This paper investigates whether security headers are enforced to mitigate cyber-attacks against web-based systems. The security headers examined are X-Content-Type-Options, X-Frame-Options, Strict-Transport-Security, Referrer-Policy, Content-Security-Policy, and Permissions-Policy. The study employed a controlled experiment using a security header analysis tool: each web-based application (website) was analyzed to determine whether these security headers had been correctly implemented. The experiment was iterated over 100 highly ranked universities in Africa, selected by purposive sampling to capture the status quo of security header implementation. The results revealed that 70% of the African web-based applications examined have not enforced security headers. The study proposes a secure system architecture design for addressing misconfiguration and insecure design in web-based applications, and presents security techniques for hardening them through security headers using automated threat modelling. Furthermore, it recommends adopting security headers in web-based applications by means of the proposed secure system architecture design.
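As an added example (not the paper's own analysis tool), the following Python checks one HTTP response's headers against the six headers the study examines and counts how many are correctly enforced; the acceptance rules and the sample responses are my assumptions, not values from the paper.

```python
import re

# Heuristic: a CSP that allows inline scripts or eval gives little XSS protection.
WEAK_CSP = re.compile(r"'unsafe-inline'|'unsafe-eval'", re.I)
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                 "strict-origin-when-cross-origin"}
ONE_YEAR = 31536000  # seconds; common minimum max-age for HSTS


def check_security_headers(headers):
    """Return {header: (enforced, observed_value)} for the six examined headers.

    `headers` is a name->value mapping as any HTTP client returns it."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    out = {}

    v = h.get("x-content-type-options", "")
    out["X-Content-Type-Options"] = (v.lower() == "nosniff", v or "missing")

    v = h.get("x-frame-options", "")
    out["X-Frame-Options"] = (v.upper() in ("DENY", "SAMEORIGIN"), v or "missing")

    v = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", v, re.I)
    out["Strict-Transport-Security"] = (bool(m) and int(m.group(1)) >= ONE_YEAR,
                                        v or "missing")

    v = h.get("referrer-policy", "")
    out["Referrer-Policy"] = (v.lower() in SAFE_REFERRER, v or "missing")

    v = h.get("content-security-policy", "")
    # must define a default-src fallback and avoid the unsafe keywords
    out["Content-Security-Policy"] = ("default-src" in v.lower()
                                      and not WEAK_CSP.search(v), v or "missing")

    v = h.get("permissions-policy", "")
    out["Permissions-Policy"] = (bool(v), v or "missing")
    return out


def score(headers):
    """Number of examined headers correctly enforced (0..6)."""
    return sum(ok for ok, _ in check_security_headers(headers).values())


# Constructed sample responses (assumed, not measured from any site).
HARDENED = {"X-Content-Type-Options": "nosniff", "X-Frame-Options": "DENY",
            "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
            "Referrer-Policy": "strict-origin-when-cross-origin",
            "Content-Security-Policy": "default-src 'self'; object-src 'none'",
            "Permissions-Policy": "geolocation=(), camera=()"}
BARE = {"Content-Type": "text/html"}
```

Feeding `dict(requests.head(url).headers)` to `score` reproduces the per-site pass/fail tally the study iterates over its sample.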