- Georgios Karopoulos (ORCID: 0000-0002-0142-7503)
- Dimitris Geneiatakis (ORCID: 0000-0001-6455-502X)
- Georgios Kambourakis (ORCID: 0000-0001-6348-5031)
Part of the book series: Lecture Notes in Computer Science (LNSC, volume 12927)
Abstract
HTTP security-focused response headers can be of great aid to web applications in raising their overall security level. That is, if set on the server side, these headers define whether certain security countermeasures are in place for protecting end-users. By utilising the curated Tranco list, this work conducts a wide-scale internet measurement that provides timely answers to the following questions: (a) How is the adoption of these headers developing over time? (b) What is the penetration ratio of each key header in the community? (c) Are there any differences in the support of these headers between diverse major browsers and platforms? (d) Does the version of a browser (outdated vs. new) affect the support rate per key header? (e) Is the status of a header (active vs. deprecated) reflected in its support rate by web servers? Setting aside the use of the more robust Tranco corpus, to our knowledge, with reference to the literature, the contributions regarding the third and fifth questions are novel, while for the rest an updated, up-to-the-minute view of the state of play is provided. Amongst others, the results reveal that the support of headers is somewhat related to the browser version, the penetration ratio of all headers is less than 17% across all platforms, outdated browser versions may be better supported in terms of headers, and deprecated headers still enjoy wide implementation.
Notes
1. Available at https://tranco-list.eu/list/5QWN.
Author information
Authors and Affiliations
- Georgios Karopoulos and Georgios Kambourakis: European Commission, Joint Research Centre (JRC), Via E. Fermi 2749, 21027 Ispra, Italy
- Dimitris Geneiatakis: European Commission, Directorate-General for Informatics, 1000 Bruxelles/Brussel, Belgium
Corresponding author
Correspondence to Georgios Karopoulos.
Editor information
Editors and Affiliations
- Simone Fischer-Hübner: Karlstad University, Karlstad, Sweden
- Costas Lambrinoudakis: University of Piraeus, Piraeus, Greece
- Gabriele Kotsis: Johannes Kepler University of Linz, Linz, Austria
- A Min Tjoa: Vienna University of Technology, Vienna, Austria
- Ismail Khalil: Johannes Kepler University of Linz, Linz, Austria
Copyright information
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
Karopoulos, G., Geneiatakis, D., Kambourakis, G. (2021). Neither Good nor Bad: A Large-Scale Empirical Analysis of HTTP Security Response Headers. In: Fischer-Hübner, S., Lambrinoudakis, C., Kotsis, G., Tjoa, A.M., Khalil, I. (eds) Trust, Privacy and Security in Digital Business. TrustBus 2021. Lecture Notes in Computer Science, vol 12927. Springer, Cham. https://doi.org/10.1007/978-3-030-86586-3_6
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-86585-6
Online ISBN: 978-3-030-86586-3
eBook Packages: Computer Science, Computer Science (R0)