Uploaded image for project: 'Spark'
  1. Spark
  2. SPARK-22188

Add defense against Cross-Site Scripting, MIME-sniffing and MitM attack

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.0.2, 2.1.1, 2.2.0
    • Fix Version/s: 2.3.0
    • Component/s: Spark Core
    • Labels:

      Description

      Below HTTP Response headers can be added to improve security.

      The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) is a security feature that lets a web site tell browsers that it should only be communicated with using HTTPS, instead of using HTTP.

      Note: The Strict-Transport-Security header is ignored by the browser when your site is accessed using HTTP; this is because an attacker may intercept HTTP connections and inject the header or remove it. When your site is accessed over HTTPS with no certificate errors, the browser knows your site is HTTPS capable and will honor the Strict-Transport-Security header.

      An example scenario
      You log into a free WiFi access point at an airport and start surfing the web, visiting your online banking service to check your balance and pay a couple of bills. Unfortunately, the access point you're using is actually a hacker's laptop, and they're intercepting your original HTTP request and redirecting you to a clone of your bank's site instead of the real thing. Now your private data is exposed to the hacker.
      Strict Transport Security resolves this problem; as long as you've accessed your bank's web site once using HTTPS, and the bank's web site uses Strict Transport Security, your browser will know to automatically use only HTTPS, which prevents hackers from performing this sort of man-in-the-middle attack.

      Syntax:
      Strict-Transport-Security: max-age=<expire-time>
      Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
      Strict-Transport-Security: max-age=<expire-time>; preload
      Read more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security

      The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.

      Syntax:
      X-XSS-Protection: 0
      X-XSS-Protection: 1
      X-XSS-Protection: 1; mode=block
      X-XSS-Protection: 1; report=<reporting-uri>
      Read more at http://sss.jjefwfmpqfs.pjnpajmmb.ljpsh.us3.gsr.awhoer.net/en-US/docs/Web/HTTP/Headers/X-XSS-Protection

      The HTTP X-Content-Type-Options response header is used to protect against MIME sniffing vulnerabilities. These vulnerabilities can occur when a website allows users to upload content to a website however the user disguises a particular file type as something else. This can give them the opportunity to perform cross-site scripting and compromise the website. Read more at https://www.keycdn.com/support/x-content-type-options/ and https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options

        Attachments

          Activity

            People

            • Assignee:
              kpandey Krishna Pandey
              Reporter:
              kpandey Krishna Pandey
            • Votes:
              1 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: