Response Header Security Handler

Purpose

The Response Header Security Handler enforces client-side response header security features, including X-Frame-Options, X-Content-Type-Options, X-XSS-Protection and Content Security Policy options. These features improve client-side security and help prevent attacks such as malicious code embedded in frames, cross-site scripting and attacks based on browser MIME-type sniffing.

For more information regarding adding and editing Handlers, see Editing Handlers.

Severity

Events triggered by this handler are given the severity: low. (For details on severity levels, see Severity of Events Triggered by Handlers).

Recommendations for use

To simplify configuration, it is recommended that you use the Response Header Security Wizard. The wizard configures the required attributes.

Not all browsers support all of these features: X-Frame-Options (XFO), X-XSS-Protection, X-Content-Type-Options, and Content-Security-Policy (CSP).

You must take care when configuring Content-Security-Policy (CSP) and X-XSS-Protection, as these restrictions may break applications (preventing users from accessing pages).

Ensure you check and test your application to confirm the security response header settings and browser combinations do not break applications.

Attributes

Attribute Meaning

x_frame_options

Set the X-Frame-Options (XFO) options. This determines whether or not the browser renders content protected by vWAF within a frame:

  • deny: Do not allow the browser to render a page, protected by vWAF, within a frame on another page.
  • sameorigin: Allow the browser to render content in a frame, provided the frame is within the same origin. The browser will not render content within a frame in another location (beyond the scope of the origin).

x_content_type_no_sniff

Enable the Content Type Restriction (X-Content-Type-Options: nosniff) to ensure the browser loads and renders content based on the Content-Type header MIME type only. This prevents the browser from 'MIME sniffing' and potentially loading malicious content. For example, if 'X-Content-Type-Options: nosniff' is not enabled, a browser could load a file with misleading attributes, treat the file as HTML and execute a malicious script.

x_xss_protection

Set the X-XSS-Protection options. This determines how the browser responds if a cross-site scripting attack is detected:

  • enable: Enable XSS protection so that if a cross-site scripting attack is detected, the browser removes unsafe content from the page.
  • enable_and_block: Enable XSS protection. If a cross-site scripting attack is detected, the browser will not display the page at all (rather than remove unsafe content from the page).
  • disable: Disable XSS filtering. No protection.

x_xss_protection_report

Enable this option to instruct the browser to submit reports to the server regarding validation of the cross-site scripting rules. If enabled, relevant entries are included in vWAF log files. These entries are logged as INFO and include the term ResponseHeaderSecurityHandler, as shown in the example below.

"20170303-00225","unknown","198.51.100.0:8086","foo.com","203.0.113.0","POST","/08e6c7c31eae2f229320f4398a45dd7c37b3c028b9ed4461797fc09f86100ba9","HTTP/1.1","[88/-]","INFO","PROTECTION","REQUEST","ResponseHeaderSecurityHandler","","","LOW","44c0a70c84e843fc","xss-report: {"xss-report":{"request-url":"http://test.local/test.php?foo=%3Cscript%3Ealert(1);%3C/script%3E","request-body":""}}","",""

csp_enforce

Enable the Content Security Policy (CSP) response header to reduce the risk of cross-site scripting. The policy determines the locations (expressed as CSP directives and source values) from which the browser may load resources.

csp_resource_urls

If csp_enforce is enabled, add the required CSP Resources:

  • vWAF adds the CSP directive 'default-src' with the source value 'self'. This ensures the browser loads resources from the same origin only, where the origin includes the protocol (http or https), host and port.
  • Additional URLs. You can add URLs that are required in addition to 'self'. This allows the browser to load resources from the specified URLs.
  • vWAF also supports the CSP source values 'unsafe-inline' and 'unsafe-eval'. You can add these source values as required; note that they relax the policy for inline scripts and eval-style code.
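The following Python is an added example, not vWAF code: it emulates the response header set that the attributes above describe and then audits a captured response's headers against it, which is the check recommended earlier on this page. The header syntax follows the public specifications (DENY/SAMEORIGIN for X-Frame-Options, `1; mode=block` for X-XSS-Protection, `default-src` for CSP); the exact mapping from vWAF attribute names to header values, the `HandlerConfig` class, and the report path used for the `report-uri` directive are assumptions for illustration.

```python
"""Emulate the handler's response headers and audit a captured response.

Added example: the attribute-to-header mapping is inferred from the attribute
descriptions and the public header specs; it is not taken from vWAF itself.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class HandlerConfig:
    """Mirrors the handler attributes described in the documentation (assumed shape)."""
    x_frame_options: Optional[str] = "deny"           # "deny", "sameorigin" or None
    x_content_type_no_sniff: bool = True
    x_xss_protection: str = "enable_and_block"        # "enable", "enable_and_block", "disable"
    csp_enforce: bool = True
    # Extra CSP sources; 'unsafe-inline' / 'unsafe-eval' are given without quotes
    csp_resource_urls: List[str] = field(default_factory=list)
    csp_report_uri: Optional[str] = None              # set when csp_report is enabled (assumed path)


# Header values for each x_xss_protection setting (public X-XSS-Protection syntax)
XSS_VALUES = {"enable": "1", "enable_and_block": "1; mode=block", "disable": "0"}
KEYWORD_SOURCES = {"self", "unsafe-inline", "unsafe-eval"}


def build_headers(cfg: HandlerConfig) -> Dict[str, str]:
    """Return the security headers the configuration would add to a response."""
    headers: Dict[str, str] = {}
    if cfg.x_frame_options:
        headers["X-Frame-Options"] = cfg.x_frame_options.upper()   # DENY or SAMEORIGIN
    if cfg.x_content_type_no_sniff:
        headers["X-Content-Type-Options"] = "nosniff"
    headers["X-XSS-Protection"] = XSS_VALUES[cfg.x_xss_protection]
    if cfg.csp_enforce:
        sources = ["'self'"]                                      # always present per the docs
        for src in cfg.csp_resource_urls:
            # CSP keyword sources must be single-quoted; URLs are not
            sources.append(f"'{src}'" if src in KEYWORD_SOURCES else src)
        policy = "default-src " + " ".join(sources)
        if cfg.csp_report_uri:
            policy += f"; report-uri {cfg.csp_report_uri}"
        headers["Content-Security-Policy"] = policy
    return headers


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Check a captured response's headers; returns human-readable findings."""
    h = {name.lower(): value for name, value in headers.items()}   # header names are case-insensitive
    findings: List[str] = []

    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options missing: page may be rendered in a frame on another site")
    elif xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options has unrecognised value {xfo!r}")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing: browser may MIME-sniff responses")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        for weak in ("'unsafe-inline'", "'unsafe-eval'"):
            if weak in csp:
                findings.append(f"CSP allows {weak}: this weakens cross-site scripting protection")
        if "default-src" not in csp and "script-src" not in csp:
            findings.append("CSP sets neither default-src nor script-src: scripts are unrestricted")
    return findings


if __name__ == "__main__":
    strict = build_headers(HandlerConfig())
    print(strict, audit_headers(strict))
    # Constructed example of a response captured from a misconfigured application
    captured = {"X-Frame-Options": "ALLOWALL",
                "Content-Security-Policy": "default-src 'self' 'unsafe-inline'"}
    for finding in audit_headers(captured):
        print("-", finding)
```

Run the audit against headers captured from each browser and application combination you need to support; an empty findings list for the strict configuration is the baseline, and any 'unsafe-inline' or 'unsafe-eval' finding documents exactly where the policy has been relaxed.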

csp_report

Enable this option to instruct the browser to submit reports to the server regarding validation of the CSP rules. If enabled, relevant entries are included in vWAF log files. These entries are logged as INFO and include the term ResponseHeaderSecurityHandler, as shown in the example below.

"20170303-00225","unknown","198.51.100.0:8086","foo.com","203.0.113.0","POST","/08e6c7c31eae2f229320f4398a45dd7c37b3c028b9ed4461797fc09f86100ba9","HTTP/1.1","[88/-]","INFO","PROTECTION","REQUEST","ResponseHeaderSecurityHandler","","","LOW","44c0a70c84e843fc","csp-report: {""csp-report"":{""document-uri"":""http://foo.com/test.html"",""referrer"":"""",""violated-directive"":""default-src 'self'"",""effective-directive"":""script-src"",""original-policy"":""default-src 'self'; report-uri /08e6c7c31eae2f229320f4398a45dd7c37b3c028b9ed4461797fc09f86100ba9"",""blocked-uri"":""http://maps.google.com"",""status-code"":200}}","",""
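The following Python is an added example, not vWAF code, showing how to extract the CSP report from log lines of the format shown above and tally which origins are being blocked under which directive, which is the information needed to decide whether a URL belongs in csp_resource_urls. The first sample line is the csp-report entry from this page (a CSV record with doubled-quote escaping inside the report field); the second is a constructed variant with a different blocked-uri. The function names are my own.

```python
"""Parse csp-report entries from vWAF log lines and summarise blocked origins.

Added example. PAGE_LOG_LINE is the log entry shown in the documentation;
CONSTRUCTED_LOG_LINE is a constructed variant for illustration.
"""
import csv
import json
from collections import Counter
from typing import Dict, Iterable, Tuple
from urllib.parse import urlsplit

PAGE_LOG_LINE = '''"20170303-00225","unknown","198.51.100.0:8086","foo.com","203.0.113.0","POST","/08e6c7c31eae2f229320f4398a45dd7c37b3c028b9ed4461797fc09f86100ba9","HTTP/1.1","[88/-]","INFO","PROTECTION","REQUEST","ResponseHeaderSecurityHandler","","","LOW","44c0a70c84e843fc","csp-report: {""csp-report"":{""document-uri"":""http://foo.com/test.html"",""referrer"":"""",""violated-directive"":""default-src 'self'"",""effective-directive"":""script-src"",""original-policy"":""default-src 'self'; report-uri /08e6c7c31eae2f229320f4398a45dd7c37b3c028b9ed4461797fc09f86100ba9"",""blocked-uri"":""http://maps.google.com"",""status-code"":200}}","",""'''

# Constructed: same record with a different blocked resource
CONSTRUCTED_LOG_LINE = PAGE_LOG_LINE.replace("http://maps.google.com", "https://cdn.example.net/app.js")

HANDLER_NAME = "ResponseHeaderSecurityHandler"
REPORT_PREFIXES = ("csp-report: ", "xss-report: ")


def parse_report_line(line: str) -> Tuple[str, Dict]:
    """Return (kind, report) where kind is 'csp-report' or 'xss-report'.

    The log record is CSV; the report field is a JSON document whose quotes
    are escaped CSV-style ("") so the csv module unescapes it for us.
    """
    fields = next(csv.reader([line]))
    if HANDLER_NAME not in fields:
        raise ValueError("line was not written by " + HANDLER_NAME)
    for field in fields:
        for prefix in REPORT_PREFIXES:
            if field.startswith(prefix):
                kind = prefix[:-2]                       # strip the ': ' separator
                payload = json.loads(field[len(prefix):])
                return kind, payload[kind]               # JSON is wrapped in a key of the same name
    raise ValueError("no csp-report or xss-report field in line")


def origin(uri: str) -> str:
    """Reduce a blocked-uri to scheme://host[:port]; keyword values such as 'inline' pass through."""
    parts = urlsplit(uri)
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"
    return uri


def summarize_csp_reports(lines: Iterable[str]) -> Counter:
    """Count (effective-directive, blocked origin) pairs across CSP report log lines."""
    counts: Counter = Counter()
    for line in lines:
        kind, report = parse_report_line(line)
        if kind != "csp-report":
            continue                                     # xss-report entries have a different shape
        counts[(report["effective-directive"], origin(report["blocked-uri"]))] += 1
    return counts


if __name__ == "__main__":
    for (directive, blocked), n in summarize_csp_reports([PAGE_LOG_LINE, CONSTRUCTED_LOG_LINE]).items():
        print(f"{n:4d}  {directive:<12} {blocked}")
```

A blocked origin that appears often and is a legitimate dependency of the application is a candidate for csp_resource_urls; an origin nobody recognises is worth investigating as possible injected content before the policy is loosened.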

usertext

You do not need to configure this attribute as it is not used by the handler.

enable_logging

You do not need to configure this attribute as it is not used by the handler.

For details regarding entries added to the log file by this handler, see the relevant section in Entries in Application-Specific Log Files.