HTTP Security Headers
Node RASP intercepts every HTTP response the server sends. For each response it automatically sets a specific set of security-related HTTP headers, chosen by the content type of the response body and by your configuration, so the client-server communication is hardened by default.
The security headers are added to every response by default. To change the defaults you can set an environment variable, add a field to your package.json, or change the setting directly on the OutgoingMessage prototype.
For instance, you can set the environment variable SECURITYHEADER as follows (the value is a JSON document, so the inner double quotes must be escaped, or the whole value wrapped in single quotes instead):

```sh
export SECURITYHEADER="{ \"addHeaders\": true,
\"headers\":
{ \"x-powered-by\": true,
\"expect-ct\": true,
\"strict-transport-security\": true,
\"referrer-policy\": true,
\"x-dns-prefetch-control\": true,
\"x-permitted-cross-domain-policies\": true,
\"x-content-type-options\": true,
\"content-security-policy\": true,
\"x-download-options\": true,
\"x-frame-options\": true,
\"x-xss-protection\": true,
\"feature-policy\": false,
\"public-key-pins\": false,
\"cache-control\": false
}
}"
```
This option works when the server is started with plain node, without npm. Settings defined in package.json or directly on the OutgoingMessage prototype override the options from the environment variable.
Your package.json for configuring the security headers looks like this:
```json
{ "name": "application",
"securityHeader":
{ "addHeaders": true,
"headers":
{ "x-powered-by": true,
"expect-ct": true,
"strict-transport-security": true,
"referrer-policy": true,
"x-dns-prefetch-control": true,
"x-permitted-cross-domain-policies": true,
"x-content-type-options": true,
"content-security-policy": true,
"x-download-options": true,
"x-frame-options": true,
"x-xss-protection": true,
"feature-policy": false,
"public-key-pins": false,
"cache-control": false
}
},
"scripts": { "start": "node index.js" }
}
```
You can either turn the whole feature off with the addHeaders variable or change the setting for individual headers. Start your server with `npm start`; otherwise the package.json is not loaded.
You can also change the default options directly on the OutgoingMessage prototype (exported by Node's http module). For instance, disabling all security headers works as follows:

```js
OutgoingMessage.prototype.setSecurityHeaders({ 'addHeaders': false });
```
HTTP offers a number of security headers. Some are useful for a broad range of content types; others only make sense for HTML. The following table lists them with the value Node RASP uses, a short description, and the content types for which each header is applied by default. The configuration shown is a trade-off between compatibility and security.
Header | Value | Description | All HTTP | HTML
---|---|---|---|---
Expect-CT | max-age=86400; enforce | Requires the server certificate to appear in Certificate Transparency logs. | X | X
Strict-Transport-Security (HSTS) | max-age=31536000; includeSubDomains | Keeps users on HTTPS. | X | X
Referrer-Policy | same-origin | Restricts what is sent in the Referer header. | X | X
X-Content-Type-Options | nosniff | Prevents browsers from sniffing the content type. | X | X
X-DNS-Prefetch-Control | off | Disables the browser's DNS prefetching. | X | X
X-Powered-By | (no value) | Reveals the technology behind the server and should therefore not be sent. | X | X
X-Download-Options | noopen | Prevents downloads from being opened in the site's context. | | X
X-Frame-Options | deny | Prevents the page from being put in an iframe (clickjacking). | | X
X-XSS-Protection | 1; mode=block | Basic XSS filter of older browsers. | | X
X-Permitted-Cross-Domain-Policies | e.g. none | Whether Flash and Acrobat clients may load data across domains. | |
Content-Security-Policy | e.g. script-src 'self'; object-src 'self' | Allow-list of the sources the page may load. | |
Feature-Policy | e.g. vibrate 'none'; geolocation 'none' | Denies the use of browser features. | |
Public-Key-Pins | e.g. pin-sha256="klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY="; max-age=2592000; includeSubDomains | Pins the server's public key to prevent man-in-the-middle attacks. | |
Cache-Control, Surrogate-Control, Pragma, Expires | e.g. no-cache | Disables browser caching. | |

Headers whose value is given as "e.g." depend on the application and need a value chosen for your site. Note that Expect-CT, Public-Key-Pins and X-XSS-Protection are deprecated and ignored by current browsers, and Feature-Policy has been superseded by Permissions-Policy; setting them does no harm, but do not rely on them for protection.