10-09-2019, 09:25 AM
Hi. We have a customer that has performed a penetration test for one of our web applications and claims in one finding that several security-related HTTP headers are missing; these are Strict Transport Security, XSS Protection, Content Type Options and Content Security Policy. They recommend that at least the first three are set in order to consider the finding as fixed. We do however set these three at the beginning of a session according to recommendations in a previous forum thread, but I guess that these do not carry over to every response sent by the web application. Our current code looks like this:
Code:
procedure TBaseClientServerController.IWServerControllerBaseNewSession(aSession: TIWApplication);
...
begin
  // Only add the headers when the server is actually listening on an SSL port
  if Assigned(aSession) and Assigned(aSession.Response) and (SSLOptions.Port <> 0) then
    SetCustomHeadersForHSTS(aSession);
  ...
end;

{Impl. from Hafedh TRIMECHE, see https://forums.embarcadero.com/thread.jspa?messageID=677727#677727}
procedure SetCustomHeadersForHSTS(aSession: TIWApplication);
type
  TCustomHeader = record
    Key, Value: UnicodeString;
  end;
const
  // Headers added to the response object of the new session
  CustomHeaders: array[1..5] of TCustomHeader = (
    (Key: 'Strict-Transport-Security'; Value: 'max-age=31536000; includeSubDomains'),
    (Key: 'Pragma';                    Value: 'no-cache'),
    (Key: 'Cache-Control';             Value: 'no-cache, no-store, must-revalidate, private'),
    (Key: 'X-Content-Type-Options';    Value: 'nosniff'),
    (Key: 'X-XSS-Protection';          Value: '1; mode=block')
  );
var
  iHeaders: Integer;
begin
  // A date far in the past, so the response is already expired for the browser
  aSession.Response.Expires := EncodeDate(1000, 1, 1);
  aSession.Response.AllowCaching := False;
  aSession.Response.CacheControlEnabled := False;
  for iHeaders := Low(CustomHeaders) to High(CustomHeaders) do
  begin
    if CustomHeaders[iHeaders].Value <> '' then
    begin
      // Leading space so the raw header line reads "Key: Value"
      aSession.Response.Headers.Values[CustomHeaders[iHeaders].Key] := ' ' + CustomHeaders[iHeaders].Value;
    end;
  end;
end;
If you test our web application with SSL Labs, it has always (since we first implemented this) recognized that we use HTTP Strict Transport Security and given us an A+ rating. This leads to a number of questions:
- Is it sufficient to set all these headers at the beginning of an IW session (which would imply that the tester's conclusion is wrong)?
- Or should one or more of these headers be set for every response?
- If Yes on 2, which are the appropriate ServerController properties and event(s) to use? Example code?
- For the fourth header, Content Security Policy, the tester writes the following: "Content Security Policy requires careful tuning and precise definition of the policy. If enabled, CSP has significant impact on the way the browser renders pages (e.g., inline JavaScript is disabled by default and must be explicitly allowed in the policy). CSP prevents a wide range of attacks, including Cross-Site Scripting and other Cross-Site injections.". They recommend using this if it does not interfere with the application, and give an example header like this: "Content-Security-Policy: default-src 'self'". What is the consequence of using this in an IntraWeb application? Is it something we should attempt?
I would be very grateful for feedback on this. The tester regards this as a Medium severity finding that we need to fix in the near future.
Best regards
Magnus Oskarsson
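The two questions in the post (whether the headers must be on every response, and what `default-src 'self'` means for inline script) can both be checked offline. The following is an added example, not code from the post or from IntraWeb: it audits a set of captured response headers for the four headers in the finding, and parses a CSP value to decide whether inline `<script>` blocks would still run. The sample responses are constructed to mirror the situation described above: one response from session start carrying the headers the posted code sets, and one later response from the same session without them. The minimum HSTS `max-age` is an assumption taken from the value in the posted code; the tester did not state a threshold.

```python
import re
from typing import Dict, List

# Assumption: accept the same max-age the posted code sends as the minimum.
MIN_HSTS_MAX_AGE = 31536000

# Constructed sample: headers as the NewSession code above sets them.
SESSION_START = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Content-Type": "text/html",
}
# Constructed sample: a later response of the same session with no security headers.
LATER_RESPONSE = {"Content-Type": "text/html"}
SAMPLE_SESSION = {"session_start": SESSION_START, "later": LATER_RESPONSE}


def _norm(headers: Dict[str, str]) -> Dict[str, str]:
    """HTTP header names are case-insensitive; compare them lower-cased."""
    return {k.lower(): v.strip() for k, v in headers.items()}


def hsts_issues(value: str) -> List[str]:
    """Return problems with an HSTS value: missing/short max-age, no includeSubDomains."""
    issues = []
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.I)
    if not m:
        issues.append("HSTS has no max-age")
    elif int(m.group(1)) < MIN_HSTS_MAX_AGE:
        issues.append(f"HSTS max-age {m.group(1)} below {MIN_HSTS_MAX_AGE}")
    if "includesubdomains" not in value.lower():
        issues.append("HSTS lacks includeSubDomains")
    return issues


def check_response(headers: Dict[str, str]) -> List[str]:
    """List the findings a scanner would raise against one HTTP response."""
    h = _norm(headers)
    issues = []
    if "strict-transport-security" not in h:
        issues.append("missing Strict-Transport-Security")
    else:
        issues += hsts_issues(h["strict-transport-security"])
    if h.get("x-content-type-options", "").lower() != "nosniff":
        issues.append("missing or wrong X-Content-Type-Options")
    if "x-xss-protection" not in h:
        issues.append("missing X-XSS-Protection")
    if "content-security-policy" not in h:
        issues.append("missing Content-Security-Policy")
    return issues


def audit_session(responses: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Check every response of a session, not just the first one."""
    return {label: check_response(h) for label, h in responses.items()}


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split 'dir src src; dir src' into {directive: [sources]}."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def csp_allows_inline_script(policy: str) -> bool:
    """True if inline <script> blocks run under this policy.

    script-src governs scripts; without it the browser falls back to
    default-src; without either, scripts are unrestricted.  'unsafe-inline'
    is ignored by CSP2+ browsers when a nonce or hash source is also listed.
    """
    d = parse_csp(policy)
    if "script-src" in d:
        sources = d["script-src"]
    elif "default-src" in d:
        sources = d["default-src"]
    else:
        return True
    lowered = [s.lower() for s in sources]
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered
    )
    return "'unsafe-inline'" in lowered and not has_nonce_or_hash


if __name__ == "__main__":
    for label, issues in audit_session(SAMPLE_SESSION).items():
        print(label, issues)
    print("default-src 'self' allows inline script:",
          csp_allows_inline_script("default-src 'self'"))
```

Running the audit shows why a scanner and SSL Labs disagree: SSL Labs reports HSTS from the one response it fetches, while a scanner flags each response that lacks the header, so the later response of the sample session fails even though session start passes. For the CSP question, `default-src 'self'` returns False from `csp_allows_inline_script`, which is the consequence the tester describes: any inline script or event handler attribute in the page is blocked unless the policy adds `'unsafe-inline'`, a nonce or a hash for it. X-XSS-Protection is checked only because the finding lists it; current browsers no longer act on it.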