
Insecure or unset HTTP headers - X-XSS-Protection

Need

Implementation of secure and properly configured HTTP headers

Context

  • Usage of Go 1.13 for building scalable and efficient applications
  • Usage of gin-gonic/gin for building web applications and APIs in Go

Description

Non compliant code

package main

import (
	"github.com/gin-gonic/gin"
)

func main() {
	r := gin.Default()

	r.GET("/", func(c *gin.Context) {
		// Legacy header: enables the browser's reflected-XSS filter in blocking mode.
		// It is set only in this handler, so no other route receives it.
		c.Writer.Header().Set("X-XSS-Protection", "1; mode=block")
		c.JSON(200, gin.H{
			"message": "Hello, World!",
		})
	})

	r.Run()
}

In this code snippet, the application sets the HTTP response header X-XSS-Protection to 1; mode=block. This header controlled the reflected cross-site scripting (XSS) filters that were built into Internet Explorer, Chrome and Safari; with mode=block the browser stopped rendering a page when its filter believed it had detected a reflected XSS payload.

However, the X-XSS-Protection header is deprecated: Chrome removed its XSS Auditor in version 78, Firefox never implemented a filter, and the header is ignored by current browsers. Where the filters still exist, they are a liability rather than a protection. In filtering mode the browser selectively neutralises scripts it considers suspicious, which attackers have abused to disable legitimate scripts (for example frame-busting code); in blocking mode the filter's decision is observable from another origin and serves as an oracle for inferring page content (a cross-site leak). Relying on the header therefore does not fix an XSS flaw and can give an attacker additional capabilities on the client side.

A second problem is that the header is set inside a single route handler rather than in middleware, so every other route is served without it. Security headers set per handler are inconsistent by construction: whoever adds the next route will not get them. They belong in a middleware registered with r.Use so that every response carries the same policy.

To solve this problem, it is recommended to use the HTTP Content-Security-Policy (CSP) header with a strict policy instead, typically a nonce- or hash-based script-src with object-src 'none' and base-uri 'none'. A strict CSP gives the browser a precise description of which scripts may execute, which is a much stronger defence against XSS than a heuristic filter, and it also mitigates other injection attacks. The application should set this and all other security headers in middleware so they apply to all routes.

Steps

  • Remove the usage of the X-XSS-Protection header.
  • Implement proper input validation and context-aware output encoding to prevent XSS attacks.
  • Use a strict Content Security Policy (CSP), set in middleware for every route, to further reduce the impact of any remaining XSS flaw.

Compliant code

package main

import (
	"github.com/gin-gonic/gin"
)

func main() {
	r := gin.Default()

	r.GET("/", func(c *gin.Context) {
		// No X-XSS-Protection header. c.JSON serves the body as
		// application/json, so the browser never renders it as HTML.
		c.JSON(200, gin.H{
			"message": "Hello, World!",
		})
	})

	r.Run()
}

The updated code removes the X-XSS-Protection header from the HTTP response. The header is deprecated, current browsers ignore it, and the legacy filters it controlled introduced client-side weaknesses of their own. If an external scanner or policy still insists on the header being present, the only value that does no harm is 0, which explicitly disables the legacy filters.

The application no longer depends on a browser-side heuristic filter. Protection against XSS has to come from the application itself: in this example the handler responds with c.JSON, so the output is served as application/json and is not interpreted as HTML by the browser. Any handler that does render HTML must encode output for the context in which it is inserted; Go's html/template does this contextual escaping automatically, whereas text/template and string concatenation do not.

In addition to removing the X-XSS-Protection header, it is recommended to implement proper input validation and output encoding to prevent XSS attacks. Input validation rejects data that does not match what the application expects (type, length, character set); output encoding ensures that whatever is rendered into HTML, attributes, JavaScript or URLs is treated as data rather than markup. Encoding is the control that actually prevents XSS; validation reduces the attack surface but cannot replace it.

Furthermore, use a Content Security Policy (CSP) to further enhance security against XSS attacks. CSP is a declarative policy, delivered in the Content-Security-Policy response header, that tells the browser which sources the application expects to load scripts and other resources from. With a nonce- or hash-based script-src, injected inline scripts are refused even if an encoding bug lets them into the page. Like every security header, it should be set in middleware so that all routes receive it.
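The following example, added here and not taken from the page's own code or from the gin project, puts the three steps above together: no X-XSS-Protection header, output encoding with html/template, and a per-request nonce-based CSP applied by middleware to every route. It is written against the standard library's net/http so it runs without third-party modules; the same pattern maps onto gin by registering the middleware with r.Use and reading c.Writer.Header(). The route paths, the nonce size, the context key and the sample query string are illustrative choices, not part of the original page.

```go
package main

import (
	"context"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"html/template"
	"log"
	"net/http"
)

// nonceKey is the (hypothetical) context key under which the per-request CSP nonce is stored.
type nonceKey struct{}

// newNonce returns 128 bits of randomness as URL-safe base64 (no '+', '/' or '='),
// which is a valid CSP nonce and round-trips unchanged through html/template escaping.
func newNonce() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not something to recover from per request
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// securityHeaders wraps a handler so that every response carries the same policy.
// X-XSS-Protection is deliberately not emitted: the strict CSP is the replacement.
func securityHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		nonce := newNonce()
		h := w.Header()
		h.Set("Content-Security-Policy",
			"default-src 'self'; script-src 'nonce-"+nonce+"'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'")
		h.Set("X-Content-Type-Options", "nosniff")
		h.Set("Referrer-Policy", "no-referrer")
		// Hand the nonce to the handler so the template can attach it to legitimate scripts.
		ctx := context.WithValue(r.Context(), nonceKey{}, nonce)
		next.ServeHTTP(w, r.WithContext(ctx))
	})
}

// page is an html/template: .Name is contextually escaped, so "<script>" from the
// query string is rendered as literal text instead of executing.
var page = template.Must(template.New("page").Parse(`<!doctype html>
<html><body>
<p>Hello, {{.Name}}!</p>
<script nonce="{{.Nonce}}">console.log("allowed by CSP nonce");</script>
</body></html>`))

// hello renders HTML from user input; encoding is done by html/template, not by hand.
func hello(w http.ResponseWriter, r *http.Request) {
	nonce, _ := r.Context().Value(nonceKey{}).(string)
	name := r.URL.Query().Get("name")
	if name == "" {
		name = "World"
	}
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	if err := page.Execute(w, map[string]string{"Name": name, "Nonce": nonce}); err != nil {
		log.Printf("render: %v", err)
	}
}

// newHandler builds the router and wraps the whole mux, so no route can miss the headers.
func newHandler() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/", hello)
	mux.HandleFunc("/api/hello", func(w http.ResponseWriter, r *http.Request) {
		// JSON responses are not rendered as HTML; nosniff above keeps it that way.
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"message":"Hello, World!"}`)
	})
	return securityHeaders(mux)
}

func main() {
	log.Fatal(http.ListenAndServe(":8080", newHandler()))
}
```

Requesting /?name=%3Cscript%3Ealert(1)%3C/script%3E returns the payload as &lt;script&gt;alert(1)&lt;/script&gt; in the body, and even a response that did contain an injected inline script would be refused by the browser because it carries no matching nonce. Because the middleware wraps the mux rather than individual handlers, the JSON route gets the identical header set without anyone remembering to add it.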
