Over the past few months, I’ve focused my attention upon how you can be safer while browsing the Internet. One of the most important recommendations that I have made is for you to reduce (or eliminate) the loading and execution of unsafe content. So I’ve recommended ad blockers, a plethora of browser add-ons, and even the hardening of your premise-based services (e.g., routers, NAS systems, IoT devices, and DNS). Of course, this only addresses one side of the equation (i.e., the demand side). In order to improve the ‘total experience’ for your customers, you will also need to harden the services that you provide (i.e., the supply side). And one of the most often overlooked mechanisms for improvement is the proper use of HTTP security headers.
Background
According to the Open Web Application Security Project (OWASP), content injection is still the single largest class of vulnerabilities that content providers must address. When coupled with cross-site scripting (XSS), it is clear that hostile content poses an existential threat to many organizations. Yes, consumers must block all untrusted content as it arrives at their browser. But every site owner should first ensure that they inform every client about the content that they will be sending. Once these declarations are made, the client (i,e, browser) can then act to trust or distrust the content that they receive.
The notion that a web site should declare the key characteristics of its content stream is nothing new. What we now call a content security policy (CSP) has been around for a very long time. Indeed, the fundamental descriptions of content security policies were discussed as early as 2004. And the first version of the CSP standard was published back in 2012.
CSP Standards Exist – But Are Not Universally Used
According to the White Hat 2018 “Website Security Statistics Report”, a number of industries still operate chronically vulnerable websites. White Hat estimates that 52% of Accommodations / Food Services web sites are “Always Vulnerable”. Moreover, an additional 7% of these websites are “Frequently Vulnerable” (ie., vulnerable for at least 263 days a year). Of course, that is the finding for one sector of the broader marketplace. But things are just as bad elsewhere. In the healthcare market, 50% of websites are considered “Always Vulnerable” with an additional 10% classified as “Frequently Vulnerable”.
Unfortunately, few websites actually use one of the most potent elements in their arsenal. Most website operators have established software upgrade procedures. And a large number of them have acceptable auditing and reporting procedures. But unless they are subject to regulatory scrutiny, few organizations have even considered implementing a real CSP.
Where To Start
So let’s assume that you run a small business. And you had your daughter/son, niece/nephew, friend of the family, or kid next door build your website. Chances are good that your website doesn’t have a CSP. To check this out for sure, you should go to https://securityheaders.com and see if you have appropriate security headers for your website.
In my case, I found that my website security posture was unacceptably low. [Note: As a National Merit Scholar and Phi Beta Kappa member, anything below A+ is unacceptable.] Consequently, I looked into how I could get a better security posture. Apart from a few minor tweaks, my major problem was that I didn’t have a good CSP in place.
Don’t Just Turn On A Security Policy
Whether you code the security headers in your .htaccess file or you use software to generate the headers automatically, you will be tempted to just turn on a security policy. While that is a laudable sentiment, I urge you not to do this – unless your site is not live. Instead, make sure that you use your proposed CSP in “report only” mode – as a starting point.
Of course, I chose the engineer’s path and just set up a default-src directive to allow only local content. Realistically, I just wanted to see content blocked. So I activated my CSP in “blocking” mode (i.e., not “report only”) mode. And as expected, all sorts of content was blocked – including the fancy sliders that I had implemented on my front page.
I quickly reset the policy to “report only” so that I could address the plethora of problems. And this time, I worked each problem one at a time. Surprisingly, it really did take some time. I had to determine which features came from which external sources. I then had to add these sources to the CSP. This process was very much like ‘whitelisting’ external sources in an ad blocker. But once I found all of the external sources, I enabled “blocking” mode. This time, my website functioned properly.
Bottom Line
In the final analysis, I learned a few important things.
- Security headers are an effective means of informing client browsers about the characteristics of your content – and your content sources. Consequently, they are an excellent means of displaying your content whitelist to any potential customer.
- Few website builders automatically generate security headers. There is no “Great and Powerful Oz” who will code all of this from behind the curtains – unless you specifically pay someone to do it. Few hosting platforms do this by default.
- Tools do exist to help with coding security headers – and content security policies. In the case of Wrodpress, I used HTTP Headers (by Dimitar Ivanov).
- While no single security approach can solve all security issues, using security headers should be added to the quiver of tools that you use when addressing website content security.
If you are interested in using a CSP for your website, I should probably note a few important things:
– Check out your site and its HTTP headers at https://securityheaders.com
– If you use a commercial CMS, you may have problems with a strong CSP. I use WordPress. And I had problems with plugins that mandated inline scripting. These included: Contact Form 7, Jetpack, Simple Share Buttons, and Soliloquy. I updated my suppliers and requested software upgrades that did not require inline scripting. In the meantime, I updated my CSP as follows: 1) I added ‘unsafe-inline’ in the script-src directive, and 2) I added ‘unsafe-inline’ in the style-src directive.
– Allowing inline scripts and styles is definitely not a best practice. But I double-checked a large number of key e-commerce sites. Almost all of them do allow inline content. THIS NEEDS TO CHANGE. But by explicitly allowing this, I can use the other advantages of a CSP. And I can hopefully work with the vendors so that I can use an SHA-256 validation.
– You might need to ignore X-Frame-Options – depending upon your plugins. I needed to add the Ignore X-Frame-Options Firefox addon so that site comments would once again work.
There are always challenges whenever you implement more restrictive policies. And implementing your CSP will be no different. I suggest setting aside ample time to test every feature of your (or your client’s) website – even if you have only a few plugins/add-ons to evaluate. Don’t just dismiss the testing. It could save you countless hours of re-work. And it could help to ensure that your clients’ experiences are exceptional.
As noted in the text of the post, you might want to run your CSP in report-only mode before you go public. After turning my CSP on, things looked great. Well, that changed when I went to do my very next post. Apparently, WordPress makes some assumptions about every new post. And these assumptions bit me in the arse. Apparently, the “New Post” page uses
https://code.jquery.com, https://use.fontawesome.com, and https://www.mojomarketplace.com. And since these were not part of the CSP that I tested, I could not compose any new content – until I updated the CSP. Takeaway: Make sure that you do comprehensive testing whenever you implement/update a CSP. Had I done so, I would have avoided quite a bit of frustration.