Question 1

How to add missing HTTP Security Headers

Accepted Answer

Most modern browsers ships with a built in XSS filter. However this setting could be turned off by default. Including the X-XSS-Protection header forces this filter to be enabled, thus providing additional protection against Cross Site Scripting attacks.

Missing Strict Transport Security header means that the application fails to prevent users from connecting to it over unencrypted connections. An attacker able to modify a legitimate user’s network traffic could bypass the application’s use of SSL/TLS encryption, and use the application as a platform for attacks against its users. This attack is performed by rewriting HTTPS links as HTTP, so that if a targeted user follows a link to the site from an HTTP page, their browser never attempts to use an encrypted connection. The sslstrip tool automates this process.

Missing Content-Type header means that this website could be at risk of a MIME-sniffing attacks.

Steps to Fix

Q: How to fix misconfigured X-Frame-Options

<h1 id="whatisxframeoptions">What is X-Frame-Options</h1> <p><code>x-frame-options</code> (XFO), is a HTTP response header, also referred to as a HTTP security header, which has been around since 2008. In 2013 it was officially published as <a href="https://tools.ietf.org/html/rfc7034">RFC 7034</a>, but is not an internet standard. This header tells your browser how to behave when handling your site’s content. The main reason for its inception was to <strong>provide clickjacking protection</strong> by not allowing rendering of a page in a frame. This can include rendering of a page in a <code>&lt;frame&gt;</code>, <code>&lt;iframe&gt;</code>, or <code>&lt;object&gt;</code>. Iframes are used to embed and isolate third-party content into a website. Examples of things that use iframes might include social media sharing buttons, Google Maps, video players, audio players, 3rd party advertising, and even some OAuth implementations.</p> <p>The <code>x-frame-options</code> header has three different directives in which you can choose from. These must be sent as an HTTP header, as the browser will ignore if found in a META tag. It is also important to note that certain directives are only supported in certain browsers. See browser support further below in this post. While it is not required to send this response header across your entire site, it is best practice to at least enable it on pages that need it.</p> <h3 id="1denydirective">1. DENY Directive</h3> <p>The DENY directive completely disables the loading of the page in a frame, regardless of what site is trying. Below is what the header request will look like if this is enabled.</p> <p>``` x-f</p>

X-XSS-Protection

For Apache, it is recommended to use the protection provided by XSS filters without the associated risks by using the following code to .htaccess file:

# X-XSS-Protection
<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
</IfModule>

For Nginx, add the following code to the nginx configuration: add_header X-XSS-Protection "1; mode=block";

Strict Transport Security

The application should instruct web browsers to only access the application using HTTPS.

To do this, enable **HTTP Strict Transport Secu

Question 2

Content Security Policy - All you need to know

Accepted Answer

What is Content Security Policy?

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to the distribution of malware.

Unsafe Inline or Unsafe Eval

Inline JavaScript and CSS are often used on websites but they are also dangerous. They’re the easiest way for a hacker to create an XSS attack. Therefore, to allow them you must add 'unsafe-inline' to the directive you want to allow them for. This is to make sure you understand, what you’re doing isn’t recommended.

A common CSS pattern is to inline your most important CSS that renders your ‘above fold content’ with <style> tags. This can help decrease the perceived rendering time. With HTTP/2, it can be argued against doing this as it tends to be slower. If you do choose to use inline scripts, you have three options.

Get a SHA-256 hash of the script & a

Question 3

Why am I not receiving the OTP for Astra Login?

Accepted Answer

Troubleshooting: Not Receiving Two-Factor Authentication Codes in Email

If you are an Astra customer and are not receiving the two-factor authentication (2FA) OTP code in your email, follow these steps to resolve the issue.

Check Your Inbox Search your email inbox for messages from no-reply@getastra.email. Sometimes, these emails can end up in the inbox but might be missed.
Check Spam Folder Emails containing authentication codes may sometimes be marked as spam by your email provider. Check your spam or junk folder to see if the email ended up there.
Check Organization Policies If you're using a work or school email address, check with your organization's IT or admin team. They might have policies in place that could be blocking these types of emails.
Wait for 20 Minutes Sometimes, there can be delays in email delivery. Wait for at least 20 minutes to see if the email containing the authentication code arrives.
Contact Support If you've tried the above steps and still haven't received the 2FA code within 20 minutes, you can contact us by emailing help@getastra.com

Question 4

How to fix Referrer-Policy HTTP header

Accepted Answer

The Referrer-Policy HTTP header governs which referrer information, sent in the Referer header should be included with requests made.

Syntax

Note that Referer is actually a misspelling of the word “referrer”. The Referrer-Policyheader does not share this misspelling.

Referrer-Policy: no-referrer
Referrer-Policy: no-referrer-when-downgrade
Referrer-Policy: origin
Referrer-Policy: origin-when-cross-origin
Referrer-Policy: same-origin
Referrer-Policy: strict-origin
Referrer-Policy: strict-origin-when-cross-origin
Referrer-Policy: unsafe-url

Directives

no-referrer

The [Referer](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer "The Referer request header contains the address of the previous web page

Question 5

How to fix misconfigured X-Frame-Options

Accepted Answer

What is X-Frame-Options

x-frame-options (XFO), is a HTTP response header, also referred to as a HTTP security header, which has been around since 2008. In 2013 it was officially published as RFC 7034, but is not an internet standard. This header tells your browser how to behave when handling your site’s content. The main reason for its inception was to provide clickjacking protection by not allowing rendering of a page in a frame. This can include rendering of a page in a <frame>, <iframe>, or <object>. Iframes are used to embed and isolate third-party content into a website. Examples of things that use iframes might include social media sharing buttons, Google Maps, video players, audio players, 3rd party advertising, and even some OAuth implementations.

The x-frame-options header has three different directives in which you can choose from. These must be sent as an HTTP header, as the browser will ignore if found in a META tag. It is also important to note that certain directives are only supported in certain browsers. See browser support further below in this post. While it is not required to send this response header across your entire site, it is best practice to at least enable it on pages that need it.

1. DENY Directive

The DENY directive completely disables the loading of the page in a frame, regardless of what site is trying. Below is what the header request will look like if this is enabled.

``` x-f

Question 6

What is ZAP and why is it used?

Accepted Answer

What is ZAP and Why is it Used?

This article will try to give you a basic understanding of what is OWASP Zed Attack Proxy (ZAP) and why is it used by developers and penetration testers all over the world.

What is OWASP Zed Attack Proxy (ZAP)?

OWASP Zed Attack Proxy (ZAP) is an open-source web application security testing tool developed by the Open Web Application Security Project (OWASP). It is designed to help developers, security testers, and penetration testers identify vulnerabilities and security flaws in web applications.

Why is it used?

Imagine you are the owner of a high-security building with multiple entry points, such as doors and windows. You want to ensure that your building is well-protected against potential intruders or security vulnerabilities. To achieve this, you hire a security expert who specialises in identifying weak points and improving security measures.

OWASP ZAP serves a similar purpose in the digital world. It is a tool used to enhance the security of web applications. Just as the security expert examines your building for vulnerabilities, using OWASP ZAP anyone with the right knowledge can examine web applications for potential security flaws that could be exploited by attackers.

By using OWASP ZAP, developers and security testers can:

Scan for common security vulnerabilities, such as weak authentication mechanisms or input validation issues.
Identify security weaknesses in their web applications.
Mitigate risks by fixing the

Frequently Read Articles

Browse All Categories