Secure headers for REST

dark-angelus · June 27, 2019, 4:20pm

What are the specific HTTP headers that a mobile application must have for being secure?

blue-snot · June 27, 2019, 4:27pm

Could you add to your question the Internet links that includes your preliminar research on the topic?

dark-angelus · June 27, 2019, 4:56pm

OWASP Secure Headers
7 Security Response Headers
The 8 HTTP Security Headers Best Practices

all of them are explaining what are the secure headers for web applications, but no one say anything about mobile applications. Of course there are some headers that, I know, apply for both (web and mobile) but I want to know what are all of them.

martial-wolf · June 27, 2019, 4:59pm

Mobile apps generally use REST web services to transfer data between the server and the application, the headers that need validation are:

The ones from OWASP
HSTS

blue-snot · June 27, 2019, 5:01pm

The app has webviews?
The app communicates or not with a backend (REST or GraphQL)?

blue-snot · June 27, 2019, 5:02pm

Could interact via many architectural reference communications: REST, GraphQL, Websockets, etc

peaceful-jennings · June 27, 2019, 5:03pm

Hi
I think this might help https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/REST_Security_Cheat_Sheet.md
You can read the section on security headers.

dark-angelus · June 27, 2019, 5:11pm

@blue-snot It doesn’t use a webview. And it is a REST api.
@martial-wolf thanks it helped me alot.

blue-snot · June 27, 2019, 5:12pm

So just to check, the problem after all was secure headers for REST API communication, independent if there is a mobile client or not?

dark-angelus · June 27, 2019, 5:24pm

Kindof. it wasn’t a problem, just a little confusion that I had about how really is working the app I am checking.

blue-snot · June 27, 2019, 5:30pm

Then I will rename the topic to REST secure headers, that at the end is the question and the final answer.

Just for fun and profit, the only particularity about secure headers on mobile is regarding the appropiate way to handle the user-agent header:

hardcore-shaw · June 27, 2019, 6:03pm

Asserts has implemented the relevant checks for REST headers:

https://fluidattacks.com/asserts/fluidasserts.proto.rest/

blue-snot · June 27, 2019, 6:57pm

Great. Is this a bug or a feature:


fluidasserts.proto.rest.HDR_RGX = {'content-type': '^(\\s)*.+(\\/|-).+(\\s)*;(\\s)*charset.*$', 'strict-transport-security': '^\\s*max-age=\\s*\\d+', 'x-content-type-options': '^\\s*nosniff\\s*$', 'x-frame-options': '^\\s*deny.*$'}

hermit-purple · August 1, 2019, 12:47pm

@dark-angelus If this topic is solved, please mark it as such by checking the solution chart at the bottom of the post you consider that properly answers your question. If not, please update the post with fuhrer information about the issue and/or the proposed solutions of the participants.

Topic		Replies	Views
HTTP Secure Headers list hacking web	0	424	March 11, 2020
Common vulnerabilities on web applications hacking question	3	852	October 24, 2019
Session management in mobile applications hacking mobile , question	1	344	October 9, 2019
QueryString funcionability in code project only hacking question	4	578	November 5, 2019
What is our recommended crypto algorithm? hacking sca , question	1	437	January 17, 2020

Secure headers for REST

Related Topics