Pete Freitag, Foundeo Inc.


  • 16 Years Web Development
  • Owner Foundeo Inc. Consulting & Products company.
  • Blog:
  • Twitter: @pfreitag


    • The Basics - What is a HTTP Header
    • HTTP Strict Transport Security (HSTS)
    • X-Frame-Options
    • Content-Security-Policy
    • Cookies

HTTP Basics

HTTP Request
GET / HTTP/1.1
User-Agent: My Browser
Cookie: oreo=yum;

HTTP Response
HTTP/1.1 200 OK
Date: Tue, 1 Apr 2014 19:58:49 GMT
Server: Apache
Content-Type: text/plain

Hello World.

HTTP Response Headers in CFML

 <cfheader name="X-Cow" value="moo">

     Yields an HTTP Response such as:
HTTP/1.1 200 OK
Date: Tue, 1 Apr 2014 19:58:49 GMT
X-Cow: moo
Server: Apache
Content-Type: text/plain

Hello World.

HTTP Strict Transport Security


Strict-Transport-Security HTTP Response Header

Instructs the browser to always request a domain using the HTTPS protocol instead of HTTP.

Why Use HSTS?

  • Passive Network Attacks - eavesdropping on plain HTTP traffic (e.g. on open Wi-Fi), which exposes cookies and page content.
  • Active Network Attacks - man in the middle attacks, HTTPS stripping, compromised DNS, evil twin access points, etc.
  • Mixed Content Vulnerabilities - loading of an insecure (http://) resource from a secure (https://) page (eg swf); HSTS upgrades those requests too.
  • Performance - removes the unnecessary http -> https redirect on later visits.
  • Because no one types https:// in the address bar.


    HSTS Directives

      • max-age - number of seconds the browser should remember the policy; the timer is refreshed each time the header is seen.
      • includeSubDomains  - also apply this policy to all subdomains of the requested host. Omit to apply the policy only to the current host.

    HSTS Examples

    Require HTTPS for 60 seconds on current domain:
     Strict-Transport-Security: max-age=60

    Require HTTPS for 365 days on all subdomains:
     Strict-Transport-Security: max-age=31536000; includeSubDomains

    Remove HSTS Policy (including subdomains):
     Strict-Transport-Security: max-age=0

    How to handle HTTP Requests

    • Requests Over HTTP (Non Secure)

      • Should respond with a 301 redirect to the same URL over https.
      • Must NOT send the Strict-Transport-Security header on non-secure HTTP responses (browsers ignore it there anyway, per RFC 6797).

    • Requests Over HTTPS

      • Should always respond with a Strict-Transport-Security header.
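The request-handling rules above, as an added example in JavaScript (not code from the original slides): a framework-free model of a server that redirects plain HTTP, sends the policy only over HTTPS, and a small parser for checking what a host actually sends. The host name, path and the one-year max-age are illustrative values.

```javascript
// Added example: HSTS request handling and a Strict-Transport-Security parser.
// handleRequest() takes a minimal request object ({secure, host, path}) and
// returns the status and headers a server should send.

const ONE_YEAR = 365 * 24 * 60 * 60; // 31536000 seconds

// Policy for a site that wants HSTS on this host and all of its subdomains.
const HSTS_VALUE = `max-age=${ONE_YEAR}; includeSubDomains`;

function handleRequest(req) {
  if (!req.secure) {
    // Plain HTTP: redirect to the same URL over HTTPS. No HSTS header here:
    // browsers ignore it over insecure transport, and an on-path attacker
    // could have injected it anyway.
    return {
      status: 301,
      headers: { Location: `https://${req.host}${req.path}` },
    };
  }
  // HTTPS: always send the policy so the browser's max-age timer is refreshed.
  return {
    status: 200,
    headers: {
      'Strict-Transport-Security': HSTS_VALUE,
      'Content-Type': 'text/plain',
    },
    body: 'Hello World.',
  };
}

// Parse a Strict-Transport-Security value into {maxAge, includeSubDomains}.
// Returns null when max-age is missing or not a number (an invalid header
// that a browser would discard).
function parseHsts(value) {
  const result = { maxAge: null, includeSubDomains: false };
  for (const rawToken of value.split(';')) {
    const token = rawToken.trim();
    if (token === '') continue;
    const [name, val] = token.split('=').map((s) => s.trim());
    const lower = name.toLowerCase();
    if (lower === 'max-age') {
      const digits = val === undefined ? '' : val.replace(/^"|"$/g, '');
      if (!/^\d+$/.test(digits)) return null;
      result.maxAge = parseInt(digits, 10);
    } else if (lower === 'includesubdomains') {
      result.includeSubDomains = true;
    }
    // Unknown directives are ignored, as the RFC requires.
  }
  if (result.maxAge === null) return null; // max-age is mandatory
  return result;
}
```

A max-age of 0 parses as a valid policy with maxAge 0, which is exactly the "remove the policy" case from the examples above.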

    HSTS Browser Support

    See: for more info.

    HSTS Preloading

    Chrome ships with a pre-loaded list of domains that have opted in to always use HTTPS; examples include PayPal and Twitter. Preloading closes the gap on the very first visit, before the browser has ever seen the header.

    You can request to have your domain pre-loaded.

    HSTS Resources


    X-Frame-Options

    Allows the server to specify whether the response may be rendered inside a frame, and if so from what origin.


    Clickjacking

      • AKA UI Redressing
      • Attacker loads the target page in a hidden or overlaid frame and tricks the user into clicking on something that performs an unintended action.

    Clickjacking Demo

    X-Frame-Options Directives

      • DENY - Specifies that the requested resource should never be embedded in a frame.
      • SAMEORIGIN - Only pages on the same domain may frame the requested resource.
      • ALLOW-FROM origin - Allow a whitelisted origin to frame the requested content.

    X-Frame-Options Browser Support

      • IE: 8+ (ALLOW-FROM 9+)
      • FF: 3.6.9 (ALLOW-FROM 18+)
      • Chrome: 4.1 (ALLOW-FROM not supported)
      • Safari: 4+ (ALLOW-FROM not supported)

    A browser that does not recognise ALLOW-FROM treats the whole header as invalid and ignores it, so the page is frameable there. Prefer DENY or SAMEORIGIN whenever you can.
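The directives and the browser-support table above, as an added example in JavaScript (not code from the original slides): a model of how a browser decides whether a response from pageOrigin may be framed by a page at topOrigin. The supportsAllowFrom flag stands in for the support table (true for IE 9+ and Firefox 18+, false for the Chrome and Safari versions listed); the origins are illustrative.

```javascript
// Added example: modelling the X-Frame-Options decision a browser makes.

// Which browsers in the slide's table understand ALLOW-FROM.
const BROWSERS = { 'IE 9+': true, 'Firefox 18+': true, 'Chrome': false, 'Safari': false };

// Returns true if the browser would let topOrigin frame the response.
function mayBeFramed(headerValue, pageOrigin, topOrigin, supportsAllowFrom) {
  if (headerValue === undefined || headerValue === null) return true; // no header, no protection

  const value = headerValue.trim();
  const upper = value.toUpperCase();

  if (upper === 'DENY') return false;
  if (upper === 'SAMEORIGIN') return pageOrigin === topOrigin;

  if (upper.startsWith('ALLOW-FROM ')) {
    if (!supportsAllowFrom) {
      // Chrome/Safari treat an unknown directive as an invalid header and
      // drop it entirely, so the page ends up frameable from anywhere.
      return true;
    }
    const allowed = value.slice('ALLOW-FROM '.length).trim().replace(/\/$/, '');
    return allowed === topOrigin;
  }

  // Any other value is invalid and is ignored.
  return true;
}

// Evaluate one header value against every browser in the table.
function frameableIn(headerValue, pageOrigin, topOrigin) {
  const out = {};
  for (const [name, supportsAllowFrom] of Object.entries(BROWSERS)) {
    out[name] = mayBeFramed(headerValue, pageOrigin, topOrigin, supportsAllowFrom);
  }
  return out;
}
```

Running frameableIn('ALLOW-FROM https://partner.example', 'https://bank.example', 'https://evil.example') shows the practical problem: IE and Firefox block the attacker's frame, Chrome and Safari allow it.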

    X-Frame-Options Resources

    Content-Security-Policy (CSP)

    HTTP Response header, allows server to control how resources are loaded. 

    Why Content-Security-Policy?

    • Greatly reduces success of Cross Site Scripting (XSS) attacks.
      • Report / log xss attack attempts

      CSP Demo

      CSP Directives


      CSP Source Expressions

      Source Value      Meaning
      *                 Wildcard, allows all origins.
      'self'            Allow the same origin only.
      'none'            Don't allow any resources of this type to load.
      example.com       Allow a specific domain.
      *.example.com     Allow all subdomains of a domain.
      https:            Scheme specific: require https.
      data:             Allow data: URI schemes.


      • When a script-src or style-src directive is set, inline script and style blocks, inline event handlers (onclick=...) and style attributes are blocked.
          • You can add 'unsafe-inline' to allow them, but that defeats much of CSP's XSS protection.


      • CSP also disables unsafe dynamic code evaluation, such as the JavaScript eval() function, new Function() and string arguments to setTimeout().
        • You can add 'unsafe-eval' to a script-src directive to allow it again.

      CSP Reports

      • Specify a report-uri to receive JSON violation reports, which the browser POSTs to that URL.
      • Report only: Content-Security-Policy-Report-Only reports violations without blocking anything, useful while rolling out a policy.
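The source expressions, the inline/eval pitfalls and the reporting mechanism above, as one added example in JavaScript (not code from the original slides): building a policy header from a directive map, choosing the enforcing or report-only header name, flagging sources that weaken the policy, and reading the JSON report a browser POSTs to report-uri. The policy values and the sample report are constructed for illustration.

```javascript
// Added example: assembling a Content-Security-Policy and handling reports.

// Serialise a directive map into the header value format.
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(' ')}`)
    .join('; ');
}

// Returns [headerName, headerValue]. Start with reportOnly=true while
// collecting reports, then flip to enforcing once the reports are clean.
function cspHeader(directives, reportOnly) {
  const name = reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
  return [name, buildCsp(directives)];
}

// Flag sources that silently give away most of CSP's XSS protection.
function weakSources(directives) {
  const findings = [];
  for (const [name, sources] of Object.entries(directives)) {
    for (const s of sources) {
      if (s === "'unsafe-inline'" || s === "'unsafe-eval'" || s === '*') {
        findings.push(`${name}: ${s}`);
      }
    }
  }
  return findings;
}

// Parse a violation report body (application/csp-report) into the fields an
// analyst usually wants. Returns null if the body is not a CSP report.
function parseCspReport(body) {
  let parsed;
  try {
    parsed = JSON.parse(body);
  } catch (e) {
    return null;
  }
  const r = parsed && parsed['csp-report'];
  if (!r || typeof r !== 'object') return null;
  return {
    documentUri: r['document-uri'] || '',
    violatedDirective: r['violated-directive'] || '',
    blockedUri: r['blocked-uri'] || '',
    originalPolicy: r['original-policy'] || '',
  };
}

// Illustrative policy: same-origin by default, scripts also from one CDN,
// images may be data: URIs, violations go to /csp-report.
const POLICY = {
  'default-src': ["'self'"],
  'script-src': ["'self'", 'https://cdn.example.com'],
  'img-src': ["'self'", 'data:'],
  'report-uri': ['/csp-report'],
};

// Constructed sample report, shaped like the JSON browsers send.
const SAMPLE_REPORT = JSON.stringify({
  'csp-report': {
    'document-uri': 'https://www.example.com/account',
    'violated-directive': "script-src 'self' https://cdn.example.com",
    'blocked-uri': 'https://evil.example.net/x.js',
    'original-policy': buildCsp(POLICY),
  },
});
```

A report whose blocked-uri is a host you never included is the signal the slide is after: either an injection attempt, or a legitimate resource the policy forgot, which is why you run report-only first.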

      CSP 1.1

        • Updated version of the CSP spec is now an Editor's Draft
        • Adds nonce and hash
        • Adds referrer directive

      CSP Browser Support

      • Chrome: 25+
      • FireFox: 23+
      • Safari: 7+
      • IE: Not Supported Yet
          • IE 10 supports the sandbox directive only via X-Content-Security-Policy
      • Vendor prefixes, such as X-Content-Security-Policy and X-Webkit-CSP

      CSP Resources


      X-XSS-Protection

        • X-XSS-Protection: 0 (disable the browser's reflected XSS filter)
        • X-XSS-Protection: 1 (filter: the browser sanitizes the page)
        • X-XSS-Protection: 1; mode=block (block: the browser refuses to render the page at all)
        • CSP 1.1 adds a reflected-xss directive to control this.


      Cookies

      Two important cookie directives:

        • HttpOnly - the cookie cannot be read from JavaScript (document.cookie), which limits what an XSS payload can steal.
        • Secure - the cookie is only sent over HTTPS, so it is never exposed on an unencrypted connection.

      Cross Origin Resource Sharing (CORS)

      CORS lets a server opt in to cross-domain XMLHttpRequests that the same-origin policy would otherwise block.


      CORS Simple Requests

      • The browser makes the cross origin request directly if the method is GET, HEAD or POST (with only simple headers), and adds an Origin request header.
      • The server responds with an Access-Control-Allow-Origin HTTP response header; if it does not match, the browser withholds the response from script.

      CORS Preflight Request

      • Needed for a cross origin request that uses a method other than GET, HEAD or POST, sets custom request headers, or sends a body with a Content-Type other than application/x-www-form-urlencoded, multipart/form-data or text/plain.
          • The browser will send a preflight request, using the OPTIONS HTTP request method.

      CORS Request Headers

      • Origin - the origin of the page making the request (sent on the preflight and on the actual request)
      • Access-Control-Request-Method - The HTTP request method that the request would send.
      • Access-Control-Request-Headers - A comma separated list of header names that the request will use.

      CORS Preflight Response Headers

      • Access-Control-Allow-Origin - a single origin or "*"; omit the header to deny. "*" cannot be combined with credentials.
      • Access-Control-Allow-Credentials - When true the request can include credentials.
      • Access-Control-Allow-Headers - tells which request headers can be sent.
      • Access-Control-Allow-Methods  - tells which HTTP methods can be used for the request.
      • Access-Control-Expose-Headers - tells which response headers are available to JavaScript.
      • Access-Control-Max-Age - max seconds to cache preflight response 
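The simple-request and preflight exchange above, as an added example in JavaScript (not code from the original slides): the browser-side rule for when a preflight is needed, and the server-side logic that answers both request types against an explicit origin allowlist. The allowlist, methods and header names are illustrative configuration.

```javascript
// Added example: CORS decision logic for simple and preflight requests.

// Illustrative server configuration.
const CORS_CONFIG = {
  allowedOrigins: ['https://app.example.com', 'https://admin.example.com'],
  allowedMethods: ['GET', 'POST', 'PUT', 'DELETE'],
  allowedHeaders: ['content-type', 'x-requested-with'],
  exposeHeaders: ['X-Request-Id'],
  allowCredentials: true,
  maxAge: 600,
};

const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SIMPLE_CONTENT_TYPES = ['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'];

// Does this request need a preflight? Mirrors the browser-side rule.
function needsPreflight(method, headers) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (n === 'content-type') {
      const type = value.split(';')[0].trim().toLowerCase();
      if (!SIMPLE_CONTENT_TYPES.includes(type)) return true;
    } else if (!['accept', 'accept-language', 'content-language'].includes(n)) {
      return true; // any other author-set header triggers a preflight
    }
  }
  return false;
}

// Returns the CORS response headers to add. An empty object means the origin
// (or requested method/headers) is not allowed, so the browser blocks access.
// `req` is {method, headers} with lowercase header names.
function corsHeaders(req, cfg) {
  const origin = req.headers['origin'];
  if (!origin) return {}; // same-origin page or non-browser client; nothing to do

  // Never echo an arbitrary Origin and never use "*" with credentials:
  // browsers reject "*" together with Access-Control-Allow-Credentials: true,
  // and reflecting any origin with credentials hands cookies to every site.
  if (!cfg.allowedOrigins.includes(origin)) return {};

  const out = {
    'Access-Control-Allow-Origin': origin,
    // The response differs per Origin, so shared caches must key on it.
    'Vary': 'Origin',
  };
  if (cfg.allowCredentials) out['Access-Control-Allow-Credentials'] = 'true';

  const isPreflight = req.method === 'OPTIONS' && 'access-control-request-method' in req.headers;
  if (isPreflight) {
    const wanted = req.headers['access-control-request-method'].toUpperCase();
    if (!cfg.allowedMethods.includes(wanted)) return {};
    const wantedHeaders = (req.headers['access-control-request-headers'] || '')
      .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
    if (wantedHeaders.some((h) => !cfg.allowedHeaders.includes(h))) return {};
    out['Access-Control-Allow-Methods'] = cfg.allowedMethods.join(', ');
    out['Access-Control-Allow-Headers'] = cfg.allowedHeaders.join(', ');
    out['Access-Control-Max-Age'] = String(cfg.maxAge);
    return out;
  }

  // Actual request (simple, or the one that follows a successful preflight).
  if (cfg.exposeHeaders.length > 0) {
    out['Access-Control-Expose-Headers'] = cfg.exposeHeaders.join(', ');
  }
  return out;
}
```

The allowlist check happens before anything is echoed back; the common mistake is reflecting whatever Origin arrives while also allowing credentials, which turns CORS from an opt-in into a bypass of the same-origin policy.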