Request for a new header: State-Of-The-Art
If you want to develop a website these days you need to remember many headers, attributes and other little things that you MUST implement to keep it secure. An enormous amount of human time has been wasted on adding X-Frame-Options to all apps, then on adding some cookie flags, then on some other header, then on rel=noopener, and there is just as much your app still does not have… If you’re a web developer, you know exactly what I’m talking about. It makes me cringe when I look at the Response Headers of any modern website.
The motivation behind this is that the standards people hate breaking things and maniacally love compatibility. So they add new flags and headers to fix old issues. This usually leaves the entire web vulnerable, with only around 5–10% of sites adding the patches manually.
What if we could have one header the websites could use to say “I support the version 4 of web standards” which would turn on all the flags?
Ask yourself “what should be a default for most modern apps but I have to do it manually?” and please add to the list below (which mostly includes security pitfalls).
How about a “State-Of-The-Art: 1” or “SOTA: 1” header doing the following by default:
- X-Frame-Options: deny
- X-UA-Compatible: IE=Edge,chrome=1
- Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
- X-Content-Type-Options: nosniff
- Marks all links with rel="noopener noreferrer"
- <meta content="origin-when-cross-origin" name="referrer" />
- Some Content-Security-Policy with sane defaults?
- Allows CORS from any domain with any headers without OPTIONS preflights. (Preflights are completely useless and were only created to “protect” a tiny minority of websites relying on some header like X-Requested-With, not on a CSRF token). You can even get rid of preflights now.
- Sane defaults for all cookie flags. Secure; HttpOnly; and maybe SameSite too?
- <meta charset="utf-8">
- … and other things most websites do manually
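To make the proposal concrete, here is an added example (not code from the original post) of what a server-side shim for such a header could look like: a single “SOTA: 1” response header is expanded into the header set listed above, cookies get the flags the list asks for, and anchors get rel="noopener noreferrer". The version table, the Content-Security-Policy value (the post only asks for “sane defaults”), the SameSite default of Lax and all function names are assumptions; the CORS item is deliberately left out because it depends on each app’s credential handling. An audit helper returns which of the profile headers a response is still missing, which is the check a practitioner would run against an existing site.

```python
"""Expand a hypothetical "SOTA: <version>" header into the baseline it stands for.

Added example for the post above; the SOTA header and its version table are
assumptions, not an existing standard.
"""
from __future__ import annotations

import re

# Assumed profile table: version 1 is the header list from the post. The CSP
# value is an assumed "sane default"; cookies and links are handled separately
# because they are not response headers.
SOTA_PROFILES = {
    1: {
        "X-Frame-Options": "deny",
        "X-UA-Compatible": "IE=Edge,chrome=1",
        "Strict-Transport-Security": "max-age=31536000; includeSubdomains; preload",
        "X-Content-Type-Options": "nosniff",
        "Referrer-Policy": "origin-when-cross-origin",
        "Content-Security-Policy": "default-src 'self'",  # assumed default
    },
}


def expand_sota(headers: dict[str, str]) -> dict[str, str]:
    """Return a copy of `headers` with the SOTA profile filled in.

    Headers the app sets explicitly win over the profile, so an app can opt
    out of one default without giving up the whole profile.
    """
    out = dict(headers)
    sota = headers.get("State-Of-The-Art", headers.get("SOTA"))
    if sota is None:
        return out
    profile = SOTA_PROFILES.get(int(sota.strip()))
    if profile is None:
        raise ValueError(f"unknown SOTA version {sota!r}")
    present = {k.lower() for k in out}
    for name, value in profile.items():
        if name.lower() not in present:
            out[name] = value
    return out


def harden_set_cookie(cookie: str, same_site: str = "Lax") -> str:
    """Append Secure, HttpOnly and SameSite to a Set-Cookie value when missing."""
    parts = [p.strip() for p in cookie.split(";") if p.strip()]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    if "secure" not in attrs:
        parts.append("Secure")
    if "httponly" not in attrs:
        parts.append("HttpOnly")
    if "samesite" not in attrs:
        parts.append(f"SameSite={same_site}")
    return "; ".join(parts)


_A_TAG = re.compile(r"<a\b([^>]*)>", re.IGNORECASE)


def add_noopener(html: str) -> str:
    """Give every <a> that has no rel attribute rel="noopener noreferrer"."""
    def fix(m: re.Match) -> str:
        attrs = m.group(1)
        if re.search(r"\brel\s*=", attrs, re.IGNORECASE):
            return m.group(0)  # the author already chose a rel value
        return f'<a{attrs} rel="noopener noreferrer">'
    return _A_TAG.sub(fix, html)


def audit(headers: dict[str, str], version: int = 1) -> list[str]:
    """Return the profile headers a response is missing (case-insensitive)."""
    present = {k.lower() for k in headers}
    return [n for n in SOTA_PROFILES[version] if n.lower() not in present]


if __name__ == "__main__":
    # Constructed sample response: only the SOTA header and one explicit override.
    resp = {"SOTA": "1", "X-Frame-Options": "sameorigin"}
    for name, value in expand_sota(resp).items():
        print(f"{name}: {value}")
    print(harden_set_cookie("sid=abc; Path=/"))
    print(add_noopener('<a href="/x" target="_blank">x</a>'))
    print("missing:", audit({"X-Frame-Options": "deny"}))
```

Run as a script it prints the expanded header set; imported, the same functions can be dropped into a response hook of any Python web framework. Keeping explicit headers authoritative over the profile is the design choice that makes a versioned default safe to roll out: raising the version never silently overrides a header the app set on purpose.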
This way, our only job would be to make everyone serve an up-to-date SOTA header (and there should be a website explaining what each version of SOTA sets by default), rather than chasing each app with “your X cookie needs Y flag”, “your <a> must set that attribute to stop opener hijacking” or “you need a meta tag because you’re leaking referrers all over the place”.
This would solve the back-compatibility vs. security problem for the client-side web.