Enterprise cloud app adoption is continuing to increase across various functions, and to stay ahead of the curve, IT leaders must understand the susceptibility of these applications to attacks that could compromise data. In the past decade, a myriad of techniques have been developed to compromise web applications — from cross site scripting (XSS) and SQL injection to phishing and clickjacking. As web applications have become more sophisticated, so have modern web browsers, which has spawned several new HTTP response headers to help enhance a website’s security.
IT Business Edge recently spoke with Ravi Balupari, director of engineering and cloud security research at Netskope, on how the advances being made in the realm of HTTP protocol can address new emerging threats across the universe of cloud applications. He discusses here five HTTP security headers that IT leaders must incorporate in their enterprise data security strategy to address any potential threats.
Tips for Securing Web Browsers
Click through for five HTTP security headers that IT leaders can use to help secure enterprise data, as identified by Ravi Balupari, director of engineering and cloud security research at Netskope.
HTTP Strict Transport Security (HSTS)
HSTS headers protect against Man-in-the-Middle attacks. If a website uses an HSTS header, the header enforces that all domain content is downloaded over HTTPS. HSTS headers can also refuse to connect in case of certificate errors and warnings.
Content Security Policy (CSP)
A Content Security Policy (CSP) provides a mechanism to instruct browsers on what to trust. By using CSP, a whitelist policy is enforced on the content being delivered, ensuring that content can only be delivered by certain specified domains. CSP is especially important in preventing cross-site scripting (XSS) attacks, in which a browser is tricked into delivering malicious content by bypassing the origin policy. The root cause in XSS attacks is the browser’s inability to distinguish between scripts that are part of an application and scripts that have been injected by a third party.
X-Frame-Options is a solution for preventing Clickjacking attacks, a malicious technique that tricks a web user into clicking on something different from what the user perceives they are clicking on, resulting in leaking confidential information. Inclusion of the X-Frame-Options header in an HTTP response enforces the browser to evaluate a request of framing a page.
Most browsers employ MIME sniffing, a technique that guesses the content type returned by a server. In certain scenarios, browsers can be manipulated into making an incorrect guess about the content type, allowing attackers to execute malicious code on a victim’s browser. X-Content-Type-Options prevents the browser from guessing about the MIME type and thus, protects against MIME content-sniffing attacks.
The XSS-Protection header provides the ability to turn on a browser’s XSS protection. This enables XSS protections and instructs the browser to block a response in the event a XSS reflection attack is detected.