<p><strong>Enabling Browser Security in Web Applications</strong><br />
Mozilla Security Blog, 2011-03-31: <a href="https://blog.mozilla.org/security/2011/03/31/enabling-browser-security-in-web-applications/">https://blog.mozilla.org/security/2011/03/31/enabling-browser-security-in-web-applications/</a></p>
<p><em>HTTPOnly, Secure Flag, Strict Transport Security, X-Frame-Options, Content Security Policy</em></p>
<p>The vast majority of application security happens in the application's own code. There are, however, a few key security controls that the web application enables by dictating security properties to the web browser. These properties let the browser impose additional controls on cookie handling, framing, and even the execution of JavaScript. They provide an additional layer of defense that either eliminates certain attack vectors or, at a minimum, limits the impact of particular client-side attacks.</p>
<p>Some of these defensive controls have been around for a while and others are newly supported in Firefox 4 and other modern browsers. Mozilla has been rolling these controls out across all of its websites with a high degree of success. Note that these controls are not a substitute for secure development practices; they are another layer of defense that protects users and data in the event of an unknown gap elsewhere in your application.</p>
<p>&nbsp;</p>
<p><span style="text-decoration: underline"><strong>HTTPOnly</strong></span></p>
<p><strong>Benefit</strong>: Minimizes the impact of a cross-site scripting (XSS) vulnerability by preventing JavaScript (document.cookie) from reading the session cookie, so injected script cannot simply read and exfiltrate it.</p>
<p><strong>Limitations</strong>: Does not prevent any other malicious action performed through XSS (phishing, malicious redirects, and requests that the injected script makes from within the page, which the browser still sends with the cookie attached).</p>
<p><strong>Example within HTTP Response</strong> (the server sets the cookie with a Set-Cookie header; Cookie is the header the browser sends back):<br />
Set-Cookie: sessionID=kljahsdf123; HttpOnly</p>
<p><strong>Additional Reading:</strong><br />
<a href="http://www.owasp.org/index.php/HttpOnly">http://www.owasp.org/index.php/HttpOnly</a></p>
<p>&nbsp;</p>
<p><span style="text-decoration: underline"><strong>Secure Flag</strong></span></p>
<p><strong>Benefit</strong>: Instructs the browser never to send the cookie over a plain HTTP request; the cookie is only sent over HTTPS. This holds even if the user manually types an http:// URL: the HTTP request is still sent, but the browser withholds any cookie marked Secure.</p>
<p><strong>Limitations</strong>: The plaintext HTTP request is still sent, and a man in the middle can manipulate the response to mount a convincing phishing attack, or use that plaintext channel to set its own cookie of the same name. See Strict Transport Security for the solution.</p>
<p><strong>Example within HTTP Response:</strong><br />
Set-Cookie: sessionID=kljahsdf123; Secure</p>
<p><strong>Additional Reading:</strong><br />
<a href="http://code.google.com/p/browsersec/wiki/Part2">http://code.google.com/p/browsersec/wiki/Part2</a><br />
<a href="https://developer.mozilla.org/en/DOM/document.cookie">https://developer.mozilla.org/en/DOM/document.cookie</a></p>
<p>Note: To set both the HttpOnly and Secure flags, list both attributes on the same cookie:<br />
Set-Cookie: sessionID=kljahsdf123; HttpOnly; Secure</p>
<p>&nbsp;</p>
<p><span style="text-decoration: underline"><strong>Strict Transport Security</strong></span></p>
<p><strong>Benefit</strong>: Instructs the browser never to send requests to the domain over HTTP; requests can only be sent over HTTPS. Think of this as the Secure flag for the entire request. It protects the user even when they manually type http:// into the URL bar: assuming the site has previously enabled HSTS, the browser rewrites the request to HTTPS before it leaves the machine, so only the HTTPS request goes over the network.</p>
<p><strong>Limitations</strong>: Only supported in the most recent browser versions as of this post, although support is growing quickly. The header is only honored when it arrives over HTTPS, so a user's very first visit over plain HTTP is unprotected until the browser has seen the header once (trust on first use), and the protection lapses when max-age expires unless the header is refreshed.</p>
<p><strong>Example within HTTP Response:</strong><br />
Strict-Transport-Security: max-age=60000<br />
max-age is in seconds, so this value covers only about 16 hours; long-lived deployments use a much larger value and can add includeSubDomains to cover subdomains as well.</p>
<p><strong>Additional Reading:</strong><br />
<a href="https://developer.mozilla.org/en/Security/HTTP_Strict_Transport_Security">https://developer.mozilla.org/en/Security/HTTP_Strict_Transport_Security</a></p>
<p>&nbsp;</p>
<p><span style="text-decoration: underline"><strong>X-Frame-Options</strong></span><br />
<strong>Benefit</strong>: Instructs the browser to refuse to render the page inside a frame (DENY), or to allow framing only by pages from the same origin (SAMEORIGIN). This prevents clickjacking and other malicious framing.</p>
<p><strong>Limitations</strong>: Not supported in very old browser versions. It must be delivered as an HTTP response header; an equivalent meta tag in the HTML is ignored.</p>
<p><strong>Example within HTTP Response:</strong><br />
X-Frame-Options: DENY<br />
or<br />
X-Frame-Options: SAMEORIGIN</p>
<p><strong>Additional Reading:</strong><br />
<a href="https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header">https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header</a></p>
<p>&nbsp;</p>
<p><span style="text-decoration: underline"><strong>Content Security Policy (CSP)</strong></span><br />
<strong>Benefit</strong>: CSP provides some remarkable benefits. Once a website is set up appropriately (no inline JavaScript) and a policy has been established, CSP effectively prevents XSS where attacker-controlled data is embedded in the HTML document. This works because the policy declares which JavaScript sources are allowed; any other script that makes its way into the page via user input, including inline script blocks and event handler attributes, is flagged by the browser and blocked.</p>
<p><strong>Limitations</strong>: Supported in Firefox 4, with support planned for Chrome, as of this post. XSS is still possible where attacker-controlled data ends up inside script the policy already trusts: for example, JSON that is not properly validated and escaped, or attacker-controlled data included in dynamically generated JavaScript served from an allowed source. Even when only a portion of users run a CSP-capable browser, the policy can act as an alerting system: the browser sends violations to the report-uri, and a violation may indicate an attack in progress.</p>
<p><strong>Example within HTTP Response</strong> (the experimental Firefox 4 header and syntax; the standardized header is Content-Security-Policy, with default-src in place of allow):<br />
X-Content-Security-Policy: allow 'self' *.mydomain.com</p>
<p><strong>Additional Reading:</strong><br />
<a href="https://developer.mozilla.org/en/Introducing_Content_Security_Policy">https://developer.mozilla.org/en/Introducing_Content_Security_Policy</a><br />
<a href="https://developer.mozilla.org/en/Security/CSP/Using_Content_Security_Policy">https://developer.mozilla.org/en/Security/CSP/Using_Content_Security_Policy</a></p>
<p>&nbsp;</p>
<p>Michael Coates<br />
Web Security Nomad<br />
<a href="http://people.mozilla.org/~mcoates/">http://people.mozilla.org/~mcoates/</a></p>
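<p>The following is an added example, not code from the original post or from Mozilla: it emits the controls the post describes (HttpOnly and Secure on the session cookie, Strict-Transport-Security, X-Frame-Options, and a CSP) and audits a captured set of response headers for them, so a weak response can be compared against the hardened one. The cookie value, the policy values, the one-year max-age and the /csp-report path are illustrative assumptions; the CSP uses the standardized Content-Security-Policy header rather than the Firefox 4 X-Content-Security-Policy syntax shown above.</p>

```python
"""Added example (not from the original post): build the browser-enforced
controls described in the post and audit response headers for them.
Cookie value, policy values and the /csp-report path are assumptions."""
import re
from typing import Dict, List, Optional, Tuple


def session_cookie_header(name: str, value: str) -> str:
    """Value for a Set-Cookie header carrying both flags from the post.

    HttpOnly hides the cookie from document.cookie; Secure stops the browser
    sending it on plaintext HTTP requests. The header is Set-Cookie (server
    to browser); Cookie is what the browser sends back.
    """
    return f"{name}={value}; Path=/; HttpOnly; Secure"


def security_headers(hsts_max_age: int = 31536000,
                     include_subdomains: bool = True,
                     frame_options: str = "DENY",
                     csp: str = "default-src 'self'; report-uri /csp-report",
                     ) -> Dict[str, str]:
    """Response headers for HSTS, framing and CSP.

    max-age is in seconds (one year here, rather than the 60000 s of the
    post's example). The CSP uses the standardized header and default-src
    syntax rather than the Firefox 4 X-Content-Security-Policy 'allow' form.
    """
    hsts = f"max-age={hsts_max_age}"
    if include_subdomains:
        hsts += "; includeSubDomains"
    return {
        "Strict-Transport-Security": hsts,
        "X-Frame-Options": frame_options,
        "Content-Security-Policy": csp,
    }


def _script_directive(policy: str) -> Optional[Tuple[str, List[str]]]:
    """Return (name, sources) of the directive governing script, or None."""
    directives: Dict[str, List[str]] = {}
    for d in policy.split(";"):
        parts = d.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    for name in ("script-src", "default-src"):  # script-src wins if present
        if name in directives:
            return name, directives[name]
    return None


def audit_headers(headers: Dict[str, List[str]]) -> List[str]:
    """Return findings for a response; an empty list means every control is present.

    headers maps a header name (any case) to the list of values seen, because
    Set-Cookie legitimately appears once per cookie.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    for cookie in h.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append(f"cookie {name}: missing HttpOnly")
        if "secure" not in attrs:
            findings.append(f"cookie {name}: missing Secure")

    hsts = h.get("strict-transport-security")
    if not hsts:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age\s*=\s*(\d+)", hsts[0], re.IGNORECASE)
        if not m or int(m.group(1)) == 0:  # max-age=0 switches HSTS off again
            findings.append("Strict-Transport-Security: max-age missing or zero")

    xfo = h.get("x-frame-options")
    if not xfo:
        findings.append("missing X-Frame-Options")
    elif xfo[0].strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options: unrecognised value {xfo[0]!r}")

    csp = h.get("content-security-policy") or h.get("x-content-security-policy")
    if not csp:
        findings.append("missing Content-Security-Policy")
    else:
        sd = _script_directive(csp[0])
        if sd and "'unsafe-inline'" in sd[1]:
            findings.append(f"Content-Security-Policy: 'unsafe-inline' in {sd[0]}, "
                            "so injected inline script is not blocked")
    return findings


# Constructed sample responses: a weak one and its hardened equivalent.
WEAK_RESPONSE = {
    "Set-Cookie": ["sessionID=kljahsdf123; Path=/"],
    "Content-Security-Policy": ["default-src 'self'; script-src 'self' 'unsafe-inline'"],
}
HARDENED_RESPONSE = {
    "Set-Cookie": [session_cookie_header("sessionID", "kljahsdf123")],
    **{k: [v] for k, v in security_headers().items()},
}

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(resp) or "OK")
```

<p>The audit deliberately treats 'unsafe-inline' on the script-governing directive as a finding, because a policy that permits inline script gives up exactly the XSS protection the post describes; the other checks are presence checks that a deployment can run against its own responses after the rollout.</p>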
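<p>A second added example, again not code from the original post or from Mozilla, for the alerting use of report-uri mentioned under the CSP limitations: a minimal handler that parses the JSON violation reports a browser POSTs to the report endpoint and separates likely script injection from ordinary policy gaps. The report shape is the standardized csp-report object (the Firefox 4 X-Content-Security-Policy experiment had its own pre-standard format); the sample reports and hostnames are constructed.</p>

```python
"""Added example (not from the original post): triage CSP violation reports
posted to the report-uri. The report shape is the standardized csp-report
object; the sample bodies and hostnames below are constructed."""
import json
from collections import Counter
from typing import Dict, List, Optional


def parse_report(body: str) -> Optional[Dict[str, str]]:
    """Return the csp-report object, or None for anything that is not one.

    The endpoint is public and unauthenticated, so malformed or hostile
    input is rejected rather than allowed to raise.
    """
    try:
        data = json.loads(body)
    except ValueError:
        return None
    report = data.get("csp-report") if isinstance(data, dict) else None
    return report if isinstance(report, dict) else None


def classify(report: Dict[str, str]) -> str:
    """Label a violation by how likely it is to be injected script.

    Only the script-governing directives matter for XSS; image or style
    violations are usually policy gaps, not attacks. A default-src violation
    may also be an image or style, but it is kept in view because it can
    govern script when no script-src is set.
    """
    parts = report.get("violated-directive", "").split()[:1]
    directive = parts[0].lower() if parts else ""
    blocked = report.get("blocked-uri", "").strip()
    if directive not in ("script-src", "default-src"):
        return "non-script"
    # Blocked inline script has been reported as "inline" (newer browsers)
    # or "self" (CSP 1.0), and sometimes with an empty blocked-uri.
    if blocked in ("inline", "self", ""):
        return "inline-script"
    return "external-script"


def triage(bodies: List[str]) -> Dict[str, object]:
    """Parse a batch of POST bodies and summarise what needs a human look."""
    counts: Counter = Counter()
    suspicious: List[str] = []
    for body in bodies:
        report = parse_report(body)
        if report is None:
            counts["malformed"] += 1
            continue
        label = classify(report)
        counts[label] += 1
        if label != "non-script":
            suspicious.append(f"{label}: {report.get('document-uri', '?')} "
                              f"blocked {report.get('blocked-uri', '?')!r}")
    return {"counts": dict(counts), "suspicious": suspicious}


# Constructed sample bodies, as a browser would POST them to /csp-report.
SAMPLE_BODIES = [
    json.dumps({"csp-report": {
        "document-uri": "https://app.example/profile?name=%3Cscript%3E",
        "violated-directive": "script-src 'self'",
        "blocked-uri": "inline",
        "original-policy": "default-src 'self'; report-uri /csp-report"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://app.example/profile",
        "violated-directive": "script-src 'self'",
        "blocked-uri": "http://attacker.example/steal.js",
        "original-policy": "default-src 'self'; report-uri /csp-report"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://app.example/",
        "violated-directive": "img-src 'self'",
        "blocked-uri": "https://cdn.example/logo.png",
        "original-policy": "default-src 'self'; report-uri /csp-report"}}),
    '{"csp-report": "not an object"}',
    "this is not json",
]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_BODIES), indent=2))
```

<p>Treat these reports as a signal rather than proof: browser extensions and injected ISP scripts also trigger violations, and anyone can POST fabricated reports to the endpoint, so the handler should log, rate-limit and aggregate by document-uri and blocked-uri before anyone is paged.</p>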