
Analysis of HTTP Security Headers in Turkey

Year 2016, Volume: 5 Issue: 4, 96 - 105, 01.12.2016

Abstract

Web applications are targeted in cyber-attacks in order to gain unauthorized access to, or manipulate, sensitive data. Developers are expected to follow secure coding best practices to protect their web applications. Over the last few years, browser vendors have integrated certain security header controls to support web application security. If developers enable these headers, browsers check the header values and prevent certain attacks automatically. In this research, we analysed the presence of the common security headers across 8279 different URLs of 361 popular Turkish web portals from 18 different categories. The results show that most web developers do not use security headers, and that even critical web portals do not implement the required ones. This paper explains our contribution by describing the HTTP security headers, the attack types they can prevent, the analysis tool we implemented and the analysis results.
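The kind of check the abstract describes, as an added example written for this page rather than the authors' own SecurityHeaderChecker tool: it takes a response header map, reports each of the headers the paper names (Content-Security-Policy, X-XSS-Protection, X-Frame-Options, Strict-Transport-Security, Public-Key-Pins) as missing, weak or ok, and counts how many are acceptably set. The per-header value rules (for example flagging `'unsafe-inline'` in a CSP or `max-age=0` in HSTS) are this example's own assumptions, not criteria taken from the paper; the sample headers are constructed so the block runs offline.

```python
"""Minimal HTTP security-header checker (added example; not the paper's tool)."""
from __future__ import annotations

import urllib.request

# Each value check returns None when the value is acceptable, else a short reason.
# The rules below are this example's assumptions, not the paper's criteria.


def _check_csp(value: str) -> str | None:
    v = value.lower()
    if "default-src" not in v and "script-src" not in v:
        return "no default-src or script-src directive"
    if "'unsafe-inline'" in v:
        return "'unsafe-inline' permits inline script or style"
    return None


def _check_xss(value: str) -> str | None:
    # "0" turns the browser's reflected-XSS filter off; "1" (optionally with
    # mode=block) turns it on, which is the setting the paper treats as protective.
    return None if value.strip().startswith("1") else "filter disabled (value is not 1)"


def _check_xfo(value: str) -> str | None:
    v = value.strip().upper()
    if v in ("DENY", "SAMEORIGIN") or v.startswith("ALLOW-FROM "):
        return None
    return f"unrecognized value {value!r}"


def _check_hsts(value: str) -> str | None:
    directives = {d.strip().split("=", 1)[0].lower(): d.strip()
                  for d in value.split(";") if d.strip()}
    if "max-age" not in directives:
        return "missing max-age"
    try:
        max_age = int(directives["max-age"].split("=", 1)[1])
    except (IndexError, ValueError):
        return "malformed max-age"
    if max_age <= 0:
        return "max-age is zero (HSTS disabled)"
    return None


def _check_hpkp(value: str) -> str | None:
    return None if "pin-sha256" in value.lower() else "no pin-sha256 directive"


# Header names the abstract and its references cover, each with its value check.
CHECKS = {
    "content-security-policy": _check_csp,
    "x-xss-protection": _check_xss,
    "x-frame-options": _check_xfo,
    "strict-transport-security": _check_hsts,
    "public-key-pins": _check_hpkp,
}


def check_headers(headers: dict[str, str]) -> dict[str, str]:
    """Return {header_name: "ok" | "missing" | "weak: <reason>"}; names are case-insensitive."""
    lower = {k.lower(): v for k, v in headers.items()}
    report = {}
    for name, check in CHECKS.items():
        if name not in lower:
            report[name] = "missing"
            continue
        reason = check(lower[name])
        report[name] = "ok" if reason is None else f"weak: {reason}"
    return report


def score(report: dict[str, str]) -> int:
    """Number of checked headers that are present and acceptably configured."""
    return sum(1 for status in report.values() if status == "ok")


def fetch_headers(url: str, timeout: float = 10) -> dict[str, str]:
    """Live variant (not used by the offline sample): fetch a URL and return its response headers."""
    req = urllib.request.Request(url, headers={"User-Agent": "header-check-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


# Constructed sample response headers; not captured from any real site.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "0",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
}

if __name__ == "__main__":
    result = check_headers(SAMPLE_HEADERS)
    for name, status in result.items():
        print(f"{name:28s} {status}")
    print(f"{score(result)} of {len(CHECKS)} headers acceptably set")
```

For a survey like the paper's, `fetch_headers` would be called once per URL and the per-URL reports aggregated by portal and category; the value rules are deliberately simple so that a "weak" verdict always carries a human-readable reason that can be audited later.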

References

  • [1] “Website of European Parliament President Hacked”, http://news.softpedia.com/news/Website-of-European-Parliament-President-Hacked-472575.shtml, last accessed 29.09.2016
  • [2] OWASP Top 10 Project, https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project, last accessed 29.09.2016
  • [3] SANS Top 25 Security Errors, https://www.sans.org/top25-software-errors/, last accessed 29.09.2016
  • [4] W3C, “Content Security Policy 1.0”, https://www.w3.org/TR/2012/CR-CSP-20121115/, last accessed 29.09.2016
  • [5] Mozilla Foundation, “CSP Policy Directives”, https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives, last accessed 29.09.2016
  • [6] OWASP, “OWASP Secure Headers Project, X-XSS-Protection header”, https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#X-XSS-Protection, last accessed 29.09.2016
  • [7] OWASP, “OWASP Secure Headers Project, X-Frame-Options header”, https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#X-Frame-Options, last accessed 29.09.2016
  • [8] IETF, RFC 6797, “HTTP Strict Transport Security (HSTS)”, https://tools.ietf.org/html/rfc6797, last accessed 29.09.2016
  • [9] OWASP, “Certificate and Public Key Pinning”, https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning, last accessed 29.09.2016
  • [10] Our implemented SecurityHeaderChecker tool, https://github.com/ttemrekisa/securityheaderchecker, last accessed 29.09.2016
  • [11] K.E. Kısa, E.İ. Tatlı, “Analysis of HTTP Security Headers in Turkey”, Proceedings of the 9th International Conference on Information Security and Cryptology (ISCTurkey 2016), pp. 39–46, Ankara, Turkey, October 25–26, 2016

Details

Primary Language English
Journal Section Research Article
Authors

Koray Emre Kısa

Emin İslam Tatlı

Publication Date December 1, 2016
Published in Issue Year 2016 Volume: 5 Issue: 4

Cite

IEEE K. E. Kısa and E. İ. Tatlı, “Analysis of HTTP Security Headers in Turkey”, IJISS, vol. 5, no. 4, pp. 96–105, 2016.