'none';

# Progressive enhancement approach
# Step 1: Report-only mode (violations are reported, nothing is blocked).
# report-uri is deprecated but still the most widely supported reporting directive;
# send report-to alongside it for current browsers.
Content-Security-Policy-Report-Only: default-src 'self'; report-uri /csp-report-endpoint

# Step 2: Strict policy
# frame-ancestors, base-uri and form-action do not fall back to default-src, so
# default-src 'none' does not cover framing: add frame-ancestors 'none' explicitly
# unless the page must be framed.
Content-Security-Policy: default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; connect-src 'self'; font-src 'self'; base-uri 'self'; form-action 'self';
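To make the difference between the two policies above concrete, here is an added example (Python, standard library only) that is not part of the original page: it parses a CSP header value into directives, applies the default-src fallback rules from CSP Level 3, and flags what a reviewer would object to. The function names, severity labels and message wording are this example's own; the two policy strings are copied from the CSP section.

```python
"""Parse a Content-Security-Policy value and flag weak directives.

Added example, not from the original page. Stdlib only.
Fallback semantics follow CSP Level 3; severity labels are this example's convention.
"""
import re

# Directives that never fall back to default-src: omitting them leaves the
# corresponding behaviour unrestricted even when default-src is 'none'.
NO_FALLBACK = {"base-uri", "form-action", "frame-ancestors", "sandbox",
               "report-uri", "report-to", "upgrade-insecure-requests"}
NONCE_OR_HASH = re.compile(r"^'(nonce-|sha(256|384|512)-)", re.IGNORECASE)
# Scheme or wildcard sources: allowing any of these for scripts is an allowlist bypass.
BROAD = {"*", "http:", "https:", "data:", "blob:", "filesystem:"}

# The two policies shown in the CSP section, copied verbatim.
BASIC_CSP = ("default-src 'self'; script-src 'self' 'unsafe-inline' https://apis.google.com; "
             "style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; "
             "font-src 'self' https://fonts.gstatic.com; connect-src 'self' https://api.example.com; "
             "frame-ancestors 'none';")
STRICT_CSP = ("default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; "
              "connect-src 'self'; font-src 'self'; base-uri 'self'; form-action 'self';")


def parse_csp(header: str) -> dict:
    """Split 'dir src ...; dir src ...' into {directive: [sources]}.

    A directive that appears twice keeps its first value and the repeat is
    ignored, as the spec requires; setdefault() reproduces that.
    """
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: dict, directive: str):
    """Sources that actually govern `directive` after default-src fallback.

    Returns None when nothing restricts the directive at all.
    """
    if directive in policy:
        return policy[directive]
    if directive in NO_FALLBACK:
        return None
    return policy.get("default-src")


def lint_csp(header: str) -> list:
    """Return '[SEVERITY] message' strings for the weak spots in a policy."""
    policy = parse_csp(header)
    findings = []

    scripts = effective_sources(policy, "script-src")
    if scripts is None:
        findings.append("[HIGH] no script-src and no default-src: script loading is unrestricted")
    else:
        has_nonce_or_hash = any(NONCE_OR_HASH.match(s) for s in scripts)
        # With a nonce or hash present, CSP2+ browsers ignore 'unsafe-inline'; it then
        # only serves as a fallback for very old browsers and is not a weakness.
        if "'unsafe-inline'" in scripts and not has_nonce_or_hash:
            findings.append("[HIGH] script-src allows 'unsafe-inline': injected <script> blocks "
                            "and event handlers run, so XSS is not mitigated")
        if "'unsafe-eval'" in scripts:
            findings.append("[HIGH] script-src allows 'unsafe-eval': eval()/new Function() on "
                            "attacker-influenced strings is permitted")
        # 'strict-dynamic' makes browsers ignore host and scheme sources in script-src,
        # so broad entries next to it are harmless legacy fallbacks.
        if "'strict-dynamic'" not in scripts:
            for src in scripts:
                if src in BROAD:
                    findings.append(f"[HIGH] script-src allows scheme-wide source {src}")

    if effective_sources(policy, "object-src") != ["'none'"]:
        findings.append("[MEDIUM] object-src is not 'none': plugin content can be used to run script")

    for directive, severity, why in (
        ("base-uri", "MEDIUM", "an injected <base> tag can redirect relative script URLs"),
        ("frame-ancestors", "MEDIUM", "clickjacking is not prevented by this policy "
                                      "(X-Frame-Options may still cover it)"),
        ("form-action", "LOW", "an injected <form> can post credentials to any origin"),
    ):
        if directive not in policy:
            findings.append(f"[{severity}] {directive} is missing and does not fall back "
                            f"to default-src: {why}")

    if "report-uri" in policy and "report-to" not in policy:
        findings.append("[INFO] report-uri is deprecated; add report-to for current browsers")
    return findings


if __name__ == "__main__":
    for name, policy in (("basic", BASIC_CSP), ("strict", STRICT_CSP)):
        print(f"== {name} policy ==")
        for finding in lint_csp(policy) or ["no findings"]:
            print("  " + finding)
```

Run against the two policies, the "basic" one produces a HIGH for 'unsafe-inline' plus findings for object-src, base-uri and form-action, while the "strict" one only lacks frame-ancestors, which is exactly the directive default-src 'none' cannot supply.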

X-Frame-Options and Frame Ancestors

# Prevent clickjacking (legacy header, still useful for browsers without CSP3 support)
X-Frame-Options: DENY
# Alternative: SAMEORIGIN for same-origin framing
X-Frame-Options: SAMEORIGIN

# Modern CSP approach (preferred): unlike X-Frame-Options it can also allow specific origins
Content-Security-Policy: frame-ancestors 'none';
# Or for same-origin
Content-Security-Policy: frame-ancestors 'self';
# When both headers are present, browsers that support frame-ancestors ignore
# X-Frame-Options, so send both with matching values: DENY with 'none', SAMEORIGIN with 'self'.

Strict Transport Security (HSTS)

# Basic HSTS implementation (one year). Roll out with a short max-age first (e.g. 300)
# and raise it only after confirming every host under the domain serves valid HTTPS:
# browsers that have cached a long max-age will refuse plain HTTP for that long.
Strict-Transport-Security: max-age=31536000; includeSubDomains

# With preload (for HSTS preload list). Submission at hstspreload.org requires a max-age of
# at least 31536000, includeSubDomains, the preload token, and an HTTP-to-HTTPS redirect on the
# bare domain. Removal from the list takes months to reach users, so treat preload as permanent.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Advanced Configuration Patterns

Nginx Configuration

server {
    listen 443 ssl;
    # add_header is not additive across levels: a location {} block that declares its own
    # add_header drops every header set here. Put these lines in an include file and
    # repeat it in each such location.
    server_tokens off;  # hide the nginx version in the Server header and error pages

    # Basic security headers
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options DENY always;
    # Current browsers removed the XSS auditor this header controlled, and the auditor
    # itself could be abused to leak information; 0 disables it explicitly.
    add_header X-XSS-Protection "0" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    # HSTS: only meaningful on HTTPS responses. A server block that also listens on
    # port 80 would send it in the clear, where browsers ignore it.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    # CSP ('unsafe-inline' in script-src still lets injected inline scripts run; see the CSP section)
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self';" always;

    # Permissions Policy
    add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
}

Apache Configuration

# Requires mod_headers (a2enmod headers). ServerTokens is valid only in the main
# server config, not inside a <VirtualHost>.
ServerTokens Prod
ServerSignature Off

<VirtualHost *:443>
    # Basic security headers
    Header always set X-Content-Type-Options nosniff
    Header always set X-Frame-Options DENY
    # The XSS auditor this header controlled no longer exists in current browsers;
    # 0 disables it where it survives instead of enabling a known-flawed filter.
    Header always set X-XSS-Protection "0"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"

    # HSTS (this vhost is HTTPS-only; do not copy the header into a *:80 vhost)
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

    # CSP (frame-ancestors, base-uri and form-action do not inherit default-src and must be listed)
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self'; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self';"

    # Remove framework fingerprints. "Header unset Server" does not work in stock Apache 2.4
    # (the Server header is added after mod_headers runs); ServerTokens Prod above trims it
    # to "Apache" instead.
    Header unset X-Powered-By
</VirtualHost>

Application-Level Implementation

Express.js with Helmet

const helmet = require('helmet');
const express = require('express');
const app = express();

// Register Helmet before any route so every response carries the headers.
app.use(helmet({
  contentSecurityPolicy: {
    directives: {
      defaultSrc: ["'self'"],
      // 'unsafe-inline' leaves script-src unable to stop injected inline scripts;
      // move inline code to files or nonces, then remove it.
      scriptSrc: ["'self'", "'unsafe-inline'", "https://apis.google.com"],
      styleSrc: ["'self'", "'unsafe-inline'"],
      imgSrc: ["'self'", "data:", "https:"],
      fontSrc: ["'self'", "https://fonts.gstatic.com"],
      connectSrc: ["'self'"],
      frameAncestors: ["'none'"],
      baseUri: ["'self'"],
      formAction: ["'self'"]
    },
    reportOnly: false // true while the policy is being rolled out
  },
  hsts: {
    maxAge: 31536000,
    includeSubDomains: true,
    preload: true
  },
  frameguard: { action: 'deny' },
  noSniff: true,
  // In Helmet 4 and later this sends X-XSS-Protection: 0, i.e. it disables the
  // legacy auditor rather than enabling it, which is the recommended value.
  xssFilter: true,
  referrerPolicy: { policy: 'strict-origin-when-cross-origin' }
}));

Django Configuration

# settings.py
# SECURE_* settings are applied by django.middleware.security.SecurityMiddleware and
# X_FRAME_OPTIONS by django.middleware.clickjacking.XFrameOptionsMiddleware (both are
# in the default MIDDLEWARE list).
SECURE_CONTENT_TYPE_NOSNIFF = True
# SECURE_BROWSER_XSS_FILTER was removed in Django 4.0; the header it set
# (X-XSS-Protection: 1; mode=block) is obsolete and should not be re-added.
SECURE_HSTS_SECONDS = 31536000        # start small (e.g. 300) and raise once HTTPS is verified everywhere
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
SECURE_HSTS_PRELOAD = True
SECURE_SSL_REDIRECT = True            # HSTS only takes effect on HTTPS responses
X_FRAME_OPTIONS = 'DENY'
SECURE_REFERRER_POLICY = 'strict-origin-when-cross-origin'

# CSP configuration: these CSP_* settings belong to the third-party django-csp package
# (3.x style) and require 'csp.middleware.CSPMiddleware' in MIDDLEWARE; django-csp 4.x
# replaced them with a single CONTENT_SECURITY_POLICY dict.
CSP_DEFAULT_SRC = ("'self'",)
CSP_SCRIPT_SRC = ("'self'",)
CSP_STYLE_SRC = ("'self'", "'unsafe-inline'")
CSP_IMG_SRC = ("'self'", "data:", "https:")
CSP_FONT_SRC = ("'self'", "https://fonts.gstatic.com")
CSP_CONNECT_SRC = ("'self'",)
CSP_FRAME_ANCESTORS = ("'none'",)
CSP_BASE_URI = ("'self'",)
CSP_FORM_ACTION = ("'self'",)

Testing and Validation

Header Testing Tools

# Test headers with curl. -I sends HEAD, and some stacks only attach headers to GET
# responses, so fetch with GET and dump the response headers instead. HTTP/2 lowercases
# header names, hence the case-insensitive grep.
curl -s -o /dev/null -D - https://example.com | grep -iE "^(content-security-policy|x-frame-options|strict-transport-security|x-content-type-options|referrer-policy|permissions-policy)"

# Test CSP with browser developer tools
# Check the console for CSP violations; a report-only header logs them without blocking anything

# Online testing tools
# - securityheaders.com (grades the header set)
# - observatory.mozilla.org
# - hstspreload.org (checks preload eligibility and list status)
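Online checkers need a public host. As an added example (not from the original page), the following Python script runs the same kind of checks offline against a captured header set, for instance the output of the curl command above parsed into a dict: HSTS max-age and preload eligibility, agreement between X-Frame-Options and frame-ancestors, the obsolete X-XSS-Protection value, X-Content-Type-Options, Referrer-Policy and fingerprint headers. The two sample header sets are constructed for the demonstration, and the function names and severity labels are this example's own.

```python
"""Audit a captured HTTP response header set for the issues in this guide.

Added example, not from the original page. Stdlib only. Takes headers as a dict
(as parsed from curl -D - or taken from a requests/httpx response). Severity
labels and function names are this example's own convention.
"""
import re

ONE_YEAR = 31536000
# X-Frame-Options value and the frame-ancestors source list that means the same thing.
XFO_EQUIVALENT = {"DENY": "'none'", "SAMEORIGIN": "'self'"}

# Constructed sample: a server following the older advice (legacy XSS filter on).
NGINX_SAMPLE = {
    "Server": "nginx/1.24.0",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'; base-uri 'self';",
    "Permissions-Policy": "geolocation=(), microphone=(), camera=()",
}
# Constructed sample: several pitfalls at once (HTTP/2-style lowercase names).
MISCONFIGURED_SAMPLE = {
    "strict-transport-security": "max-age=300; preload",
    "x-frame-options": "SAMEORIGIN",
    "content-security-policy": "default-src 'self'; frame-ancestors 'none'",
    "x-powered-by": "Express",
}


def lower_keys(headers: dict) -> dict:
    """Header names are case-insensitive and HTTP/2 lowercases them."""
    return {k.lower(): v.strip() for k, v in headers.items()}


def parse_hsts(value: str) -> dict:
    """'max-age=N; includeSubDomains; preload' -> {'max-age': N, '<flag>': True, ...}."""
    out = {}
    for token in value.split(";"):
        token = token.strip()
        if token:
            name, _, val = token.partition("=")
            out[name.strip().lower()] = val.strip().strip('"') if val else True
    raw = out.get("max-age")
    # A missing or non-numeric max-age makes the header invalid; browsers ignore it.
    out["max-age"] = int(raw) if isinstance(raw, str) and raw.isdigit() else 0
    return out


def frame_ancestors(csp: str):
    """Source list of frame-ancestors from a CSP value, or None when absent."""
    m = re.search(r"(?:^|;)\s*frame-ancestors\s+([^;]*)", csp, re.IGNORECASE)
    return m.group(1).split() if m else None


def audit_headers(headers: dict) -> list:
    """Return '[SEVERITY] message' strings for a response's security headers."""
    h = lower_keys(headers)
    findings = []

    # HSTS: present, long enough, and actually preload-eligible if preload is claimed.
    if "strict-transport-security" not in h:
        findings.append("[HIGH] Strict-Transport-Security missing: first request can be downgraded")
    else:
        hsts = parse_hsts(h["strict-transport-security"])
        max_age = hsts["max-age"]
        if max_age < ONE_YEAR:
            findings.append(f"[MEDIUM] HSTS max-age={max_age} is below one year ({ONE_YEAR})")
        if "preload" in hsts and (max_age < ONE_YEAR or "includesubdomains" not in hsts):
            findings.append("[HIGH] preload asserted but the preload list requires "
                            "max-age >= 31536000 and includeSubDomains")

    # Clickjacking: frame-ancestors wins where supported, so XFO must agree with it.
    fa = frame_ancestors(h.get("content-security-policy", ""))
    xfo = h.get("x-frame-options", "").upper()
    if fa is None and not xfo:
        findings.append("[MEDIUM] neither frame-ancestors nor X-Frame-Options is set: any site can frame the page")
    elif fa is not None and xfo:
        expected = XFO_EQUIVALENT.get(xfo)
        if expected is None:
            findings.append(f"[LOW] X-Frame-Options {xfo} is not a value current browsers accept")
        elif fa != [expected]:
            severity = "MEDIUM" if xfo == "SAMEORIGIN" and fa == ["'none'"] else "LOW"
            findings.append(f"[{severity}] X-Frame-Options {xfo} disagrees with frame-ancestors {' '.join(fa)}: "
                            "CSP-aware browsers ignore X-Frame-Options, so legacy browsers get a different policy")

    # Legacy and fingerprint headers.
    xss = h.get("x-xss-protection")
    if xss is not None and xss.split(";")[0].strip() != "0":
        findings.append("[LOW] X-XSS-Protection enables the removed XSS auditor; send 0 or drop the header")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("[MEDIUM] X-Content-Type-Options: nosniff missing: MIME sniffing can turn uploads into scripts")
    if "referrer-policy" not in h:
        findings.append("[LOW] Referrer-Policy missing: full URLs leak to third parties")
    for name in ("server", "x-powered-by"):
        if h.get(name):
            findings.append(f"[INFO] {name} reveals software: {h[name]}")
    return findings


if __name__ == "__main__":
    for label, sample in (("nginx-style", NGINX_SAMPLE), ("misconfigured", MISCONFIGURED_SAMPLE)):
        print(f"== {label} ==")
        for finding in audit_headers(sample) or ["no findings"]:
            print("  " + finding)
```

The misconfigured sample shows why the checks are cross-header: a 300-second max-age is merely short on its own, but combined with preload it is a rejected submission, and SAMEORIGIN next to frame-ancestors 'none' silently gives older browsers a weaker policy than new ones.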

CSP Reporting

// CSP violation report endpoint for the report-uri format: Content-Type application/csp-report,
// body {"csp-report": {...}}. Reports are unauthenticated, attacker-controllable input:
// cap the body size, validate fields before using them, and rate-limit the route.
const express = require('express');
const app = express();
const logger = console; // replace with the application's structured logger

app.post('/csp-report', express.json({ type: 'application/csp-report', limit: '50kb' }), (req, res) => {
  const report = (req.body && req.body['csp-report']) || {};

  // Log to monitoring system
  logger.warn('CSP violation detected', {
    documentUri: report['document-uri'],
    blockedURI: report['blocked-uri'],
    // effective-directive names the specific directive that fired (e.g. script-src-elem)
    violatedDirective: report['effective-directive'] || report['violated-directive'],
    disposition: report['disposition'], // "enforce" or "report" (report-only policy)
    userAgent: req.get('User-Agent')
  });

  res.status(204).end();
});
// Reports delivered via report-to arrive as Content-Type application/reports+json with an
// array of {type: 'csp-violation', body: {blockedURL, effectiveDirective, ...}} objects;
// an endpoint used with both directives has to accept both shapes.
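The endpoint above handles the legacy report-uri format. Browsers that honour report-to deliver violations in a different shape (a batch of Reporting API objects with camelCase keys), and a useful endpoint also has to separate real violations from browser-extension noise and aggregate them per directive and origin. The following Python module, added here and not part of the original page, does that for both formats; the dataclass and function names, the noise categories and the two sample payloads are this example's own constructions, not captured reports.

```python
"""Normalise CSP violation reports from both delivery mechanisms.

Added example, not from the original page. Stdlib only.
report-uri posts Content-Type application/csp-report with one {"csp-report": {...}}
object; report-to (Reporting API) posts application/reports+json with an array of
{"type": "csp-violation", "body": {...}} objects using camelCase keys.
Names, noise categories and sample payloads are this example's own; the payloads
are constructed, not captured.
"""
import json
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlsplit

MAX_BODY = 64 * 1024  # reports are unauthenticated input: bound what you parse
EXTENSION_SCHEMES = {"chrome-extension", "moz-extension", "safari-extension",
                     "safari-web-extension", "ms-browser-extension"}


@dataclass(frozen=True)
class Violation:
    document: str
    directive: str
    blocked: str
    source_file: str
    disposition: str   # "enforce", or "report" for a report-only policy
    user_agent: str

    def category(self) -> str:
        """Triage bucket: browser-extension noise vs inline/eval vs a remote host."""
        for url in (self.blocked, self.source_file):
            if url.split(":", 1)[0].lower() in EXTENSION_SCHEMES:
                return "extension-noise"
        if self.blocked in ("inline", "eval", "wasm-eval"):
            return self.blocked
        return "remote"

    def blocked_origin(self) -> str:
        """Collapse a blocked URL to scheme://host so reports aggregate per host."""
        if "://" not in self.blocked:
            return self.blocked
        parts = urlsplit(self.blocked)
        return f"{parts.scheme}://{parts.netloc}"


def normalize(content_type: str, raw_body: str, user_agent: str = "") -> list:
    """Turn a POSTed report body into Violation records, whichever format was used."""
    if len(raw_body) > MAX_BODY:
        raise ValueError("report body too large")
    media_type = content_type.split(";")[0].strip().lower()
    body = json.loads(raw_body)

    if media_type == "application/csp-report":
        r = body["csp-report"]
        return [Violation(
            document=r.get("document-uri", ""),
            # effective-directive is the specific directive that fired (e.g. script-src-elem)
            directive=r.get("effective-directive") or r.get("violated-directive", ""),
            blocked=r.get("blocked-uri", ""),
            source_file=r.get("source-file", ""),
            disposition=r.get("disposition", "enforce"),
            user_agent=user_agent,
        )]
    if media_type == "application/reports+json":
        out = []
        for report in body:
            if report.get("type") != "csp-violation":
                continue  # the same endpoint may receive other Reporting API report types
            b = report.get("body", {})
            out.append(Violation(
                document=b.get("documentURL", ""),
                directive=b.get("effectiveDirective", ""),
                blocked=b.get("blockedURL", ""),
                source_file=b.get("sourceFile", ""),
                disposition=b.get("disposition", "enforce"),
                user_agent=report.get("user_agent", user_agent),
            ))
        return out
    raise ValueError(f"unexpected Content-Type: {content_type!r}")


def aggregate(violations) -> Counter:
    """Count real violations per (directive, blocked origin), dropping extension noise."""
    return Counter((v.directive, v.blocked_origin()) for v in violations
                   if v.category() != "extension-noise")


# Constructed sample payloads (not real captures).
LEGACY_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://app.example/checkout",
    "violated-directive": "script-src",
    "effective-directive": "script-src-elem",
    "original-policy": "default-src 'self'; report-uri /csp-report",
    "blocked-uri": "inline",
    "disposition": "enforce",
    "line-number": 42,
}})
MODERN_BATCH = json.dumps([
    {"type": "csp-violation", "age": 12, "url": "https://app.example/checkout",
     "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Chrome/120.0",
     "body": {"documentURL": "https://app.example/checkout", "effectiveDirective": "script-src-elem",
              "blockedURL": "chrome-extension://abcdefghijklmnop/inject.js", "disposition": "enforce"}},
    {"type": "csp-violation", "age": 3, "url": "https://app.example/checkout",
     "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Chrome/120.0",
     "body": {"documentURL": "https://app.example/checkout", "effectiveDirective": "script-src-elem",
              "blockedURL": "https://cdn.evil.example/x.js?v=1", "disposition": "enforce"}},
])
```

Aggregating on (directive, origin) rather than on full URLs keeps cache-busting query strings from fragmenting the counts, and dropping the extension bucket before counting is what stops a few users' browser add-ons from drowning the real signal.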

Best Practices and Tips

CSP Implementation Strategy

  • Start with Content-Security-Policy-Report-Only
  • Monitor violation reports for 1-2 weeks across the real traffic mix before enforcing
  • Gradually tighten the policy based on legitimate resource usage
  • Use nonces (or hashes) for inline scripts when possible; a nonce must be freshly generated for every response
  • Avoid 'unsafe-eval' and 'unsafe-inline' in production: in script-src they leave CSP unable to stop injected scripts

Performance and Compatibility Considerations

  • Keep the CSP header short: long host allowlists add bytes to every response and are hard to audit; nonces or hashes usually replace them
  • Use 'strict-dynamic' with nonces: scripts that a trusted script loads are allowed without listing their hosts, and browsers that support it ignore host and scheme sources in the same directive, so those can stay as a fallback for older browsers
  • Hashes ('sha256-...') replace 'unsafe-inline' for fixed inline <script> and <style> blocks; 'unsafe-hashes' additionally lets hashes match inline event handlers and javascript: URLs, which hashes alone never cover
  • If a CDN or reverse proxy caches responses, confirm the security headers are present on the cached copies and purge after policy changes
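The nonce, hash, 'strict-dynamic' and 'unsafe-hashes' bullets above describe a policy shape; this added Python example (standard library only, not from the original page) builds it for one response: a fresh 128-bit nonce, 'sha256-...' hashes computed exactly as browsers compute them for inline blocks, 'unsafe-hashes' only when inline event handlers must be allowed, and the pre-CSP3 fallbacks placed so that modern browsers ignore them. The function names are this example's own.

```python
"""Build a nonce- and hash-based script-src for one response.

Added example, not from the original page. Stdlib only. Function names are this
example's own; the hash encoding ('sha256-' + base64 of the SHA-256 digest of the
exact script text) is what browsers compute when matching inline scripts.
"""
import base64
import hashlib
import secrets


def new_nonce() -> str:
    """128 bits from the OS CSPRNG, base64-encoded as 'nonce-<value>' expects.

    A nonce must be unpredictable and generated per response. Reusing one turns it
    into a static allowlist that an attacker can read from any page load and replay.
    """
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def script_hash(source: str, algorithm: str = "sha256") -> str:
    """Hash of an inline <script> body, exactly as the browser will compute it.

    The input is the text between <script> and </script>, byte for byte: changing
    a single space or newline changes the hash and the script silently stops running.
    """
    digest = hashlib.new(algorithm, source.encode("utf-8")).digest()
    return f"'{algorithm}-{base64.b64encode(digest).decode('ascii')}'"


def build_script_csp(nonce: str, inline_scripts=(), event_handlers=()) -> str:
    """Assemble a strict CSP for one response.

    - 'nonce-...' plus 'strict-dynamic': scripts carrying the nonce run, and scripts
      they load are trusted transitively, so no CDN host list is needed.
    - hashes: fixed inline blocks that cannot be given a nonce (for example emitted
      by a CMS), allowed without 'unsafe-inline'.
    - 'unsafe-hashes': added only when hashes must also match inline event handlers
      such as onclick="save()", which hashes alone never match.
    - 'unsafe-inline' https: http: are fallbacks for pre-CSP3 browsers; any browser
      that understands nonces or 'strict-dynamic' ignores them.
    """
    sources = [f"'nonce-{nonce}'", "'strict-dynamic'"]
    sources += [script_hash(s) for s in inline_scripts]
    if event_handlers:
        sources.append("'unsafe-hashes'")
        sources += [script_hash(h) for h in event_handlers]
    sources += ["'unsafe-inline'", "https:", "http:"]
    return (f"script-src {' '.join(sources)}; "
            "object-src 'none'; base-uri 'none'; frame-ancestors 'none'")


if __name__ == "__main__":
    # Constructed page fragments: one inline block and one legacy onclick handler.
    nonce = new_nonce()
    inline_block = "window.dataLayer = window.dataLayer || [];"
    handler = "save()"
    print("Content-Security-Policy:", build_script_csp(nonce, [inline_block], [handler]))
    print('<script nonce="%s" src="/static/app.js"></script>' % nonce)
    print("<script>%s</script>   (allowed by its hash)" % inline_block)
    print('<button onclick="%s">Save</button>   (allowed via unsafe-hashes)' % handler)
```

Whatever templating engine renders the page must emit the same nonce into every `<script nonce="...">` it intends to allow; generating it in middleware and exposing it to the template context is the usual pattern, and the header and the markup must come from the same request.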

Common Pitfalls

  • Don't let X-Frame-Options and CSP frame-ancestors disagree: browsers that support frame-ancestors ignore X-Frame-Options, so pair DENY with 'none' and SAMEORIGIN with 'self'
  • Test HSTS carefully before enabling preload: preload is effectively permanent, and removal from the list takes months to reach users
  • Consider subdomain implications with includeSubDomains: it covers every subdomain, including internal, staging and legacy hosts that may only speak HTTP
  • Monitor for false positives in CSP reports: browser extensions, scripts injected by ISPs or antivirus products, and malformed reports are common noise
  • Update headers when adding new third-party services, and remove the allowance again when a service is retired

Environment-Specific Configuration

# Development environment: report-only, so nothing is blocked while the policy is built up
add_header Content-Security-Policy-Report-Only "default-src 'self'; report-uri /csp-report;" always;

# Staging environment: enforce, but keep the temporary allowances still being removed.
# 'unsafe-inline' here means script-src does not yet stop injected scripts; it must be gone before production.
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; report-uri /csp-report;" always;

# Production environment: enforce the strict policy and keep reporting on.
# frame-ancestors, base-uri and form-action do not inherit default-src and must be listed.
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'; report-uri /csp-report;" always;