Thanks to everyone who submitted to the Secure Developer Challenge for May 2021!
For this month’s challenge (https://go.shiftleft.io/developer-challenge-05-2021), we asked you to identify which of these statements about HTTP security headers are false:
The correct answer is that options C and F are incorrect. Did you get it right?
X-XSS-Protection enables the browser's built-in XSS filter (Chrome's XSS Auditor and the XSS Filter in Internet Explorer and legacy Edge), which tries to detect reflected XSS by comparing the request with the response. Option C is wrong because the best practice today is actually to disable that filter by sending “X-XSS-Protection: 0”. Relying on it is insufficient: security researchers have published numerous bypasses, the filter can break legitimate pages, and its blocking behaviour has itself been abused as a side channel to leak information about a page. Browser vendors have reached the same conclusion: Chrome removed the XSS Auditor in 2019, Edge retired its filter, and Firefox never implemented one. Use a Content-Security-Policy header instead, and keep X-XSS-Protection only to turn the legacy filter off in older browsers.
MIME-sniffing is when a browser guesses a document's file type by examining its bytes instead of trusting the declared Content-Type. X-Content-Type-Options turns off MIME-sniffing and tells the browser that the content type stated in the Content-Type header is authoritative. The only recognised value, and the best practice, is “X-Content-Type-Options: nosniff”. This prevents the browser from treating a non-executable resource, such as a user-uploaded text file or image whose bytes happen to look like JavaScript, as an executable script, so option F is false.
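To make the two points above concrete, here is an added example (not code from the original post or from ShiftLeft) in plain JavaScript: the header set the article recommends, and a small audit function that flags a captured response for a missing nosniff header, an enabled legacy XSS filter, or a missing or weak Content-Security-Policy. The CSP value and the two sample responses are constructed for illustration; adjust the policy's sources for your own application.

```javascript
// Added example, not from the original post. Runs stand-alone under Node.js.

// Header set the article recommends. The CSP below is an assumed policy;
// tailor its sources to the application you are protecting.
const RECOMMENDED_HEADERS = {
  // Make the declared Content-Type authoritative; never MIME-sniff.
  "X-Content-Type-Options": "nosniff",
  // Explicitly switch off the legacy browser XSS filter; rely on CSP instead.
  "X-XSS-Protection": "0",
  // Restrictive CSP: same-origin resources only, no plugins, no framing.
  "Content-Security-Policy":
    "default-src 'self'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'",
};

// Case-insensitive header lookup, since HTTP header names are case-insensitive.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return String(value).trim();
  }
  return undefined;
}

// Parse a CSP header value into a Map of directive name -> source list.
// A directive that appears twice keeps its first occurrence, as browsers do.
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Audit a response's headers against the recommendations above.
// Returns an array of findings; an empty array means the response passes.
function auditSecurityHeaders(headers) {
  const findings = [];

  const xcto = getHeader(headers, "X-Content-Type-Options");
  if (xcto === undefined) {
    findings.push("missing X-Content-Type-Options: nosniff (browser may MIME-sniff)");
  } else if (xcto.toLowerCase() !== "nosniff") {
    findings.push(`X-Content-Type-Options has unrecognised value "${xcto}"`);
  }

  // Absent is acceptable (modern browsers ignore the header); any value
  // other than "0" re-enables a filter that is bypassable and abusable.
  const xss = getHeader(headers, "X-XSS-Protection");
  if (xss !== undefined && xss !== "0") {
    findings.push(`X-XSS-Protection is "${xss}"; set it to "0" and use Content-Security-Policy`);
  }

  const csp = getHeader(headers, "Content-Security-Policy");
  if (csp === undefined) {
    findings.push("missing Content-Security-Policy");
  } else {
    const directives = parseCsp(csp);
    // script-src falls back to default-src; if neither is set, scripts are unrestricted.
    const scriptSources = directives.get("script-src") || directives.get("default-src");
    if (scriptSources === undefined) {
      findings.push("CSP sets neither script-src nor default-src; scripts are unrestricted");
    } else if (scriptSources.includes("'unsafe-inline'")) {
      findings.push("CSP allows 'unsafe-inline' scripts, which defeats its XSS protection");
    }
  }
  return findings;
}

// Constructed sample responses: one as a typical legacy server sends them,
// one with the recommended headers applied.
const WEAK_RESPONSE_HEADERS = {
  "content-type": "text/html",
  "x-xss-protection": "1; mode=block",
};
const HARDENED_RESPONSE_HEADERS = {
  "Content-Type": "text/html; charset=utf-8",
  ...RECOMMENDED_HEADERS,
};

console.log("weak response:", auditSecurityHeaders(WEAK_RESPONSE_HEADERS));
console.log("hardened response:", auditSecurityHeaders(HARDENED_RESPONSE_HEADERS));

module.exports = { RECOMMENDED_HEADERS, getHeader, parseCsp, auditSecurityHeaders };
```

Run the audit against headers captured with curl -I or from your framework's test client; the weak sample above produces three findings (no nosniff, XSS filter enabled, no CSP) while the hardened sample produces none.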
Thanks for reading! What is the most challenging part of developing secure software for you? I’d love to know. Feel free to connect on Twitter @vickieli7.
*** This is a Security Bloggers Network syndicated blog from ShiftLeft Blog - Medium authored by Vickie Li. Read the original post at: https://blog.shiftleft.io/secure-developer-challenge-may-2021-d5779ec6ac1e?source=rss----86a4f941c7da---4