For those who do not follow myself or Franziska Bühler, we have an open source project together called OWASP DevSlop in which we explore DevSecOps through writing vulnerable apps, creating pipelines, publishing proof of concepts, and documenting what we’ve learned on our YouTube Channel and our blogs. In this article, we will explore adding security headers to our proof of concept website, DevSlop.co (the proof of concept website is no longer available). This blog post is closely related to Franziska’s post OWASP DevSlop’s journey to TLS and Security Headers. If you like this one, read hers too.
Franziska Bühler and I installed several security headers during the OWASP DevSlop Show. Unfortunately, we discovered that .Net Core apps don’t have a web.config, so the next time we published, it wiped out the beautiful headers we had added. Although that is not good news, it was another chance to learn, and it gave me a great excuse to finally write my Security Headers blog post that I have been promising. Here we go!
Our web.config looked so…. Empty.
When this article was written, I added the headers back into the app, in the startups.cs file, which didn't work out.
If you want in-depth details about what we did on the show and what each security header means, you should read Franziska’s blog post. She explains every step, and if you are trying to add security headers for the first time to your web.config (ASP.Net, not .Net CORE), you should definitely read it.
The new code for ASP.Net in your web.config looks like this:
<! — Start Security Headers →<httpProtocol><customHeaders><add name=”X-XSS-Protection” value=”1; mode=block”/><add name=”Content-Security-Policy” value=”default-src ‘self’”/><add name=”X-frame-options” value=”SAMEORIGIN”/><add name=”X-Content-Type-Options” value=”nosniff”/><add name=”Referrer-Policy” value=”strict-origin-when-cross-origin”/><remove name=”X-Powered-By”/></customHeaders></httpProtocol><! — End Security Headers →
Our new-and-improved Web.Config!
And the new code for my startup.cs (.Net CORE), looks like this (Thank you Damien Bod):
//Security headers make me happyapp.UseHsts(hsts => hsts.MaxAge(365).IncludeSubdomains());app.UseXContentTypeOptions();app.UseReferrerPolicy(opts => opts.NoReferrer());app.UseXfo(options => options.Deny());
app.UseCsp(opts => opts.BlockAllMixedContent().StyleSources(s => s.Self()).StyleSources(s => s.UnsafeInline()).FontSources(s => s.Self()).FormActions(s => s.Self()).FrameAncestors(s => s.Self()).ImageSources(s => s.Self()).ScriptSources(s => s.Self()));//End Security Headers
Our beautiful security headers!
In future, we will also add:
Secure settings for our cookies
X-Permitted-Cross-Domain-Policies: none
Expect-CT: (not currently supported by our provider)
Feature-Policy: camera ‘none’; microphone ‘none’; speaker ‘self’; vibrate ‘none’; geolocation ‘none’; accelerometer ‘none’; ambient-light-sensor ‘none’; autoplay ‘none’; encrypted-media ‘none’; gyroscope ‘none’; magnetometer ‘none’; midi ‘none’; payment ‘none’; picture-in-picture ‘none’; usb ‘none’; vr ‘none’; fullscreen *;
For more information on these security headers, I strongly suggest you read the OWASP Security Headers Guidance.
We now have good marks from all of the important places, https://securityheaders.com, https://www.ssllabs.com, and http://hardenize.com, but hope to improve our score even further.
Please use every security header that is available and applicable to you.
About
Semgrep lets security teams partner with developers and shift left organically, without introducing friction. Semgrep gives security teams confidence that they are only surfacing true, actionable issues to developers, and makes it easy for developers to fix these issues in their existing environments.
