Time to return to the dramatically bad situation where security headers are concerned.
One important example from the Hall of Shame:
https://www.microsoft.com
See:
https://www.uploady.com/download/gN0Vfam8FKU/F9RytmG59o8~34EA
and
https://www.uploady.com/download/GbzM~734U3J/7WSvra~jOTelppAr
X-Frame-Options - missing
Provides clickjacking protection by instructing browsers that this page should not be placed within a frame. Possible values are: deny - no rendering within a frame, sameorigin - no rendering if origin mismatch, and allow-from: - allow rendering if framing page is within the specified URI domain. Allow from is supported by IE and Firefox, but not Chrome or Safari. It will also interfere with In Page Google Analytics since it requires your page to be framed by Google.
Strict-Transport-Security missing
HTTP Strict-Transport-Security (HSTS) enforces secure (HTTP over SSL/TLS) connections to the server. This reduces impact of bugs in web applications leaking session data through cookies and external links and defends against Man-in-the-middle attacks. HSTS also disables the ability for users to ignore SSL negotiation warnings.
X-Content-Type-Options Use 'nosniff' missing
The only defined value, "nosniff", prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type. This also applies to Google Chrome when downloading extensions. This reduces exposure to drive-by download attacks and sites serving user uploaded content that by clever naming could be treated by MSIE as executable or dynamic HTML files.
Warning on Content-Type
Instructs the browser to interpret the page as a specific content type rather than relying on the browser to make assumptions.
X-XSS-Protection Use '1; mode=block' missing
This header enables the Cross-site scripting (XSS) filter built into most recent web browsers. Typically this is enabled by default, but if it was disabled by the user this header will force the filter to be active for this particular website. This header is supported in IE 8+.
Warning Set-Cookie MS-CV=Rzov4KmjtEO7jS...12:43:49 GMT; path=/ Add 'secure; httponly;'
The secure flag on cookies instructs the browser to only submit the cookie as part of requests over secure (HTTPS) connections. This prevents the cookie from being observed as plain text in transit over the network.
The HttpOnly flag instructs the browser that this cookie can only be accessed when sending an HTTP request. This prevents scripts running as part of a page from retrieving the value and is a defense against XSS attacks.
Cache-Control has a warning.
Data returned in web responses can be cached by user's browsers as well as by intermediate proxies. This directive instructs them not to retain the page content in order to prevent others from accessing sensitive content from these caches.
Two missing headers on caching: Data returned in web responses can be cached by user's browsers as well as by intermediate proxies. This directive instructs them not to retain the page content in order to prevent others from accessing sensitive content from these caches.
Content-Security-Policy missing: Content Security Policy requires careful tuning and precise definition of the policy. If enabled, CSP has a significant impact on the way the browser renders pages (e.g., inline JavaScript is disabled by default and must be explicitly allowed in the policy). CSP prevents a wide range of attacks, including Cross-site scripting and other cross-site injections (https://www.owasp.org/index.php/Content_Security_Policy). Content-Security-Policy is recognized in Chrome 25+ and Firefox 23+.
Additionally 4 warnings here:
https://asafaweb.com/Scan?Url=https%3A%2F%2Fwww.microsoft.com
The excessive header info proliferation is one of the protection schemes everybody should know about: you do not want any script kiddie to know your full server version number info.
What I find here, my dear forum friends, is beyond belief really. What security does MS uphold? I trust no one unless I test,
and this is just one big EPIC FAIL. And what about all those poor coders that have to write code to bring their recent page to IE 6, 7?
polonus
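As an added example (not code from the post, the scanner it links, or Microsoft), the script below audits a raw HTTP response string offline against the same findings the post lists: X-Frame-Options, Strict-Transport-Security, X-Content-Type-Options, Content-Type, X-XSS-Protection, Secure/HttpOnly on Set-Cookie, the three caching headers, Content-Security-Policy and version disclosure in Server-style banners. Both sample responses are constructed for the example and are not captures from www.microsoft.com or any other site. One caveat on the X-XSS-Protection check: it encodes the post's recommendation of '1; mode=block', but current Chrome, Edge and Firefox no longer implement the XSS filter that header controlled, so treat that finding as informational.

```python
"""Audit security-relevant HTTP response headers (added example, not from the post).
Sample responses below are constructed; they are not real captures."""
import re
from typing import List, Tuple

# Constructed response resembling the kind of scan result the post complains about.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: ExampleServer/2.4.1\r\n"          # hypothetical banner that leaks a version
    "X-Powered-By: ExampleFramework/4.0\r\n"   # hypothetical framework banner
    "Content-Type: text/html\r\n"
    "Set-Cookie: SESSION=abc123; path=/\r\n"   # no Secure, no HttpOnly
    "Cache-Control: private\r\n"
    "\r\n"
    "<html></html>"
)

# Constructed response carrying the headers the post asks for.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: ExampleServer\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Frame-Options: DENY\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Cache-Control: no-store, no-cache, must-revalidate\r\n"
    "Pragma: no-cache\r\n"
    "Expires: 0\r\n"
    "Set-Cookie: SESSION=abc123; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    "<html></html>"
)


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split the head of a raw HTTP response into lower-cased (name, value) pairs.
    Repeated headers such as Set-Cookie are kept as separate entries."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit(raw: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    headers = parse_headers(raw)

    def values(name: str) -> List[str]:
        return [v for k, v in headers if k == name]

    findings = []

    xfo = values("x-frame-options")
    if not xfo:
        findings.append("X-Frame-Options missing")
    elif xfo[0].split()[0].lower() not in ("deny", "sameorigin"):
        # ALLOW-FROM is not honoured by Chrome or Safari, so it protects nothing there
        findings.append("X-Frame-Options not DENY/SAMEORIGIN")

    hsts = values("strict-transport-security")
    if not hsts:
        findings.append("Strict-Transport-Security missing")
    elif not re.search(r"max-age=\d+", hsts[0], re.I):
        findings.append("Strict-Transport-Security without max-age")

    if [v.lower() for v in values("x-content-type-options")] != ["nosniff"]:
        findings.append("X-Content-Type-Options nosniff missing")

    if not values("content-type"):
        findings.append("Content-Type missing")

    if values("x-xss-protection") != ["1; mode=block"]:
        findings.append("X-XSS-Protection '1; mode=block' missing")

    for cookie in values("set-cookie"):
        cookie_name = cookie.split("=", 1)[0]
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                findings.append(f"Set-Cookie {cookie_name} lacks {flag}")

    cc = values("cache-control")
    if not cc or "no-store" not in cc[0].lower():
        findings.append("Cache-Control no-store missing")
    for name in ("pragma", "expires"):
        if not values(name):
            findings.append(f"{name.title()} missing")

    if not values("content-security-policy"):
        findings.append("Content-Security-Policy missing")

    # Any digit in a banner header is treated as a version disclosure.
    for name in ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version"):
        for v in values(name):
            if re.search(r"\d", v):
                findings.append(f"{name.title()} discloses version: {v}")

    return findings


if __name__ == "__main__":
    for finding in audit(WEAK_RESPONSE):
        print(finding)
```

To run it against a live site, paste the raw response head (for example from `curl -sI https://example.test`, converting line endings to CRLF) into `audit()`; the cookie check is per cookie, so a response with several Set-Cookie lines yields one finding per missing flag.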