Confirmed users
461
edits
SummerOfCode/2013/SecurityReport/WeeklyUpdates/2013-07-22: Difference between revisions
Jump to navigation
Jump to search
SummerOfCode/2013/SecurityReport/WeeklyUpdates/2013-07-22 (view source)
Revision as of 08:21, 24 July 2013
, 24 July 2013→This Week
No edit summary |
|||
| Line 4: | Line 4: | ||
* This week I collected information about various security related headers and added reporting about them in the security report tool. | * This week I collected information about various security related headers and added reporting about them in the security report tool. | ||
** CSP | ** CSP Headers | ||
*** Websites can set any one of these header to send CSP policy. CSP policy is used to protect web users from content injection attacks and it loads resources only from trusted sources. | *** Websites can set any one of these header to send CSP policy. CSP policy is used to protect web users from content injection attacks and it loads resources only from trusted sources. | ||
*** CSP specification is under development and websites use different headers to send their CSP policy. For example, "X-Content-Security-Policy", "Content-Security-Policy", "X-WebKit-CSP". | *** CSP specification is under development and websites use different headers to send their CSP policy. For example, "X-Content-Security-Policy", "Content-Security-Policy", "X-WebKit-CSP". | ||
*** According to standard website should send CSP policy using "Content-Security-Policy" header. and other two headers are browser specific. | *** According to standard website should send CSP policy using "Content-Security-Policy" header. and other two headers are browser specific. | ||
*** I added observer on "http-on-receive-response" to monitor HTTP/S responses. In that listener I check for the presence of various HTTP headers. | *** I added observer on "http-on-receive-response" to monitor HTTP/S responses. In that listener I check for the presence of various HTTP headers. | ||
** X-Frame-Options Header | |||
*** I also read about "X-Frame-Options" header and checked whether it is used by website or not. If not then appropriate message is displayed in the security report tool's "Sec-Headers" Tab. Absent of "X-Frame-Option" header means site is vulnerable to Clickjacking attacks. | *** I also read about "X-Frame-Options" header and checked whether it is used by website or not. If not then appropriate message is displayed in the security report tool's "Sec-Headers" Tab. Absent of "X-Frame-Option" header means site is vulnerable to Clickjacking attacks. | ||