Blog

When you view a website page or make a request against an application api, HTTP headers allow the client and the server to pass additional information with the request, page content, or the response.

Typical HTTP headers sent are Host, Accept-Language, etc, while typical HTTP headers received are Content-Type, Server, Content-Security-Policy, etc

You can view HTTP Headers using the browsers developer tools in Chrome or Firefox.

HTTP Security Headers are a subset of HTTP headers which can help increase the security of your web application and website. In many cases they are easy to implement and only require a slight web server configuration or application change. 

For the additional security to be realized, the browser must support the HTTP Security Headers, which most modern browsers do.  Can I Use and Mozilla are both good sites to see what features browsers support.


HTTP Security Headers to implement:

Access-Control-Allow-Origin Mozilla

Indicates whether the response can be shared with requesting code from the given origin.

Possible values:

*

- allow requesting code from any origin to access the resource

https://example.com/

- one domain

Recommended:

*

To allow Cross-origin resource sharing

X-XSS-Protection Mozilla

Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks
Non standard, deprecated by Content-Security-Policy, but maybe useful for older browsers

Possible values:

0

- disables XSS filtering; never use!

1

- enable XSS filtering, sanitize, usually default in browsers

1; mode=block

- enable, block rendering of page

Recommended:

1

To silently filter XSS and not server as a simple test bed for XSS attacks

X-Content-Type-Options Mozilla

Prevents browser from MIME-type sniffing a response away from the declared ie trust the web server.

Possible values:

nosniff

- prevents browser from MIME-type sniffing a response away from the declared content-type.

Recommended:

nosniff

Good additional information on attacks mitigated (MIME Confusion Attack, Unauthorized Hotlinking) stackoverflow

X-Frame-Options Mozilla

Indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe> or <object>
Non standard, deprecated by Content-Security-Policy, but useful for older browsers

Possible values:

deny

- no framessameorigin

- allow frame from origin

allow-from https://example.com/

- one domain

Recommended:

If you have no iframes, then deny

If you want your content iframed in by multiple websites, then do not send this header

Strict-Transport-Security Key CDN

Restricts web browsers to access web servers solely over HTTPS; header only has effect when requested over HTTPS

Possible values:

max-age

- defines the time in seconds for which the web server should only deliver through HTTPS.

includeSubDomains

- optional, apply to subdomains

preload

- optional, the site owner can submit their website to the preload list which is a list of sites hardcoded into Chrome as being HTTPS only; Additional details serverfault

Recommended:

If your site and all resources (images, javascript, css, etc) are available over HTTPS, as they should be, then enable; If you have mixed content, HTTP and HTTPS, then do not use this header

Given that browser will cache this header for your site, to test implementation, bump max-age up incrementally over time eg 300s=5min, 86400s=1day, 63072000s=2years required for preload

Strict-Transport-Security: max-age=300; includeSubDomains

Good additional information on why to use it stackoverflow, and what to be careful of stackoverflow

Referrer-Policy ScottHelme

Determine what information about the origin the user came from is sent to the destination site

Possible values:

no-referrer

- not referrer sent

no-referrer-when-downgrade

- do not send the referrer header when navigating from HTTPS to HTTP

same-origin

- only set the referrer header on requests to the same origin

origin

- set the referrer header to the origin, stripping any path information

strict-origin

- same as origin, but do not send HTTPS request on HTTP

origin-when-cross-origin

- send the full URL to requests to the same origin but only send the origin when requests are cross-origin

strict-origin-when-cross-origin

- same as origin-when-cross-origin, but do not send when navigating from HTTPS to HTTP

unsafe-url

- always send the referrer; do not use!

Recommended:

no-referrer-when-downgrade

To prevent any HTTPS info (referrer url) being sent over HTTP

Content-Security-Policy Key CDN Mozilla

Content-Security-Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks.  It replaces several of the above X- headers, but support depends on browser and browser versions, so you should still the above headers.

CSP makes it possible for server administrators to reduce or eliminate the vectors by which XSS can occur by specifying the domains that the browser should consider to be valid sources of executable scripts. A CSP compatible browser will then only execute scripts loaded in source files received from those white listed domains, ignoring all other script.

Note: While searching for CSP policy values, remember CSP version 2 is currently defined, and CSP version 3 is in the works.  Across the versions, policy values have been added and removed, thus support depends on browsers and browser's versions. 

An example Content-Security-Policy:

Content-Security-Policy "base-uri 'self'; object-src 'none'"

Possible policy keys:

default-src

- default policy for all resources type that are not defined (fallback)

script-src

- which scripts the protected resource can execute

object-src

- from where the protected resource can load plugins (flash, java, etc)

style-src

- which styles (CSS) the user applies to the protected resource

img-src

- from where the protected resource can load images

media-src

- from where the protected resource can load video and audio

frame-src

- from where the protected resource can embed frames

frame-ancestors

- valid parents that may embed a page using <frame>, <iframe>, <object>, <embed>, or <applet>

font-src

- from where the protected resource can load fonts

connect-src

- which URIs the protected resource can load using script interfaces

form-action

- which URIs can be used as the action of HTML form elements

script-nonce

- script execution by requiring the presence of the specified nonce (cryptographic number used once) on script elements

report-uri

- Specifies a URI to which the user agent sends reports about policy violation

Deprecated keys (you may run across in searches, but don't use)

reflected-xss

- instructs a user agent to activate or deactivate any heuristics used to filter or block reflected cross-site scripting attacks, equivalent to the effects of the non-standard X-XSS-Protection header

referrer

- determine what information about the origin the user came from is sent to the destination site

Possible values: blobfolio

*

– wildcard, i.e. anything goes

'none'

– load no resources

'self'

– same-origin is OK

data:

– data-URI, such as a base64-encoded image

https:

– any resource over HTTPS

domain.com, *.domain.com, https://domain.com

– domain.com (any protocol), all subdomains of domain.com (any protocol), domain.com (SSL) respectively

For scripts and stylesheets specifically, there are a few additional magic values:

'unsafe-eval'

– allow scripts to run eval().

'unsafe-inline'

– allow all inline scripts and/or styles.

'nonce-XXX'

– allow inline or linked assets with the nonce stackoverflow

For more options and information refer to Mozilla

Recommended values:

A minimal CSP which should not break stuff is:

Content-Security-Policy base-uri 'self'; object-src 'none'

This ensures your base uri is not change via html injection, and that your site does not allow flash or applets

Adding CSP does require you know your application or websites resources, which may be non trivial.

Adding CSP can break you application or website, by preventing resources from loading.

For example,  object-src 'none' disable embedded pdfs in Chrome.

Testing, as always, is important.  To facilitate testing, consider adding one policy at a time.

Example Content-Security-Policy of a few domains:

google.com

header not set 

amazon.com

header not set

aws.amazon.com

header not set

mail.google.com

script-src 'unsafe-inline' 'unsafe-eval' https: http:;object-src 'none';base-uri 'self';report-uri /cspreport

securityheaders.com

default-src 'self'; script-src 'self' cdnjs.cloudflare.com; img-src 'self'; style-src 'self' 'unsafe-inline' fonts.googleapis.com cdnjs.cloudflare.com; font-src 'self' fonts.gstatic.com cdnjs.cloudflare.com; form-action 'self'; report-uri https://scotthelme.report-uri.com/r/default/csp/enforce

msn.com

default-src 'self' data: 'unsafe-inline' 'unsafe-eval' https: blob:; media-src 'self' https: blob:; worker-src 'self' https: blob:; block-all-mixed-content; connect-src 'self' data: 'unsafe-inline' 'unsafe-eval' https: blob: https://*.trouter.io:443 https://*.trouter.skype.com:443 wss://*.trouter.io:443 wss://*.trouter.skype.com:443;

stackoverflow.com

upgrade-insecure-requests

Given that CSP is non trivial and policies can break the app, consider adding

report-uri "/csp-report-violation"

or use the free service report-uri

report-uri "https://report-uri.io/"

and view the results in developer tools and/or log the results

{"csp-report": {

    "document-uri": "https://example.com/signup.html",

    "referrer": "",

    "blocked-uri": "http://example.com/css/style.css",

    "violated-directive": "style-src cdn.example.com",

    "original-policy": "default-src 'none'; style-src cdn.example.com; report-uri /_/csp-reports",

    "disposition": "report"

}}

To test your changes, load you application or website in a browser and view the developer tools network tab and review the headers.

For nicer graphical view, with a warm fuzzy grade system, which others might use, visit

securityheaders.io

Examples of how to add the HTTP Security Headers

PHP:

header("X-Content-Type-Options: nosniff");

header("X-XSS-Protection: 1");

header("X-Frame-Options: sameorigin");

header("Strict-Transport-Security: max-age=31536000s; includeSubDomains");

header("Referrer-Policy: no-referrer-when-downgrade");

header("Access-Control-Allow-Origin: *");

header("Content-Security-Policy: base-uri 'self'; object-src 'none'");

PHP framework/library:

$response->headers->set('X-Content-Type-Options', 'nosniff');

$response->headers->set('X-XSS-Protection', '1');

$response->headers->set('X-Frame-Options', 'sameorigin');

$response->headers->set('Strict-Transport-Security', 'max-age=31536000s; includeSubDomains');

$response->headers->set('Referrer-Policy', 'no-referrer-when-downgrade');

$response->headers->set('Access-Control-Allow-Origin', '*');

$response->headers->set('Content-Security-Policy', "base-uri 'self'; object-src 'none'");

Apache config/.htaccess:

Header set X-Content-Type-Options nosniff

Header set X-XSS-Protection 1

Header set X-Frame-Options sameorigin

Header set Strict-Transport-Security max-age=31536000s; includeSubDomains

Header set Referrer-Policy no-referrer-when-downgrade

Header set Access-Control-Allow-Origin *

Header set Content-Security-Policy "base-uri 'self'; object-src 'none'"

nginx config

add_header X-Content-Type-Options nosniff

add_header X-XSS-Protection 1

add_header X-Frame-Options sameorigin

add_header Strict-Transport-Security max-age=31536000s; includeSubDomains

add_header Referrer-Policy no-referrer-when-downgrade

add_header Access-Control-Allow-Origin *

add_header Content-Security-Policy "base-uri 'self'; object-src 'none'"

-End of Document-

Thanks for reading

Robocopy, or "Robust File Copy", is a command-line directory and/or file replication command

From the source directory, find all shortcuts, and copy the shortcut contents to a destination directory [Wikipedia]

The most basic example
Copies files from Directory_A to Directory_B
> robocopy C:\Directory_A C:\Directory_B

Some info about Robocopy defaults:
It will only copy a file if the source and destination have different time stamps or different file sizes.
Also, data, attributes, and time stamps are copied. ACL permissions, owner information,

and auditing information are ignored. You can modify this behavior with the /copy flag.

Also note that the paths don't have a trailing backslash.

The following flurry of options will mirror files form a source directory to a destination directory, recursively, with status, summary and a log

> robocopy /b /e /xa:s /xjd /sl /a-:hs /mt /fp /mir /mt:2 /log:"C:/dev/transfer.log" /eta /tee /v /l "C:/dev/source" "D:/backup/dev/source"
 
  

And a translation of the options:

/b      - backup mode (there's a /zb option for restart mode, but it's a whole lot slower); overwrite acls

/e      - copies subdirectories (including empty directories) in addition to files

/xa:s   - exclude system files

/xjd    - exclude junction points

/sl     - copy symbolic links as links

/a-:hs  - remove hidden/system attributes from files

/fp     - full path of files in output

/mir    - MIRror a directory tree (equivalent to /e plus /purge)

/mt[:n] - Do multi-threaded copies with n threads (default 8)

/log:transfer.log - redirect output to file

/eta    - time remaining

/tee    - duplicate log to console window

/v      - verbose output + skipped

/l      - list files only (and not copy, delete, or time stamp)

Remove the option /l when ready to run

Note that the option /sl allows symbolic links to be copied, which is useful if you are using npm for node modules management or your git repository has symbolic links.

The options /eta, /tee, /v can be removed to minimize output to the console

You can also place the command within a bat file to run on double click, or some other event.

backup.bat:

echo "R: ramdrive -> C: backup"

robocopy /b /e /xa:s /xjd /sl /a-:hs /mt /fp /mir /mt:2 /log:"C:/backup/robocopy/transfer.log" /eta /tee /v /l "R:/code" "C:/backup/code"

pause

Microsoft documentation of Robocopy and other possible arguments

End of document. Thanks for reading.

From the source directory, find all shortcuts, and copy the shortcut contents to a destination directory

PowerShell is a task automation and configuration management framework from Microsoft, consisting of a command-line shell and associated scripting language. Wikipedia

# Get all shortcuts

$shortcuts = gci "$srcDir\*.lnk"

cgi = Get-ChildItem  Microsoft

Gets the items and child items in one or more specified locations.

# skip existing dirs

if (Test-Path "$destPath") {

Test-Path Microsoft

Determines whether all elements of a path exist.

# copy

copy-item -Path "$srcPath" -Destination "$destRecreatePath" -Force -Recurse -Container -Exclude $exclude

copy-item Microsoft

Copies an item from one location to another.

But alas, without any indication of progress.

So, from some help on Stack Overflow

# xcopy prompts for is this a file/dir, no progress

# robocopy asks for admin perms on ntfs/audit attribs

# copy copies with progress %

# /z   : Copies networked files in restartable mode.

cmd /c copy /z $srcFile $destFile


Some screenshots of the full script in action












And the full source is on GitHub

End of document. Thanks for reading.

While writing a simple JavaScript 'class', I wanted to toggle console.logs on for development and off for production.  Normally I would create a method to wrap console.log with a debug flag, such as:

function Awesome() {
   this.debug = true;

   this.log = function(msg) {
       if (this.debug) {
           console.log(msg);    // line 6
       }
   };   

   this.log('test');            // outputs line 6

   this.doStuff = function() {
       this.log('doing stuff'); // outputs line 6
   };
}

But the line number logged is always from within the log wrapper, this.log(),
which is not overly useful.
After some searching, I ran across this StackOverflow thread
https://stackoverflow.com/a/13815846/3893727
Basically, instead of using a logging wrapper, use a function alias.

function Awesome() {

   this.debug = true;   

   if (this.debug && window.console && console.log && console.warn && console.error) {

       this.console = {
           'log': window.console.log,
           'warn': window.console.warn,
           'error': window.console.error
       };

   } else {

       this.console = {
           'log': function(){},
           'warn': function(){},
           'error': function(){}
       };
   }

   this.console.log('test');            // outputs line 18

   this.doStuff = function() {
       this.console.log('doing stuff'); // outputs line 21
   };
}    

So now Awesome is awesome with logging showing the original line number,
which is helpful for debugging.

Of course, this.console could be renamed to anything, such as this.log, this.out, etc.
And you could add the log to the window namespace so it could be used by other functions, such as window.debug or window.log, etc

End of document. Thanks for reading.