Tuesday, 19 January 2016

Why Do So Few Use Security Headers?

In recent months I've become increasingly perplexed as to why so few websites are employing security headers.  They are not a panacea, but the security benefit from their use is so large, and the effort required to employ them so small, that I can't see why they are not on the majority of sites that have data input fields.

One very recent blog entry by Paul Moore brought this into stark relief when he reported on a cross-site scripting problem on ASDA's website.  The issue demonstrated in his video shows just how easily a failure to validate input fields can be exploited, and in this case with a particularly troubling persistent XSS.

All developers make mistakes and we all forget to add checks.  Whether through ignorance or forgetfulness, there are many entry fields on websites that do insufficient data validation.  And on a large, complex website such mistakes are all the more likely, as different elements are delegated to small groups, although you would hope they would be picked up in the review process before going live.

This tendency makes it all the more worthwhile for websites to add the security headers that would mitigate any attempt by an attacker to exploit such a vulnerability.  These headers can be added centrally and affect the webpage's functionality minimally.  Even when a header does block something, it tends to fail gracefully: the browser refuses to process the malformed input rather than executing it.

I have heard some say that these headers are a case of "belt and braces" and so not really required.  But if you forget to put on your belt, it is good to be wearing braces.  And if you are dealing with people's sensitive personal data, then it really behoves you to take all the protections you can.

As a user you can check whether a website is employing these security headers by using the web site securityheaders.io.  If a website doesn't use the headers, it doesn't mean it is vulnerable to an XSS attack, but it should cause you to think carefully about what data you give it.  I'd also recommend that, to be safe, you have only the one tab open in your browser, just in case they have forgotten some piece of data validation.

Hardening your website's responses with these headers is not difficult to do.  There is simple-to-follow advice and plenty of cheat sheets.  You'd imagine that this would mean the majority of websites would employ this useful measure.  Not so.  I was genuinely shocked when, last year, I read the results of some work that Scott Helme did to see how widely these security headers were being used: he scanned the top 1 million most visited websites and found only a fraction of a percent were using them, a few hundred out of the million!

Results from Scott Helme Study


Some of these omissions are trivial, and some of the newer headers one can understand might not be used.  Likewise those sites that have no input fields and will never be susceptible to XSS probably won't suffer through an absence of these headers.  But out of the 1 million sites I can't believe that only a few hundred accept data input.

If you're running a website, it really is in your own interest to understand this old, well-understood vulnerability, and to use these simple solutions to prevent attackers intercepting your users' sensitive inputs.
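To make the two points above concrete, here is an added example (not code from the original post or from securityheaders.io) that does in miniature what that site does: it audits a response's headers for the common 2016-era security headers, flags weak values, and shows how a baseline set can be added centrally without overriding what the application already sets. The header list, the grading rules and the sample response are this example's own assumptions.

```python
from typing import Dict, List, Tuple

# Headers a typical hardening cheat sheet of the time expects, and what each mitigates.
EXPECTED = {
    "content-security-policy": "restricts where scripts may load from: the main XSS mitigation",
    "x-xss-protection": "turns on the browser's reflected-XSS filter (older browsers)",
    "x-content-type-options": "stops MIME sniffing of injected content",
    "x-frame-options": "blocks clickjacking by forbidding framing",
    "strict-transport-security": "forces HTTPS so headers and cookies cannot be stripped in transit",
}

# Baseline values a site could add centrally, e.g. at the reverse proxy (assumed values).
BASELINE = {
    "Content-Security-Policy": "default-src 'self'",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

def with_security_headers(response_headers: Dict[str, str]) -> Dict[str, str]:
    """Return a copy with the baseline added, keeping any header the app already set."""
    hardened = dict(response_headers)
    present = {k.lower() for k in hardened}
    for name, value in BASELINE.items():
        if name.lower() not in present:
            hardened[name] = value
    return hardened

def audit_headers(response_headers: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Return (missing, weak): expected headers that are absent, and present ones with weak values."""
    lowered = {k.lower(): v.strip() for k, v in response_headers.items()}
    missing = [h for h in EXPECTED if h not in lowered]
    weak: List[str] = []
    csp = lowered.get("content-security-policy", "")
    if "'unsafe-inline'" in csp:  # inline scripts allowed, so an injected <script> still runs
        weak.append("content-security-policy allows 'unsafe-inline'")
    if lowered.get("x-xss-protection", "").startswith("0"):
        weak.append("x-xss-protection explicitly disables the filter")
    if "x-content-type-options" in lowered and lowered["x-content-type-options"].lower() != "nosniff":
        weak.append("x-content-type-options is not 'nosniff'")
    hsts = lowered.get("strict-transport-security", "")
    if hsts:  # pull the max-age directive; anything under about six months is too short
        age = next((p.split("=", 1)[1].strip() for p in hsts.split(";")
                    if p.strip().lower().startswith("max-age=")), "0")
        if not age.isdigit() or int(age) < 15768000:
            weak.append("strict-transport-security max-age is short")
    return missing, weak

# Constructed sample: a response carrying only what a typical framework emits by default.
BARE_RESPONSE = {"Content-Type": "text/html; charset=utf-8", "Set-Cookie": "session=abc; HttpOnly"}
```

Running `audit_headers(BARE_RESPONSE)` reports all five headers missing, while `audit_headers(with_security_headers(BARE_RESPONSE))` reports nothing missing and nothing weak.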