I was scanning my server log files the other day and found that this old “bot” is still making the rounds. It helps to shut the door on this with some configuration. It’s specifically looking for PHP vulnerabilities and is easily identified by the expletive in its User-Agent HTTP request headers.
This HTTP header was added in MSIE8; sending it forces the browser's XSS filter on, restricting some XSS vectors even when the user has disabled the filter in their settings. Generally you can add it in your web server configuration.
X-XSS-Protection: 1; mode=block
CORS is a more modern equivalent to JSONP for cross-domain XMLHttpRequest (AJAX) calls, with options to limit which domains, subdomains and ports are allowed.
Initial browser support:
- Firefox 3.5
- Chrome 4
- Safari 3.2
- MSIE 8
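The "limit domains, subdomains and ports" part is where CORS deployments most often go wrong: reflecting whatever `Origin` the browser sent, or matching on a substring, grants the cross-domain read to anyone. The following is an added example (not code from the original post) of an exact allow-list check on the server side; the allow-list entries and the permitted methods are constructed for illustration.

```python
# Added example: CORS origin allow-list for an XMLHttpRequest endpoint.
# An origin is scheme + host + port; it must match an allow-list entry exactly.
from urllib.parse import urlsplit

# Constructed allow-list (assumption): canonical "scheme://host[:port]" strings.
ALLOWED_ORIGINS = {
    "https://www.example.com",
    "https://app.example.com:8443",
}


def normalize_origin(origin: str):
    """Return canonical 'scheme://host[:port]' or None if the value is malformed.

    Default ports are dropped and the host is lower-cased so that
    'https://WWW.example.com:443' compares equal to 'https://www.example.com'.
    """
    parts = urlsplit(origin.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment:
        return None  # an Origin header never carries a path
    try:
        port = parts.port
    except ValueError:
        return None  # non-numeric port, reject rather than guess
    host = parts.hostname.lower()
    default = 443 if parts.scheme == "https" else 80
    if port is None or port == default:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def cors_headers(request_headers: dict, allowed=ALLOWED_ORIGINS) -> dict:
    """Compute the CORS response headers for one request.

    Returns no Access-Control-Allow-Origin when the Origin is absent or not
    on the allow-list, so the browser refuses the cross-domain read.
    Vary: Origin is always sent because the response differs per origin and
    must not be handed out of a shared cache to a different origin.
    """
    origin = request_headers.get("Origin")
    if origin is None:
        return {}  # same-origin or non-browser client: nothing to add
    canonical = normalize_origin(origin)
    if canonical is None or canonical not in allowed:
        return {"Vary": "Origin"}
    headers = {
        "Access-Control-Allow-Origin": canonical,  # never "*" and never the raw value
        "Vary": "Origin",
    }
    # Preflight request (OPTIONS with Access-Control-Request-Method).
    if request_headers.get("Access-Control-Request-Method"):
        headers["Access-Control-Allow-Methods"] = "GET, POST"
        headers["Access-Control-Allow-Headers"] = "Content-Type"
        headers["Access-Control-Max-Age"] = "600"
    return headers


if __name__ == "__main__":
    for o in ("https://www.example.com", "https://www.example.com.attacker.net",
              "https://api.example.com", "https://app.example.com:8443"):
        print(o, "->", cors_headers({"Origin": o}))
```

Note that `https://api.example.com` is rejected even though it is a subdomain of an allowed host, and `https://www.example.com.attacker.net` is rejected because the comparison is on the whole origin rather than a prefix; if subdomains are meant to be trusted they should be listed explicitly.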
There are a couple of steps required to force a browser to save/download content instead of displaying it in the browser window.
Content-Disposition: attachment; filename=example.txt
NOTE: MSIE also supports a poorly documented proprietary META tag…
<meta name="DownloadOptions" content="noopen|nosave" />
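When the filename in `Content-Disposition` comes from user input (an uploaded file's name, for instance), the header has to be built so that quotes, path separators and CR/LF from that input cannot alter or split the header. The following is an added example (not code from the original post) that builds the download headers defensively; the fallback name `download` and the `nosniff` pairing are my choices rather than anything the post specifies.

```python
# Added example: build response headers that force a download, with an
# untrusted filename made safe for the header value.
import re
from urllib.parse import quote

# Anything outside this set is replaced; it excludes '"', '\\', ';', ':',
# CR and LF, which all have meaning inside a header line.
_UNSAFE = re.compile(r"[^A-Za-z0-9._ -]")


def _basename(name: str) -> str:
    """Strip directory components from either slash style."""
    return name.replace("\\", "/").rsplit("/", 1)[-1]


def safe_ascii_filename(name: str) -> str:
    """Reduce an arbitrary name to a plain ASCII filename for filename=...."""
    base = _UNSAFE.sub("_", _basename(name)).strip(" .")
    return base or "download"  # constructed fallback name (assumption)


def download_headers(name: str, content_type: str = "application/octet-stream") -> dict:
    """Return the headers that make the browser save the body as a file."""
    value = f'attachment; filename="{safe_ascii_filename(name)}"'
    if any(ord(c) > 127 for c in name):
        # RFC 6266 / RFC 5987 form for non-ASCII names. Percent-encoding every
        # byte except unreserved characters also keeps CR/LF out of the header.
        value += "; filename*=UTF-8''" + quote(_basename(name), safe="")
    return {
        "Content-Type": content_type,
        "Content-Disposition": value,
        # Stops MSIE from sniffing the download into HTML (see the nosniff post).
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    for n in ("example.txt", "../../etc/passwd", 'evil".txt\r\nX-Injected: 1', "résumé.pdf"):
        print(repr(n), "->", download_headers(n)["Content-Disposition"])
```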
To prevent XSS/CSRF exploits in MSIE8 and newer, it’s often best to close as many attack vectors as possible. An easy one to implement is an HTTP header that stops MSIE from “sniffing” the content and overriding the declared type when it believes the type is incorrect.
Example: we would not want an HTML page intentionally served with ‘text/plain’ to be rendered as HTML.
This could be added programmatically to pages in your application, via a servlet or servlet filter, or added to the httpd.conf file.
Apache2 example: httpd.conf
Header set X-Content-Type-Options nosniff
DNS is much like a phone book for the internet. For each domain name (or subdomain like ‘www’), there is an IP address that resembles a phone number. Getting the matching number for each domain can take some time and make your site appear slow, particularly on mobile connections. Fortunately, you can pre-request this information and speed up your site in most cases.
To enable a domain’s DNS lookup to be performed in advance of the request, you can add a single line to the <head> section of your page.
<link rel="dns-prefetch" href="//giantgeek.com" />
If you want to explicitly turn on (or off) this behavior, you can add one of the following, or their HTTP Header equivalents:
<meta http-equiv="x-dns-prefetch-control" content="on" />
<meta http-equiv="x-dns-prefetch-control" content="off" />
This is supported in all modern browsers:
- Firefox 3.5+
- Safari 5.0+
- MSIE 9.0+
It should be noted that a similar method can be used to prefetch a page, but I will save that for a different article:
<link rel="prefetch" href="http://www.skotfred.com/" />
Over the past year there have been many capabilities added to web browsers to allow users to indicate their willingness to be tracked across various sites for web advertisements. While honoring the preference is optional for individual hosts, the user can send the request to identify their personal preference. Tracking can be relevant to allow for more “targeted” ads tailored to each user.
Firefox 4.0 betas added an "X-Do-Not-Track: 1" HTTP header. Firefox 5.0 betas later exposed it to scripts as navigator.doNotTrack, with a value of “yes” when set.
ETag headers are useful for some advanced caching behavior, but there are cases where you might find them unnecessary, for static files in particular. Most network analysis tools will call attention to this header value, and while it seems like a trivial amount of bandwidth to send from the server to the client, the real reason for the negative score is more likely related to the behaviors that it causes in the client.
It should be noted that the default value used for the ETag is based upon the ‘inode’ of the file; as such it IS problematic in clustered server environments. I’ve shown the correction for this below.
Adding the following to your Apache httpd.conf file is a start:
# Change ETag to remove the iNode (for multi-server environments)
FileETag MTime Size
# Remove ETag from all static content. This could be done globally without the FilesMatch, but we want better control.
Header unset ETag
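To see why the inode matters, it helps to model what the `FileETag` components produce on two cluster nodes. The following is an added example (not code from the original post) that simulates a client caching a file from one node and revalidating against both; the dash-joined hex layout mirrors Apache's ETag format, but the exact encoding of each component is an assumption, and the stat values are constructed.

```python
# Added example: why "FileETag INode MTime Size" breaks conditional requests
# behind a load balancer while "FileETag MTime Size" does not.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class StatInfo:
    inode: int
    size: int
    mtime: int  # seconds since the epoch


def file_etag(st: StatInfo, components=("INode", "MTime", "Size")) -> str:
    """Build an ETag from the requested FileETag components.

    Hex components joined by '-' follow Apache's layout; the exact encoding
    (e.g. the time unit) is an assumption made for this example.
    """
    parts = []
    for comp in components:
        if comp == "INode":
            parts.append(f"{st.inode:x}")
        elif comp == "MTime":
            parts.append(f"{st.mtime:x}")
        elif comp == "Size":
            parts.append(f"{st.size:x}")
        else:
            raise ValueError(f"unknown FileETag component {comp!r}")
    return '"' + "-".join(parts) + '"'


def conditional_get(if_none_match: Optional[str], current_etag: str) -> int:
    """Status for a GET carrying If-None-Match: 304 on a match, else 200."""
    if if_none_match is None:
        return 200
    candidates = [t.strip() for t in if_none_match.split(",")]
    return 304 if current_etag in candidates or "*" in candidates else 200


# Constructed scenario: the same deployed file on two cluster nodes. Copies
# share size and mtime, but each node's filesystem assigns its own inode.
NODE_A = StatInfo(inode=0x1A2B3C, size=4096, mtime=1300000000)
NODE_B = StatInfo(inode=0x77EE11, size=4096, mtime=1300000000)


def revalidation_hits(components) -> int:
    """A client cached the file from node A, then revalidates on A and on B.

    Returns how many of the two revalidations were answered with 304.
    """
    cached = file_etag(NODE_A, components)
    statuses = [conditional_get(cached, file_etag(n, components)) for n in (NODE_A, NODE_B)]
    return statuses.count(304)


if __name__ == "__main__":
    for comps in (("INode", "MTime", "Size"), ("MTime", "Size")):
        print(comps, "->", revalidation_hits(comps), "of 2 revalidations returned 304")
```

With the default components the client gets a fresh 200 (and a full transfer) every time the load balancer sends it to the other node, which is the "behaviors that it causes in the client" referred to above; with `MTime Size` both nodes agree and the 304 path works.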
Added in MSIE 8, Mozilla Firefox 3.6.9, Apple Safari 4, and Google Chrome 2 are several mechanisms to defend against cross-domain forgeries.
You can explicitly set this value for the Apache HTTP Server in the httpd.conf file or your .htaccess files, or code it into the page(s) in the application itself.
The Apache mod_headers module can be used for several reasons:
- To add headers to modify the behavior of a specific ‘misbehaving’ browser or client.
- To replace headers that you don’t want leaked to the Internet.
- To add monitoring information to your server responses.
Changes can be accomplished in the Apache2 ‘httpd.conf’ file.
- Verify that the module is not disabled or commented out:
LoadModule headers_module modules/mod_headers.so
- To add some common metrics:
Header append MyHeader "%D %t"
- To hide the HTTP Server header that you send in your responses (often done for security through obscurity):
Header unset Server
- You could also replace the Server header like this:
Header set Server "ScottServer 1.0"
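Whichever directives you settle on, the useful check is to look at a real response and confirm the headers discussed in these posts actually arrived: the X-XSS-Protection post, the nosniff post, the clickjacking post and the Server header item above all describe something that can be verified from one captured response. The following is an added example (not code from the original post or from Apache) that parses a constructed response header block and reports the gaps. The clickjacking header name is assumed to be X-Frame-Options, since the post above does not spell it out, and the three-hex-component test for an inode-based ETag is a heuristic based on the default `FileETag` components. Current browsers have since removed the X-XSS-Protection filter, so that check is informational for legacy clients only.

```python
# Added example: audit one captured HTTP response for the defensive headers
# covered on this page. The sample response below is constructed.
import re

SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 01 Mar 2011 12:00:00 GMT\r\n"
    "Server: Apache/2.2.17 (Unix) PHP/5.3.5\r\n"
    "ETag: \"1a2b3c-1000-4d7c6d00\"\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 4096\r\n"
    "\r\n"
)

# Heuristic (assumption): Apache's default FileETag INode MTime Size yields
# three dash-separated hex fields; MTime Size yields two.
INODE_ETAG = re.compile(r'^(W/)?"[0-9a-f]+-[0-9a-f]+-[0-9a-f]+"$', re.I)


def parse_headers(raw: str) -> dict:
    """Parse the header block into {lower-case name: [values]}; header names are case-insensitive."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit_headers(headers: dict) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    xcto = headers.get("x-content-type-options", [""])[0].lower()
    if xcto != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff (MSIE may sniff the content type)")
    xss = headers.get("x-xss-protection", [""])[0].replace(" ", "").lower()
    if not xss.startswith("1"):
        findings.append("missing X-XSS-Protection: 1; mode=block (legacy MSIE filter may be off)")
    if "x-frame-options" not in headers:
        findings.append("missing X-Frame-Options (assumed clickjacking defence header)")
    for server in headers.get("server", []):
        if re.search(r"/\d", server):  # product/version pairs such as Apache/2.2.17
            findings.append(f"Server header leaks version details: {server}")
    for etag in headers.get("etag", []):
        if INODE_ETAG.match(etag):
            findings.append(f"ETag looks inode-based (three hex components): {etag}")
    return findings


if __name__ == "__main__":
    for finding in audit_headers(parse_headers(SAMPLE_RESPONSE)):
        print("-", finding)
```

Running it against the constructed response produces five findings; a response carrying `X-Content-Type-Options: nosniff`, `X-XSS-Protection: 1; mode=block`, `X-Frame-Options: SAMEORIGIN`, a bare `Server: Apache` and a two-component ETag produces none. Checking the live response rather than the configuration also catches cases where a directive did not take effect as expected.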