HTTP Header Security Analysis

In our analysis of the technology used by the top websites, we have queried the data on the usage of HTTP Header security controls.

This is a breakdown of the HTTP header security features that have been developed by different organizations. These controls use features in the web browser to protect the user from browser-based exploits. Unfortunately it is clear from the results that application of these security controls is at best minimal and actually closer to non-existent in the top websites.

HTTP Only flag on the Set-Cookie header

Total Set-Cookie Headers: 682598
Cookies with HTTP Only Flag set: 88442

HTTPOnly is not actually an HTTP header, but a property of the Set-Cookie header. It indicates to the browser that this cookie should only be sent over HTTP and not be accessible from client-side scripts. This is a mitigation against XSS attacks in which malicious client-side JavaScript attempts to steal a session cookie.

The browser must support the HTTPOnly flag for this mitigation to be effective.

Full details of the supported browsers and the implementation of the HTTPOnly cookie in .NET, Tomcat and PHP are all covered on the Wikipedia page.

X-Frame-Options HTTP Header

Number of sites with X-Frame-Options Header: 9009

This header informs the browser if a web page is allowed to be framed in another web page or not. The main purpose for this protection is to prevent malicious sites from conducting a click-jacking attack against the user.

There are two parameters available to X-Frame-Options; the first is SAMEORIGIN, which allows the page to be framed only by a page from the same origin. The other, more restrictive parameter is DENY, which simply prevents the page from being framed at all.

X-XSS-Protection

Number of sites with X-XSS-Protection enabled: 25423

This header is only utilized by Internet Explorer 8 and will turn on the built-in cross-site scripting protection. The reason for this is that IE 8 was shipped with the cross-site scripting protection turned off by default, as Microsoft feared that some web sites may break if it was turned on.

To turn the protection on, the server sends the header like this:

X-XSS-Protection: 1; mode=block

X-Content-Security-Policy

Number of sites with this enabled: 36

This is a policy that informs the browser how content can interact with your website, including content such as videos and JavaScript. For example, specifying "allow 'self';" will prevent the page from executing JavaScript from third-party sources; all JavaScript will have to be sourced from the same domain. This helps prevent cross-site scripting attacks as it raises the bar, making an attacker have to run the code from our domain name rather than from any third-party web site.

If specific third-party resources are required, settings are available to whitelist specific domains and file types.

Mozilla has a lot of detail on this security feature; there are actually a lot of good reasons to use the X-Content-Security-Policy header.

Unfortunately it seems most web / system administrators are not aware of it or just do not care….
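To make the four controls above concrete, here is an added example (not part of the original analysis or its query tooling) that audits a raw set of response headers the way this breakdown does: it counts Set-Cookie headers with and without the HttpOnly flag and checks for X-Frame-Options, X-XSS-Protection and X-Content-Security-Policy. The sample headers are constructed for the example.

```python
import re

# Constructed sample response headers (not captured from any real site).
SAMPLE_HEADERS = """\
Set-Cookie: sessionid=abc123; Path=/; HttpOnly
Set-Cookie: tracking=xyz; Path=/
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Type: text/html
"""

def parse_headers(raw):
    """Split raw header text into (name, value) pairs; duplicates such as
    several Set-Cookie headers are kept, names are lower-cased."""
    pairs = []
    for line in raw.splitlines():
        if ":" not in line:
            continue  # skip blank lines and anything that is not a header
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit_headers(raw):
    """Report which of the controls discussed in the article are present."""
    pairs = parse_headers(raw)
    cookies = [v for n, v in pairs if n == "set-cookie"]
    # HttpOnly is a cookie attribute, so match it as a ';'-separated token.
    httponly = [c for c in cookies if re.search(r"(^|;)\s*httponly\s*(;|$)", c, re.I)]

    def first(name):
        return next((v for n, v in pairs if n == name), None)

    xfo = first("x-frame-options")
    xss = first("x-xss-protection")
    csp = first("x-content-security-policy")
    return {
        "set_cookie_total": len(cookies),
        "set_cookie_httponly": len(httponly),
        # cookie names that a script could read via document.cookie
        "cookies_missing_httponly": [c.split("=", 1)[0] for c in cookies if c not in httponly],
        "x_frame_options": xfo.upper() if xfo else None,
        "x_frame_options_ok": bool(xfo) and xfo.upper() in ("DENY", "SAMEORIGIN"),
        "x_xss_protection_block": bool(xss) and xss.startswith("1")
                                  and "mode=block" in xss.lower().replace(" ", ""),
        "x_content_security_policy": csp,
    }

if __name__ == "__main__":
    for key, value in audit_headers(SAMPLE_HEADERS).items():
        print(f"{key}: {value}")
```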

These stats have been quickly pulled together from the data we have been processing; some, like the X-Content-Security-Policy total of 36, seem a bit off, but I have double-checked and re-run the query. No guarantee of accuracy is provided, but it's pretty close.