
It has been flagged by a pen tester for one of our clients that the site we built does not return the correct headers for a 302, 500 and 403 response. I have tested this and in fiddler I can see that the headers returned from a 302 are indeed different to a normal 200 response. I've checked our config file and can see that all the headers are in the config file as expected.

Why are the headers different and what do I need to do to fix this?

The response from the pen tester was as follows:

The following HTTP security headers were found to be missing from 403, 302 and 500 responses:
• HTTP Strict Transport Security (HSTS) – The header ensures that supported browsers should only interact with it using HTTPS protocol, rejecting the insecure HTTP protocol, protecting against protocol downgrade attacks and cookie hijacking.
• X-Frame-Options – The header ensures that the browser must not display the transmitted content in frames of other web pages, protecting against Clickjacking attacks.
• X-XSS-Protection – The header will force the browser to enable any available Cross-Site Scripting filter, providing an additional defence against Cross-Site Scripting attacks.
• X-Content-Type-Options – The header will prevent the browser from interpreting files as something else other than what is declared by the content type, which can help protect against some Cross-Site Scripting attacks.
• Referrer Policy – The header governs which referrer information is sent in the Referer header along with requests.

My web config file is:

    <httpProtocol>
      <customHeaders>
        <add name="Vary" value="Accept-Encoding"/>
        <add name="X-UA-Compatible" value="IE=edge"/>
        <add name="P3P" value="policyref=&quot;/w3c/p3p.xml&quot;, CP=&quot;This is not a privacy policy!&quot;"/>
        <add name="E-TAG" value=""/>
        <add name="Arr-Disable-Session-Affinity" value="True"/>
        <add name="Access-Control-Allow-Origin" value="*"/>
        <add name="Access-Control-Allow-Methods" value="*"/>
        <add name="Access-Control-Allow-Headers" value="*"/>
        <add name="Strict-Transport-Security" value="max-age=31536000;includeSubDomains"/>
        <add name="Referrer-Policy" value="strict-origin"/>
        <add name="x-Content-Type-Options" value="nosniff"/>
      </customHeaders>
    </httpProtocol>

    <nwebsec>
      <httpHeaderSecurityModule xsi:noNamespaceSchemaLocation="NWebsecConfig/HttpHeaderSecurityModuleConfig.xsd" xmlns="http://nwebsec.com/HttpHeaderSecurityModuleConfig.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <redirectValidation enabled="false" />
        <securityHttpHeaders>
          <x-Frame-Options policy="Deny" />
          <strict-Transport-Security max-age="365" includeSubdomains="true" httpsOnly="true" preload="true" />
          <x-Content-Type-Options enabled="true" />
          <x-Download-Options enabled="true" />
          <x-XSS-Protection policy="FilterEnabled" blockMode="true" />
          <content-Security-Policy enabled="false" />
        </securityHttpHeaders>
      </httpHeaderSecurityModule>
    </nwebsec>

and a 200 response returns:

    Vary: Accept-Encoding
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    X-Frame-Options: Deny
    X-Content-Type-Options: nosniff
    X-Download-Options: noopen
    X-XSS-Protection: 1; mode=block
    X-UA-Compatible: IE=edge
    P3P: policyref="/w3c/p3p.xml", CP="This is not a privacy policy!"
    E-TAG: True
    Arr-Disable-Session-Affinity: *
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: *
    Access-Control-Allow-Headers: max-age=31536000;includeSubDomains
    Strict-Transport-Security: strict-origin
    Referrer-Policy: nosniff

however a 302 returns:

    Vary: Accept-Encoding
    X-UA-Compatible: IE=edge
    P3P: policyref="/w3c/p3p.xml", CP="This is not a privacy policy!"
    E-TAG: True
    Arr-Disable-Session-Affinity: *
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: *
    Access-Control-Allow-Headers: max-age=31536000;includeSubDomains
    Strict-Transport-Security: strict-origin
    Referrer-Policy: nosniff

Seems to me that all the x-* headers are missing?

The XML file here suggests you are using a framework of some kind - would you tag your question with the language and framework you're using? – halfer Sep 07 '18 at 06:34

1 Answer


Not an authoritative answer but: I don't see the point of the X headers with a 302, or in normal cases with 403 or 500. They are instructing your browser on how to handle aspects of the returned page, and there is (normally) no page returned with those response codes. Same general idea as answered on https://security.stackexchange.com/questions/188134/x-frame-options-header-on-redirect

I have not found any decent discussion of the application of HSTS to these responses. I would suggest it is practically irrelevant but theoretically ideal to include HSTS in most cases (with exceptions like a URL shortener that is always a redirect, so most visitors never get the HSTS directive if you don't include it with a 30X).

Per https://www.w3.org/TR/referrer-policy/#set-requests-referrer-policy-on-redirect it would seem Referrer-Policy should be included on a redirect. 403 and 500 would seem to be irrelevant (again, unless you include a page with those responses).

Again, not an authority, and despite searching a fair bit I haven't found a convincing answer on most of this, so take it as an opinion only.

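A small audit script, added here as an example and not part of the question or the answer: it parses raw response header blocks of the kind pasted from Fiddler above and reports, per status code, which of the headers the pen tester listed are missing or carry an unusable value. The per-status expectations (HSTS on every response, Referrer-Policy on redirects, the X-* headers only where a page body is rendered) are an assumption that follows the answer's reasoning; the sample captures are constructed.

```python
import re

# Assumed policy, following the answer: HSTS always, Referrer-Policy on redirects,
# X-* headers only where a body is rendered (200, or a 403/500 with a custom error page).
BODY_ONLY = {"x-frame-options", "x-xss-protection", "x-content-type-options"}

def parse_headers(raw):
    """Parse 'Name: value' lines (as pasted from Fiddler) into a lowercase-keyed dict."""
    headers = {}
    for line in raw.strip().splitlines():
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def expected_headers(status, has_body):
    expected = {"strict-transport-security"}
    if 300 <= status < 400 or has_body:
        expected.add("referrer-policy")
    if has_body:
        expected |= BODY_ONLY
    return expected

def audit(status, raw, has_body):
    """Return sorted findings: 'missing: <name>' or 'bad value: <name>=<value>'."""
    headers = parse_headers(raw)
    findings = []
    for name in sorted(expected_headers(status, has_body)):
        if name not in headers:
            findings.append(f"missing: {name}")
            continue
        value = headers[name].lower()
        bad = ((name == "strict-transport-security" and not re.search(r"max-age=\d+", value))
               or (name == "x-content-type-options" and value != "nosniff")
               or (name == "x-frame-options" and value not in ("deny", "sameorigin")))
        if bad:
            findings.append(f"bad value: {name}={headers[name]}")
    return findings

# Constructed samples modelled on the question's Fiddler captures.
PAGE_200 = """Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: Deny
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin"""
REDIRECT_302 = """Vary: Accept-Encoding
X-UA-Compatible: IE=edge
Location: /login"""
if __name__ == "__main__":
    for status, raw, has_body in ((200, PAGE_200, True), (302, REDIRECT_302, False)):
        print(status, audit(status, raw, has_body) or ["ok"])
```

A value check also catches the case where a header is present but its value belongs to a different header, which a presence-only scan would miss.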