Prof Bill Buchanan B.Buchanan@napier.ac.uk
Professor
Analysis of the adoption of security headers in HTTP
Buchanan, William J.; Helme, Scott; Woodward, Alan
Authors
Scott Helme
Alan Woodward
Abstract
With the increase in the number of threats within Web-based systems, a more integrated approach is required to ensure the enforcement of security policies from the server to the client. These policies aim to stop man-in-the-middle attacks, code injection, and so on. This paper analyses some of the newest security options used within HTTP responses, and scans the Alexa Top 1 Million sites for their implementation within HTTP responses. These options scanned for include: Content Security Policy (CSP); Public Key Pinning Extension for HTTP (HPKP); HTTP Strict Transport Security (HSTS) and HTTP Header Field X-Frame-Options (XFO), in order to understand the impact that these options have on the most popular Web sites.
The results show that, while the implementation of the parameters are increasing, they are still not implemented on many of the top sites. Along with this the paper shows the profile of adoption of Let’s Encrypt digital certificates across the one million sites, along with a way of assessing the quality of the security headers.
| Journal Article Type | Article |
|---|---|
| Acceptance Date | Oct 3, 2017 |
| Online Publication Date | Oct 5, 2017 |
| Publication Date | 2018-03 |
| Deposit Date | Oct 12, 2017 |
| Publicly Available Date | Nov 1, 2017 |
| Journal | IET Information Security |
| Print ISSN | 1751-8709 |
| Electronic ISSN | 1751-8717 |
| Publisher | Institution of Engineering and Technology (IET) |
| Peer Reviewed | Peer Reviewed |
| Volume | 12 |
| Issue | 2 |
| Pages | 118-126 |
| DOI | https://doi.org/10.1049/iet-ifs.2016.0621 |
| Keywords | Computer Networks and Communications; Software; Information Systems |
| Public URL | http://researchrepository.napier.ac.uk/Output/996814 |
| Contract Date | Nov 1, 2017 |
Files
Analysis of the adoption of security headers in HTTP
(4.5 Mb)
PDF
Copyright Statement
This paper is a postprint of a paper submitted to and accepted for publication in IET Information Security and is subject to Institution of Engineering and Technology Copyright. The copy of record is available at the IET Digital Library.
You might also like
Password Pattern and Vulnerability Analysis for Web and Mobile Applications
(2016)
Journal Article
Approaches to the classification of high entropy file fragments.
(2013)
Journal Article
Plugging the Gaps
(2012)
Journal Article
Downloadable Citations
About Edinburgh Napier Research Repository
Administrator e-mail: repository@napier.ac.uk
This application uses the following open-source libraries:
SheetJS Community Edition
Apache License Version 2.0 (http://www.apache.org/licenses/)
PDF.js
Apache License Version 2.0 (http://www.apache.org/licenses/)
Font Awesome
SIL OFL 1.1 (http://scripts.sil.org/OFL)
MIT License (http://opensource.org/licenses/mit-license.html)
CC BY 3.0 ( http://creativecommons.org/licenses/by/3.0/)
Powered by Worktribe © 2024
Advanced Search