The Content-Security-Policy Header
The Content-Security-Policy Header
Content Security Policy (CSP) is a security standard used by modern browsers to protect against data injection attacks, such as cross-site scripting (XSS). CSP uses a whitelist to determine which resources are safe to load and ignores unverified sources. It also logs any attempts to bypass the security policy.To make use of this policy, the server must have a Content-Security-Policy HTTP header with one or more directives set up, with each directive responsible for a specific resource type. Directives set out a security policy by declaring rules for resources.To set up CSP for your browser, add the following code into your web.config file:Note: If you need to integrate ABBYY FlexiCapture with third-party systems and require access to other hosts, specify them in the web.config file. Be sure to check the operation of the software each time you change your security configuration settings.For more information about the Content-Security-Policy header, see this website.
The HTTP Strict-Transport-Security Header
The HTTP Strict-Transport-Security Header
HTTP Strict-Transport-Security (HSTS) is a website protection mechanism that restricts all interactions between the browser and the website to a secure connection using the SSL protocol. A web server that has HSTS set up contains an instruction for the browser to exclusively use HTTPS and forbids it from using HTTP. HSTS is primarily used to fend off interception attacks involving queries and responses, e.g. MITM (Man-In-The-Middle) attacks.To be able to use this security policy, you need to use URL address rewrite rules to add a Strict-Transport-Security (STS) header to HTTP responses. This is necessary to prevent unwanted HTTP queries and redirect all HTTP traffic to HTTPS (based on the logic set out in the rules). To set up the rules, you need to install the URL Rewrite module. For more information, please see the Microsoft website.To set up HSTS for your browser, add the following code into your web.config file:Note: The max-age directive specifies the time period (in seconds) during which the rule will be applied. The value specified in the code snippet above equals a period of one year.For more information about HSTS, please see the Microsoft website.
The X-Powered-By and X-AspNet-Version Headers
The X-Powered-By and X-AspNet-Version Headers
Apart from HTTP headers that are essential for improving the security of your web server, there are also headers that are optional. Often, such optional headers are not governed by any standards and their use increases the amount of traffic generated by each HTTP query, making it easier to carry out malicious attacks.The following are two such optional headers:To remove the X-AspNet-Version header from your IIS configuration, paste the following code into your web.config file:
- X-Powered-By is an HTTP header that contains information about various technologies used by the web server.
- X-AspNet-Version is an HTTP header that contains information about the ASP.NET version that is used to deploy applications on the web server.
The X-XSS-Protection Header
The X-XSS-Protection Header
X-XSS-Protection is an HTTP header that is used by browsers to prevent Cross-Site Scripting attacks. The header works by enabling an XSS filter, which intercepts unwanted attempts to insert malicious third-party code into web pages opened on a browser.X-XSS-Protection is compatible with the following browsers: Internet Explorer 8+, Chrome, and Safari. However, most modern browsers use a stricter security policy (e.g. Content-Security-Policy), which makes this header necessary only if you are using an older browser that does not support CSP.To enable the X-XSS-Protection header for your browser, copy the following code to your web.config file:
The X-Content-Type-Options Header
The X-Content-Type-Options Header
X-Content-Type-Options is an HTTP header that is used by browsers to prevent attacks that exploit MIME (Multipurpose Internet Mail Extensions) vulnerabilities. MIME is an Internet standard for content that is sent over an internet connection. All files served by the web server are processed by browsers in a manner that depends on the MIME type of those particular files. Browsers determine the resource type by either using the Content-Type response, or by inspecting the resource contents, which makes it possible for attackers to mask HTML files as files of a different type.The only directive available for this header is the nosniff directive. It instructs browsers to use only the MIME type that was specified by the web server.To enable the X-Content-Type-Options header for your browser, paste the following code into your web.config file:
The Server Header
The Server Header
Server Header is a response header that contains information about the application used by the source server to process a request (e.g. the version number of the application). Potential availability of this kind of information to third parties is a security threat. For this reason, we recommend deleting the contents of the Server Header.To delete the contents of the Server Header, add the following code into your web.config file:If you are using IIS 10.0, Windows Server 2016 or later, use the following code instead:Note: The settings described above require the URL Rewrite module to be installed. For more information, please see the Microsoft documentation.
The X-Frame-Options header
The X-Frame-Options header
By default, it is allowed to embed ABBYY FlexiCapture Web Stations via iFrame into other companies’ web sites. However, if you become aware of framesniffing, you can do the following to prevent content from being hosted in a cross-domain iFrame:
- In the Connections pane on the left side, expand the Sites folder and select the site that you want to protect.
- Double-click the HTTP Response Headers icon in the feature list in the middle.
- In the Actions pane on the right side, click Add.
- In the dialog box that opens, type X-Frame-Options in the Name field and type SAMEORIGIN or DENY in the Value field.
Slow HTTP POST vulnerability
Slow HTTP POST vulnerability
Slow HTTP POST vulnerability is a variation of a slow HTTP Denial of Service attack (DoS), otherwise referred to as the Slowloris HTTP attack. In a slow HTTP POST attack, the attacker declares a large amount of data to be sent in an HTTP POST request and then sends it very slowly. To resolve the Slow HTTP POST vulnerability on the customer’s side, it is necessary to set up Web Limits in the IIS configs on the machines where Application Server is installed. The limits should be set for the following parameters:
- ConnectionTimeout
- MinFileBytesPerSec.
Using HTTPS instead of HTTP
Using HTTPS instead of HTTP
The HTTP protocol lacks security mechanisms to encrypt data, whereas HTTPS provides SSL or TLS Digital Certificate to secure the communication between server and client. Please ensure that all traffic between the user’s browser and the web server is forced over an encrypted channel using HTTPS. HTTP operates on port 80 by default. Close this port to prevent the use of HTTP.
Using up-to-date TLS version and strong ciphers
Using up-to-date TLS version and strong ciphers
TLSv1.1 is considered a weak encryption protocol. An attacker can exploit weaknesses in the protocol to read secure communications or maliciously modify messages. We recommend that you always use the latest possible version of TLS and only strong ciphers (a list appropriate ciphers can be found at https://wiki.mozilla.org/Security/Server_Side_TLS). To configure the SSL Cipher via group policy:
- At a command prompt, enter gpedit.msc. The Group Policy Object Editor appears**.**
- Expand Computer Configuration, Administrative Templates, Network, and then click SSL Configuration Settings.
- Under SSL Configuration Settings, click the SSL Cipher Suite Order setting.
- In the SSL Cipher Suite Order pane, scroll to the bottom of the pane.
- Follow the instructions labeled How to modify this setting.
Protection Against Distributed Denial-of-Service Attacks
Protection Against Distributed Denial-of-Service Attacks
Distributed denial-of-service (DDoS) attacks involve overloading an application with HTTP requests, causing a significant increase in the amount of traffic and making the application inaccessible to legitimate users. It may not be easy to detect such attacks, as it is often difficult to distinguish between legitimate and malicious traffic.To protect your web server from DDoS attacks, we recommend that you set up your IIS server to block access to your application if someone exceeds either the allowed number of requests over a certain period of time or the allowed number of concurrent requests.To set up DDoS protection in IIS as described above, do the following:
- Launch IIS Manager.
- Select your website in the treeview and double-click the IP Address and Domain Restrictions icon on the site home page.
- In the Actions pane, click Edit Dynamic Restriction Settings.
- In the dialog box that opens, select the preferred method: Deny IP Address based on the number of concurrent requests or Deny IP Address based on the number of requests over a period of time.
- Click OK.
- Launch IIS Manager.
- Select your website in the treeview and double-click the IP Address and Domain Restrictions icon on the site home page.
- In the Actions pane, click Edit Dynamic Restriction Settings.
- In the dialog box that opens, select the desired type of action from the Deny Action Type drop-down list.
- Click OK.
- Launch IIS Manager.
- Select your website in the treeview and double-click the IP Address and Domain Restrictions icon on the site home page.
- In the Actions pane, click Edit Feature Settings.
- In the Edit IP and Domain Restriction Settings dialog box, select Enable Proxy Mode.
- Click OK.