Monday, May 28, 2012

Clickjacking, XSS and CSRF: Increased Browser Security with HTTP Response Headers

There are at the moment some HTTP response headers that can help increase the security of web applications. Below is an example of a J2EE filter that brings extra protection against some Clickjacking, XSS and CSRF attacks. You should be able to send these headers (or variations of them according to your use case) from any programming language or web framework.

Of course not all browsers support this (all newest versions of modern browsers do support X-FRAME-OPTIONS, for example), nor is this a recipe to completely protect your application against these types of attacks. There is a knowledge war on the web, and those mastering a bigger amount of information will always win.
package com.nestorurquiza.web.filter;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class SecurityHeadersFilter implements Filter {

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        HttpServletResponse httpServletResponse = (HttpServletResponse) response;
        // Enable the browser's reflected-XSS filter and make it block the page instead of sanitizing it.
        httpServletResponse.setHeader("X-XSS-Protection", "1; mode=block");
        // Only allow this response to be framed by pages from the same origin (anti-clickjacking).
        // Header names are case-insensitive, so X-FRAME-OPTIONS and X-Frame-Options are equivalent.
        httpServletResponse.setHeader("X-FRAME-OPTIONS", "SAMEORIGIN");
        // Set the headers before passing control on, so they are present on every response this filter covers.
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
    }

    @Override
    public void init(FilterConfig config) throws ServletException {
    }
}
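The filter only sets the headers; it is also worth checking that they actually arrive with values a browser will honour. The following audit is an added example, not code from the original post: it parses the raw header block of a response (the sample responses are constructed here) and reports missing or weak X-Frame-Options and X-XSS-Protection values, including the ALLOW-FROM variant that not every browser honours.

```python
"""Audit the anti-clickjacking / anti-XSS response headers a server sends.

Added example (not from the original post). Given the raw header block of an
HTTP response, report whether X-Frame-Options and X-XSS-Protection are present
and carry values a browser will honour. Sample responses are constructed below.
"""
from typing import Dict, List

# Constructed sample: the headers the filter above produces.
SAMPLE_OK = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-FRAME-OPTIONS: SAMEORIGIN\r\n"
    "\r\n"
)
# Constructed sample: XSS filter switched off, framing allowed via ALLOW-FROM.
SAMPLE_WEAK = (
    "HTTP/1.1 200 OK\r\n"
    "X-XSS-Protection: 0\r\n"
    "X-Frame-Options: ALLOW-FROM https://partner.example\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> Dict[str, str]:
    """Map lower-cased header names to values; the status line is skipped and
    parsing stops at the blank line that ends the header block."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def audit(raw: str) -> List[str]:
    """Return findings for the response; an empty list means both headers look right."""
    h = parse_headers(raw)
    findings: List[str] = []
    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options missing: any site can frame this page (clickjacking)")
    else:
        token = xfo.split()[0].upper()
        if token == "ALLOW-FROM":
            findings.append("X-Frame-Options ALLOW-FROM is not honoured by every browser (e.g. Chrome)")
        elif token not in ("DENY", "SAMEORIGIN"):
            findings.append(f"X-Frame-Options has unrecognised value {xfo!r}")
    xss = h.get("x-xss-protection")
    if xss is None:
        findings.append("X-XSS-Protection missing: browser XSS filter left at its default")
    elif not xss.startswith("1"):
        findings.append(f"X-XSS-Protection {xss!r} disables the browser XSS filter")
    elif "mode=block" not in xss.replace(" ", "").lower():
        findings.append("X-XSS-Protection enabled without mode=block: page is sanitised, not blocked")
    return findings
```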

4 comments:

Unknown said...

Nice, but it seems there are some issues with IE8 and X-XSS-Protection 1; mode=block, see:
https://github.com/evilpacket/helmet/issues/26=

Nestor Urquiza said...

And that is exactly why we should not keep supporting old browsers as I have posted before http://thinkinginsoftware.blogspot.com/2013/03/web-security-for-everyone-mandatory-web.html

Jorge Pinon said...

Hey Nestor. We've been using this for a while now, but now need to allow a client to include our site in an iframe, unfortunately the Allow-from uri value is not supported in Chrome for X-FRAME-OPTIONS.

Just FYI

Nestor Urquiza said...

Thanks Jorge. Good to know. Definitely a lot to do still in this area. I would move away from iframe sharing in any case. Embedded JavaScript should be the way to go, with gadgets that consume information from external websites.
Cheers.
