We all know about black hat hackers and their cyber criminal mentality. They have proven their ability to magic their way into your life, leaving a trail of digital theft, financial loss and business damage in their wake. The security industry is built around developing answers to the latest 'zero day' threat, in a race against time in which the fix does not always reach a production environment in time.
Whilst the security industry has an impressive array of services, integrations and platforms available to digital businesses, the fact is that many businesses do not give their application's HTTP headers the attention they need to reduce the attack surface of their digital footprint. Poorly maintained HTTP headers open up a wide variety of attack vectors that are well known to the wider hacker community. The range of automated bots scanning for such vectors is staggering, as is the range of attack vectors associated with HTTP headers. Cross-site attacks, cache poisoning and password reset poisoning are just some examples of how poorly maintained HTTP headers can severely damage your business.

Ideally, your business should configure all application HTTP headers for X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security, Content-Security-Policy and Referrer-Policy. Depending on your business use case, I would add a Permissions-Policy also. If you have an external WAF, you could set your security policies there and the reverse proxy will ensure the appropriate headers reach your server; but make sure you have bypass prevention configured on your external WAF. It's always best, therefore, to generate these headers at the application stage. A free web scan should pick up your HTTP header posture as described above.

It's also worth noting that if your HTTPS is still on TLS 1.1, it should be upgraded to TLS 1.2 at the earliest opportunity, which may require some programming on your part given the FIPS-140 compliant security features of 1.2. This may seem excessive, but given the speed at which so many hacking technologies develop, planning and implementing such upgrades now is a must in my view.
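To make "generate these headers at the application stage" concrete, here is an added example (my own illustration, not code from the original post or from Maolte): a small WSGI middleware that adds the baseline headers the post lists, plus an audit function that reports missing or weak headers the way a web scan would. The header values and the one-year HSTS threshold are assumptions chosen for the example and should be tuned per application.

```python
"""Added example, not code from the original post: emit the baseline
headers at the application stage and audit a response for them."""
from typing import Callable, Dict, List

# Baseline set the post recommends; the values are conservative defaults
# chosen for this example (assumption) and should be tuned per application.
SECURITY_HEADERS: Dict[str, str] = {
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
ONE_YEAR = 31536000  # minimum HSTS max-age this example treats as adequate


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings (missing or weak headers) for a response header map.

    Header names are matched case-insensitively, as a scanner would."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    for name in SECURITY_HEADERS:
        if name.lower() not in lower:
            findings.append(f"missing {name}")
    # A present but short-lived HSTS policy is a common weak configuration.
    for directive in lower.get("strict-transport-security", "").split(";"):
        key, _, value = directive.strip().partition("=")
        if key.lower() == "max-age" and value.isdigit() and int(value) < ONE_YEAR:
            findings.append("weak Strict-Transport-Security: max-age below one year")
    xfo = lower.get("x-frame-options", "").upper()
    if xfo and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(f"weak X-Frame-Options: {xfo}")
    return findings


def security_headers_middleware(app: Callable) -> Callable:
    """WSGI middleware that adds any baseline header the application did not
    already set, so the headers originate at the application stage."""
    def wrapped(environ, start_response):
        def sr(status, response_headers, exc_info=None):
            present = {k.lower() for k, _ in response_headers}
            extra = [(k, v) for k, v in SECURITY_HEADERS.items()
                     if k.lower() not in present]
            return start_response(status, list(response_headers) + extra, exc_info)
        return app(environ, sr)
    return wrapped
```

Wrap your WSGI application with `security_headers_middleware` and run `audit_headers` over a captured response in a deployment check to confirm the posture a free web scan would report.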
No application is perfect, and no security solution is so complete that it guarantees the safety of your digital resources. That said, those who set a high bar on security for their digital resources are destined to be last in line for the attention of the skilled hacking elite who hold companies to ransom as a career choice. They will always target those who can be socially engineered into divulging their secrets and/or those who leave easy vectors open, to minimise their effort and maximise their return on investment. By not being 'that guy', you secure a better outlook for your company's future, starting with its HTTP headers.
Stay tuned for more on infrastructure in this blog, along with articles on other areas of interest in the writing and DevOps arenas. To avoid missing any updates on my availability, tips on related areas or anything of interest to all, sign up for one of my newsletters in the footer of any page on Maolte. I look forward to us becoming pen pals!