“Referrer-Policy” HTTP Header

A relatively new HTTP Header that is supported by most modern browsers (except MSIE) is the “Referrer-Policy” header. There have been previous attempts to implement similar protections through use of the ‘rel’ (or ‘rev’) attributes on links to external websites. The latest approach takes a different approach and prevents leaking of internal URLs, and in some cases parameters, to external websites. This is important from a security perspective as you might maintain some sensitive information in your page urls, that would otherwise be inadvertently shared with an external website.

Clearly, you’ll need to determine your own level of security based upon your needs. Example: ‘no-referrer’ would be the most strict and would prevent the browser from sending the ‘Referer'(sic) header even to your own websites pages.

Example header values:

Referrer-Policy: no-referrer
Referrer-Policy: no-referrer-when-downgrade
Referrer-Policy: origin
Referrer-Policy: origin-when-cross-origin
Referrer-Policy: same-origin
Referrer-Policy: strict-origin
Referrer-Policy: strict-origin-when-cross-origin
Referrer-Policy: unsafe-url

Implementation can be accomplished in many ways, the most simple being and addition to your HTTP server configuration similar to the one shown below for Apache 2.x:

Header always set Referrer-Policy strict-origin

REFERENCES:

Renaming PHPSESSID

Like in Java, securing/renaming the PHP Session ID is simply a configuration item, generally this value is set as a cookie, but occasionally gets used in cases of URL Rewriting.

On Ubuntu your settings can be changed as follows, Windows will use the same settings in the appropriate file:

  1. sudo vi /etc/php5/apache2/php.ini
  2. Modify the following values as needed:

    session.name = "PHPSESSID"
    session.cookie_httponly = 1

REFERENCES

Renaming JSESSIONID

Older versions of Apache Tomcat, as well as the older servlet specifications required that several configuration values need to be set. With servlet 3, you can now modify the name of the session cookie (as well as the ‘rewriting’ attribute name) in the web.xml file

In web.xml: (servlet 3.x)

<session-config>
<session-timeout>30</session-timeout>
<cookie-config>
<name>mysessionid</name><!-- default is jsessionid -->
<http-only>true</http-only>
<!-- secure>true</secure-->
</cookie-config>
<tracking-mode>COOKIE</tracking-mode>
</session-config>

Alternately for Tomcat7, modify TOMCAT_HOME\conf\context.xml:
<Context path="/exampleApp" sessionCookieName="myid">

If you are using spring security, then you should try setting disable-url-rewriting attribute of <http> element to true.

REFERENCES:

Dotless IP Address

This is a concept I had forgotten about until recently, it can often serve as a simple means of code obfuscation and is also sometimes referred to as “Decimal Address”.

Some background:

  • DNS is used to convert a URL/domain name into an IP address that is used to contact the remote machine.
    EXAMPLES:
    localhost = 127.0.0.7
    giantgeek.com = 99.138.127.198
  • IP addresses (as IPv4) are represented as groups of 4 hexadecimal or decimal octets.
  • Those numbers can be plugged into a simple formula to be represented as a single large integer.

As such, you can use the following as equivalents:

  • http://localhost
  • http://127.0.0.1
  • http://2130706433

REFERENCES:

Data URL’s (aka HTML Inline Images)

Here’s a useful trick for minimizing server HTTP connections, unfortunately it’s not universally supported so you will need to provide alternate methods for non-supporting browsers (such as MSIE).

This works by placing the content of the image into the URL itself, as such there’s no need to open up a new server connection and no extra caching at any tier.

<img src=”data:image/gif;base64,R0lGODlhEAAOALMAAOazToeHh0tLS/7LZv/0jvb29t/f3//Ub/ /ge8WSLf/rhf/3kdbW1mxsbP//mf///yH5BAAAAAAALAAAAAAQAA4AAARe8L1Ekyky67QZ1hLnjM5UUde0ECwLJoExKcppV0aCcGCmTIHEIUEqjgaORCMxIC6e0CcguWw6aFjsVMkkIr7g77ZKPJjPZqIyd7sJAgVGoEGv2xsBxqNgYPj/gAwXEQA7″ alt=”embedded folder icon” width=”16″ height=”14″ />

What is a SLD (Second Level Domain)?

I just wrote about the TLD, so this naturally follows:

A SLD includes the TLD name and further identifies the owning organization of a URL.

Second-level domains can be divided into further levels. These subdomains sometimes represent different computers within an organization, but are many times the same machine with different aliases.

Examples:

www.giantgeek.com
mail.giantgeek.com

TLD =  .com
SLD = giantgeek.com
Subdomains = www.gianteek.com & mail.giantgeek.com

NOTE: Refer to HTTP/1.1 for details on how IP addresses, routing and webservers are impacted by this.

Interesting enough, some one character SLD’s do exist,  x.com for example.

References:

Cheers!

What is a TLD (Top Level Domain)?

I occasionally get this question, as many technical people don’t fully understand it.

A TLD is ‘actually” the last section of a URL (owned by the domain registrars themselves).

Examples:

  • .com
  • .net
  • .org
  • .us (and other 2 digit country codes)

You can find a full list of TLD’s here:

Various other TLD’s have been proposed through the years, here are a few common ones (that are in various states of approval or implementation):

  • .museum
  • .info
  • .xxx
  • .biz
  • .mobi

References:

Cheers!