HTTP offers a number of methods such as GET, POST, OPTIONS, PUT and DELETE. To process a request, a web server supports a set of HTTP methods, and each method has a different function. For example, the GET method is used to retrieve web pages from the server, and the POST method is used to send a request with the entity enclosed in the body.
Some of these methods are typically dangerous to expose.
HEAD, GET, POST, CONNECT – these are safe, at least as far as the HTTP method itself is concerned. Of course, the request itself may carry malicious parameters, but that is separate from the method. These are typically (note the exception below) the only ones that should be enabled.
PUT, DELETE – these methods are intended as file management operations. That is, they let a client change or delete files on the server’s file system arbitrarily. Obviously, if these are enabled, they open you to some dangerous attacks: the PUT method can be used to introduce malicious code and shells to the target. File access permissions should be very strictly limited if you absolutely MUST have these methods enabled.
OPTIONS – a diagnostic method that reports which HTTP methods are active on the web server.
TRACE – returns the entire HTTP request in the response body. This includes the request body, but also the request headers, including e.g. cookies, authorization headers and more. This should definitely be disabled.
Each HTTP method performs a different function, and each carries an associated level of risk when its use is permitted on the web server. In the example above, we can see that the OPTIONS method is enabled, so an attacker can send an OPTIONS request to identify which methods are allowed.
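As an added example (not code from the original article), the following script shows how a defender can turn the Allow header of an OPTIONS response into a risk report using the categories discussed above. The sample response is constructed for the example and was not captured from any real server; the classification sets are assumptions that follow the text, with PUT, DELETE and TRACE treated as methods that should not be exposed.

```python
"""Classify the HTTP methods a server advertises in an OPTIONS response."""
from typing import Dict, List

# Assumed risk classes, following the article: file-management methods and
# TRACE should not be exposed, and OPTIONS itself reveals what is enabled.
DANGEROUS = {"PUT", "DELETE", "TRACE"}
DIAGNOSTIC = {"OPTIONS"}


def parse_allow_header(raw_response: str) -> List[str]:
    """Return the methods listed in the Allow header of a raw HTTP response.

    Header names are matched case-insensitively; an empty list means the
    server sent no Allow header at all.
    """
    head, _, _ = raw_response.partition("\r\n\r\n")
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "allow":
            return [m.strip().upper() for m in value.split(",") if m.strip()]
    return []


def assess_methods(methods: List[str]) -> Dict[str, List[str]]:
    """Group advertised methods into dangerous, diagnostic and other."""
    report: Dict[str, List[str]] = {"dangerous": [], "diagnostic": [], "other": []}
    for method in methods:
        if method in DANGEROUS:
            report["dangerous"].append(method)
        elif method in DIAGNOSTIC:
            report["diagnostic"].append(method)
        else:
            report["other"].append(method)
    return report


# Constructed sample OPTIONS response (not from any real host).
SAMPLE_OPTIONS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Allow: GET, HEAD, POST, OPTIONS, PUT, DELETE, TRACE\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    report = assess_methods(parse_allow_header(SAMPLE_OPTIONS_RESPONSE))
    for category, methods in report.items():
        print(f"{category:10s} {', '.join(methods) or '-'}")
    if report["dangerous"]:
        print("Action: disable", ", ".join(report["dangerous"]), "in the server configuration")
```

The report for the constructed response lists PUT, DELETE and TRACE as dangerous and OPTIONS as diagnostic; a production check would issue the OPTIONS request itself and then compare the result against the methods the application actually needs.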
The HTTP Strict Transport Security (HSTS) header is a mechanism by which websites tell web browsers that all traffic exchanged with a given domain must always be sent over HTTPS; this helps protect information from being passed over unencrypted requests.
Given the importance of this security measure, it is important to verify that the website is using this HTTP header, in order to ensure that all data travels encrypted from the web browser to the server.
The HTTP Strict Transport Security (HSTS) feature lets a web application inform the browser, through a special response header, that it should never connect to the specified domain’s servers over HTTP. Instead, it should automatically make all connection requests to the site over HTTPS.
The HTTP Strict Transport Security header uses two directives: max-age, the number of seconds for which the browser should remember that the site is only to be accessed over HTTPS, and includeSubDomains, which applies the rule to all subdomains of the domain as well.
Here’s an example of the HSTS header implementation:
Strict-Transport-Security: max-age=60000; includeSubDomains
The use of this header by web applications must be checked to determine whether the following security issues could arise:
Attackers sniffing the network traffic and accessing the information transferred through an unencrypted channel.
Attackers exploiting a man-in-the-middle attack because of the problem of users accepting certificates that are not trusted.
Users who mistakenly enter an address in the browser using HTTP instead of HTTPS, or users who click on a link in a web application that mistakenly indicated the HTTP protocol.
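The following is an added example, not code from the original article, showing how the header check described above can be automated: it parses a Strict-Transport-Security value into its directives and reports the conditions under which the issues listed above remain possible (header missing, max-age absent or zero, max-age short, includeSubDomains absent). The sample responses are constructed, and the one-year minimum for max-age is an assumption chosen for this example rather than a figure from the article.

```python
"""Parse and assess a Strict-Transport-Security (HSTS) header."""
from typing import Dict, List, Optional

# Assumed policy threshold for this example: one year in seconds, a common
# recommendation, not a value taken from the article.
RECOMMENDED_MIN_MAX_AGE = 31536000


def get_header(raw_response: str, name: str) -> Optional[str]:
    """Return the first value of header `name` from a raw HTTP response, or None."""
    head, _, _ = raw_response.partition("\r\n\r\n")
    for line in head.split("\r\n")[1:]:  # skip the status line
        hname, sep, value = line.partition(":")
        if sep and hname.strip().lower() == name.lower():
            return value.strip()
    return None


def parse_hsts(header_value: str) -> Dict[str, Optional[str]]:
    """Split an HSTS value into lower-cased directive names and their values.

    Valueless directives (includeSubDomains) map to None; quoted values are
    unquoted. The first occurrence of a repeated directive is kept.
    """
    directives: Dict[str, Optional[str]] = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        dname, sep, value = part.partition("=")
        directives.setdefault(dname.strip().lower(), value.strip().strip('"') if sep else None)
    return directives


def assess_hsts(header_value: Optional[str]) -> List[str]:
    """Return a list of findings; an empty list means the policy looks sound."""
    if header_value is None:
        return ["missing: no Strict-Transport-Security header, so plain-HTTP requests are not prevented"]
    directives = parse_hsts(header_value)
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        # Browsers ignore an HSTS header whose max-age is absent or malformed.
        return ["invalid: max-age directive missing or not a number; browsers will ignore the header"]
    findings: List[str] = []
    seconds = int(max_age)
    if seconds == 0:
        findings.append("disabled: max-age=0 tells the browser to forget the policy")
    elif seconds < RECOMMENDED_MIN_MAX_AGE:
        findings.append(f"weak: max-age={seconds} is below the recommended {RECOMMENDED_MIN_MAX_AGE} seconds")
    if "includesubdomains" not in directives:
        findings.append("partial: includeSubDomains absent, so subdomains may still be reached over HTTP")
    return findings


# Constructed sample responses (not captured from any real server).
RESPONSE_WITH_HSTS = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=60000; includeSubDomains\r\n"
    "Content-Length: 0\r\n\r\n"
)
RESPONSE_WITHOUT_HSTS = "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for label, response in (("with HSTS", RESPONSE_WITH_HSTS), ("without HSTS", RESPONSE_WITHOUT_HSTS)):
        value = get_header(response, "Strict-Transport-Security")
        print(label, "->", assess_hsts(value) or ["ok"])
```

Run against the article’s own example value, the check reports only that max-age=60000 (under 17 hours) is short relative to the assumed one-year minimum; a real audit would fetch the response over HTTPS, because browsers ignore an HSTS header delivered over plain HTTP.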
HTTP Strict Transport Security (HSTS) is a powerful mechanism for protecting against man-in-the-middle attacks and many other attacks. We recommend raising awareness of HSTS early in the web application development lifecycle.