Security Headers

HTTP Strict Transport Security (HSTS) header missing in response

HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTP (HTTPS) connections. The HSTS Policy is communicated by the server to the user agent via a HTTP response header field named "Strict-Transport-Security". HSTS Policy specifies a period of time during which the user agent shall access the server in only secure fashion.

Risk

The lack of HSTS allows downgrade attacks, SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking, SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections. A Malicious user able to modify a legitimate user's network traffic.

Solution

Add the following in the website's web.config

<system.webServer>
    <httpProtocol>
        <customHeaders>
            <add name="Strict-Transport-Security" value="max-age=15552001; include Subdomains; preload" />
        </customHeaders>
    </httpProtocol>
</system.webServer>

Server Information Disclosure in Response Headers

Server Information Disclosure can be used to gain information about a computer system on a network and the services running on its open ports. An Intruder can gain information about systems on a network host that are running versions of applications and operating systems with known exploits.

Risk

An attacker might use the disclosed information to harvest specific security vulnerabilities for the version identified.

Solution

Add the following in the website's web.config

<system.webServer>
    <security>

        <requestFiltering removeServerHeader="true">
    </security>
</system.webServer>

Content Security Policy missing in Response Headers

The HTTP Content-Security-Policy response header allows website administrators to control resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting attacks (Cross-site_scripting).

The policy can either be in the index.html file or web.config file. Specifying the same in both the files will result in conflict, which can lead the website to not load correctly.

index.html

<meta
  http-equiv="Content-Security-Policy"
  content="default-src 'self'; img-src https://*; child-src 'none';" />

web.config

<system.webServer>
    <httpProtocol>
        <customHeaders>
            <add name="Content-Security-Policy" value="default-src 'self';" />
        </customHeaders>

        <requestFiltering removeServerHeader="true">
    </httpProtocol>
</system.webServer>

Origin Header Validation and CORS

CORS, or Cross-Origin Resource Sharing, is a security mechanism that prevents web pages from making requests to a different domain than the one that served the web page. By default, web browsers enforce the same-origin policy, which means web pages can only make requests to resources within the same domain. CORS allows controlled exceptions to this policy, enabling web servers to specify who can access their resources.

As of now, there is no use case to support CORS in SheetKraft. Since the default policy of the browser is to disallow CORS, we do not believe there is any need to implement a CORS policy. Hence, we don't utilize the Origin request header, and as a result, we do not perform any validation on it.