  1. #1
     SitePoint Enthusiast (Join Date: Jul 2007; Posts: 44)

     Security features of HTTP Headers in the top websites

    I recently crawled the top million websites (Alexa) and pulled data relating to the usage of HTTP headers, such as HttpOnly cookies, X-XSS-Protection, X-Frame-Options and X-Content-Security-Policy.

    See the results here: http://hackertarget.com/http-header-security-analysis/

    Who implements these policies on the web servers they run?

    According to the stats < 1% of sites in the top 1 million are setting these headers for most of the options.

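The post above describes checking whether sites send the HttpOnly cookie attribute, X-XSS-Protection, X-Frame-Options and X-Content-Security-Policy. The following is an added example, not code from the thread or from hackertarget.com, that parses a raw HTTP response header block, reports which of those protections it sets, and aggregates the results over several responses the way a crawl would. The three responses are constructed for illustration; the function names are my own. It also checks the standardised Content-Security-Policy name alongside the legacy X- prefixed one the post mentions.

```python
"""Audit HTTP response headers for the protections discussed in the thread
and summarise their prevalence over a set of responses.

Added example (not from the thread or hackertarget.com); all sample
responses below are constructed."""

from collections import Counter

# Constructed sample responses: one hardened, one bare, one partial.
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: sid=abc123; Path=/; HttpOnly; Secure\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Security-Policy: default-src 'self'\r\n"
    "\r\n<html>"
)
BARE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: sid=def456; Path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n<html>"
)
PARTIAL = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: a=1; HttpOnly\r\n"
    "Set-Cookie: b=2; Path=/\r\n"          # second cookie is NOT HttpOnly
    "x-frame-options: DENY\r\n"            # header names are case-insensitive
    "\r\n"
)

CHECKS = ("httponly_cookies", "x_xss_protection", "x_frame_options",
          "content_security_policy")


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Split a raw response into (name, value) pairs.

    Names are lower-cased; repeated headers such as Set-Cookie are kept as
    separate entries rather than merged, and the blank line ends parsing so
    the body is never mistaken for headers."""
    lines = raw.replace("\r\n", "\n").split("\n")
    headers = []
    for line in lines[1:]:               # lines[0] is the status line
        if not line.strip():
            break
        if ":" not in line:
            continue                     # tolerate junk lines
        name, _, value = line.partition(":")   # split on the FIRST colon only
        headers.append((name.strip().lower(), value.strip()))
    return headers


def _cookie_has_attr(cookie: str, attr: str) -> bool:
    """Cookie attributes are ';'-separated and case-insensitive; the first
    segment is name=value and is skipped."""
    return any(p.strip().lower() == attr for p in cookie.split(";")[1:])


def audit(raw: str) -> dict[str, bool]:
    """Return which of the four protections a single response sets.

    httponly_cookies is only True when EVERY Set-Cookie carries HttpOnly;
    one unprotected cookie is still readable from script."""
    headers = parse_headers(raw)
    names = {n for n, _ in headers}
    cookies = [v for n, v in headers if n == "set-cookie"]
    return {
        "httponly_cookies": bool(cookies)
            and all(_cookie_has_attr(c, "httponly") for c in cookies),
        "x_xss_protection": "x-xss-protection" in names,
        "x_frame_options": "x-frame-options" in names,
        "content_security_policy": "x-content-security-policy" in names
            or "content-security-policy" in names,
    }


def survey(responses: list[str]) -> dict[str, float]:
    """Percentage of responses that set each protection."""
    counts = Counter()
    for raw in responses:
        for check, present in audit(raw).items():
            counts[check] += int(present)
    return {check: 100.0 * counts[check] / len(responses) for check in CHECKS}


if __name__ == "__main__":
    for check, pct in survey([HARDENED, BARE, PARTIAL]).items():
        print(f"{check:25s} {pct:5.1f}%")
```

The audit only reports presence: a header that is present with a weak value (for example an X-Frame-Options value a browser does not recognise) still counts as set, so a real survey would also validate values.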
  2. #2
     dklynn, Certified Ethical Hacker (Join Date: Feb 2002; Location: Auckland; Posts: 14,644)

     tw,

    I looked through that script and saw nothing earth-shaking. In fact, many are proprietary to one browser or another and, IMHO, irrelevant (as features of the header to be concerned about). In saying that, it's just too easy to spoof the headers so they cannot be relied upon anyway.

    You asked "Who implements these..." so my response is a professional coder. I say professional as one without the knowledge to write good code cannot be considered professional. There are many aspects to this, too many to go into here, but the "home brew" e-commerce sites are things to stay away from!

    Regards,

    DK
    David K. Lynn - Data Koncepts is a long-time WebHostingBuzz (US/UK) Client and (unpaid) WHB Ambassador
    mod_rewrite Tutorial Article (setup, config, test & write mod_rewrite regex w/sample code) and Code Generator

  3. #3
     wwb_99, SitePoint Author (Join Date: May 2003; Location: Washington, DC; Posts: 10,623)

     Why are hackers going to honor headers I send?

  4. #4
     dklynn, Certified Ethical Hacker (Join Date: Feb 2002; Location: Auckland; Posts: 14,644)

     Originally Posted by wwb_99:
         Why are hackers going to honor headers I send?

     Originally Posted by dklynn:
         I looked through that script and saw nothing earth-shaking. In fact, many are proprietary to one browser or another and, IMHO, irrelevant (as features of the header to be concerned about). In saying that, it's just too easy to spoof the headers so they cannot be relied upon anyway.

     I thought I said that already. Okay, okay, certainly not as succinctly as you did!

    Regards,

    DK