On the Chromium blog today, Google announced a couple of new features to do with improving the safety of web browsing. I’ve implemented them both for this website in Apache. The first one is named, “Strict-Transport-Security,” and is currently supported by both Google Chrome and NoScript, with a native Firefox version under development. It allows you to specify in your HTTPS response headers that the user agent should perform more strict SSL checks on future requests, with a server configurable timeout. The idea of this is that it will help to prevent MITM attacks where the user just clicks through the SSL warnings whilst ignoring them. https://www.paypal.com/ already supports this feature. I’ve currently implemented it with a 30 minute timeout, which I’ll increase once I’ve had it running for a while. I used mod_headers for Apache. Adding the following simple configuration to the .htaccess file in the sites document root was all that was required:
Header set Strict-Transport-Security “max-age=1800”
The second security feature described on the blog exists to defend against ClickJacking. The idea behind this is that you should be able to specify that certain web pages (all?) on your site are not allowed to be opened inside an iFrame. Like Strict-Transport-Security, this is done by sending a HTTP response header. This is already supported by Google Chrome, Safari 4 and IE8. It also seems to work under Firefox here, but I’m not sure if that is provided by NoScript. Because I don’t use iFrames at all, I implemented it site wide on this website. I used mod_headers again, and updated my .htaccess to contain the following:
Header set X-Frame-Options “deny”
The “Origin” header is also mentioned as a means to prevent CSRF attacks, but I wont implement that until the format is finalised.