HTTP headers are included in every HTTP response from a web server. Setting the appropriate HTTP headers can reduce the risk of man-in-the-middle and cross-site-scripting attacks on a web application. You can also reduce information leaks about the web application configuration - vital data that gives a would-be attacker clues about potential vulnerabilities. Read on to find out how to set the appropriate headers in your Perl web application.
The following headers are set:
X-Frame-Options
: protect site from being loaded into an frame or iframe (specs)
Strict-Transport-Security
: requester to load all content via HTTPS
Content-Security-Policy
: sets a whitelist of domains from which content can be safely loaded (specs)
IE-only headers:
X-Content-Type-Options
: disable mime sniffing, disabled by default in IE but enforced anyway.
X-Download-Options
: prevent IE from opening an HTML file directly
X-XSS-Protection
: turn on its XSS filter
Deprecated headers:
X-Content-Security-Policy
: IE10+
X-Webkit-CSP
: iOS Safari 5.0-5.1
These two headers can be switched on optionally to support browsers not yet using the standard hearders.
For more information see also:
cd /path/to/foswiki perl tools/extension_installer <NameOfExtension> installIf you have any problems, or if the extension isn't available in
configure
, then you can still install manually from the command-line. See https://foswiki.org/Support/ManuallyInstallingExtensions for more help.
17 Oct 2018 | more reasonable default settings |
09 Sep 2016 | added child-src policty in addition to the now deprected frame-src |
08 Mar 2016 | fixed xss protection |
Author | Michael Daum |
Version | 1.10 |
Release | 17 Oct 2018 |
Description | Add HTTP security headers to protect against XSS attacks |
Repository | https://github.com/foswiki/SecurityHeadersPlugin |
Copyright | 2015-2018 Michael Daum http://michaeldaumconsulting.com |
License | GPL (GNU General Public License) |
Home | https://foswiki.org/Extensions/SecurityHeadersPlugin |
Support | https://foswiki.org/Support/SecurityHeadersPlugin |