Security Headers
Introduction
HTTP headers are meta-information transmitted between the client and the server along with the data of a request or response. They are presented in the form of a name and a value separated by a colon. This value consists of one or more instructions called directives.
Security headers are a subset of HTTP headers added to responses and focused on security. They provide indications mainly intended for web browsers on how to behave regarding a page or document.
Thus, they offer an additional layer of security to applications and help protect against the most common attacks such as XSS or clickjacking attacks.
Some of them are not specifically identified as security headers but are also included in this group because they contribute to the security of an application (notably the Cache-Control header).
The OWASP Secure Headers Project
The OWASP (Open Worldwide Application Security Project) foundation, through the OWASP secure headers project, aims to promote security headers to increase the overall security level of applications on the Internet. The dedicated website can be found at this address: https://owasp.org/www-project-secure-headers/
On this site, OWASP has listed security headers classified by status. The possible statuses are:
- working draft
- active
- almost deprecated
- deprecated
From this list, OWASP has extracted a selection of headers to add to the responses generated by applications and offers recommended settings for each of them.
Security Headers in Lutèce
For Lutèce, the choice of security headers to add is based on this selection recommended by the OWASP secure headers project within the limits imposed by the application and its needs.
Only headers with the status "active" are retained. For obsolescence reasons, those with the status "almost deprecated" and "deprecated" are excluded. For the only header with the status "working draft," namely Permissions-Policy, OWASP advises not to implement it as long as it is in this state. It may be subject to change, and only browsers based on the Chromium engine support some of its features.
There are 2 types of headers in Lutèce: page-type headers and REST API-type headers.
Page-Type Headers
Page-type headers are added to pages sent by the server. They provide indications to the browser on how to behave regarding the returned page.
In Lutèce, there are currently 5 categories of pages to which security headers are added:
- Category "all pages"
This category includes headers that are systematically added to every page of the application accessed by the user. Other more specific headers can also be added at the same time, such as those that follow.
- Category "FO pages with authentication"
This category includes Front office pages that require user authentication. Note that some Front office pages, such as the login or logout page, are not part of it. The headers applied to this category of pages mainly aim to prevent confidential data from being stored in the cache.
- Category "BO pages with authentication"
This category is the back office counterpart of the previous category.
- Category "FO logout page"
This category corresponds to the Front office logout page. Currently, the headers added to the pages in this category aim to clear data that may have been stored on disk or in the cache, especially during navigation while the user was connected to the Front office.
- Category "BO logout page"
This category is the back office counterpart of the previous category.
REST API-Type Headers
Although primarily intended for browsers, headers can also be useful in the case of REST API calls. The configuration proposed by the OWASP secure headers project is presented as applicable both to web applications and to APIs. In Lutèce, however, REST API calls are made between services, so many of these headers serve no purpose in that context.
As part of its cheat sheet series, OWASP offers a note on REST API security available at this address: https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html. In its Security Headers chapter, it indicates a configuration that is better suited to REST API calls. The configuration for Lutèce was defined following this note.
Configuration
A security headers management interface has been added to the System menu of the back office. It allows headers to be listed, created, modified, deleted, and enabled or disabled. To add headers to pages or REST API calls, the application uses the servlet filter mechanism to identify those requests and consults the configuration set up with the interface to determine which headers should be added to a response.
It is highly recommended to keep the headers that are enabled by default when the Lutèce site is initialized.
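As an added example (not Lutèce's own code), a servlet filter in the spirit of the mechanism described above: it maps a request to the page categories listed earlier and sets the corresponding headers before the response is committed. The category rules (logout pages named DoLogout.jsp, authentication detected via the request principal) and the header values are assumptions; Lutèce takes both from its back office configuration, and the BO categories are handled with the same rules as their FO counterparts here.

```java
import javax.servlet.*;
import javax.servlet.http.*;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

// Added example, not Lutèce's own filter: header values and category rules are assumed.
public class SecurityHeadersFilter implements Filter {

    // Category "all pages": added to every page served by the application.
    static final Map<String, String> ALL_PAGES = Map.of(
        "X-Content-Type-Options", "nosniff",
        "X-Frame-Options", "DENY",
        "Referrer-Policy", "strict-origin-when-cross-origin");

    // Categories "FO/BO pages with authentication": keep confidential data out of caches.
    static final Map<String, String> AUTHENTICATED = Map.of("Cache-Control", "no-store");

    // Categories "FO/BO logout page": clear what was stored while the user was logged in.
    static final Map<String, String> LOGOUT = Map.of("Clear-Site-Data", "\"cache\", \"storage\"");

    // Assumed rules: logout pages are named DoLogout.jsp; any other page is treated as
    // authenticated when the request carries a user principal.
    static List<Map<String, String>> headerSetsFor(String servletPath, boolean authenticated) {
        List<Map<String, String>> sets = new ArrayList<>();
        sets.add(ALL_PAGES);
        if (servletPath.endsWith("DoLogout.jsp")) {
            sets.add(LOGOUT);
        } else if (authenticated) {
            sets.add(AUTHENTICATED);
        }
        return sets;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        // Headers must be set before the response is committed, so add them
        // before handing the request down the filter chain.
        boolean authenticated = req.getUserPrincipal() != null;
        for (Map<String, String> set : headerSetsFor(req.getServletPath(), authenticated)) {
            set.forEach(res::setHeader);
        }
        chain.doFilter(request, response);
    }
}
```

Declared in web.xml with a url-pattern of /*, the filter runs for every page; a disabled header in the back office configuration would simply be left out of the corresponding map.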