Fundamentals Of HTTP Headers And Web Application Security - Cyber Security Blogs - Valency Networks - Best VAPT Penetration Testing Cyber Security Company - Pune Mumbai Hyderabad Delhi Bangalore Ahmedabad Kolkata India Dubai Bahrain Qatar Kuwait Singapore Australia USA UK Germany Croatia Botswana Mauritius

Author
Recent Posts

Latest posts by Soumya (see all)

SOC2 Compliance for Startups - 06/01/2020
Fundamentals Of HTTP Headers And Web Application Security - 03/01/2020
Basics Of IoT Security Threat Modelling - 03/01/2020

Fundamentals of HTTP Headers and Web Application Security

The notorious targets for all sorts of cyber attacks can be zeroed down to the web applications. The increasing pattern of cyber attacks has led us, to not just inculcate cyber security as a luxury, rather as a necessity for all the web developers and above all for those developers who are responsible for building the consumer-facing applications. In hand with the above fact, it is also true enough that as and when the world is becoming more and more interconnected, along with rise of online services there is also rise in personal and sensitive data being created in tones. All such changes give in to more vulnerabilities and risks which the cyber criminals easily exploit through techniques such as, cross-site scripting, man-in-the-middle attacks, cross-site request forgery, clickjacking, etc.
There are many things to consider while thinking about securing our web applications or sites, but a rather good place would be to start with the exploration and implementation of HTTP security headers that put in an extra layer of security. So, in order to tighten up the security of web applications, the HTTP headers can be put to leverage by just incorporating few lines of code which help in balancing both usability as well as security. These HTTP headers help prevent the modern browsers from encountering all sorts of vulnerabilities. Speaking in technical terms, the HTTP headers are just simple fields which are encoded in clear text and are said to be part of the request as well as response message headers in HTTP. Their design is such that they cause enablement of both HTTP server as well as client in order to have exchange of metadata based on parameters such as, connection that has to be established, resource that is being requested and resource that is being returned.
At times when a user wants to access a certain specific page from a server, the server in turn provides the response by giving the required content along with the response headers of HTTP which carry metadata such as status error codes, cache-control, etc. Now, a huge part of such headers are termed as security headers that provide instructions to the browsers about how it should behave while handling our website’s data as well as content. They play a major part in protecting us from threats and attacks such as, clickjacking, XSS, compromised website resources, drive-by-downloads, passive eavesdropping, compromised certificates, information disclosure to name a few. To wrap it all up it can be rightly put that these security centric headers help in empowering our browsers in making smarter decisions for the users.

⦁ X-XSS-Protection

It is a HTTP response header. This is characteristic of Internet Explorer, Chrome and Safari. Whenever there seems to be a chance of reflected XSS attacks or detection of such attacks, the browsers stop the loading of pages. This header provides a means of protection to the users who still use old browsers what lack privileges of having CSP (Content-Security-Policy) header.

Syntax:

X-XSS-Protection: 0
X-XSS-Protection: 1
X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; report=

The permitted sets of directives under this header are as follows;

0
This syntax indicates that we are disabling the XSS filtering.

1
This syntax would enable the XSS filtering privileges. This is found to be default in browsers. The browser would sanitize the pages if there is any detection of XSS attacks.

1; mode=block
This syntax would enable the XSS filtering privileges. But instead of sanitizing the pages, the browser would prevent the pages from loading if any attack is detected.

1; report=
This syntax would help XSS filtering possible. When there is any XSS attack detected, the browser would sanitize the pages thereby reporting the attack.

Example:

The syntax below blocks pages from loading when reflected XSS attacks are detected:

X-XSS-Protection: 1; mode=block

In PHP;

header(“X-XSS-Protection: 1; mode=block”);

In Nginx;

add_header “X-XSS-Protection” “1; mode=block”;
⦁ WWW-Authenticate

It is a HTTP response header that helps in defining the authentication method which must be used so as to gain access to a resource.
This header is sent along with a “401 Unauthorized” response status code.
Syntax:
WWW-Authenticate: realm=
The permitted sets of directives under this header are as follows;

The most common authentication type is Basic. Other authentication schemes maintained by IANA are; Bearer, Digest, HOBA, Mutual, Negotiate, OAuth, SCRAM-SHA-1, SCRAM-SHA-256 and vapid.
realm=
It provides a description of the area that needs to be protected.
charset=
It tells the client about the server’s preferred encoding scheme while submitting a username and password. Here, the only allowed value is “UTF-8″ which is a case insensitive string. This by no means is related to the encoding of the realm string.
Examples:
A server response typically contains a “WWW-Authenticate” header that looks like the below:
WWW-Authenticate: Basic
WWW-Authenticate: Basic realm=”Access to the staging site”, charset=”UTF-8″

⦁ Authorization

This is a HTTP request header that contains the credentials in order to authenticate a user with a server. It usually happens after the server has responded with “401 Unauthorized” status and the WWW-Authenticate header.
Syntax:
Authorization:
The directives permitted under this header are as follows;

The common one is Basic. Other authentication schemes maintained by IANA are; Bearer, Digest, HOBA, Mutual, Negotiate, OAuth, SCRAM-SHA-1, SCRAM-SHA-256 and vapid.

If the authentication type is Basic then the credentials is provided as;
Username:Password
Example; root:toor
Example:
Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1l

⦁ Proxy-Authenticate

It is a HTTP response header that defines the authentication method which should be employed so as to gain access to a resource behind a proxy server. It helps authenticate the request to the proxy server, thereby allowing it to transmit the request further.
This header is sent along with a “407 Proxy Authentication Required” status code.
Syntax:
Proxy-Authenticate: realm=
The directives permitted under this header are as follows;

The most common authentication type is Basic. Other authentication schemes maintained by IANA are; Bearer, Digest, HOBA, Mutual, Negotiate, OAuth, SCRAM-SHA-1, SCRAM-SHA-256 and vapid.
realm=
It provides a description of the area that needs to be protected.
Examples:
Proxy-Authenticate: Basic
Proxy-Authenticate: Basic realm=”Access to the internal site”

⦁ Proxy-Authorization

It is a HTTP request header that contains the credentials so as to authenticate a user to a proxy server. It happens usually after the server has responded with a 407 Proxy Authentication Required status and the Proxy-Authenticate header.
Syntax:
Proxy-Authorization:
The directives permitted under this header are as follows;

The common one is Basic. Other authentication schemes maintained by IANA are; Bearer, Digest, HOBA, Mutual, Negotiate, OAuth, SCRAM-SHA-1, SCRAM-SHA-256 and vapid.

If the authentication type is Basic then the credentials is provided as;
Username:Password
Example; root:toor
Example:
Proxy-Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1l

⦁ Content-Security-Policy(CSP)

It is a response header that allows all the website administrators to control resources that the user is allowed to load for a given page. With a very few exceptions, policies in most cases involve specifying the server origins and the script endpoints, which helps guard against XSS attacks.
Syntax:
Content-Security-Policy: ; The different types of directives that can be used with this header are as follows;
The first category is the “Fetch directives” that help in controlling locations from which few of the resource types may be loaded. These directives constitute connect-src, default-src, font-src, frame-src, img-src, manifest-src, media-src, object-src, script-src, style-src and worker-src.
The second category is the “Document Directives” that help in governing the properties of a document or worker environment to which a policy applies. These directives include base-uri, plugin-types and sandbox.
The third category is the “Navigation directives” that help in governing that to which location a user can possibly navigate to or be able to submit a form to (for example). It consists of form-action and frame-ancestors.
Other directives are block-all-mixed-content, require-sri-for and upgrade-insecure-requests.
Examples:
Disabling unsafe inline/eval and only allowing loading of resources (such as; images, fonts, scripts, etc.) over https:
// header
Content-Security-Policy: default-src https:
// meta tag

Not implementing the above policy yet; rather reporting violations that would have occurred:
Content-Security-Policy-Report-Only: default-src https:; report-uri /csp-violation-report-endpoint/

⦁ Content-Security-Policy-Report-Only

This is a response header which allows web developers to experiment with policies by monitoring (and not enforcing) their effects. These all violation reports consist of JSON documents sent through a HTTP POST request to the specified URI.
Syntax:
Content-Security-Policy-Report-Only: ; This header uses the same directives as those used by CSP. The report-uri directive of CSP should be used here so as make it functional.
Examples:
This header would help to report the various violations that have taken place. It helps us observe how our site behaves or responds, looking into the various reports regarding violations and then choosing the appropriate policy that would be applied by CSP header.
Content-Security-Policy-Report-Only: default-src https:; report-uri /csp-violation-report-endpoint/
But let’s say we want to get the reports as well as enforce the policy, then we use CSP header along with report-uri directive such as;
Content-Security-Policy: default-src https:; report-uri /csp-violation-report-endpoint/
Violation Report Syntax:
The report JSON object constitutes the following data such as; blocked-uri, disposition, document-uri, effective-directive, original-policy, referrer, script-sample, status-code and violated-directive.

⦁ Public-Key-Pins
This is a response header that associates a specific kind of cryptographic public key with a certain web server so as to decrease the risk of MITM attacks by implementing forged certificates. If for example, one or several keys are pinned and none of them are used by the server, the browser will not by any means accept the response as legitimate, and will thereby not display it.
Public-Key-Pins: pin-sha256=”“;
max-age=;
includeSubDomains;
report-uri=””
The various directives that are permitted under this header are as follows;
pin-sha256=””
The term “pin-value” is the Base64 encoded Subject Public Key Information (SPKI) fingerprint. Multiple pins can be specified for different public keys.
max-age=
This provides the time in seconds, that the browser should remember that this site is only to be accessed using one of the defined keys.
includeSubDomains (Optional)
If this parameter is put to use, the rule would be applied to all of the site’s subdomains too.
report-uri=”” (Optional)
If this parameter is used, then pin validation failures would be reported to the specified URL.
Example:
Public-Key-Pins:
pin-sha256=”cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs=”;
pin-sha256=”M8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE=”;
max-age=5184000; includeSubDomains;
report-uri=”https://www.example.org/hpkp-report”
⦁ Strict-Transport-Security
It is a HTTP response header (often written as HSTS) that allows a website inform browsers that it should only be accessed using HTTPS rather than using HTTP.
Syntax:
Strict-Transport-Security: max-age=
Strict-Transport-Security: max-age=; includeSubDomains
Strict-Transport-Security: max-age=; preload
The permitted sets of directives used under this header are as follows;
max-age=
This is the time in seconds format, that the browser should remember that a website is only to be accessed using HTTPS.
includeSubDomains (Optional)
If this parameter is put to use, then the rule would be applied to all of the site’s subdomains as well.
preload (Optional)
It is not a part of HSTS specification and by no means be considered as official.
Description:
When a website accepts a connection with the use of HTTP and redirects to HTTPS, chances are the users may initially communicate with the non-encrypted version of the website before being redirected to the safer version. For example, the user types in http://www.foo.com/ or may be just foo.com. This would create a chance for a man-in-the-middle attack. The redirect that takes place could be exploited to direct the users to a malicious site rather than redirecting them to the secure version of the former website.
The HTTP Strict Transport Security header provides direction to the browser by informing that it should never load or render a website using HTTP. It should automatically convert all attempts made to access the website using HTTP to HTTPS requests instead.

Example Case:
We log into a free WiFi access point facility at an airport and start using it by surfing through the web, while visiting our online banking service in order to check our balance or let’s suppose to pay a couple of bills. But, let’s assume unfortunately the access point we are using is in reality a hacker’s laptop, and he/she is intercepting our original HTTP request and thereby redirecting us to a lookalike or clone of our bank’s website rather than the original deal. So, now our private data gets exposed to the hacker.
Strict Transport Security helps resolve this issue. That is, if we have accessed our bank’s website once using HTTPS, and the bank’s web site uses Strict Transport Security, our browser would know to automatically use only HTTPS, which would prevent hackers from performing man-in-the-middle attack.
How the browser handles it
When for the first time our website is accessing with the use of HTTPS, it returns the Strict-Transport-Security header, which the browser records, so that the future attempts made to load the website using HTTP will automatically use HTTPS instead.
On expiration of the allotted time as specified by Strict-Transport-Security header, the next request made to render the website through HTTP will commence as normal instead of automatically using HTTPS.
Whenever the header is delivered to the browser, it would update the expiration time for that website. So, websites can refresh this received information and prevent the timeout from expiring. In order to disable Strict Transport Security, setting the max-age to 0 would immediately expire the Strict-Transport-Security header, thereby allowing access via HTTP.
Example:
Strict-Transport-Security: max-age=31536000; includeSubDomains
All pages and sub-domains would be loaded when used via HTTPS for duration of 1 year. The pages demanding access via HTTP would be prevented.

⦁ X-Content-Type-Options

This is a response HTTP header which is used as a marker by the server in order to indicate that the MIME types which are advertised in the Content-Type headers should not be changed and be followed. This header allows to opt-out of MIME type sniffing.
This header came into existence when it was introduced by Microsoft in IE 8 as a way for webmasters so as to block content sniffing that was taking place and could transform non-executable MIME types into executable ones. Other browsers also started introducing it since then, even if their MIME sniffing algorithms were less aggressive.
The site security testers mostly expect this header to be set.
On using this header we can prevent the browser from interpreting files as something else than declared by the content type in the HTTP headers.
Syntax:
X-Content-Type-Options: nosniff
This value “nosniff” will prevent the browser from MIME-sniffing a response away from the declared content-type.
The directive under this header is;
nosniff
This helps in blocking a request if the requested type is;
⦁ “style” and the MIME type is not “text/css”, or
⦁ “script” and the MIME type is not a ⦁ JavaScript MIME type.

⦁ X-Frame-Options
It is a HTTP response header. It is helpful in indicating whether or not a web browser should be allowed to render or load a page in a , or <object> . By using this sites can avoid clickjacking attacks, by making sure that their content is not embedded into other sites.<br /> There are three prevalent directives made available for this header which are as follows;<br /> X-Frame-Options: DENY<br /> Even though the site would be attempting to load the page, it cannot be displayed in a frame.<br /> X-Frame-Options: SAMEORIGIN<br /> The page is allowed to be only displayed in a frame that must be from the same origin as the page itself.<br /> X-Frame-Options: ALLOW-FROM https://example.com/<br /> Or; ALLOW-FROM uri<br /> The page is only displayed in a frame on the origin that is specifically or explicitly mentioned. A point to be noted is that in Firefox this still is an issue as it suffers from the same problem as SAMEORIGIN did, which is, it does not check the frame ancestors to verify if they belong to the same origin or not.<br /> Example (Configuring Apache):<br /> In order to configure Apache so as to send the X-Frame-Options header for all pages, the below syntax is added to our site’s configuration:<br /> Header always set X-Frame-Options SAMEORIGIN<br /> In order to configure Apache so as to set the X-Frame-Options deny, the below syntax is added to our site’s configuration:<br /> Header set X-Frame-Options DENY<br /> In order to configure Apache so as to set the X-Frame-Options to ALLOW-FROM a specific Host, the below syntax is added to our site’s configuration:<br /> Header set X-Frame-Options “ALLOW-FROM https://example.com/”<br /> In order to configure nginx so as to send the X-Frame-Options header, the syntax below is either added to our http, server or location configuration:<br /> add_header X-Frame-Options SAMEORIGIN;<br /> ⦁ Upgrade-Insecure-Requests<br /> This is a request header that sends a signal to the server informing or expressing the client’s preference for an encrypted and authenticated response and also that it can handle the upgrade-insecure-requests CSP directive successfully.<br /> Syntax:<br /> Upgrade-Insecure-Requests: 1<br /> Example:<br /> A client sends requests by signaling to the server that it supports the upgrade mechanisms of upgrade-insecure-requests:<br /> GET / HTTP/1.1<br /> Host: example.com<br /> Upgrade-Insecure-Requests: 1<br /> The server mentioned above can now successfully redirect to a secure version of the site. A Vary header can be used so that the site isn’t served by caches to clients that don’t support the upgrade mechanism.<br /> Location: https://example.com/<br /> Vary: Upgrade-Insecure-Request</p> <p>⦁ X-Permitted-Cross-Domain-Policies<br /> Cross-domain policy files are XML documents that grant a web client, such as Adobe Flash Player or Adobe Acrobat, etc. permission to handle data across domains. When clients request content hosted on a particular source domain and that content make requests directed towards a domain other than its own, the remote domain needs to host a cross-domain policy file that grants access to the source domain, allowing the client to continue the transaction. Normally a meta-policy is declared in the master policy file, but for those who can’t write to the root directory, they can also declare a meta-policy using the X-Permitted-Cross-Domain-Policies HTTP response header.<br /> Syntax:<br /> X-Permitted-Cross-Domain-Policies: none<br /> The permitted values that are accepted by the header are as follows;<br /> none<br /> No policy files are allowed anywhere on the target server, including this master policy file.<br /> master-only<br /> Only this master policy file is allowed.<br /> by-content-type<br /> [HTTP/HTTPS only] Only policy files served with Content-Type: text/x-cross-domain-policy are allowed.<br /> by-ftp-filename<br /> [FTP only] Only policy files whose file names are crossdomain.xml (i.e. URLs ending in /crossdomain.xml) are allowed.<br /> all<br /> All policy files on this target domain are allowed.</p> <p>⦁ Referrer-Policy<br /> This is a HTTP header that governs which referrer information that is sent in the “Referer” header, must be included with the requests made.<br /> Syntax:<br /> Referrer-Policy: no-referrer<br /> Referrer-Policy: no-referrer-when-downgrade<br /> Referrer-Policy: origin<br /> Referrer-Policy: origin-when-cross-origin<br /> Referrer-Policy: same-origin<br /> Referrer-Policy: strict-origin<br /> Referrer-Policy: strict-origin-when-cross-origin<br /> Referrer-Policy: unsafe-url</p> <p>The permitted sets of directives are as follows;</p> <p>no-referrer<br /> Here, “Referer” header would be entirely omitted. Along with requests no referrer information is sent.<br /> no-referrer-when-downgrade<br /> It is the default behavior of an user agent when no policy is specified. Here, the origin is sent as referrer to a-priori as-much-secure destination (HTTPS->HTTPS), whereas it isn’t sent to a less secure destination (HTTPS->HTTP).<br /> Origin<br /> Here, only the origin of the document is sent as referrer in all cases. For example, the document “https://example.com/page.html” would send a referrer “https://example.com/”.<br /> origin-when-cross-origin<br /> It sends a full URL while performing a same-origin request, whereas it sends only the origin of the document for all other cases.<br /> same-origin<br /> A referrer will be sent for same-site origins, but cross-origin requests will contain no referrer information.</p> <p>strict-origin<br /> Here, it only sends the origin of the document as the referrer to a-priori as-much-secure destination (HTTPS->HTTPS), but does not send it to a less secure destination (HTTPS->HTTP).<br /> strict-origin-when-cross-origin<br /> It helps in sending a full URL while performing a same-origin request, while only sending the origin of the document to a-priori as-much-secure destination (HTTPS->HTTPS), and sending no header to a less secure destination (HTTPS->HTTP).<br /> unsafe-url<br /> Here it helps in sending a full URL (stripped from parameters) while performing a same-origin or cross-origin request.<br /> Examples:</p> <p>⦁ Expect-CT</p> <p>The Expect-CT header is used by a server to indicate that browsers should evaluate connections to the host emitting the header for Certificate Transparency compliance.<br /> Syntax:<br /> Expect-CT: report-uri=”<uri>“,<br /> enforce,<br /> max-age=<age></p> <p> The values that are permitted for this header are described as follows;<br /> max-age<br /> This directive specifies number of seconds after the reception of the Expect-CT header field during which the browser must regard the host from whom the message was received as a Known Expect-CT Host.<br /> enforce<br /> The directive is optional and a valueless directive that, if present, signals to the browser that compliance to the CT Policy should be enforced (rather than report-only) and that the browser should refuse future connections that violate its CT Policy. When both the enforce directive and report-uri directive are present, the configuration is referred to as an “enforce-and-report” configuration, signalling to the browser that compliance to the CT Policy should be enforced and that violations should be reported.<br /> Report-uri<br /> The directive is optional and indicates the URL to which the browser should report Expect-CT failures.<br /> Example:<br /> The example below signifies the enforcement of Certificate Transparency for 24 hours and reports violations to “foo.example”.<br /> Expect-CT: max-age=86400, enforce, report-uri=”https://foo.example/report”</p> <p>⦁ Access-Control-Allow-Origin</p> <p>This is a response header that indicates whether or not the response that is received can be shared with resources with the given origin.<br /> Syntax:<br /> Access-Control-Allow-Origin: *<br /> Access-Control-Allow-Origin: <origin><br /> The directives taken into consideration are;<br /> *<br /> For requests that lack credentials, the server may specify “*” as a wildcard which would allow any origin to access the resource.<br /> <origin><br /> This directive specifies an uri that may access the resource.<br /> Examples:<br /> In order to allow any resource to access our resource, we can simply specify:<br /> Access-Control-Allow-Origin: *<br /> In order to allow https://developer.mozilla.org to access our resource, we can mention as below:<br /> Access-Control-Allow-Origin: https://developer.mozilla.org</p> <p>⦁ Set-Cookie</p> <p>This is a HTTP response header that is used so that cookies can be sent from the server to the user agent.<br /> Syntax:<br /> Set-Cookie: <cookie-name>=<cookie-value><br /> Set-Cookie: <cookie-name>=<cookie-value>; Expires=<date><br /> Set-Cookie: <cookie-name>=<cookie-value>; Max-Age=<non-zero-digit><br /> Set-Cookie: <cookie-name>=<cookie-value>; Domain=<domain-value><br /> Set-Cookie: <cookie-name>=<cookie-value>; Path=<path-value> Set-Cookie: <cookie-name>=<cookie-value>; Secure<br /> Set-Cookie: <cookie-name>=<cookie-value>; HttpOnly </p> <p>Set-Cookie: <cookie-name>=<cookie-value>; SameSite=Strict<br /> Set-Cookie: <cookie-name>=<cookie-value>; SameSite=Lax </p> <p>Multiple directives can also be made available, for example:<br /> Set-Cookie: <cookie-name>=<cookie-value>; Domain=<domain-value>; Secure; HttpOnly</p> <p>The various directives that are employed by this header are;<br /> <cookie-name><br /> It can be any US-ASCII characters except control characters (CTLs), spaces, or tabs. It also should not contain separator characters such as: ( ) < > @ , ; : \ ” / [ ] ? = { }.<br /> <cookie-value><br /> It can be optionally set in double quotes and any US-ASCII characters excluding CTLs, whitespace, double quotes, comma, semicolon, and backslash can be allowed.<br /> Expires=<date> (Optional)<br /> This is the maximum lifetime of the cookie as an HTTP-date timestamp. If this is not specified, the cookie will have the same lifetime as that of a session cookie. When we put up an expiry date, the time and date set is relative to the client the cookie is being set on, not the server.<br /> Max-Age=<number> (Optional)<br /> This indicates the number of seconds until the cookie expires. A zero value or negative number indicates that the cookie will expire immediately.<br /> Domain=<domain-value> (Optional)<br /> This directive is going to specify those hosts to which the cookie will be sent. If it is not specified, the default would be the host portion of the current document location (excluding subdomains).<br /> Path=<path-value> (Optional)<br /> This directive signifies an URL path which should exist in the requested resource before sending the Cookie header.<br /> Secure (Optional)<br /> This indicates that a secure cookie will be sent to the web server only when a request is made through use of SSL and HTTPS protocols.<br /> HttpOnly (Optional)<br /> HTTP-only cookies aren’t accessible through JavaScript using the “Document.cookie” property.<br /> Example:<br /> Set-Cookie: sessionid=38afes7a8; HttpOnly; Path=/<br /> Set-Cookie: id=a3fWa; Expires=Wed, 21 Oct 2015 07:28:00 GMT; Secure; HttpOnly</p> <p>⦁ Cache-Control<br /> It is a general-header that is used to specify directives for both caching mechanisms that is requests and responses. The caching directives are unidirectional, which means that a given directive in a request is not implying that the same directive is to be given in the response.<br /> Syntax:<br /> Directives here are case insensitive. They have an optional argument that uses both token and quoted-string syntax. When there are multiple directives, they are separated by comma.<br /> Syntax for Cache-Control directives that the client uses in a HTTP request are as follows;<br /> Cache-Control: max-age=<seconds><br /> Cache-Control: max-stale[=<seconds>]<br /> Cache-Control: min-fresh=<seconds><br /> Cache-Control: no-cache<br /> Cache-Control: no-store<br /> Cache-Control: no-transform<br /> Cache-Control: only-if-cached<br /> Syntax for Cache-Control directives that the server uses in a HTTP response are as follows;<br /> Cache-Control: must-revalidate<br /> Cache-Control: no-cache<br /> Cache-Control: no-store<br /> Cache-Control: no-transform<br /> Cache-Control: public<br /> Cache-Control: private<br /> Cache-Control: proxy-revalidate<br /> Cache-Control: max-age=<seconds><br /> Cache-Control: s-maxage=<seconds></p> <p>Descriptions for the directives dealing with “cacheability” are as follows;<br /> public<br /> This indicates that the response may be cached by any cache.<br /> private<br /> This indicates that the response is meant for a single user only and shouldn’t be stored by a shared cache. A private cache may store the response.<br /> no-cache<br /> It forces caches to submit the request to the origin server for validation before releasing a cached copy.<br /> only-if-cached<br /> It indicates to not retrieve new data. This being the case, the server wishes the client to obtain a response only once and then cache. From this moment the client should keep releasing a cached copy and avoid contacting the origin-server to see if a newer copy exists.<br /> Descriptions for the directives dealing with “expiration” are as follows;<br /> max-age=<seconds><br /> This specifies the maximum amount of time a resource can be considered fresh. Contrary to Expires direvtive, this one is relative to the time of the request.<br /> s-maxage=<seconds><br /> It overrides max-age or the Expires header, but is only applicable to shared caches (e.g., proxies) and is ignored by a private cache.<br /> max-stale[=<seconds>]<br /> It indicates that the client is willing and ready to accept a response that has exceeded its expiration time.<br /> min-fresh=<seconds><br /> It indicates that the client wants a response that will still be fresh for at least the specified number of seconds.</p> <p>Descriptions for the directives dealing with revalidation and reloading are as follows;<br /> must-revalidate<br /> As per this directive the cache must verify the status of the stale resources before using it. The ones that are expired shouldn’t be used.<br /> proxy-revalidate<br /> It is same as must-revalidate, but with a difference that it applies to only shared caches such as proxies and is ignored by a private cache.<br /> Descriptions for the other directives are as follows;<br /> no-store<br /> Here, the cache shouldn’t store anything about the client request or server response.<br /> no-transform<br /> In here no transformations or conversions should be made to the resource.<br /> Examples:<br /> Cache-Control: no-cache, no-store, must-revalidate<br /> Cache-Control: public, max-age=31536000</p> <p>⦁ Access-Control-Allow-Credentials</p> <p>It is a response header that indicates whether or not the response to the request made can be exposed to the page. When the true value is returned, it can be exposed.<br /> Here, the credentials can be considered as cookies, authorization headers or TLS client certificates.<br /> Syntax:<br /> Access-Control-Allow-Credentials: true<br /> The directive used with this header is;<br /> true<br /> Over here, the only valid value for this header is true which is case-sensitive. If credentials are not needed then it’s better to omit this header completely instead of setting its value to false.<br /> Example:<br /> Access-Control-Allow-Credentials: true</p> <p>⦁ ETag</p> <p>This HTTP response header is considered to be an identifier for a specific version of a resource. It allows caches to be more efficient while also saving bandwidth, as a web server does not need to send a full response if the content has not changed. On the other hand, for suppose the content has changed, these headers are useful to help prevent simultaneous updates of a resource from overwriting each other (“mid-air collisions”).<br /> If the resource at a given URL changes, a new Etag value must be generated. These are therefore similar to fingerprints which might also be used for tracking purposes by some servers.<br /> Syntax:<br /> ETag: W/”<etag_value>”<br /> ETag: “<etag_value>”<br /> The directives permitted under this header are as follows;<br /> W/ (Optional)<br /> ‘W/’ which is case-sensitive signifies that a weak validator is used. Weak validators are easy to generate but not that useful for comparisons. Strong validators are ideal for comparisons but are very difficult to generate efficiently. Weak Etag values of two representations for the same resources might be semantically equivalent whereas not byte-for-byte identical.<br /> “<etag_value>”<br /> These entity tags uniquely represent the requested resources. They are a string of ASCII characters which are placed between double quotes such as “675af34563dc-tr34”. The method by which ETag values are generated is not perfectly specified that is, sometimes; a hash of the content, a hash of the last modification timestamp, or just a revision number is used.<br /> Examples:<br /> ETag: “33a64df551425fcc55e4d42a148795d9f25f89d4”<br /> ETag: W/”0815”</p> <p>⦁ Vary</p> <p>It is a HTTP response header. It signifies how we would match a future request header so as to decide whether a cached response can be put to use instead of requesting or asking from the origin server. This can be used by server to point out what all headers it used while selecting a representation of a resource in a content negotiation algorithm.<br /> This header should be set on “304 Not Modified” response exactly like it would have been set on an equivalent “200 OK” response.<br /> Syntax:<br /> Vary: *<br /> Vary: <header-name>, <header-name>, …<br /> The permitted directives are as follows;<br /> *<br /> Each request for an URL is supposed to be treated as a unique and un- cacheable request. <br /> <header-name> A comma-separated list of header names that has to be taken into account while deciding whether or not a cached response can be used.<br /> Example:<br /> Vary: User-Agent<br /> When we are using “Vary: User-Agent” header, caching servers should take into consideration the user agent while deciding whether to serve the page from cache. For example, if we are serving different content to mobile users, it can help us to avoid that a cache may mistakenly serve a desktop version of our site to our mobile users. </p> <p>⦁ Pragma</p> <p>This is a HTTP/1.0 general header. It is classified as an implementation-specific header which may have diverse effects along the request-response chain. This header is used for backwards compatibility with HTTP/1.0 caches in situations when the Cache-Control HTTP/1.1 header is not yet present.<br /> Syntax:<br /> Pragma: no-cache<br /> The directive mentioned under this header is;<br /> no-cache</p> <p>It is same as Cache-Control: no-cache. Before releasing a cached copy, it forces caches to submit the request to the origin server for validation purposes. </p> <p>Example:</p> <p>Pragma: no-cache</p> <p>⦁ Expires</p> <p>This header encompasses the date/time after which the response is considered stale.</p> <p>Invalid dates, such as the value 0, indicate a date in the past which means that the resource is already expired.</p> <p>If there is a presence of Cache-Control header having directives such as “max-age” or “s-maxage” in the response, the Expires header is ignored.</p> <p>An expiration time in the past or just the specification of the value 0 would work so as to prevent caching.</p> <p>Syntax:</p> <p>Expires: <http-date></p> <p>The directive under this header is;<br /> <http-date></p> <p>It provides an HTTP-date timestamp.</p> <p>Example:</p> <p>Expires: Wed, 21 Oct 2015 07:28:00 GMT</p> <p>⦁ Access-Control-Allow-Headers</p> <p>This response header is helpful as a response to a preflight request by indicating which HTTP headers can be actually used during the actual request.</p> <p>This header is required if the request has an Access-Control-Request-Headers header.</p> <p>Syntax:</p> <p>Access-Control-Allow-Headers: <header-name>, <header-name>, …</p> <p>The directive listed under this header is;</p> <header-name> <p>It indicates a comma-delimited list of all the supported request headers.</p> <p>Example:</p> <p>Access-Control-Allow-Headers: X-Custom-Header</p> <p>⦁ Access-Control-Allow-Methods</p> <p>This is a response header which specifies a method or methods that are allowed while accessing the resource in response to a preflight request.</p> <p>Syntax:</p> <p>Access-Control-Allow-Methods: <method>, <method>, …</p> <p>The directive under this header is;<br /> <method></p> <p>It is a comma-delimited list of all allowed HTTP request methods.</p> <p>Example:</p> <p>Access-Control-Allow-Methods: POST, GET, OPTIONS</p> <p>⦁ Access-Control-Expose-Headers</p> <p>This is a response header helps indicating what all headers can be exposed as a part of the response by listing their names.<br /> By default, the 6 simple response headers that are exposed include; Cache-Control, Content-Language, Content-Type, Expires, Last-Modified and Pragma.<br /> If we want clients so as to be able to access various other headers, we have to list them using this header.<br /> Syntax:<br /> Access-Control-Expose-Headers: <header-name>, <header-name>, …<br /> The directive under this header is;<br /> <header-name> Provides a list of all the exposed headers consisting of zero or more header names other than the simple response headers that the resource might use and can be exposed.<br /> Examples:<br /> In order to expose a non-simple response header, we can specify:<br /> Access-Control-Expose-Headers: Content-Length<br /> In order to additionally expose a custom header, such as X-Kuma-Revision, we can specify multiple headers separated by a comma such as below;<br /> Access-Control-Expose-Headers: Content-Length, X-Kuma-Revision</p> <p>⦁ Access-Control-Max-Age</p> <p>This is a response header that indicates how long the results of a preflight request (i.e. the information contained in the “Access-Control-Allow-Methods” and “Access-Control-Allow-Headers” headers) can be cached.<br /> Syntax:<br /> Access-Control-Max-Age: <delta-seconds><br /> The directive listed under this header includes;<br /> <delta-seconds><br /> It signifies the number of seconds the results can be cached.<br /> Firefox caps this header value at 24 hours (i.e. 86400 seconds) and Chromium at a value of 10 minutes (i.e. 600 seconds). Chromium also specifies a default value of 5 seconds.<br /> A value of -1 would disable caching, thereby requiring a preflight OPTIONS check for all calls.<br /> Example:<br /> Access-Control-Max-Age: 600<br /> The above example indicates that the results of a preflight request will be cached for 10 minutes.</p> <p>⦁ Access-Control-Request-Headers</p> <p>This request header is used while issuing a preflight request so as to let the server know what all HTTP headers will be used when the actual request is made.<br /> Syntax:<br /> Access-Control-Request-Headers: <header-name>, <header-name>, …<br /> The directive listed under this header is;<br /> <header-name> It provides a comma-delimited list of HTTP headers which are included in the request.<br /> Example:<br /> Access-Control-Request-Headers: X-PINGOTHER, Content-Type</p> <p>⦁ Access-Control-Request-Method</p> <p>This is a request header that is used when issuing a preflight request so as to let the server know which HTTP method would be used when the actual request is made. This header is of importance as the preflight request is always an OPTIONS (a HTTP method that is used to describe the communication options available for the target resource) and also it does not use the same method as the actual request.<br /> Syntax:<br /> Access-Control-Request-Method: <method><br /> The directive under this header includes;<br /> <method><br /> It provides one of the HTTP request methods, such as; GET, POST, or DELETE.<br /> Example:<br /> Access-Control-Request-Method: POST</p> <p>⦁ Allow</p> <p>This header lists down the set of methods supported by a resource.<br /> The Allow header should be sent when the server responds with a “405 Method Not Allowed” status code to indicate which request methods can be used. An empty Allow header signifies that the resource allows no request methods that might occur temporarily for a given resource as an example.<br /> Syntax:<br /> Allow: <http-methods><br /> The directive listed under this header is;<br /> <http-methods><br /> It provides a list of all the allowed HTTP request methods.<br /> Example:<br /> Allow: GET, POST, HEAD</p> <p>⦁ Content-Type</p> <p>This is a header which is used for indicating the media type of the resource. In requests like, POST or PUT, the client informs or tells the server what type of data is actually sent.<br /> Syntax:<br /> Content-Type: text/html; charset=utf-8<br /> Content-Type: multipart/form-data; boundary=something<br /> The permitted sets of directives listed under this header are as follows;<br /> media-type<br /> It represents the MIME type of the resource or the data.<br /> charset<br /> It signifies the character encoding standard.<br /> boundary<br /> This directive is required for multipart entities that consist of 1 to 70 characters from a set of characters which are known to be very robust through email gateways while not ending with white space. It can be also used to encapsulate the boundaries of the multiple parts of the message.</p> </div> </div> </div> </article> <nav class="navigation post-navigation" aria-label="Posts"> <h2 class="screen-reader-text">Post navigation</h2> <div class="nav-links"><div class="nav-previous"><a href="http://www.valencynetworks.com/blogs/e-commerce-website-pentesting-final/" rel="prev"><span class="nav-subtitle">Previous:</span> <span class="nav-title">E-commerce Website Pentesting Final</span></a></div><div class="nav-next"><a href="http://www.valencynetworks.com/blogs/fundamentals-of-iso-27001/" rel="next"><span class="nav-subtitle">Next:</span> <span class="nav-title">Fundamentals Of ISO 27001</span></a></div></div> </nav> </main> <aside id="secondary" class="widget-area"> <div class="widget widget_search"><div class="widget-content"><h2 class="widget-title">Search by ketwords</h2><form role="search" method="get" class="search-form" action="http://www.valencynetworks.com/blogs/"> <label> <span class="screen-reader-text">Search for:</span> <input type="search" class="search-field" placeholder="Search …" value="" name="s" /> </label> <input type="submit" class="search-submit" value="Search" /> </form></div></div><div class="widget widget_categories"><div class="widget-content"><h2 class="widget-title">Category</h2> <ul> <li class="cat-item cat-item-46"><a href="http://www.valencynetworks.com/blogs/category/cloud-security/">Cloud Security</a> </li> <li class="cat-item cat-item-50"><a href="http://www.valencynetworks.com/blogs/category/code-security/">Code Security</a> </li> <li class="cat-item cat-item-42"><a href="http://www.valencynetworks.com/blogs/category/compliance/">Compliance</a> </li> <li class="cat-item cat-item-49"><a href="http://www.valencynetworks.com/blogs/category/cyber-attacks-explained/">Cyber Attacks Explained</a> </li> <li class="cat-item cat-item-52"><a href="http://www.valencynetworks.com/blogs/category/cyber-forensics/">Cyber Forensics</a> </li> <li class="cat-item cat-item-45"><a href="http://www.valencynetworks.com/blogs/category/iot-security/">IoT Security</a> </li> <li class="cat-item cat-item-58"><a href="http://www.valencynetworks.com/blogs/category/mobile-app-security/">Mobile App Security</a> </li> <li class="cat-item cat-item-48"><a href="http://www.valencynetworks.com/blogs/category/open-source-security/">Open Source Security</a> </li> <li class="cat-item cat-item-57"><a href="http://www.valencynetworks.com/blogs/category/phishing/">Phishing</a> </li> <li class="cat-item cat-item-44"><a href="http://www.valencynetworks.com/blogs/category/scada-security/">SCADA Security</a> </li> <li class="cat-item cat-item-8"><a href="http://www.valencynetworks.com/blogs/category/tech/">Tech</a> </li> <li class="cat-item cat-item-35"><a href="http://www.valencynetworks.com/blogs/category/technology/">Technology</a> </li> <li class="cat-item cat-item-51"><a href="http://www.valencynetworks.com/blogs/category/tools/">Tools</a> </li> <li class="cat-item cat-item-1"><a href="http://www.valencynetworks.com/blogs/category/uncategorized/">Uncategorized</a> </li> <li class="cat-item cat-item-43"><a href="http://www.valencynetworks.com/blogs/category/vapt/">VAPT</a> </li> <li class="cat-item cat-item-47"><a href="http://www.valencynetworks.com/blogs/category/web-security/">Web Security</a> </li> <li class="cat-item cat-item-55"><a href="http://www.valencynetworks.com/blogs/category/web-vapt/">Web VAPT</a> </li> <li class="cat-item cat-item-54"><a href="http://www.valencynetworks.com/blogs/category/webinar/">Webinar</a> </li> </ul> </div></div><div class="widget widget_calendar"><div class="widget-content"><div id="calendar_wrap" class="calendar_wrap"><table id="wp-calendar" class="wp-calendar-table"> <caption>April 2024</caption> <thead> <tr> <th scope="col" title="Monday">M</th> <th scope="col" title="Tuesday">T</th> <th scope="col" title="Wednesday">W</th> <th scope="col" title="Thursday">T</th> <th scope="col" title="Friday">F</th> <th scope="col" title="Saturday">S</th> <th scope="col" title="Sunday">S</th> </tr> </thead> <tbody> <tr><td>1</td><td>2</td><td>3</td><td>4</td><td>5</td><td>6</td><td>7</td> </tr> <tr> <td>8</td><td>9</td><td>10</td><td>11</td><td>12</td><td>13</td><td>14</td> </tr> <tr> <td>15</td><td>16</td><td><a href="http://www.valencynetworks.com/blogs/2024/04/17/" aria-label="Posts published on April 17, 2024">17</a></td><td>18</td><td>19</td><td>20</td><td>21</td> </tr> <tr> <td>22</td><td>23</td><td>24</td><td>25</td><td id="today"><a href="http://www.valencynetworks.com/blogs/2024/04/26/" aria-label="Posts published on April 26, 2024">26</a></td><td>27</td><td>28</td> </tr> <tr> <td>29</td><td>30</td> <td class="pad" colspan="5"> </td> </tr> </tbody> </table><nav aria-label="Previous and next months" class="wp-calendar-nav"> <span class="wp-calendar-nav-prev"><a href="http://www.valencynetworks.com/blogs/2024/03/">« Mar</a></span> <span class="pad"> </span> <span class="wp-calendar-nav-next"> </span> </nav></div></div></div></aside> </div> </div> <footer id="colophon" class="site-footer"> <div class="footer-wrapper block-gap"> <div class="container"> <div class="column-1"> <div class="widget-column"> <div id="recent-posts-2" class="widget footer-widgets widget_recent_entries"> <h2 class="widget-title">Related Posts</h2> <ul> <li> <a href="http://www.valencynetworks.com/blogs/are-android-apps-more-secure-or-ios-apps/">Are Android Apps More Secure or iOS Apps</a> <span class="post-date">26/04/2024</span> </li> <li> <a href="http://www.valencynetworks.com/blogs/is-xss-vulnerability-possible-on-mobile-apps/">Is XSS Vulnerability Possible on Mobile Apps</a> <span class="post-date">17/04/2024</span> </li> <li> <a href="http://www.valencynetworks.com/blogs/difference-between-privilege-escalation-attack-and-idor-attack/">Difference Between Privilege Escalation Attack and IDOR Attack</a> <span class="post-date">04/03/2024</span> </li> <li> <a href="http://www.valencynetworks.com/blogs/exploring-tisax-version-6-a-comprehensive-guide/">Exploring TISAX Version 6 – A Comprehensive Guide</a> <span class="post-date">10/01/2024</span> </li> <li> <a href="http://www.valencynetworks.com/blogs/tls-based-attacks/">TLS Based Attacks</a> <span class="post-date">11/12/2023</span> </li> <li> <a href="http://www.valencynetworks.com/blogs/are-tls-vulnerabilities-considered-critical-for-internal-network/">Are TLS vulnerabilities considered critical for internal network</a> <span class="post-date">11/12/2023</span> </li> <li> <a href="http://www.valencynetworks.com/blogs/understanding-threats-risks-and-vulnerabilities/">Understanding Threats, Risks, and Vulnerabilities</a> <span class="post-date">14/11/2023</span> </li> <li> <a href="http://www.valencynetworks.com/blogs/difference-between-cybersecurity-risk-and-vulnerability/">Difference Between Cybersecurity Risk and Vulnerability</a> <span class="post-date">14/11/2023</span> </li> <li> <a href="http://www.valencynetworks.com/blogs/building-an-effective-blue-team-best-practices-for-organizational-cybersecurity/">Building an Effective Blue Team: Best Practices for Organizational Cybersecurity</a> <span class="post-date">02/11/2023</span> </li> <li> <a href="http://www.valencynetworks.com/blogs/designing-the-ideal-iso-27001-awareness-training-content/">Designing the Ideal ISO 27001 Awareness Training Content</a> <span class="post-date">06/09/2023</span> </li> </ul> </div> </div> </div> </div> </div> <div class="site-info"> <div class="container"> Proudly powered by WordPress <span class="sep"> | </span> Theme: Looks Blog by Crimson Themes. </div> </div> </footer> </div> <script async src="https://www.googletagmanager.com/gtag/js?id=G-NPJX87D3NY"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'G-NPJX87D3NY'); </script> <script type='text/javascript'> (function(I, _, T, i, c, k, s) { if(I.iticks) return; I.iticks = {host:c, settings:s, clientId:k, cdn:_, queue:[]}; var h = T.head || T.documentElement; var e = T.createElement(i); var l = I.location; e.async = true; e.src = (_||c)+'/client/inject.min.js'; h.insertBefore(e, h.firstChild); I.iticks.call = function(a, b) { b = b || {}; try { b._meta = {url:l.href+l.hash, time:Date.now()}; }catch(e) { b = {_meta:{url:l.href+l.hash, time:Date.now()}}; } I.iticks.queue.push([a, b]); }; })(window, 'https://d25ok8ck9cwr91.cloudfront.net', document, 'script', 'https://app.intelliticks.com', 'igRemx8EJhtwbLwTJ_c', {}); </script> <script src="http://www.valencynetworks.com/blogs/wp-content/themes/looks-blog/js/navigation.js?ver=20151215" id="looks-blog-navigation-js"></script> <script src="http://www.valencynetworks.com/blogs/wp-content/themes/looks-blog/assets/js/skip-link-focus-fix.js?ver=20151215" id="looks-blog-skip-link-focus-fix-js"></script> <script src="http://www.valencynetworks.com/blogs/wp-content/themes/looks-blog/assets/js/custom.js?ver=2.0.0" id="looks-blog-custom-js"></script> </body> </html> <script src="/cdn-cgi/scripts/7d0fa10a/cloudflare-static/rocket-loader.min.js" data-cf-settings="3214eb904fde67a086f459b9-|49" defer></script>