HTTP Headers required for PCI Scan Compliance

    THREATS:
    • X-Content-Type-Options: This HTTP header stops the browser from MIME-sniffing a response and interpreting it as a type other than the one declared in the Content-Type header (for example, executing an uploaded file as script).
    • Strict-Transport-Security: The HTTP Strict-Transport-Security response header (HSTS) lets a web server declare that browsers (and other complying user agents) must only interact with it over HTTPS and never over plain HTTP; once seen, the browser upgrades later HTTP requests itself, which defeats HTTPS-to-HTTP downgrade (SSL stripping) attacks.
    • Content-Security-Policy: The HTTP Content-Security-Policy response header lets a web server apply an additional layer of security to help prevent certain types of attacks, such as Cross-Site Scripting (XSS), data injection and clickjacking.

    IMPACT:

    Depending on the vulnerability being exploited, an unauthenticated remote attacker could conduct cross-site scripting, clickjacking, MIME-type sniffing or HTTPS downgrade attacks against users of the site.

    SOLUTION:

    The following HTTP headers need to be added to the server responses. How this is done depends on the web server (Apache, IIS etc.) and the host. In the case of Apache the host may be willing to add the headers server-wide, or they may advise on how to add them to the site using a .htaccess file or some other mechanism.
    • X-Content-Type-Options: nosniff
    • Strict-Transport-Security: max-age=63072000; includeSubDomains
    • Content-Security-Policy: frame-ancestors 'none'

    In the above, max-age is a lifetime in seconds. RFC 6797 sets no minimum, but scanners flag short values: 1 year (31536000) is the usual minimum they accept and the minimum the browser HSTS preload list requires; 2 years (63072000, as used above) is recommended. Only add includeSubDomains if every subdomain is served over HTTPS, because browsers will refuse plain-HTTP connections to all of them for the whole max-age period.

    The HTTP header Content-Security-Policy: frame-ancestors 'none' prevents somebody hosting your site in an iframe on their site without blocking iframes used by your site (what your pages may embed is governed by frame-src, not frame-ancestors). Note that 'none' also stops your own pages from framing each other; use 'self' if the site frames its own pages. frame-ancestors supersedes the older X-Frame-Options header, which you may still want to send for very old browsers.

    If the site uses a .htaccess file then the changes can be applied to the site by adding the following to the .htaccess file:

    Code:
    # Requires mod_headers; the IfModule guard avoids a 500 error if it is not loaded.
    <IfModule mod_headers.c>
        # "always" also adds the headers to error responses (4xx/5xx), which scanners check.
        # Header names take no trailing colon in mod_headers directives.
        Header always set X-Content-Type-Options "nosniff"
        Header always set Content-Security-Policy "frame-ancestors 'none'"
        # HSTS is only meaningful over HTTPS; env=HTTPS (set by mod_ssl) keeps it off plain-HTTP responses.
        Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains" env=HTTPS
    </IfModule>
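    After the headers are in place, re-check the responses before asking for a rescan. The script below is an added example, not part of the original post or of any scanner: it audits a set of response headers for the three requirements above. The one-year threshold for max-age and the two sample responses are constructed assumptions; a URL on the command line makes it fetch live headers with a HEAD request instead.

```python
"""Audit HTTP response headers for the three headers the post requires:
X-Content-Type-Options, Strict-Transport-Security and a Content-Security-Policy
frame-ancestors directive.  Added example; not code from the original post."""
import sys
import urllib.error
import urllib.request

# Assumption: one year in seconds is the smallest max-age a scanner accepts.
MIN_HSTS_MAX_AGE = 31536000


def parse_directives(value):
    """Split 'a=1; b; c' style header values into a {name: value} dict."""
    out = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        out[name.strip().lower()] = val.strip()
    return out


def audit_headers(headers):
    """Return a list of findings; an empty list means all three checks pass.

    `headers` maps header name to value.  Lookup is case-insensitive because
    header names are case-insensitive on the wire."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not 'nosniff'")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        d = parse_directives(hsts)
        max_age = d.get("max-age", "")
        if not max_age.isdigit():
            findings.append("Strict-Transport-Security has no numeric max-age")
        elif int(max_age) < MIN_HSTS_MAX_AGE:
            findings.append(f"Strict-Transport-Security max-age {max_age} "
                            f"is below {MIN_HSTS_MAX_AGE}")
        if "includesubdomains" not in d:
            findings.append("Strict-Transport-Security lacks includeSubDomains")

    # CSP directives are ';'-separated; each is 'name source ...'.
    frame_ancestors = None
    for directive in h.get("content-security-policy", "").split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            frame_ancestors = tokens[1:]
    if frame_ancestors is None:
        findings.append("Content-Security-Policy has no frame-ancestors directive")
    elif "*" in frame_ancestors:
        findings.append("frame-ancestors allows any origin ('*')")
    return findings


def fetch_headers(url):
    """HEAD `url` and return its response headers, including on 4xx/5xx."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return dict(resp.headers.items())
    except urllib.error.HTTPError as err:
        return dict(err.headers.items())


# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "SAMEORIGIN",
}
HARDENED_RESPONSE = {
    "Content-Type": "text/html",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "frame-ancestors 'none'",
}

if __name__ == "__main__":
    target = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else WEAK_RESPONSE
    for line in audit_headers(target) or ["all three headers present and acceptable"]:
        print(line)
```

    Run it with no arguments to see the four findings for the weak sample, or with `https://example.test/` (a placeholder) to audit a real response. Test the error page as well as the home page: a header added with plain `Header set` will be missing from 404 responses.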