HTTP has been gradually adding lots of new and exotic headers, and more are on the way. Learn about current best practices with Vary, Link, Content-Security-Policy, Referrer-Policy, Client-Hints, Clear-Site-Data and Alt-Svc, upcoming features such as Feature-Policy and proposals like Variants, Early-Hints and Origin-Policy. HTTP gives you incredibly powerful control over many aspects of the way a browser will process the page and is often a more effective or more secure option than trying to achieve the same effect with tags or script in the page.
11. • Alexa top 1,000,000 websites
• Around 500,000 pages analysed
• Over 50 million requests per run
• Captures full request and response data, timing metrics etc.
• Runs using WebPageTest
• Makes raw result data available in BigQuery
15. P3P
Machine readable privacy policy
https://www.w3.org/TR/P3P11/
Domains sending: 9.8%
Commonly set to: cp="this is not a p3p policy"
Standardised in: 2002
17. Platform for Privacy Preferences Project?
• Intended as a declaration of privacy policy
• Too hard for users to understand/use
• Only ever implemented by Internet Explorer, to gate access to third party cookies in IFRAMEs.
– ... but not validated
• Commonly set to “this is not a P3P policy” which satisfies the check
https://bigquery.cloud.google.com/savedquery/598614557294:9c69db8c47f84c4d9a4b57668ac8ba58
18. Expires
Sets expiry time for local caching
https://tools.ietf.org/html/rfc7234#section-5.3
Domains sending: 78%
Standardised in: 1997
26. X-Cache
Records whether the page came from cache upstream (probably)
Domains sending: 13%
Standardised in: Never
Commonly set to: HIT
27. Meaningless to the browser
x-cache, x-aspnet-version, x-varnish, x-request-id, x-cache-hits, x-cacheable, x-aspnetmvc-version, x-runtime, x-generator, x-drupal-cache, host, referer, x-served-by, x-proxy-cache, server, x-type, x-cache-group, x-cache-status, x-accel-version
All headers shown above are returned by at least 5,000 domains in the HTTP Archive dataset
https://bigquery.cloud.google.com/savedquery/598614557294:2463981d0f444b6ba6c1a8c376079b90
28. ExpressJS vs Varnish/edge cache
ExpressJS:
app.disable('x-powered-by');
Varnish/edge cache (works in Fastly and Varnish cache):
if (!req.http.Reveal-Debug && !req.http.Cookie:RevealDebug) {
  unset resp.http.Server;
  unset resp.http.X-Powered-By;
  unset resp.http.X-Cache;
  // ... etc
}
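The same idea as the VCL above, written for a Node/Express application. This is an added example, not code from the talk: it removes the informational headers listed on slide 27 unless the request opts in to debug output. The Reveal-Debug header and RevealDebug cookie names are taken from the VCL on slide 28; the function names are assumptions.

```javascript
// Added example, not from the talk: an Express-style middleware that removes the
// informational headers listed on slide 27 unless the request opts in to debug
// output, mirroring the VCL on slide 28. The Reveal-Debug header and
// RevealDebug cookie names come from that VCL; everything else is assumed.

const DEBUG_HEADERS = [
  'server', 'x-powered-by', 'x-cache', 'x-cache-hits', 'x-cacheable',
  'x-aspnet-version', 'x-aspnetmvc-version', 'x-varnish', 'x-request-id',
  'x-runtime', 'x-generator', 'x-drupal-cache', 'x-served-by', 'x-proxy-cache',
  'x-type', 'x-cache-group', 'x-cache-status', 'x-accel-version',
];

// True when the request carries the Reveal-Debug header or RevealDebug cookie.
// Node lower-cases incoming header names, so lookups use lower case.
function revealDebug(req) {
  if (req.headers['reveal-debug'] !== undefined) return true;
  const cookie = req.headers.cookie || '';
  return cookie.split(';').some((c) => c.trim().startsWith('RevealDebug='));
}

// Pure helper: a copy of responseHeaders with the debug headers removed unless
// the request opts in. Used by the middleware and easy to unit test.
function stripDebugHeaders(req, responseHeaders) {
  if (revealDebug(req)) return { ...responseHeaders };
  const kept = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    if (!DEBUG_HEADERS.includes(name.toLowerCase())) kept[name] = value;
  }
  return kept;
}

// Express/Connect middleware: defer the stripping to writeHead so headers set
// later by route handlers (or passed directly to writeHead) are also caught.
function hideDebugHeaders(req, res, next) {
  if (!revealDebug(req)) {
    const originalWriteHead = res.writeHead;
    res.writeHead = function (...args) {
      for (const name of DEBUG_HEADERS) res.removeHeader(name);
      const explicit = args[args.length - 1];
      if (explicit && typeof explicit === 'object' && !Array.isArray(explicit)) {
        for (const key of Object.keys(explicit)) {
          if (DEBUG_HEADERS.includes(key.toLowerCase())) delete explicit[key];
        }
      }
      return originalWriteHead.apply(this, args);
    };
  }
  next();
}
```

Register it before the routes with `app.use(hideDebugHeaders)`; `app.disable('x-powered-by')` remains the cleaner way to handle that one header, and an edge cache in front of the app still needs its own rule for headers it adds itself.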
29. X-Frame-Options
Prohibits third party framing of your site
https://tools.ietf.org/html/rfc7034
Domains sending: 22.7%
Standardised in: 2013
Almost always set to: sameorigin
30. Stop anyone from framing your site:
X-Frame-Options: SAMEORIGIN
But... equivalent to...
Content-Security-Policy: frame-ancestors 'self'
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
31. Via
Lists proxies through which the request passes
https://httpwg.org/specs/rfc7230.html#header.via
Domains sending: 8.7%
Standardised in: 1997
37. Simple CSP example:
Content-Security-Policy: default-src 'self'; img-src *; media-src media1.com media2.com; script-src userscripts.example.com
By default, only allow access to the same origin as the page. But allow images to come from anywhere. Media and scripts from a whitelist of specific origins.
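To see how the policy above is actually evaluated, here is an added example (not from the talk) that parses a CSP value and answers "may this resource load?". It covers the example on slide 37 and the frame-ancestors directive from slide 30, and shows the two rules a practitioner trips over most often: a fetch directive that is present replaces default-src entirely rather than extending it (so script-src above does not include 'self'), and frame-ancestors never falls back to default-src. The source matcher only understands 'self', 'none', '*' and plain host names, which is enough for the slide's policy; the function names are assumptions.

```javascript
// Added example, not from the talk: parse a Content-Security-Policy value and
// decide whether a resource origin is allowed for a directive, applying the
// default-src fallback rule. Matcher covers 'self', 'none', '*' and bare hosts only.

function parseCsp(value) {
  const policy = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [directive, ...sources] = tokens;
    policy[directive.toLowerCase()] = sources;
  }
  return policy;
}

// Fetch directives that inherit from default-src when they are absent.
// frame-ancestors (and other non-fetch directives) deliberately are not here.
const FALLS_BACK_TO_DEFAULT = new Set([
  'img-src', 'media-src', 'script-src', 'style-src', 'font-src', 'connect-src',
  'object-src', 'frame-src', 'child-src', 'worker-src', 'manifest-src',
]);

const stripScheme = (origin) => origin.replace(/^[a-z][a-z0-9+.-]*:\/\//i, '');

function sourceMatches(source, pageOrigin, resourceOrigin) {
  if (source === "'none'") return false;
  if (source === '*') return true; // simplified: real '*' excludes data:/blob:/filesystem:
  if (source === "'self'") return resourceOrigin === pageOrigin;
  return stripScheme(source) === stripScheme(resourceOrigin); // bare host as on the slide
}

// true if the directive (or its default-src fallback) allows resourceOrigin.
function cspAllows(policy, directive, pageOrigin, resourceOrigin) {
  let sources = policy[directive];
  if (sources === undefined && FALLS_BACK_TO_DEFAULT.has(directive)) {
    sources = policy['default-src'];
  }
  if (sources === undefined) return true; // nothing in the policy restricts it
  return sources.some((s) => sourceMatches(s, pageOrigin, resourceOrigin));
}
```

With the slide's policy, a script from the page's own origin is blocked because script-src lists only userscripts.example.com, and the page can be framed by anyone because no frame-ancestors directive is present; adding `frame-ancestors 'self'` is what gives the X-Frame-Options: SAMEORIGIN behaviour.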
40. X-Content-Type-Options
aka “Please actually believe my content type”
https://fetch.spec.whatwg.org/#x-content-type-options-header
Domains sending: 20.0%
Introduced in: IE8
Almost always set to: nosniff
41. "MIME confusion attack"
• You operate a site that accepts user uploads and provides a means of rendering user content
• Attacker uploads a dangerous file, pretending to be something else
• Attacker somehow gets your site’s users to view that file
• Even though your server applies an image Content-Type, the browser executes the file as script or renders a web page because it detects the type.
42. • Content-Type-Options only applies to script-like and style destinations
– Does not apply to navigations
– Browsers already refuse to sniff content on navigation
• Chrome and Firefox will refuse to sniff JavaScript if the advertised content type starts with ‘image/’
• In practice, attack window is exceptionally small
However...
http://great-sausage.glitch.me/
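The scope described on slide 42 is exactly what the Fetch specification's "should response to request be blocked due to nosniff?" check encodes. The added example below (not code from the talk) implements that check so the destinations it does and does not cover can be tried out, and pairs it with a header builder for the upload-serving case on slide 41. The list of upload types allowed to render inline and the function names are assumptions for illustration.

```javascript
// Added example, not from the talk: the nosniff rule as the Fetch spec's
// "should response to request be blocked due to nosniff?" algorithm states it,
// plus a header builder for serving user uploads. SAFE_INLINE_TYPES is an
// assumption for illustration.

// JavaScript MIME type essences, per the MIME Sniffing spec.
const JS_MIME_TYPES = new Set([
  'application/ecmascript', 'application/javascript', 'application/x-ecmascript',
  'application/x-javascript', 'text/ecmascript', 'text/javascript',
  'text/javascript1.0', 'text/javascript1.1', 'text/javascript1.2',
  'text/javascript1.3', 'text/javascript1.4', 'text/javascript1.5',
  'text/jscript', 'text/livescript', 'text/x-ecmascript', 'text/x-javascript',
]);

// Fetch's script-like destinations; 'style' is handled separately below.
const SCRIPT_LIKE = new Set(['audioworklet', 'paintworklet', 'script', 'serviceworker', 'sharedworker', 'worker']);

// "type/subtype" part of a Content-Type, lower-cased, parameters dropped.
function essence(contentType) {
  return (contentType || '').split(';')[0].trim().toLowerCase();
}

// true if X-Content-Type-Options: nosniff is present (first list member, case-insensitive).
function noSniffSet(headerValue) {
  if (headerValue === undefined || headerValue === null) return false;
  return String(headerValue).split(',')[0].trim().toLowerCase() === 'nosniff';
}

// true when the browser must refuse to use the response for this destination.
// Navigations ('document') and images are never affected: the header only
// bites for script-like and style destinations, as slide 42 says.
function blockedByNosniff(destination, contentType, xContentTypeOptions) {
  if (!noSniffSet(xContentTypeOptions)) return false;
  const type = essence(contentType);
  if (SCRIPT_LIKE.has(destination)) return !JS_MIME_TYPES.has(type);
  if (destination === 'style') return type !== 'text/css';
  return false;
}

// Upload types that may render inline; anything else is served as an opaque
// download so the browser has no reason to interpret it.
const SAFE_INLINE_TYPES = new Set(['image/png', 'image/jpeg', 'image/gif', 'image/webp']);

function uploadResponseHeaders(storedContentType) {
  const type = essence(storedContentType);
  const headers = { 'X-Content-Type-Options': 'nosniff' };
  if (SAFE_INLINE_TYPES.has(type)) {
    headers['Content-Type'] = type;
    headers['Content-Disposition'] = 'inline';
  } else {
    headers['Content-Type'] = 'application/octet-stream';
    headers['Content-Disposition'] = 'attachment';
  }
  return headers;
}
```

Note what `blockedByNosniff` does not do: a navigation to the uploaded file is never blocked by this header, so an upload that is really HTML and is served as text/html will still render. The header closes the "image loaded as script or stylesheet" hole; the Content-Type you assign to the file in the first place still has to be right.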
47. Referrer-Policy
What to send in referrals from this page
https://w3c.github.io/webappsec-referrer-policy/
Domains sending: 2.4%
Standardised in: 2017
54. Accept-CH
Requests client hints data be sent in future
http://httpwg.org/http-extensions/client-hints.html
Domains sending: 0.001%
Status: Proposed
55. Request that client send all current CHs:
Accept-CH: DPR, Width, Viewport-Width, Save-Data
Accept-CH-Lifetime: 86400
Subsequent requests:
DPR: 2.0
Width: 320
Viewport-Width: 320
Save-Data: 1
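The server side of that exchange, as an added example that is not code from the talk: one function builds the response headers that ask for the hints (with the Vary header a hint-dependent response needs so a shared cache does not hand one client's variant to another), and one reads the hints from a later request. The hint names and lifetime come from the slide; the variant rules and function names are assumptions.

```javascript
// Added example, not from the talk: the server side of the Accept-CH exchange on
// slide 55. Hint names and lifetime are from the slide; the variant rules are
// assumptions for illustration.

const REQUESTED_HINTS = ['DPR', 'Width', 'Viewport-Width', 'Save-Data'];

// Response headers that ask the client to send hints on subsequent requests.
function acceptClientHintsHeaders(lifetimeSeconds = 86400) {
  return {
    'Accept-CH': REQUESTED_HINTS.join(', '),
    'Accept-CH-Lifetime': String(lifetimeSeconds),
    // A response chosen from hints must vary on them, or a shared cache will
    // serve the high-DPR variant to a client that asked for Save-Data.
    'Vary': REQUESTED_HINTS.join(', '),
  };
}

// requestHeaders: lower-cased name -> value, as Node's http module provides.
function pickImageVariant(requestHeaders) {
  const get = (name) => requestHeaders[name.toLowerCase()];
  const dpr = parseFloat(get('DPR')) || 1;
  // Width (the element's layout width) is more specific than Viewport-Width.
  const cssWidth = parseInt(get('Width'), 10) || parseInt(get('Viewport-Width'), 10) || 0;
  // The spec token is "on"; the slide shows "1", so both are accepted here.
  const saveDataValue = String(get('Save-Data') || '').trim().toLowerCase();
  const saveData = saveDataValue === 'on' || saveDataValue === '1';
  return {
    targetPixelWidth: cssWidth > 0 ? Math.ceil(cssWidth * dpr) : null, // null: no hint, fall back
    quality: saveData ? 'low' : 'high',
    saveData,
  };
}
```

For the request on the slide (DPR 2.0, Width 320, Save-Data 1) this picks a 640-pixel-wide image at reduced quality; a request with no hints returns a null width so the server can fall back to its default asset.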
58. Link (preload)
Declare a resource that’s important early on
https://w3c.github.io/preload/#x2.link-type-preload
Domains sending: 19.1%
Standardised in: 2016
62. The status code problem
(Timeline figure: DNS Lookup → TLS → TTFB → status code + LINK headers received; on the server: database, auth, templating, API queries.)
63. 103 Early Hints
Sends headers before status code
https://tools.ietf.org/html/draft-ietf-httpbis-early-hints-05
Domains sending: Unknown
Status: Proposed
64. Get your fonts and styles down even sharper:
HTTP/1.1 103 Early Hints
Link: <some-font-face.woff2>; rel="preload"; as="font"; crossorigin
Link: <main-styles.css>; rel="preload"; as="style"

HTTP/1.1 200 OK
Date: Fri, 26 May 2017 10:02:11 GMT
Content-Length: 1234
Content-Type: text/html; charset=utf-8
Link: <some-font-face.woff2>; rel="preload"; as="font"; crossorigin
Link: <main-styles.css>; rel="preload"; as="style"
<!doctype html>
65. Preloaded resources start preloading earlier
(Timeline figure: DNS Lookup → TLS → early hints + Link headers received → real status received.)
66. Server-Timing
Allows exposure of granular server-timing data
https://www.w3.org/TR/server-timing
67. Tell the browser what happened on the server:
Server-Timing: miss, db;dur=53, app;dur=47.2
Server-Timing: customView, dc;desc=atl
Server-Timing: cache;desc="Cache Read";dur=23.2
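A parser and builder for those values, as an added example that is not code from the talk. The parser handles the quoted desc parameter, the builder emits the same syntax, and a small timer measures a phase the way the db and app entries above suggest; the helper names are assumptions.

```javascript
// Added example, not from the talk: parse the Server-Timing values on slide 67,
// build them, and time a server-side phase. Helper names are assumptions.

// Split on sep, ignoring separators inside double quotes.
function splitOutsideQuotes(value, sep) {
  const parts = [];
  let current = '';
  let inQuotes = false;
  for (const ch of value) {
    if (ch === '"') inQuotes = !inQuotes;
    if (ch === sep && !inQuotes) { parts.push(current); current = ''; } else current += ch;
  }
  parts.push(current);
  return parts.map((p) => p.trim()).filter((p) => p.length > 0);
}

// "miss, db;dur=53, app;dur=47.2" -> [{name:'miss'}, {name:'db', dur:53}, {name:'app', dur:47.2}]
function parseServerTiming(value) {
  return splitOutsideQuotes(value, ',').map((entry) => {
    const [name, ...params] = splitOutsideQuotes(entry, ';');
    const metric = { name };
    for (const param of params) {
      const eq = param.indexOf('=');
      const key = (eq === -1 ? param : param.slice(0, eq)).trim().toLowerCase();
      let raw = eq === -1 ? '' : param.slice(eq + 1).trim();
      if (raw.length >= 2 && raw.startsWith('"') && raw.endsWith('"')) raw = raw.slice(1, -1);
      if (key === 'dur') metric.dur = parseFloat(raw);
      else if (key === 'desc') metric.desc = raw;
    }
    return metric;
  });
}

// Inverse of parseServerTiming: metrics -> header value. desc is always quoted.
function serverTimingHeader(metrics) {
  return metrics.map((m) => {
    let s = m.name;
    if (m.dur !== undefined) s += `;dur=${m.dur}`;
    if (m.desc !== undefined) s += `;desc="${String(m.desc).replace(/"/g, '\\"')}"`;
    return s;
  }).join(', ');
}

// startTimer('db') returns a stop() that yields {name:'db', dur:<ms, 2 decimals>}.
function startTimer(name, desc) {
  const started = process.hrtime.bigint();
  return () => {
    const ms = Number(process.hrtime.bigint() - started) / 1e6;
    const metric = { name, dur: Math.round(ms * 100) / 100 };
    if (desc !== undefined) metric.desc = desc;
    return metric;
  };
}
```

Typical use is `const stopDb = startTimer('db'); ... res.setHeader('Server-Timing', serverTimingHeader([stopDb(), ...]))`. Everything in this header is readable by any visitor (cache misses, backend timings, the datacenter name on the slide), so treat it like the debug headers on slide 28 and gate it rather than sending it to everyone; for values that are only known once the body has been written, the specification also allows the header to be sent as a trailer.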
72. But server-timing might be unknown in headers
(Timeline figure: DNS Lookup → TLS → TTFB → headers sent. Only now we know: total bytes sent, last byte timestamp, client data rate.)
77. Turn off the bad stuff
Feature-Policy: autoplay 'none'; speaker 'self'; unsized-media some3rdparty.com
• No-one can autoplay video on this page
• Only I can use the speakers. No noisy ads, thanks.
• Images only take size from their contents when loaded from some3rdparty.com
78. What policies are available?
autoplay
camera
document-domain
encrypted-media
fullscreen
geolocation
microphone
midi
payment
vr
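An added example, not code from the talk, that parses the policy on slide 77 and decides whether a given frame origin may use a feature, plus a builder that switches off any of the policies listed on slide 78. The matcher handles 'none', '*', 'self' and a bare host as on the slide; the function names are assumptions.

```javascript
// Added example, not from the talk: evaluate the Feature-Policy on slide 77 for
// a frame origin and build a header that disables features from slide 78.
// Matching covers 'none', '*', 'self' and bare origins only.

function parseFeaturePolicy(value) {
  const policy = {};
  for (const part of value.split(';')) {
    const [feature, ...allowlist] = part.trim().split(/\s+/).filter(Boolean);
    if (feature) policy[feature.toLowerCase()] = allowlist;
  }
  return policy;
}

const stripScheme = (origin) => origin.replace(/^[a-z][a-z0-9+.-]*:\/\//i, '');

function originMatches(token, pageOrigin, frameOrigin) {
  if (token === "'none'") return false;
  if (token === '*') return true;
  if (token === "'self'") return frameOrigin === pageOrigin;
  return stripScheme(token) === stripScheme(frameOrigin); // bare host as on the slide
}

// true/false when the header decides; null when the feature is not mentioned,
// in which case the browser's per-feature default allowlist applies.
function featureAllowed(policy, feature, pageOrigin, frameOrigin) {
  const allowlist = policy[feature.toLowerCase()];
  if (allowlist === undefined) return null;
  return allowlist.some((t) => originMatches(t, pageOrigin, frameOrigin));
}

// Header value that disables each named feature for the page and every frame in it.
function disableFeatures(features) {
  return features.map((f) => `${f} 'none'`).join('; ');
}
```

`disableFeatures(['camera', 'microphone', 'geolocation', 'payment'])` gives a policy for a page that has no business using any of them, which is the cheapest way to stop an injected or third-party frame from asking. Browsers have since renamed this header Permissions-Policy with a different value syntax, so check which form the browsers you care about honour.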