Every time you visit a specific webpage you are requesting that page from a server. For instance, if you want to check Google out, you make a GET request to https://google.com and the server sends a response back. This is the very basics of communication for websites. The response can include various things: the type of content (is it HTML or just plain text?), and whether my requested URL is even a page that exists. It is possible I've hit a missing page (the famous 404) or the page has been moved (301, 302). These are all valid and needed responses for the client.
If you open the console in your browser, you can easily check these responses:
As you can see I did a GET request to Google.com, but Google is pretty smart and saw I was Dutch. Therefore I got a redirect to google.NL.
The security part
What the server "tells" is determined by the application(s), but also by various services like Apache, PHP etc. Here comes the great question: what do you want to tell your clients?
The main concern here is that you tell exactly what type of software and services you are running. We want to prevent that, which is a bit of security through obscurity: if an attacker has absolutely no idea what you are using, it either limits his chances or at least makes him waste his time. Hiding this information is a complement to keeping the software patched, not a replacement for it.
Most websites that are hacked are hacked by random bots and/or tools. FYI, there are roughly 1 billion websites and trust me when I say that only a small portion of those websites are specifically targeted. So to limit your chances of getting "hit" by a known exploit for software X version Y, you should not disclose your details.
Disclosing server information
First on the list is the "Server" header, set by Apache. This can include the actual Apache version you are using, for instance Server: Apache/2.4.9 (Unix)
You can easily turn this off by setting the following:
The X-Powered-By header tells exactly what the website is "powered by", for instance the PHP or ASPX version that you are using. For PHP you can remove it by changing the following in your php.ini:
expose_php = off
The X-Frame-Options header is fairly new, but really great. It is used to prevent so-called "clickjacking": inserting your website into a frame on another website. With this header you can block framing entirely, or "whitelist" websites, with the following settings:
X-Frame-Options: ALLOW-FROM https://example.com/
The DENY option is simple: it does not allow framing at all. SAMEORIGIN means you can still frame your own website on the same domain. ALLOW-FROM is a whitelist of domains that are allowed to "use" your website.
The second header is X-XSS-Protection. If you set this value to 1, it forces the client's browser to enable its built-in XSS filter. Various browsers including IE11, Chrome and Safari (WebKit) have support for this header, and sometimes the filter is on by default. When it is enabled and an XSS attack is detected, the page gets sanitized and the client receives a warning.
Checking a website
I have a little project that can check various settings. My plan is to extend it in the future, but for now you can use it to get a rating for a website. Check it out at cloudinfo.nl
In another blog post I will go into detail on how I created that website! 🙂
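As an added example (not the code behind cloudinfo.nl, and not from the original post), here is a small Python checker that rates a set of response headers against the points above: a Server header with a version in it, an X-Powered-By header, a missing or malformed X-Frame-Options, and a missing or disabled X-XSS-Protection. The header dicts, the severity weights and the scoring formula are all constructed for the example; to check a live site you would pass in the headers mapping returned by your HTTP client instead of the constructed dict.

```python
"""Rate HTTP response headers for information disclosure and for the
protective headers discussed in the post.  Added example with constructed
input, so it runs offline; not the code behind cloudinfo.nl."""
import re

# Constructed sample: what a chatty server might send (not a real host).
CHATTY_RESPONSE = {
    "Server": "Apache/2.4.9 (Unix) PHP/5.4.0",
    "X-Powered-By": "PHP/5.4.0",
    "Content-Type": "text/html; charset=UTF-8",
}

# Constructed sample after the settings from the post have been applied.
HARDENED_RESPONSE = {
    "Server": "Apache",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
    "Content-Type": "text/html; charset=UTF-8",
}

# A version number in a banner looks like "product/1.2.3".
VERSION_RE = re.compile(r"/\d+(\.\d+)*")

# X-Frame-Options values every browser understands.  ALLOW-FROM is accepted
# below too, but note that only IE and (older) Firefox ever honoured it.
VALID_XFO = {"DENY", "SAMEORIGIN"}

# Constructed weights: how many points each finding costs out of 100.
WEIGHTS = {"high": 30, "medium": 20, "low": 10}


def check_headers(headers):
    """Return a list of (severity, message) findings for a response.

    Header names are compared case-insensitively, as HTTP requires."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    server = h.get("server")
    if server and VERSION_RE.search(server):
        findings.append(("high", f"Server header discloses a version: {server}"))

    powered = h.get("x-powered-by")
    if powered:
        findings.append(("high", f"X-Powered-By discloses the stack: {powered}"))

    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append(("medium", "X-Frame-Options missing: page can be framed (clickjacking)"))
    else:
        value = xfo.strip().upper()
        if value not in VALID_XFO and not value.startswith("ALLOW-FROM "):
            findings.append(("medium", f"X-Frame-Options has an unrecognised value: {xfo}"))

    xss = h.get("x-xss-protection")
    if xss is None:
        findings.append(("low", "X-XSS-Protection missing: browser filter left at its default"))
    elif not xss.strip().startswith("1"):
        findings.append(("low", f"X-XSS-Protection disables the filter: {xss}"))

    return findings


def score(findings):
    """Constructed rating: start at 100 and subtract the weight of each finding."""
    return max(0, 100 - sum(WEIGHTS[severity] for severity, _ in findings))


if __name__ == "__main__":
    for name, response in (("chatty", CHATTY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        found = check_headers(response)
        print(f"{name}: score {score(found)}/100")
        for severity, message in found:
            print(f"  [{severity}] {message}")
```

Running it prints the chatty response with four findings and a low score, and the hardened response with none. The checker only looks at the headers this post covers; a real rating tool would add the other protective headers as well.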