Web applications are targeted in cyber-attacks in order to gain unauthorized access to, or manipulate, sensitive data. Developers are expected to follow secure coding best practices to protect their web applications. Over the last few years, browser vendors have integrated a set of security header controls to support web application security: when developers enable these headers, the browser checks the values of the header parameters and prevents certain attacks automatically. In this research, we analysed the presence of the common security headers across 8279 different URLs belonging to 361 popular Turkish web portals from 18 different categories. The results show that most web developers do not use security headers, and that even critical web portals do not implement the required ones. This paper explains our contribution by describing the HTTP security headers, the attack types they can prevent, the analysis tool we implemented, and the analysis results.
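As an added example that is not the authors' SecurityHeaderChecker tool, the following Python checker grades one portal's response headers the way the survey describes (present, missing, or present with a weak value). The header set it checks, the value rules (a one-year HSTS max-age, DENY/SAMEORIGIN only, rejecting 'unsafe-inline') and the sample headers are assumptions made for the example.

```python
# Added example, not the paper's SecurityHeaderChecker: grade the response
# headers a web portal sends. Header dictionaries used below are constructed.
import re

ONE_YEAR = 31536000  # seconds; assumed minimum HSTS max-age for "ok"

def _hsts(v):
    m = re.search(r"max-age=(\d+)", v, re.I)
    if not m:
        return "weak: no max-age"
    return "ok" if int(m.group(1)) >= ONE_YEAR else "weak: max-age below one year"

def _xfo(v):
    # Only DENY and SAMEORIGIN reliably stop the page from being framed
    return "ok" if v.upper() in ("DENY", "SAMEORIGIN") else "weak: " + v

def _csp(v):
    # A policy that still permits inline script gives little XSS protection
    return "weak: allows 'unsafe-inline'" if "'unsafe-inline'" in v else "ok"

def _xss(v):
    # Legacy browser XSS filter; graded here because the survey counts it
    return "ok" if v.replace(" ", "").lower().startswith("1;mode=block") else "weak: " + v

# Header name -> validator for its value (None: only presence is checked)
CHECKS = {
    "Strict-Transport-Security": _hsts,
    "X-Frame-Options": _xfo,
    "Content-Security-Policy": _csp,
    "X-XSS-Protection": _xss,
    "Public-Key-Pins": None,
}

def check_security_headers(headers):
    """Return {header: verdict}; verdict is 'missing', 'ok' or 'weak: ...'."""
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    report = {}
    for name, validate in CHECKS.items():
        value = lower.get(name.lower())
        if value is None:
            report[name] = "missing"
        else:
            report[name] = "ok" if validate is None else validate(value)
    return report

def missing_count(headers):
    return sum(1 for v in check_security_headers(headers).values() if v == "missing")

if __name__ == "__main__":
    # Constructed sample: a portal that sets only a weak subset of the headers
    sample = {"Server": "nginx", "X-Frame-Options": "ALLOWALL",
              "Strict-Transport-Security": "max-age=300"}
    for header, verdict in check_security_headers(sample).items():
        print(f"{header}: {verdict}")
```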