OWASP Secure Headers Project

The OWASP Secure Headers Project describes HTTP response headers that an application can set to increase its security. Once set, these headers instruct modern browsers to avoid easily preventable vulnerabilities (protocol downgrade, clickjacking, MIME sniffing, injected script). The project intends to raise awareness and adoption of these headers.

Introduction

HTTP headers are well known and yet widely neglected. Seeking a balance between usability and security, developers implement functionality through headers that can make an application more versatile or more secure. But how are these headers implemented in practice? Which sites follow the best implementation practices? Large companies, small ones, all or none?

Description

We aim to publish: reports on header usage statistics, developments and changes; code libraries that make these headers easily accessible to developers on a range of platforms; and data sets on the general usage of these headers.

The OWASP Secure Headers Project is migrating to this new OWASP website. For now, the old wiki page remains available at https://wiki.owasp.org/index.php/OWASP_Secure_Headers_Project.

Licensing

OWASP Secure Headers is free to use. It is licensed under the Apache 2.0 License.


Response Headers

  • HTTP Strict Transport Security (HSTS)
  • Public Key Pinning Extension for HTTP (HPKP)
  • X-Frame-Options
  • X-XSS-Protection
  • X-Content-Type-Options
  • Content-Security-Policy
  • X-Permitted-Cross-Domain-Policies
  • Referrer-Policy
  • Expect-CT
  • Feature-Policy

HTTP Strict Transport Security (HSTS)

HTTP Strict Transport Security (HSTS) is a web security policy mechanism which helps to protect websites against protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol. HSTS is an IETF standards track protocol and is specified in RFC 6797. A server implements an HSTS policy by supplying a header (Strict-Transport-Security) over an HTTPS connection (HSTS headers over HTTP are ignored).

Values

  Value               Description
  max-age=SECONDS     The time, in seconds, that the browser should remember that this site is only to be accessed using HTTPS. The policy is refreshed on every response, so a long value (the example below is one year) costs nothing as long as the site keeps serving the header.
  includeSubDomains   If this optional parameter is specified, this rule applies to all of the site's subdomains as well. Check that every subdomain really is served over HTTPS before enabling it: a subdomain that only speaks HTTP becomes unreachable for the whole max-age.

Example

  Strict-Transport-Security: max-age=31536000; includeSubDomains

References

  • https://tools.ietf.org/html/rfc6797
  • https://www.owasp.org/index.php/HTTP_Strict_Transport_Security
  • https://www.owasp.org/index.php/Test_HTTP_Strict_Transport_Security_(OTG-CONFIG-007)
  • https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
  • https://www.chromium.org/hsts
  • https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
  • https://raymii.org/s/tutorials/HTTP_Strict_Transport_Security_for_Apache_NGINX_and_Lighttpd.html

Public Key Pinning Extension for HTTP (HPKP)

HTTP Public Key Pinning (HPKP) is a security mechanism which allows HTTPS websites to resist impersonation by attackers using mis-issued or otherwise fraudulent certificates (for example, an attacker who compromises a certificate authority can have a certificate mis-issued for a web origin).

The HTTPS web server serves a list of public key hashes, and on subsequent connections clients expect that server to use one or more of those public keys in its certificate chain. Deploying HPKP safely will require operational and organizational maturity due to the risk that hosts may make themselves unavailable by pinning to a set of public key hashes that becomes invalid. With care, host operators can greatly reduce the risk of man-in-the-middle (MITM) attacks and other false authentication problems for their users without incurring undue risk.

Before implementing HPKP, read Chrome's deprecation notice at https://www.chromestatus.com/feature/5903385005916160. HPKP has since been removed from Chrome, and the references below explain why the operational risk of pinning (locking your own users out if the pinned keys are lost) outweighs its benefit for most sites; Certificate Transparency (see Expect-CT below) is the replacement approach.

Values

  Value                  Description
  pin-sha256="<base64>"  The quoted string is the Base64-encoded SHA-256 hash of the DER-encoded Subject Public Key Info (SPKI). Multiple pins for different public keys can be specified, and at least one must be a backup pin that is not in the currently served chain. Browsers might allow other hashing algorithms than SHA-256 in the future.
  max-age=SECONDS        The time, in seconds, that the browser should remember that this site is only to be accessed using one of the pinned keys.
  includeSubDomains      If this optional parameter is specified, this rule applies to all of the site's subdomains as well.
  report-uri="<url>"     If this optional parameter is specified, pin validation failures are reported to the given URL.

Example

  Public-Key-Pins: pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM="; pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="; report-uri="http://example.com/pkp-report"; max-age=10000; includeSubDomains

References

  • https://tools.ietf.org/html/rfc7469
  • https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning#HTTP_pinning
  • https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
  • https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning
  • https://raymii.org/s/articles/HTTP_Public_Key_Pinning_Extension_HPKP.html
  • https://labs.detectify.com/2016/07/05/what-hpkp-is-but-isnt/
  • https://blog.qualys.com/ssllabs/2016/09/06/is-http-public-key-pinning-dead
  • https://scotthelme.co.uk/im-giving-up-on-hpkp/
  • https://groups.google.com/a/chromium.org/forum/m/#!msg/blink-dev/he9tr7p3rZ8/eNMwKPmUBAAJ
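A worked example of how a pin-sha256 value is produced and how the header is assembled, added here as an editor's example (not code from the OWASP project). It assumes the input is the server's SubjectPublicKeyInfo in PEM form, as printed by openssl x509 -in cert.pem -pubkey -noout; the SPKI bytes embedded below are a constructed placeholder, not a real key, and the function names are the example's own. The second pin is taken from the example header above and stands in for the backup key's pin.

```python
"""Compute HPKP pin-sha256 values and assemble a Public-Key-Pins header.

Added example, not part of the OWASP project code. Input is the
SubjectPublicKeyInfo in PEM form (`openssl x509 -in cert.pem -pubkey -noout`).
"""
import base64
import hashlib
import re
from typing import Iterable, Optional

# Constructed sample: a PEM "PUBLIC KEY" block whose DER body is a minimal
# SubjectPublicKeyInfo (Ed25519 algorithm identifier followed by a 32-byte key
# of repeated 0x42). It is not a real key; it only lets the script run offline.
SAMPLE_SPKI_DER = bytes.fromhex("302a300506032b6570032100") + b"\x42" * 32
SAMPLE_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    + base64.encodebytes(SAMPLE_SPKI_DER).decode()
    + "-----END PUBLIC KEY-----\n"
)

# Second pin from the page's example header, standing in for the backup key.
BACKUP_PIN = "E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body to DER bytes."""
    match = re.search(r"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", pem, re.S)
    if not match:
        raise ValueError("input is not a PEM block")
    return base64.b64decode("".join(match.group(1).split()))


def pin_sha256(spki_der: bytes) -> str:
    """RFC 7469 pin: base64(SHA-256(DER-encoded SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def decode_pin(pin: str) -> bytes:
    """Inverse of the encoding step; a valid SHA-256 pin decodes to 32 bytes."""
    return base64.b64decode(pin)


def build_hpkp_header(pins: Iterable[str], max_age: int,
                      include_subdomains: bool = False,
                      report_uri: Optional[str] = None) -> str:
    """Assemble the Public-Key-Pins value from its directives.

    RFC 7469 requires a backup pin (one that does not match the served chain),
    so browsers discard a policy carrying a single pin; refuse to emit one.
    """
    pins = list(pins)
    if len(pins) < 2:
        raise ValueError("HPKP needs at least two pins (current key plus a backup)")
    for pin in pins:
        if len(decode_pin(pin)) != 32:
            raise ValueError(f"pin is not a base64 SHA-256 digest: {pin}")
    parts = [f'pin-sha256="{pin}"' for pin in pins]
    parts.append(f"max-age={int(max_age)}")
    if include_subdomains:
        parts.append("includeSubDomains")
    if report_uri:
        parts.append(f'report-uri="{report_uri}"')
    return "; ".join(parts)


if __name__ == "__main__":
    current = pin_sha256(pem_to_der(SAMPLE_PEM))
    print(build_hpkp_header([current, BACKUP_PIN], 5184000, include_subdomains=True))
```

The same digest can be cross-checked from the shell with openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64. Note that the pin covers the public key, not the certificate, so renewing a certificate with the same key pair does not change the pin, while rotating the key does.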

X-Frame-Options

The X-Frame-Options response header improves the protection of web applications against clickjacking. It declares a policy, communicated from the host to the client browser, on whether the browser may render the transmitted content inside frames of other web pages.

Values

  Value              Description
  deny               No rendering within a frame.
  sameorigin         No rendering if the framing page's origin does not match the framed content.
  allow-from DOMAIN  Allows rendering only if framed by a page loaded from DOMAIN. Not supported by all browsers (Chrome and Safari ignore it), so a site relying on it is unprotected there; the CSP frame-ancestors directive is the standards-track replacement.

Example

  X-Frame-Options: deny

References

  • https://tools.ietf.org/html/rfc7034
  • https://tools.ietf.org/html/draft-ietf-websec-x-frame-options-01
  • https://tools.ietf.org/html/draft-ietf-websec-frame-options-00
  • https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
  • https://www.owasp.org/index.php/Clickjacking
  • https://blogs.msdn.microsoft.com/ieinternals/2010/03/30/combating-clickjacking-with-x-frame-options/

X-XSS-Protection

This header controls the reflected cross-site scripting (XSS) filter built into some browsers. The filter was heuristic and has been removed from current Chrome and Edge (Firefox never had one), so the header only affects legacy browsers; Content-Security-Policy is the supported defence.

Values

  Value                                        Description
  0                                            Filter disabled.
  1                                            Filter enabled. If a cross-site scripting attack is detected, the browser sanitizes the page in order to stop the attack.
  1; mode=block                                Filter enabled. Rather than sanitizing the page, the browser prevents rendering of the page when an XSS attack is detected.
  1; report=http://[YOURDOMAIN]/your_report_URI  Filter enabled. The browser sanitizes the page and reports the violation. This is a Chromium function using the CSP violation report format to send details to a URI of your choice.

Example

  X-XSS-Protection: 1; mode=block

References

  • https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
  • https://www.virtuesecurity.com/blog/understanding-xss-auditor/
  • https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers
  • http://zinoui.com/blog/security-http-headers#x-xss-protection

X-Content-Type-Options

Setting this header prevents the browser from interpreting a response as something other than what the Content-Type header declares. Without it, a browser may "sniff" the bytes of a response and, for example, execute a user-uploaded file served as text/plain as a script or style sheet.

Values

  Value    Description
  nosniff  Prevents the browser from MIME-sniffing a response away from the declared Content-Type; scripts and style sheets are only used if served with a correct JavaScript or CSS MIME type.

Example

  X-Content-Type-Options: nosniff

References

  • https://msdn.microsoft.com/en-us/library/gg622941%28v=vs.85%29.aspx
  • https://blogs.msdn.microsoft.com/ie/2008/09/02/ie8-security-part-vi-beta-2-update/

Content-Security-Policy

A Content Security Policy (CSP) requires careful tuning and a precise definition of the policy. If enabled, CSP has a significant impact on the way browsers render pages (for example, inline JavaScript is disabled by default and must be explicitly allowed in the policy). CSP prevents a wide range of attacks, including cross-site scripting and other cross-site injections, by restricting from where scripts, styles, images and other resources may be loaded and whether inline code may run.

Values

  Directive                  Description
  base-uri                   Define the base URI for relative URIs.
  default-src                Define the loading policy for all resource types for which no dedicated directive is defined (fallback).
  script-src                 Define which scripts the protected resource can execute.
  object-src                 Define from where the protected resource can load plugins.
  style-src                  Define which styles (CSS) the user agent applies to the protected resource.
  img-src                    Define from where the protected resource can load images.
  media-src                  Define from where the protected resource can load video and audio.
  frame-src                  Define from where the protected resource can embed frames. Deprecated in CSP level 2 in favour of child-src, reinstated in CSP level 3.
  child-src                  Define from where the protected resource can embed frames and load workers.
  frame-ancestors            Define from where the protected resource can be embedded in frames (the CSP replacement for X-Frame-Options).
  font-src                   Define from where the protected resource can load fonts.
  connect-src                Define which URIs the protected resource can load using script interfaces (XMLHttpRequest, fetch, WebSocket, EventSource).
  manifest-src               Define from where the protected resource can load its manifest.
  form-action                Define which URIs can be used as the action of HTML form elements.
  sandbox                    Specifies an HTML sandbox policy that the user agent applies to the protected resource.
  script-nonce               Define script execution by requiring the presence of the specified nonce on script elements. Superseded by 'nonce-<value>' source expressions inside script-src.
  plugin-types               Define the set of plugins that can be invoked by the protected resource by limiting the types of resources that can be embedded.
  reflected-xss              Instructs a user agent to activate or deactivate any heuristics used to filter or block reflected cross-site scripting attacks, equivalent to the effects of the non-standard X-XSS-Protection header. Dropped from CSP level 3.
  block-all-mixed-content    Prevent the user agent from loading mixed content.
  upgrade-insecure-requests  Instructs the user agent to fetch insecure (http://) resources over HTTPS instead.
  referrer                   Define the information the user agent must send in the Referer header. Dropped from CSP in favour of the Referrer-Policy header (see below).
  report-uri                 Specifies a URI to which the user agent sends reports about policy violations.
  report-to                  Specifies a group (defined in the Report-To header) to which the user agent sends reports about policy violations.

Example

  Content-Security-Policy: script-src 'self'

References

  • https://www.w3.org/TR/CSP/
  • https://developer.mozilla.org/en-US/docs/Web/Security/CSP
  • https://www.owasp.org/index.php/Content_Security_Policy
  • https://scotthelme.co.uk/content-security-policy-an-introduction/
  • https://report-uri.io
  • http://www.cspplayground.com/home
  • http://content-security-policy.com
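The following added example (editor's code, not the project's) parses a policy into its directives and flags the settings that most often undermine it: 'unsafe-inline' without a nonce or hash, 'unsafe-eval', wildcard or bare-scheme script sources, object-src not set to 'none', and a missing base-uri. The finding codes and the set of checks are the example's own (modelled on what CSP evaluators commonly report); the fallback rule (a missing fetch directive inherits default-src) and the first-occurrence-wins rule for duplicated directives are from the specification. Run against the policies captured in the Top Websites section below, it reports every code except no-script-policy for Facebook's policy, and unsafe-eval, object-src and base-uri for Twitter's.

```python
"""Parse a Content-Security-Policy header and flag the weaknesses that let
injected script run. Added example, not part of the OWASP project code; the
finding codes are this example's own, not a spec-defined list.
"""
from typing import Dict, List, Optional

# Fetch directives that fall back to default-src when they are absent.
FALLS_BACK_TO_DEFAULT = {
    "script-src", "style-src", "img-src", "connect-src", "font-src", "media-src",
    "object-src", "frame-src", "child-src", "manifest-src", "worker-src",
}
KEYED_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
SCRIPT_WILDCARDS = {"*", "http:", "https:", "data:"}

EXPLANATIONS = {
    "no-script-policy": "neither script-src nor default-src is set: scripts may load from any origin",
    "unsafe-inline": "script-src allows 'unsafe-inline' without a nonce or hash: injected inline scripts run",
    "unsafe-eval": "script-src allows 'unsafe-eval': eval()/new Function() on attacker-influenced strings run",
    "script-wildcard": "script-src contains * or a bare scheme (https:, data:): any host on that scheme can serve script",
    "object-src": "object-src is not 'none': plugin content can be used for script execution",
    "base-uri": "base-uri is not set: an injected <base> tag redirects relative script URLs to an attacker host",
}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split 'name src src; name src' into a dict. Directive names are
    case-insensitive; when a name repeats, the first occurrence wins and the
    rest are ignored, as the CSP spec requires."""
    policy: Dict[str, List[str]] = {}
    for token in header.split(";"):
        parts = token.split()
        if not parts:
            continue
        name = parts[0].lower()
        if name not in policy:
            policy[name] = parts[1:]
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Source list that governs `directive`, following the fallback to
    default-src. Returns None when nothing restricts it at all."""
    if directive in policy:
        return policy[directive]
    if directive in FALLS_BACK_TO_DEFAULT:
        return policy.get("default-src")
    return None


def audit_csp(header: str) -> List[str]:
    """Return finding codes (keys of EXPLANATIONS) for one policy string."""
    findings: List[str] = []
    policy = parse_csp(header)

    scripts = effective_sources(policy, "script-src")
    if scripts is None:
        findings.append("no-script-policy")
    else:
        keyed = any(src.startswith(KEYED_PREFIXES) for src in scripts)
        # Browsers that understand nonces/hashes ignore 'unsafe-inline' when one
        # is present, so that combination is the accepted fallback for old browsers.
        if "'unsafe-inline'" in scripts and not keyed:
            findings.append("unsafe-inline")
        if "'unsafe-eval'" in scripts:
            findings.append("unsafe-eval")
        if any(src in SCRIPT_WILDCARDS for src in scripts):
            findings.append("script-wildcard")

    if effective_sources(policy, "object-src") != ["'none'"]:
        findings.append("object-src")
    if "base-uri" not in policy:
        findings.append("base-uri")
    return findings


def explain(findings: List[str]) -> List[str]:
    """Human-readable line per finding code."""
    return [EXPLANATIONS[code] for code in findings]


if __name__ == "__main__":
    # The page's minimal example: scripts locked to 'self', plugins and <base> unrestricted.
    for line in explain(audit_csp("script-src 'self'")):
        print(line)
```

The two-finding result for the page's own example policy is the point: script-src 'self' alone still leaves object-src and base-uri open, which is why hardened policies usually read script-src 'nonce-...'; object-src 'none'; base-uri 'none' at minimum.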

X-Permitted-Cross-Domain-Policies

A cross-domain policy file is an XML document that grants a web client, such as Adobe Flash Player or Adobe Acrobat (though not necessarily limited to these), permission to handle data across domains. When a client requests content hosted on a particular source domain and that content makes requests directed towards a domain other than its own, the remote domain needs to host a cross-domain policy file that grants access to the source domain, allowing the client to continue the transaction. Normally a meta-policy is declared in the master policy file (/crossdomain.xml), but those who cannot write to the root directory can also declare a meta-policy using the X-Permitted-Cross-Domain-Policies HTTP response header.

Values

  Value            Description
  none             No policy files are allowed anywhere on the target server, including this master policy file.
  master-only      Only this master policy file is allowed.
  by-content-type  [HTTP/HTTPS only] Only policy files served with Content-Type: text/x-cross-domain-policy are allowed.
  by-ftp-filename  [FTP only] Only policy files whose file names are crossdomain.xml (i.e. URLs ending in /crossdomain.xml) are allowed.
  all              All policy files on this target domain are allowed.

Example

  X-Permitted-Cross-Domain-Policies: none

References

  • https://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/xdomain.html
  • https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html
  • https://www.perpetual-beta.org/weblog/security-headers.html#rule-8470-2-establish-a-cross-domain-meta-policy
  • https://danielnixon.org/http-security-headers/
  • https://rorsecurity.info/portfolio/new-http-headers-for-more-security
  • https://github.com/twitter/secureheaders/issues/88

Referrer-Policy

The Referrer-Policy HTTP header governs how much referrer information (sent in the Referer header) is included with requests made from the page. In the table, "full URL" means the document URL stripped of username, password and fragment; the query string is included, which is why policies that send the full URL cross-origin can leak session tokens or search terms placed in URL parameters.

Values

  Value                            Description
  no-referrer                      The Referer header is omitted entirely. No referrer information is sent along with requests.
  no-referrer-when-downgrade       Send the full URL to destinations at least as secure as the document (HTTPS->HTTPS, HTTP->anything), but send nothing to a less secure destination (HTTPS->HTTP). This was the user agent's default behaviour when no policy is specified; current browsers default to strict-origin-when-cross-origin instead.
  origin                           Only send the origin of the document as the referrer, in all cases. The document https://example.com/page.html will send the referrer https://example.com/.
  origin-when-cross-origin         Send the full URL when performing a same-origin request, but only send the origin of the document for cross-origin requests.
  same-origin                      Send the full URL for same-origin requests; cross-origin requests contain no referrer information.
  strict-origin                    Only send the origin of the document as the referrer to destinations at least as secure (HTTPS->HTTPS), and nothing to a less secure destination (HTTPS->HTTP).
  strict-origin-when-cross-origin  Send the full URL when performing a same-origin request, only the origin of the document to cross-origin destinations at least as secure (HTTPS->HTTPS), and no header to a less secure destination (HTTPS->HTTP).
  unsafe-url                       Send the full URL (minus credentials and fragment) for both same-origin and cross-origin requests, including to less secure destinations.

Example

  Referrer-Policy: no-referrer

References

  • https://www.w3.org/TR/referrer-policy/
  • https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
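The table is easier to reason about as a function. The added example below (editor's code, not part of the project) implements the eight policy values for http(s) documents; origin_of, strip_for_referrer and referrer_for are names chosen here, and the URLs in the usage block are constructed. It leaves out the extra cases the specification handles (documents with non-network schemes, and the comma-separated fallback list for older browsers).

```python
"""Resolve which Referer value a browser sends under each Referrer-Policy value.
Added example, not part of the OWASP project code; implements the policy table
for http(s) documents and fetches.
"""
from typing import Optional
from urllib.parse import urlsplit, urlunsplit


def _clean_netloc(url: str) -> str:
    """host[:port] without credentials, used for both the origin and the stripped URL."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    return f"{host}:{parts.port}" if parts.port else host


def origin_of(url: str) -> str:
    """Serialised origin with trailing slash, e.g. https://example.com/ ."""
    return f"{urlsplit(url).scheme}://{_clean_netloc(url)}/"


def strip_for_referrer(url: str) -> str:
    """'Full URL' in the policy table: the URL minus username, password and fragment."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, _clean_netloc(url), parts.path, parts.query, ""))


def referrer_for(policy: str, source: str, destination: str) -> Optional[str]:
    """Referer header value for a request from document `source` to `destination`
    under `policy`, or None when the header is omitted."""
    src, dst = urlsplit(source), urlsplit(destination)
    same_origin = (src.scheme, _clean_netloc(source)) == (dst.scheme, _clean_netloc(destination))
    # A downgrade is a TLS-protected document talking to a cleartext destination.
    downgrade = src.scheme in ("https", "wss") and dst.scheme in ("http", "ws")
    full, origin = strip_for_referrer(source), origin_of(source)

    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "origin":
        return origin
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full
        return None if downgrade else origin
    if policy == "unsafe-url":
        return full
    raise ValueError(f"unknown Referrer-Policy value: {policy!r}")


if __name__ == "__main__":
    # Constructed document URL carrying the kind of data a Referer can leak.
    doc = "https://user:secret@example.com/account/page.html?token=abc#section"
    for target in ("https://example.com/api", "https://other.example/", "http://other.example/"):
        print(target, "->", referrer_for("strict-origin-when-cross-origin", doc, target))
```

Running the usage block shows why strict-origin-when-cross-origin became the browser default: the token in the query string reaches the same origin only, a cross-origin HTTPS site sees just https://example.com/, and a cleartext destination sees nothing, while unsafe-url would hand the token to all three.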

Expect-CT

The Expect-CT header is used by a server to indicate that browsers should evaluate connections to the host emitting the header for Certificate Transparency (CT) compliance, i.e. that the certificate presented carries proof of being logged in public CT logs. It was a transitional mechanism: since browsers began requiring CT for all publicly trusted certificates issued from 2018 onwards, the header adds little and has been deprecated.

Values

  Value       Description
  report-uri  The optional report-uri directive indicates the URL to which the browser should report Expect-CT failures.
  enforce     The optional enforce directive is a valueless directive that, if present, signals to the browser that compliance with the CT policy should be enforced (rather than report-only) and that the browser should refuse future connections that violate its CT policy. When both the enforce directive and the report-uri directive are present, the configuration is referred to as an "enforce-and-report" configuration, signalling to the browser both that compliance with the CT policy should be enforced and that violations should be reported.
  max-age     The max-age directive specifies the number of seconds after the reception of the Expect-CT header field during which the browser should regard the host from whom the message was received as a Known Expect-CT Host.

Example

  Expect-CT: max-age=86400, enforce, report-uri="https://foo.example/report"

References

  • https://tools.ietf.org/html/draft-ietf-httpbis-expect-ct-02
  • http://httpwg.org/http-extensions/expect-ct.html
  • https://scotthelme.co.uk/a-new-security-header-expect-ct/

Feature-Policy

The Feature-Policy header allows developers to selectively enable and disable the use of various browser features and APIs, both in the page itself and in the frames it embeds. The header has since been renamed Permissions-Policy, with a different value syntax; the feature names below are largely unchanged.

Values

  Value                 Description
  accelerometer         Controls access to accelerometer sensors on the device.
  ambient-light-sensor  Controls access to ambient light sensors on the device.
  autoplay              Controls access to autoplay through play() and the autoplay attribute.
  camera                Controls access to video input devices.
  encrypted-media       Controls whether requestMediaKeySystemAccess() is allowed.
  fullscreen            Controls whether requestFullscreen() is allowed.
  geolocation           Controls access to the Geolocation interface.
  gyroscope             Controls access to gyroscope sensors on the device.
  magnetometer          Controls access to magnetometer sensors on the device.
  microphone            Controls access to audio input devices.
  midi                  Controls access to the requestMIDIAccess() method.
  payment               Controls access to the PaymentRequest interface.
  picture-in-picture    Controls access to Picture in Picture.
  speaker               Controls access to audio output devices.
  usb                   Controls access to USB devices.
  vibrate               Controls access to the vibrate() method.
  vr                    Controls access to VR displays.

Example

  Feature-Policy: vibrate 'none'; geolocation 'none'

References

  • https://wicg.github.io/feature-policy/
  • https://github.com/WICG/feature-policy/blob/master/features.md
  • https://scotthelme.co.uk/a-new-security-header-feature-policy/

Browser Support

  Header                                        Internet Explorer  Edge  Firefox  Chrome  Safari  Opera  Android
  HTTP Strict Transport Security (HSTS)         11                 13    47       49      9.1     39     4.4
  Public Key Pinning Extension for HTTP (HPKP)  NS                 NS    47       49      NS      39     51
  X-Frame-Options                               8                  13    47       49      9.1     39     4.4
  X-XSS-Protection                              8                  -     NS       4+      -       -      -
  X-Content-Type-Options                        8                  -     51       1.0     NS      13     -
  Content-Security-Policy                       11                 13    47       49      9.1     39     4.4
  X-Permitted-Cross-Domain-Policies             -                  -     -        -       -       -      -
  Referrer-Policy                               NS                 NS    50       56      NS      43     -
  Expect-CT                                     -                  -     -        61      -       48     -
  Feature-Policy                                -                  -     -        -       -       -      -

  NS = Not Supported
  -  = no data given on this page
  A version number means the specified version and above.

References

  • HTTP Strict Transport Security (HSTS)
    https://blogs.windows.com/msedgedev/2015/06/09/http-strict-transport-security-comes-to-internet-explorer-11-on-windows-8-1-and-windows-7/
    https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
    https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet
    http://caniuse.com/#search=HSTS
  • Public Key Pinning Extension for HTTP (HPKP)
    http://caniuse.com/#search=Public%20Key%20Pinning
    https://groups.google.com/a/chromium.org/forum/m/#!msg/blink-dev/he9tr7p3rZ8/eNMwKPmUBAAJ
  • X-Frame-Options
    http://caniuse.com/#search=X-Frame-Options
  • X-XSS-Protection
    https://wiki.mozilla.org/Security/Features/XSS_Filter
    https://blogs.msdn.microsoft.com/ieinternals/2011/01/31/controlling-the-xss-filter/
  • X-Content-Type-Options
    https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
  • Content-Security-Policy
    http://caniuse.com/#search=Content%20Security%20Policy
  • X-Permitted-Cross-Domain-Policies
    https://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/xdomain.html
  • Referrer-Policy
    https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
  • Expect-CT
    https://www.chromestatus.com/feature/5677171733430272
  • Feature-Policy
    [update needed]

Technical Resources

This section covers tools to analyze, develop and administer HTTP security headers, to help build more secure and trustworthy web systems.

Analysis Tools

hsecscan

A security scanner for HTTP response headers.

Github: https://github.com/riramar/hsecscan

headers

Python script that fetches selected response headers from the sites listed in an Alexa top-sites file and stores them in a MySQL database.

Github: https://github.com/oshp/headers/

securityheaders.io

There are services out there that will analyse the HTTP response headers of other sites but I also wanted to add a rating system to the results. The HTTP response headers that this site analyses provide huge levels of protection and it’s important that sites deploy them. Hopefully, by providing an easy mechanism to assess them, and further information on how to deploy missing headers, we can drive up the usage of security based headers across the web.

Site: https://securityheaders.io/

Mozilla Observatory

A Mozilla project designed to help developers, system administrators, and security professionals configure their sites safely and securely.

Site: https://mozilla.github.io/http-observatory-website/

High-Tech Bridge Web Security Scanner

An online service that retrieves the headers and analyses their syntax and configuration in a comprehensive way. It can, for instance, highlight whether the Public-Key-Pins values match a certificate in the served chain, or whether Content-Security-Policy contains values that could be unsafe or too permissive.

Site: https://www.htbridge.com/websec/

Check Your Headers

Just another web scanner for HTTP response headers.

Site: https://cyh.herokuapp.com/cyh

Recx Security Analyser

Chrome extension that allows the inspection of security aspects of a site’s HTTP headers, cookies and other key security settings.

Site: https://chrome.google.com/webstore/detail/recx-security-analyser/ljafjhbjenhgcgnikniijchkngljgjda

KickOff

While each project you launch may have a different feature set, they often share many of the same performance, SEO and security requirements. This tool aims to automate the process of checking your list of requirements shortly before launch or directly after a deployment.

Site: https://github.com/frickelbruder/kickoff

testssl.sh

Easy to use shell script which tests not only SSL/TLS encryption but also checks common headers and analyzes those. Output is screen, JSON, CSV and HTML.

Site: https://github.com/drwetter/testssl.sh

DrHEADer

DrHEADer helps with the audit of security headers received in response to a single request or a list of requests.

Site: https://github.com/Santandersecurityresearch/DrHeader

Development Libraries

secureheaders

Security related headers all in one gem.

Ruby

Github: https://github.com/twitter/secureheaders

Security Header Injection Module (SHIM)

SHIM is a HTTP module that provides protection for many vulnerabilities by injecting security-specific HTTP headers into ASP.NET web applications.

ASP.NET

Site: https://shim.codeplex.com/

Spring Security

Spring Security’s support for adding various security headers to the response.

Java

Site: http://docs.spring.io/spring-security/site/docs/current/reference/html/headers.html

SecureHeaders

A PHP class aiming to make the use of browser security features more accessible.

PHP

Site: https://github.com/aidantwoods/SecureHeaders

rack-secure_headers

Security related HTTP headers for Rack applications.

Rack

Site: https://github.com/frodsan/rack-secure_headers

helmet and hood

Middleware packages that set security-related HTTP response headers on Express applications.

Node.js (express)

Site: https://github.com/helmetjs/helmet Site: https://github.com/seanmonstar/hood

blankie

A CSP plugin for hapi.

Node.js (hapi)

Site: https://github.com/nlf/blankie

NWebsec

NWebsec consists of several security libraries for ASP.NET applications.

ASP.NET

Site: https://docs.nwebsec.com

django-csp + commonware; django-security

Django middleware packages for Content-Security-Policy (django-csp) and other security headers (commonware, django-security).

Python

Site: https://github.com/mozilla/django-csp Site: https://github.com/jsocol/commonware/ Site: https://github.com/sdelements/django-security

Secure

Secure is a lightweight package that adds optional security headers and cookie attributes for Python web frameworks.

Python

Site: https://github.com/cakinney/secure

secureheader

Package secureheader adds some HTTP header fields widely considered to improve safety of HTTP requests.

Go

Site: https://github.com/kr/secureheader

secure_headers

This Plug automatically applies several security headers to the Plug.Conn response. By design, SecureHeaders attempts to apply the strictest security policy; the headers are configurable and are validated to avoid misconfiguration.

Elixir

Site: https://github.com/anotherhale/secure_headers

dropwizard-web-security

A bundle for applying default web security functionality to a dropwizard application.

Dropwizard

Site: https://github.com/palantir/dropwizard-web-security

ember-cli-content-security-policy

This addon makes it easy to use Content Security Policy (CSP) in your project. It can be deployed either via a Content-Security-Policy header sent from the Ember CLI Express server, or as a meta tag in the index.html file.

Ember.js

Site: https://github.com/rwjblue/ember-cli-content-security-policy/

Operation Tools

http_hardening

Puppet module to enable, configure and manage secure http headers on web servers.

Web servers supported: Apache HTTP Server, NGINX, Lighttpd

Github: https://github.com/amenezes/http_hardening
Puppet Forge: https://forge.puppet.com/amenezes/http_hardening


Top Websites Examples

HTTP response headers from the top websites in the world.

Command used to extract the headers:

curl -L -A "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36" -s -D - https://www.example.com -o /dev/null

Google

$ curl -L -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36" -s -D - https://www.google.com -o /dev/null
HTTP/1.1 302 Found
Location: https://www.google.com.br/?gws_rd=cr&dcr=0&ei=rtcKWpnkNYaawATUn6agCg
Cache-Control: private
Content-Type: text/html; charset=UTF-8
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Date: Tue, 14 Nov 2017 11:46:54 GMT
Server: gws
Content-Length: 273
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Set-Cookie: NID=117=GENZIllQGZFmhCBmap1YThta_hUvvZ9Xm517XXWpF9eCKNqW6_luvZm1b_ai7BN4lAA2pP2Z22BveHqjUrqZxpY38NKSYLKWFGrVh6tGAHcbNw6OHQ_F77bNJWV0BZOZ; expires=Wed, 16-May-2018 11:46:54 GMT; path=/; domain=.google.com; HttpOnly
Alt-Svc: quic=":443"; ma=2592000; v="41,39,38,37,35"

HTTP/1.1 200 OK
Date: Tue, 14 Nov 2017 11:46:55 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=3600
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Server: gws
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Set-Cookie: 1P_JAR=2017-11-14-11; expires=Thu, 14-Dec-2017 11:46:55 GMT; path=/; domain=.google.com.br
Set-Cookie: NID=117=fR73jhascV3B9fbiVfYdvGlilR_tgYNhela9rXdCavJiJoYpkNSTq0NtFqNSV8im602zM7Of-S1GUr_ncSuT3p6tzlw3e6_9ccqPttSuniTHWZEgBtUL1VXTgXBdjKMe; expires=Wed, 16-May-2018 11:46:55 GMT; path=/; domain=.google.com.br; HttpOnly
Alt-Svc: quic=":443"; ma=2592000; v="41,39,38,37,35"
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked

Facebook

$ curl -L -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36" -s -D - https://www.facebook.com -o /dev/null
HTTP/1.1 200 OK
X-XSS-Protection: 0
Pragma: no-cache
content-security-policy: default-src * data: blob:;script-src *.facebook.com *.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* 'unsafe-inline' 'unsafe-eval' fbstatic-a.akamaihd.net fbcdn-static-b-a.akamaihd.net *.atlassolutions.com blob: data: 'self';style-src data: blob: 'unsafe-inline' *;connect-src *.facebook.com *.fbcdn.net *.facebook.net *.spotilocal.com:* *.akamaihd.net wss://*.facebook.com:* https://fb.scanandcleanlocal.com:* *.atlassolutions.com attachment.fbsbx.com ws://localhost:* blob: *.cdninstagram.com 'self' chrome-extension://boadgeojelhgndaghljhdicfkmllpafd chrome-extension://dliochdbjfkdbacpmhlcpmleaejidimm;
Cache-Control: private, no-cache, no-store, must-revalidate
X-Frame-Options: DENY
expect-ct: max-age=10, report-uri="http://reports.fb.com/expectct/"
Strict-Transport-Security: max-age=15552000; preload
X-Content-Type-Options: nosniff
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Set-Cookie: fr=0Bf96eRMD0zCulvzh..BaCtgp.jl.AAA.0.0.BaCtgp.AWVGQojt; expires=Mon, 12-Feb-2018 11:48:57 GMT; Max-Age=7776000; path=/; domain=.facebook.com; secure; httponly
Set-Cookie: sb=KdgKWqMf8J84KfUg99AxaG1B; expires=Thu, 14-Nov-2019 11:48:57 GMT; Max-Age=63072000; path=/; domain=.facebook.com; secure; httponly
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
X-FB-Debug: llncdeFRYCCoWkXqx2VCdUGtdHZvjsr6OA7JNrtEe18ZuZAqcKCH4km9SSkNTHIcuXmzwRMzyBQt0Uz7T6ltQg==
Date: Tue, 14 Nov 2017 11:48:57 GMT
Transfer-Encoding: chunked
Connection: keep-alive

Twitter

$ curl -L -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36" -s -D - https://www.twitter.com -o /dev/null
HTTP/1.1 301 Moved Permanently
content-length: 0
date: Tue, 14 Nov 2017 11:50:11 GMT
location: https://twitter.com/
server: tsa_d
set-cookie: personalization_id="v1_nyz+ctxxDiBbh4s6VjzQIg=="; Expires=Thu, 14 Nov 2019 11:50:11 UTC; Path=/; Domain=.twitter.com
set-cookie: guest_id=v1%3A151066021116455299; Expires=Thu, 14 Nov 2019 11:50:11 UTC; Path=/; Domain=.twitter.com
strict-transport-security: max-age=631138519
x-connection-hash: d9a9eea848268dae67e7743d5bfd2dd5
x-response-time: 135

HTTP/1.1 200 OK
cache-control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
content-length: 345977
content-security-policy: script-src https://connect.facebook.net https://cm.g.doubleclick.net https://ssl.google-analytics.com https://graph.facebook.com 'nonce-f/+1f61E6Z0qq8p+L4UIQw==' https://twitter.com 'unsafe-eval' https://*.twimg.com https://api.twitter.com https://analytics.twitter.com https://publish.twitter.com https://ton.twitter.com https://syndication.twitter.com https://www.google.com https://t.tellapart.com https://platform.twitter.com https://www.google-analytics.com blob: 'self'; frame-ancestors 'self'; font-src https://twitter.com https://*.twimg.com data: https://ton.twitter.com https://fonts.gstatic.com https://maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self'; media-src https://rmpdhdsnappytv-vh.akamaihd.net https://prod-video-eu-central-1.pscp.tv https://v.cdn.vine.co https://dwo3ckksxlb0v.cloudfront.net https://twitter.com https://amp.twimg.com https://smmdhdsnappytv-vh.akamaihd.net https://*.twimg.com https://prod-video-eu-west-1.pscp.tv https://rmmdhdsnappytv-vh.akamaihd.net https://prod-video-us-west-2.pscp.tv https://prod-video-us-west-1.pscp.tv https://prod-video-ap-northeast-1.pscp.tv https://smdhdsnappytv-vh.akamaihd.net https://ton.twitter.com https://rmdhdsnappytv-vh.akamaihd.net https://mmdhdsnappytv-vh.akamaihd.net https://smpdhdsnappytv-vh.akamaihd.net https://prod-video-sa-east-1.pscp.tv https://mdhdsnappytv-vh.akamaihd.net https://prod-video-ap-southeast-2.pscp.tv https://mtc.cdn.vine.co https://dev-video-us-west-2.pscp.tv https://prod-video-us-east-1.pscp.tv blob: 'self' https://prod-video-ap-southeast-1.pscp.tv https://mpdhdsnappytv-vh.akamaihd.net https://dev-video-eu-west-1.pscp.tv; connect-src https://rmpdhdsnappytv-vh.akamaihd.net https://prod-video-eu-central-1.pscp.tv https://graph.facebook.com https://*.giphy.com https://dwo3ckksxlb0v.cloudfront.net https://vmaprel.snappytv.com https://smmdhdsnappytv-vh.akamaihd.net https://*.twimg.com https://embed.pscp.tv https://api.twitter.com https://prod-video-eu-west-1.pscp.tv https://rmmdhdsnappytv-vh.akamaihd.net https://prod-video-us-west-2.pscp.tv https://pay.twitter.com https://prod-video-us-west-1.pscp.tv https://analytics.twitter.com https://vmap.snappytv.com https://*.twprobe.net https://prod-video-ap-northeast-1.pscp.tv https://smdhdsnappytv-vh.akamaihd.net https://syndication.twitter.com https://sentry.io https://rmdhdsnappytv-vh.akamaihd.net https://media.riffsy.com https://mmdhdsnappytv-vh.akamaihd.net https://embed.periscope.tv https://smpdhdsnappytv-vh.akamaihd.net https://prod-video-sa-east-1.pscp.tv https://vmapstage.snappytv.com https://upload.twitter.com https://proxsee.pscp.tv https://mdhdsnappytv-vh.akamaihd.net https://prod-video-ap-southeast-2.pscp.tv https://dev-video-us-west-2.pscp.tv https://prod-video-us-east-1.pscp.tv 'self' https://vmap.grabyo.com https://prod-video-ap-southeast-1.pscp.tv https://mpdhdsnappytv-vh.akamaihd.net https://dev-video-eu-west-1.pscp.tv; style-src https://fonts.googleapis.com https://twitter.com https://*.twimg.com https://translate.googleapis.com https://ton.twitter.com 'unsafe-inline' https://platform.twitter.com https://maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self'; object-src https://twitter.com https://pbs.twimg.com; default-src 'self'; frame-src https://staticxx.facebook.com https://twitter.com https://*.twimg.com https://5415703.fls.doubleclick.net https://player.vimeo.com https://pay.twitter.com https://www.facebook.com https://ton.twitter.com https://syndication.twitter.com https://vine.co twitter: https://www.youtube.com https://platform.twitter.com https://upload.twitter.com https://s-static.ak.facebook.com https://4337974.fls.doubleclick.net https://8122179.fls.doubleclick.net 'self' https://donate.twitter.com; img-src https://prod-video-eu-central-1.pscp.tv https://prod-profile.pscp.tv https://graph.facebook.com https://prod-thumbnail.pscp.tv https://*.giphy.com https://twitter.com https://*.twimg.com https://ad.doubleclick.net https://prod-video-eu-west-1.pscp.tv data: https://prod-video-us-west-2.pscp.tv https://prod-video-us-west-1.pscp.tv https://prod-video-ap-northeast-1.pscp.tv https://lumiere-a.akamaihd.net https://fbcdn-profile-a.akamaihd.net https://www.facebook.com https://ton.twitter.com https://*.fbcdn.net https://syndication.twitter.com https://media.riffsy.com https://www.google.com https://prod-profile.periscope.tv https://prod-video-sa-east-1.pscp.tv https://stats.g.doubleclick.net https://platform.twitter.com https://prod-video-ap-southeast-2.pscp.tv https://api.mapbox.com https://www.google-analytics.com https://dev-video-us-west-2.pscp.tv https://prod-video-us-east-1.pscp.tv blob: https://prod-thumbnail-small.pscp.tv https://prod-thumbnail-small.periscope.tv 'self' https://prod-thumbnail.periscope.tv https://prod-video-ap-southeast-1.pscp.tv https://dev-video-eu-west-1.pscp.tv; report-uri https://twitter.com/i/csp_report?a=NVQWGYLXFVZXO2LGOQ%3D%3D%3D%3D%3D%3D&ro=false;
content-type: text/html;charset=utf-8
date: Tue, 14 Nov 2017 11:50:11 GMT
expires: Tue, 31 Mar 1981 05:00:00 GMT
last-modified: Tue, 14 Nov 2017 11:50:11 GMT
pragma: no-cache
server: tsa_d
set-cookie: fm=0; Expires=Tue, 14 Nov 2017 11:50:02 UTC; Path=/; Domain=.twitter.com; Secure; HTTPOnly
set-cookie: _twitter_sess=BAh7CSIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoPY3JlYXRlZF9hdGwrCMOCXbpfAToMY3NyZl9p%250AZCIlOTk3MjYzYzc1NDhkOTA1ZTlhZTIyNGE2Zjk5Nzg0NTk6B2lkIiU0ODIw%250AZWRkNjc4Njg2M2IzYmI3ZTA3N2YxMTA4YzE5Nw%253D%253D--7abf7eef950088f9f728686ce29881ef501487dd; Path=/; Domain=.twitter.com; Secure; HTTPOnly
set-cookie: personalization_id="v1_rrHzrB5h0Qs1Oz4uhOjFJg=="; Expires=Thu, 14 Nov 2019 11:50:11 UTC; Path=/; Domain=.twitter.com
set-cookie: guest_id=v1%3A151066021139105511; Expires=Thu, 14 Nov 2019 11:50:11 UTC; Path=/; Domain=.twitter.com
set-cookie: 
ct0=ba98c8a6cb4c664151a98c8bd9eb4b4d; Expires=Tue, 14 Nov 2017 17:50:11 UTC; Path=/; Domain=.twitter.com; Secure status: 200 OK strict-transport-security: max-age=631138519 x-connection-hash: 769f9dcd87b9274776136b99b3181a44 x-content-type-options: nosniff x-frame-options: SAMEORIGIN x-response-time: 359 x-transaction: 007d216900cbc2ad x-twitter-response-tags: BouncerCompliant x-ua-compatible: IE=edge,chrome=1 x-xss-protection: 1; mode=block Github $ curl -L -A “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36” -s -D - https://www.github.com -o /dev/null HTTP/1.1 301 Moved Permanently Content-length: 0 Location: https://github.com/

HTTP/1.1 200 OK Server: GitHub.com Date: Tue, 14 Nov 2017 11:51:27 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Status: 200 OK Cache-Control: no-cache Vary: X-PJAX X-UA-Compatible: IE=Edge,chrome=1 Set-Cookie: logged_in=no; domain=.github.com; path=/; expires=Sat, 14 Nov 2037 11:51:27 -0000; secure; HttpOnly Set-Cookie: _gh_sess=eyJzZXNzaW9uX2lkIjoiODI5ZGZjZDhlZDFlMjBjZTBhMTljMjk5ZDU1ZDBlODgiLCJsYXN0X3JlYWRfZnJvbV9yZXBsaWNhcyI6MTUxMDY2MDI4NzMxNywiX2NzcmZfdG9rZW4iOiIvTjkya2RHLzJJN2dtbU12eWQ3UGJDeTJ0aU1tZHJrci8wVzlpMi9yajFZPSJ9–5920790d2e11e8d4a32177a14ac25fae6e8f9789; path=/; secure; HttpOnly X-Request-Id: b31804a05047fd1326fe28cf3d6f33aa X-Runtime: 0.036845 Expect-CT: max-age=2592000, report-uri=”https://api.github.com/_private/browser/errors” Content-Security-Policy: default-src ‘none’; base-uri ‘self’; block-all-mixed-content; child-src render.githubusercontent.com; connect-src ‘self’ uploads.github.com status.github.com collector.githubapp.com api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com wss://live.github.com; font-src assets-cdn.github.com; form-action ‘self’ github.com gist.github.com; frame-ancestors ‘none’; img-src ‘self’ data: assets-cdn.github.com identicons.github.com collector.githubapp.com github-cloud.s3.amazonaws.com *.githubusercontent.com; media-src ‘none’; script-src assets-cdn.github.com; style-src ‘unsafe-inline’ assets-cdn.github.com Strict-Transport-Security: max-age=31536000; includeSubdomains; preload Public-Key-Pins: max-age=0; pin-sha256=”WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18=”; pin-sha256=”RRM1dGqnDFsCJXBTHky16vi1obOlCgFFn/yOhI/y+ho=”; pin-sha256=”k2v657xBsOVe1PQRwOsHsw3bsGT2VzIqz5K+59sNQws=”; pin-sha256=”K87oWBWM9UZfyddvDfoxL+8lpNyoUB2ptGtn0fv6G2Q=”; pin-sha256=”IQBnNBEiFuhj+8x6X8XLgh01V9Ic5/V3IRQLNFFc7v4=”; 
pin-sha256=”iie1VXtL7HzAMF+/PVPR9xzT80kQxdZeJ+zduCB3uj0=”; pin-sha256=”LvRiGEjRqfzurezaWuj8Wie2gyHMrW5Q06LspMnox7A=”; includeSubDomains X-Content-Type-Options: nosniff X-Frame-Options: deny X-XSS-Protection: 1; mode=block X-Runtime-rack: 0.043225 X-GitHub-Request-Id: 9AB0:25783:6A523:B814E:5A0AD8BE
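The captures above are useful as a checklist: which of the project's headers are present, and are they set to values that actually protect anything. The following Python is an added example, not OWASP project code, that parses a raw header dump of the same shape and grades HSTS, CSP and X-Frame-Options the way a reviewer would (the thresholds and the constructed SAMPLE dump are this example's own assumptions).

```python
import re

# Header names are case-insensitive (RFC 7230), so everything is lower-cased.
SECURITY_HEADERS = ("strict-transport-security", "content-security-policy",
                    "x-frame-options", "x-content-type-options",
                    "x-xss-protection", "referrer-policy", "expect-ct")

def parse_headers(raw):
    """Return {lower-name: first value} from a raw response; status lines skipped."""
    headers = {}
    for line in raw.splitlines():
        if ":" in line and not line.startswith("HTTP/"):
            name, _, value = line.partition(":")
            headers.setdefault(name.strip().lower(), value.strip())
    return headers

def check_hsts(low):
    m = re.search(r"max-age=(\d+)", low)        # seconds the browser enforces HTTPS
    if not m or int(m.group(1)) < 31536000:      # under one year is a weak policy
        return "weak: short or missing max-age"
    return "ok" if "includesubdomains" in low else "weak: no includeSubDomains"

def check_csp(low):
    # Only script-src (or default-src as its fallback) decides script exposure.
    dirs = {d.split()[0]: d.split()[1:] for d in low.split(";") if d.strip()}
    src = dirs.get("script-src", dirs.get("default-src", []))
    bad = [s for s in src if s in ("'unsafe-inline'", "'unsafe-eval'")]
    return "weak: " + " ".join(bad) if bad else "ok"

def check_xfo(low):
    return "ok" if low in ("deny", "sameorigin") else f"weak: {low}"

CHECKS = {"strict-transport-security": check_hsts,
          "content-security-policy": check_csp,
          "x-frame-options": check_xfo}

def audit(raw):
    """Map each OWASP header to 'ok', 'missing' or 'weak: <reason>'."""
    h = parse_headers(raw)
    return {name: "missing" if name not in h
            else CHECKS.get(name, lambda v: "ok")(h[name].lower())
            for name in SECURITY_HEADERS}

# Constructed sample modelled on the GitHub capture above (values shortened).
SAMPLE = """HTTP/1.1 200 OK
Content-Security-Policy: default-src 'none'; script-src assets-cdn.github.com; style-src 'unsafe-inline' assets-cdn.github.com
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: deny
"""
```

Run against the Twitter capture, the same checks flag the HSTS header for lacking includeSubDomains and the CSP for 'unsafe-eval' in script-src, while the style-src 'unsafe-inline' in both captures is deliberately not counted against script exposure.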