Upgrade insecure requests что это

Нюансы перехода на https

Upgrade-Insecure-Requests

Спецификация Upgrade-Insecure-Requests состоит из двух частей: на стороне браузера и на стороне сайта. Сайт можно отправить заголовок Content-Security-Policy: upgrade-insecure-requests, который обяжет браузеры, которые поддерживают спецификацию Upgrade-Insecure-Requests, отправлять запросы на сайт в защищенном режиме. Спецификация HTTP Strict Transport Security (HSTS) и Upgrade Insecure Requests.

Со стороны браузера может быть отправлен заголовок Upgrade-Insecure-Requests: 1, который говорит серверу, что браузер хочет получать сайт в защищенном режиме (если такой для сайта предусмотрен). Для перевода сайта в защищенный режим необходимо выпустить SSL-сертификат. При наличии SSL-сертификата сайт будет сигнализировать всем браузерам, которые поддерживают этот стандарт, о переходе в безопасный режим и сам переходить в безопасный режим, если получит сигнал от браузера.

Переход на https (SSL) с помощью NGINX

Рабочий конфиг виртуального хоста, замените _ДОМЕН_ на имя своего домена:

Приведет ли HTTPS к тому, что мой сайт станет работать медленнее?

Да, т.к. HTTPS – это в HTTP + кодирование + проверка сертификата, т.е. переход на HTTPS будет отражается на производительности. Однако в случае с современными платформами это практически незаметно. Более того, если вы переходите на HTTPS + HTTP/2 это фактически может привести к лучшей производительности. Протокол HTTP/2 позволяет добиться значительного улучшения производительности по сравнению с HTTP/1.1, и во всех современных браузерах оно доступно только для защищенных сайтов.

Источник

CSP: upgrade-insecure-requests

The HTTP Content-Security-Policy (CSP) upgrade-insecure-requests directive instructs user agents to treat all of a site’s insecure URLs (those served over HTTP) as though they have been replaced with secure URLs (those served over HTTPS). This directive is intended for web sites with large numbers of insecure legacy URLs that need to be rewritten.

Note: The upgrade-insecure-requests directive is evaluated before block-all-mixed-content and if it is set, the latter is effectively a no-op. It is recommended to set either directive, but not both, unless you want to force HTTPS on older browsers that do not force it after a redirect to HTTP.

The upgrade-insecure-requests directive will not ensure that users visiting your site via links on third-party sites will be upgraded to HTTPS for the top-level navigation and thus does not replace the Strict-Transport-Security (HSTS) header, which should still be set with an appropriate max-age to ensure that users are not subject to SSL stripping attacks.

Syntax

Examples

Using the HTTP header

Using the HTML meta element

With the above header set on a domain example.com that wants to migrate from HTTP to HTTPS, non-navigational insecure resource requests are automatically upgraded (first-party as well as third-party requests).

These URLs will be rewritten before the request is made, meaning that no insecure requests will hit the network. Note that, if the requested resource is not actually available via HTTPS, the request will fail without any fallback to HTTP.

Navigational upgrades to third-party resources brings a significantly higher potential for breakage, these are not upgraded:

Finding insecure requests

With the help of the Content-Security-Policy-Report-Only header and the report-uri directive, you can set-up an enforced policy and a reported policy like this:

That way, you still upgrade insecure requests on your secure site, but the only monitoring policy is violated and reports insecure resources to your endpoint.

Источник

WordPress. Заголовки безопасности (security headers)

Заголовки безопасности WordPress

HTTP Strict Transport Security (HSTS)

Заголовок безопасности HSTS сообщает браузеру, что все запросы к сайту WordPress должны выполняться через HTTPS.

Строка заголовка HTTP Strict Transport Security:

Upgrade-Insecure-Requests

Заголовок безопасности Upgrade-Insecure-Requests является дополнительным методом принудительного выполнения запросов к сайту WordPress через HTTPS при обновлении.

Строка заголовка Upgrade-Insecure-Requests:

X-XSS-Protection

Заголовок безопасности X-XSS-Protection останавливает загрузку страниц при обнаружении вредоносного кода межсайтового скриптинга (XSS).

Строка заголовка X-XSS-Protection:

X-Content-Type-Options

Заголовок безопасности X-Content-Type-Options позволяет защитить сайт от атак с подменой типов MIME. Он указывает браузеру фильтровать передаваемые данные и передавать только те, которые по содержанию соответствуют расширению. Например, если расширение файла «.docx», браузер должен получить файл Word, а не какой-нибудь исполняемый файл, у которого расширение «.exe», «.bat» заменено на «.docx».

Строка заголовка X-Content-Type-Options:

Expect-CT (Certificate Transparency)

Заголовок безопасности Expect-CT (Certificate Transparency) сообщает браузеру, что он должен выполнить дополнительные проверки сертификата на подлинность по открытым журналам прозрачности сертификатов.

Строка заголовка Expect-CT (Certificate Transparency):

No Referrer When Downgrade

Заголовок безопасности No Referrer When Downgrade запрещает браузеру добавлять реферер при переходе на сайт с более низкой версией протокола (с HTTPS-сайта на HTTP-сайт).

Строка заголовка No Referrer When Downgrade:

X-Frame-Options

Заголовок безопасности X-Frame-Options предотвращает загрузку сайта в iframe. Использование этого заголовка заблокирует отображение вашего сайта WordPress в iframe на других сайтах.

Строка заголовка X-Frame-Options:

Если вы хотите, чтобы ваш сайт отображался в iframe на других сайтах, удалите эту строку из списка заголовков безопасности.

А если на вашем хостинге установлен X-Frame-Options по умолчанию, но вы хотите чтобы ваш сайт отображался в iframe на других сайтах, добавьте в список заголовков безопасности следующую строку:

Источник

Что такое HTTP-заголовок «Upgrade-Insecure-Requests»?

Я сделал запрос POST на сайт HTTP (не HTTPS), проверил запрос в инструментах разработчика Chrome и обнаружил, что он добавил свой собственный заголовок перед отправкой его на сервер:

это кажется связанным, но все же очень отличается, так как в моем случае клиент отправляет заголовок в запрос, тогда как вся информация, которую я нашел, касается сервера, отправляющего связанный заголовок в ответ.

Итак, почему Chrome (44.0.2403.130 m) добавляет Upgrade-Insecure-Requests на мой запрос и что он делает?

обновление 2016-08-24:

этот заголовок с тех пор был добавлен как рекомендация кандидата W3C и теперь официально признаны.

для тех, кто только что наткнулся этот вопрос и смущает, то отличный ответ!—10—> Саймон Ист хорошо объясняет это.

на Upgrade-Insecure-Requests: 1 заголовок, используемый, чтобы быть HTTPS: 1 в предыдущем рабочем проекте W3C и был переименован в спокойно Chrome до того, как изменение стало официально принято.

(этот вопрос был задан во время этого перехода, когда не было официальной документации по этому заголовку, и Chrome был единственным браузером, который отправил это заголовок.)

2 ответов

короткий ответ: это тесно связано с Content-Security-Policy: upgrade-insecure-requests заголовок ответа, указывающий, что браузер поддерживает его (и фактически предпочитает его).

мне потребовалось 30 минут гуглить, но я, наконец, нашел его похороненным в спецификации W3.

«Я прошу прощения за поломку; я, по-видимому, недооценил влияние, основанное на обратной связи во время dev и beta.»
— Майк Уэст, в Выпуск Chrome 501842

на HTTPS поле заголовка HTTP-запроса отправляет сигнал на сервер выражение предпочтений клиента для зашифрованного и аутентифицированного ответа, и это он может успешно обрабатывать директиву upgrade-insecure-requests для того, чтобы сделать это предпочтение как можно более простым, чтобы обеспечить.

когда сервер обнаруживает это предпочтение в заголовках HTTP-запроса, он должен перенаправьте пользователя на потенциально безопасное представление запрашиваемого ресурса.

когда сервер обнаруживает это предпочтение в заголовках HTTPS-запроса, он должен включать Strict-Transport-Security заголовок в ответе, если хост запроса является HSTS-безопасным или условно HSTS-безопасным [RFC6797].

директива upgrade-insecure-requests является оцененный ранее block-all-mixed-content, и если он установлен, последний фактически является нет-ОП. Рекомендуется установить ту или иную директиву, но не оба.

директива upgrade-insecure-requests не гарантирует, что пользователи посещение вашего сайта по ссылкам на сторонних сайтах будет обновлено до HTTPS для навигации верхнего уровня и таким образом не заменить Заголовок Strict-Transport-Security (HSTS), который все равно должен быть установлен с соответствующим максимального возраста убедитесь, что пользователи не Зачистки атак на SSL.

Источник

Upgrade Insecure Requests

W3C Candidate Recommendation, 8 October 2015

Abstract

This document defines a mechanism which allows authors to instruct a user agent to upgrade a priori insecure resource requests to secure transport before fetching them.

Status of this document

This section describes the status of this document at the time of its publication. Other documents may supersede this document. A list of current W3C publications and the latest revision of this technical report can be found in the W3C technical reports index at http://www.w3.org/TR/.

This document was published by the Web Application Security Working Group as a Candidate Recommendation. This document is intended to become a W3C Recommendation. This document will remain a Candidate Recommendation at least until 8 November 2015 in order to ensure the opportunity for wide review.

The (archived) public mailing list public-webappsec@w3.org (see instructions) is preferred for discussion of this specification. When sending e-mail, please put the text “upgrade-insecure-requests” in the subject, preferably like this: “[upgrade-insecure-requests] …summary of comment…

Publication as a Candidate Recommendation does not imply endorsement by the W3C Membership. This is a draft document and may be updated, replaced or obsoleted by other documents at any time. It is inappropriate to cite this document as other than work in progress.

The entrance criteria for this document to enter the Proposed Recommendation stage is to have a minimum of two independent and interoperable user agents that implementation all the features of this specification, which will be determined by passing the user agent tests defined in the test suite developed by the Working Group. The Working Group will prepare an implementation report to track progress.

This document was produced by a group operating under the 5 February 2004 W3C Patent Policy. W3C maintains a public list of any patent disclosures made in connection with the deliverables of the group; that page also includes instructions for disclosing a patent. An individual who has actual knowledge of a patent which the individual believes contains Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy.

Table of Contents

1. Introduction

This section is not normative.

Increasingly, we encourage authors to transition their sites and applications away from insecure transport, and onto encrypted and authenticated connections [WEB-HTTPS]. While this migration has significant advantages for both authors and users, it isn’t without negative side-effects.

Most notably, mixed content checking [MIX] has the potential to cause real headache for administrators tasked with moving substantial amounts of legacy content onto HTTPS. In particular, going through old content and rewriting resource URLs manually is a huge undertaking. Moreover, it’s often the case that truly legacy content is difficult or impossible to update. Consider the BBC’s archived websites [BBC-ARCHIVE], or the New York Times’ hard-coded URLs [NYT-HTTPS].

We should remove this burden from site authors by allowing them to assert to a user agent that they intend a site to load only secure resources, and that insecure URLs ought to be treated as though they had been replaced with equivalent secure URLs.

1.1. Goals

The overarching goal is to reduce the burden of migrating websites from a priori insecure origins by reducing the negative side effects of mixed content blocking [MIX].

Note: This requirement is not met by Mixed Content’s strict mode, which makes something like the opposite assertion.

Note: The mechanism defined here does not intend to supplant Strict Transport Security [RFC6797]. See §8.2 Relation to HSTS for details.

1.2. Examples

1.2.1. Non-navigational Upgrades

They quickly realize, however, that the majority of their content is locked up in a database tied to an old content management system, and it contains hardcoded links to insecure resources (e.g., http:// URLs to images and other content). Unfortunately, it’s a substantial amount of work to update it.

As a stopgap measure, Megacorp injects the following header field into every HTML response that goes out from their servers:

This automatically upgrades all insecure resource requests from their pages to secure variants, allowing a user agent to treat the following HTML code:

as though it had been delivered as:

The URL will be rewritten before the request is made, meaning that no insecure requests will hit the network. Users will be safer, and Megacorp’s administrators will be happier, as all resource requests will be transparently upgraded with no effort on their part.

1.2.2. Navigational Upgrades

This allows user agents to treat the following HTML code:

as though it had been delivered as:

Links to third-party sites will not be upgraded. That is, the following HTML code:

1.2.3. Failed Upgrade

There is no fallback in this scenario: the user agent acts just as though the request had been intentionally made, and the request fails.

1.3. Recommendations

We recommend that authors who wish to ensure that user agents which support upgrade-insecure-requests are as secure as possible do the following:

This is, of course, greatly simplified; your configuration will likely be significantly more complex.

This is, of course, greatly simplified; your configuration will likely be significantly more complex.

This is, of course, greatly simplified; your configuration will likely be significantly more complex.

Additionally, work with user agent vendors to add the origin to HSTS Preload Lists (for example, by submitting the origin to hstspreload.appspot.com).

This is, of course, greatly simplified; your configuration will likely be significantly more complex.

2. Key Concepts and Terminology

An origin is said to be HSTS-safe if no resource representations it returns requires the the upgrade-insecure-requests mechanism described in this document to avoid breakage, and if all resource representations it returns can be served over HTTPS.

An origin is said to be conditionally HSTS-safe if one or more resource representations it returns requires the upgrade-insecure-requests mechanism described in this document to avoid breakage, and if all resource representations it returns can be served over HTTPS.

A host host is a preloadable HSTS host if, when performing Known HSTS Host Domain Name Matching, host is a superdomain match for a Known HSTS Host which asserts both the includeSubDomains directive and the preload directive, or host is a congruent matchfor a Known HSTS Host which asserts the preload directive.

Note: This is a long way of saying «any host the user agent has pinned with a Strict-Transport-Security header that contained a preload directive».

The Augmented Backus-Naur Form (ABNF) notation used in §3.1 The upgrade-insecure-requests Content Security Policy directive is specified in RFC5234. [ABNF]

3. Upgrading Insecure Resource Requests

In order to allow authors to mitigate the negative side-effects of migration away from a priori insecure origins, authors may instruct the user agent to transparently upgrade resource requests to potentially secure variants of the original request’s URL.

To support this instruction:

3.1. The upgrade-insecure-requests Content Security Policy directive

A server MAY instruct a user agent to upgrade insecure requests for a particular protected resource by sending a Content-Security-Policy header [CSP] that contains a directive, defined via the following ABNF grammar:

When enforcing the upgrade-insecure-requests directive:

3.1.1. Relation to «Mixed Content»

The upgrade-insecure-requests directive results in requests being rewritten at the top of the Fetching algorithm [FETCH], as specified in §4.1 Upgrade request to a potentially secure URL, if appropriate. It’s important to note that the rewrite happens before either Mixed Content [MIX] or Content Security Policy checks take effect [CSP].

This ordering means that upgraded requests will not be flagged as mixed content. Moreover, it means that upgrade-insecure-requests ’s effect takes place before the block-all-mixed-content directive would have a chance to block the request. If the former is set, the latter is effectively a no-op.

We recommend that authors set one directive or the other, as outlined in §1.3 Recommendations.

3.2. Feature Detecting Clients Capable of Upgrading

Sites which require the upgrade mechanism laid out in this document in order to provide users with a reasonable experience over secure transit need some way to determine whether or not a particular request can safely be redirected from HTTP to HTTPS (and vice-versa). Moreover, conditionally HSTS-safe origins can only opt-into Strict-Transport-Security for supported user agents, and doing otherwise could have negative consequences for the site’s users.

Rather than relying on user-agent sniffing to make this decision, user agents can advertise their upgrade capability when making navigation requests by including an Upgrade-Insecure-Requests header field as described in §3.2.1 The Upgrade-Insecure-Requests HTTP Request Header Field.

3.2.1. The Upgrade-Insecure-Requests HTTP Request Header Field

The sends a signal to the server expressing the client’s preference for an encrypted and authenticated response, and that it can successfully handle the upgrade-insecure-requests directive in order to make that preference as seamless as possible to provide.

This preference is represented by the following ANBF:

Note: Though the Upgrade-Insecure-Requests header expresses a preference, sending it via the existing Prefer header is problematic, as we expect the response from the server to use it as part of the cache key. Vary: Prefer is too broad, as discussed in w3/webappsec#216.

User agent conformance details are described in step #1 of the the §4.1 Upgrade request to a potentially secure URL, if appropriate algorithm. That step represents the following requirements:

Note: Servers can use this signal to upgrade HTTP requests to HTTPS for pages that require upgrade-insecure-requests support.

Note: Servers can use the absence of this signal to downgrade HTTPS requests to HTTP for pages that require upgrade-insecure-requests support.

Note: preloadable HSTS hosts have asserted that they are HSTS-safe, and therefore don’t need a downgrade signal. They will need to refresh HSTS status before the asserted max-age expires, and the Upgrade-Insecure-Requests header field serves as a fine signal that HSTS could be refreshed.

When a server encounters this preference in an HTTP request’s headers, it SHOULD redirect the user to a potentially secure representation of the resource being requested.

When a server encounters this preference in an HTTPS request’s headers, it SHOULD include a Strict-Transport-Security header in the response if the request’s host is HSTS-safe or conditionally HSTS-safe [RFC6797].

The server parses the preference, notices that the user’s client can deal well with upgrade requests, and therefore responds to the request by redirecting the user to a secure version of the resource she’s requesting:

The Upgrade-Insecure-Requests header field is listed in the Vary header, as the redirect response might otherwise be served by caches to clients that don’t support the upgrade mechanism defined here. A similar effect could be achieved by making this redirect response uncachable via the Cache-Control header:

3.3. Policy Inheritance

If a Document ‘s incumbent settings object’s insecure requests policy is set to Upgrade, the user agent MUST ensure that all nested browsing contexts inherit the setting in the following ways:

Likewise, when spinning up a worker, the user agent MUST ensure that it inherits the setting from the context that created it in the following ways:

3.4. Reporting Upgrades

Upgrading insecure requests MUST not interfere with an authors’ ability to track down requests that would be insecure in a user agent that does not support upgrades. To that end, upgrades MUST be performed after evaluating request against all monitored security policies, but before evaluating request against all enforced policies.

The user agent will fire off a request request that:

Note: This will be significantly clarified once [CSP] is rewritten in terms of [FETCH].

4. Processing Algorithms

4.1. Upgrade request to a potentially secure URL, if appropriate

We will not upgrade cross-origin navigation requests, with the exception of form submissions. Form submissions will be upgraded to mitigate the risk of data leakage via plaintext submissions.

Note: This algorithm is called as step #3 of the Main Fetch algorithm.

Note: We only upgrade top-level navigation requests for hosts that have explicitly opted-into the behavior for a particular protected resource, as described in §1.2 Examples. Performing upgrades for navigations to third-party resources brings a significantly higher potential for breakage, so we’re avoiding it for the moment.

Note: Due to [FETCH]’s recursive nature, this algorithm will upgrade insecurely-redirected requests as well as insecure initial requests.

Given an request’s client client (an environment settings object), this algorithm returns Enforced Upgrade if a priori insecure requests associated with that client should be upgraded, or Do Not Upgrade otherwise. In short, this will check the client and return the appropriate insecure requests policy set on it or its browsing context.

Note: This catches Document s or Worker s whose policy is set directly by the upgrade-insecure-requests directive, or which have inherited the policy from an embedding document.

Note: This catches requests triggered from detached clients. Not sure this is necessary, really, given the inheritance structure defined in §3.3 Policy Inheritance.

5. Modifications to WebSockets

WebSockets do not use the fetching algorithm, so we need to handle those requests separately.

6. Security Considerations

6.1. Interaction with HSTS

The upgrade-insecure-requests directive does not replace the Strict-Transport-Security HTTP response header [RFC6797]. Authors who serve their site over secure transport SHOULD send that header with an appropriate max-age in order to ensure that users are not subject to SSL stripping attacks by maliciously active network attackers, or monitoring by maliciously passive network attackers.

6.2. CSP Violation Reports

When sending a violation report for an upgraded resource, user agents MUST target the Document or Worker that triggered the request, rather than the Document or Worker on which the upgrade-insecure-requests directive was set. Due to §3.3 Policy Inheritance, the latter might be a cross-origin ancestor of the former, and sending violation reports to that set of reporting endpoints could leak data in unexpected ways.

Likewise, the SecurityPolicyViolationEvent MUST NOT target any Document other than the one which triggered the request, for the same reasons.

7. Performance Considerations

The upgrade mechanism specified here adds Upgrade-Insecure-Requests: 1\r\n to every outgoing navigation request to non-preloadable HSTS hosts (as discussed at length on public-webappsec@, and w3c/webappsec#216). The advantages and intent of the header are laid out in §3.2.1 The Upgrade-Insecure-Requests HTTP Request Header Field, and though we’ve taken some steps to ensure that it won’t be a permanent fixture of the platform (by carving out preloadable HSTS hosts), it’s going to be a long, long time before the header vanishes.

User agents are encouraged to find additional carveouts, and implement them.

8. Authoring Considerations

8.1. Legacy Clients

Legacy clients which do support mixed content blocking [MIX], but do not support the upgrade-insecure-requests directive will continue to have a suboptimal experience on pages containing a priori insecure URLs. Authors SHOULD ensure that they collect violation reports in order to determine which resources are most problematic for their users, and SHOULD use that information to prioritize fixes for URLs in legacy content that users will most likely request.

8.2. Relation to HSTS

The mechanism specified here deals only with the security policy for a specific protected resource. It does not deprecate, replace, or in any way reduce the value of the Strict-Transport-Security HTTP response header [RFC6797]. Authors can and should continue to use that header to ensure that their users are not subject to SSL stripping downgrade attacks, as the upgrade-insecure-requests directive will not ensure that users visiting your site via links on third-party sites will be upgraded to HTTPS for the top-level navigation.

Likewise, the Strict-Transport-Security header does not imply the behavior that upgrade-insecure-requests activates. It only ensures that resources requested from an origin will never hit the network insecurely.

We are intentionally keeping these concepts distinct, as authors may choose to activate one or the other behavior, but ought not be forced to bind them together.

9. IANA Considerations

The permanent message header field registry should be updated with the following registration: [RFC3864]

9.1. Upgrade-Insecure-Requests

10. Acknowledgements

Anne van Kesteren helped ensure that the initial draft of this document was sane. Peter Eckersley and Daniel Kahn Gillmor clarified the problem space, and helped point out the impact.

Conformance

Document conventions

Conformance requirements are expressed with a combination of descriptive assertions and RFC 2119 terminology. The key words «MUST», «MUST NOT», «REQUIRED», «SHALL», «SHALL NOT», «SHOULD», «SHOULD NOT», «RECOMMENDED», «MAY», and «OPTIONAL» in the normative parts of this document are to be interpreted as described in RFC 2119. However, for readability, these words do not appear in all uppercase letters in this specification.

All of the text of this specification is normative except sections explicitly marked as non-normative, examples, and notes. [RFC2119]

This is an example of an informative example.

Note, this is an informative note.

Conformant Algorithms

Requirements phrased in the imperative as part of algorithms (such as «strip any leading space characters» or «return false and abort these steps») are to be interpreted with the meaning of the key word («must», «should», «may», etc) used in introducing the algorithm.

Conformance requirements phrased as algorithms or specific steps can be implemented in any manner, so long as the end result is equivalent. In particular, the algorithms defined in this specification are intended to be easy to understand and are not intended to be performant. Implementers are encouraged to optimize.

Источник

Добавить комментарий

Ваш адрес email не будет опубликован. Обязательные поля помечены *