ironmansoftware / issues

Public Issue tracker for Ironman Software products.
https://ironmansoftware.com

Insufficient Browser Controls #3418

Closed djgrijalva closed 1 week ago

djgrijalva commented 2 weeks ago

Version

4.2.21

Severity

Low

Environment

msi

Steps to Reproduce

Proper implementation of HTTP security headers is a fundamental part of website security/hardening. The security headers add an extra layer of protection on modern browsers. Properly implemented, security headers offer protection against common attacks, including XSS, redirection, and many others. The PSU application did not have any of the browser security headers implemented. Content Security policy (CSP) and X-Content type options missing in the HTTP response headers.


Expected behavior

The attacks due to insufficient security controls may require the exploitation of multiple vulnerabilities before having a higher impact. If successful, these attacks can lead to financial and resource loss due to time taken for investigation, mitigation, and restoring the application.

Actual behavior

Recommendation

It is recommended to add in the below stated HTTP response headers to provide defense in depth:
• Content Security Policy - The Content Security Policy (CSP frame-ancestors) HTTP header can be set to Content-Security-Policy: frame-ancestors 'self' *.oursite.com https://mytrustedsite.com; - This allows the current site and any whitelisted sites.
• X-Content-Type-Options - The response header, X-Content-Type-Options, can be set to "no-sniff" to prevent browsers from doing MIME sniffing.

Additional Environment data

No response

Screenshots/Animations

No response

adamdriscoll commented 1 week ago

The Content-Security-Policy header can be configured via settings.ps1. Set-PSUSetting has a parameter called -ContentSecurityPolicy to adjust this value.

We've also added Kestrel \ Headers to appsettings.json to add arbitrary headers (like X-Content-Type-Options) to the web server.
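A way to verify the fix once the policy has been set through Set-PSUSetting -ContentSecurityPolicy and the extra header added under Kestrel \ Headers, as an added example that is not part of the issue and not code from Ironman Software: the function below audits a response header collection for the two headers the report asks for. The function name Test-SecurityHeaders, the two constructed sample hashtables and the placeholder URL are assumptions made here; the header names and the frame-ancestors value are taken from the report.

```powershell
# Added example, not code from the issue or from Ironman Software: audit a response
# for the two headers the report asks for. Function name, sample hashtables and the
# placeholder URL are assumptions; header names and policy come from the report.

function Test-SecurityHeaders {
    param(
        [Parameter(Mandatory)]
        [System.Collections.IDictionary]$Headers   # e.g. (Invoke-WebRequest ...).Headers
    )

    # Case-insensitive copy: header names are case-insensitive on the wire, and
    # Invoke-WebRequest may return string[] values, so flatten each to one string.
    $h = New-Object System.Collections.Hashtable ([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($k in $Headers.Keys) { $h[$k] = "$($Headers[$k])" }

    $findings = [System.Collections.Generic.List[string]]::new()

    # Content-Security-Policy: must exist and carry a frame-ancestors directive that
    # does not fall back to a bare '*' (which would let any origin frame the site).
    $csp = $h['Content-Security-Policy']
    if (-not $csp) {
        $findings.Add('Content-Security-Policy header missing')
    } else {
        $directives = $csp -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
        $frameAncestors = @($directives | Where-Object { $_ -match '^frame-ancestors(\s|$)' })
        if ($frameAncestors.Count -eq 0) {
            $findings.Add('Content-Security-Policy present but has no frame-ancestors directive')
        } elseif ($frameAncestors[0] -match '(\s|^)\*(\s|$)') {
            $findings.Add('frame-ancestors allows any origin (*)')
        }
    }

    # X-Content-Type-Options: the only value browsers honour is the literal 'nosniff'.
    $xcto = $h['X-Content-Type-Options']
    if (-not $xcto) {
        $findings.Add('X-Content-Type-Options header missing')
    } elseif ($xcto.Trim() -ne 'nosniff') {
        $findings.Add("X-Content-Type-Options is '$xcto', expected 'nosniff'")
    }

    [pscustomobject]@{
        Pass     = ($findings.Count -eq 0)
        Findings = $findings.ToArray()
    }
}

# Constructed sample responses (assumptions, not captured from a PSU instance):
# the first mirrors the state the report describes, the second the recommended one.
$before = @{ 'Content-Type' = 'text/html'; 'Server' = 'Kestrel' }
$after  = @{
    'Content-Type'            = 'text/html'
    'Content-Security-Policy' = "frame-ancestors 'self' *.oursite.com https://mytrustedsite.com;"
    'X-Content-Type-Options'  = 'nosniff'
}
Test-SecurityHeaders -Headers $before | Format-List
Test-SecurityHeaders -Headers $after  | Format-List

# Live check against a running instance (URL is a placeholder):
# $resp = Invoke-WebRequest -Uri 'https://psu.example.internal' -UseBasicParsing
# Test-SecurityHeaders -Headers $resp.Headers | Format-List
```

Two points worth keeping in mind when reading the results. The token browsers recognise for X-Content-Type-Options is nosniff (no hyphen); any other spelling is ignored, which is why the audit compares against that literal. And a policy that contains only frame-ancestors, as in the report's example, addresses framing of the site (clickjacking) and nothing else; the XSS coverage the report mentions would need further directives such as script-src in the value passed to -ContentSecurityPolicy.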