More than 35 years after the first website went online, the web has evolved from static pages to complex interactive systems, often with security added as an afterthought. To mitigate risks, developers use security headers that instruct browsers how to handle content securely. Early on, browser support was inconsistent. A systematic study by CISPA researcher Jannis Rautenstrauch and colleagues shows that browsers now behave far more consistently. To identify remaining deviations, the team developed an open-source testing tool.
Web security is not a fixed state but, in many respects, a negotiation process between server and browser. Browsers retrieve a website from one or multiple servers and assemble its various components—such as images, fonts, or JavaScript files—into the familiar web view we see. “In this process, they constantly make security decisions,” explains Rautenstrauch.
What Do Security Headers Specify?
Website operators can use security headers to send specific security instructions to the browser. For example, a website can tell the browser: “Only execute code that originates from me,” “Do not allow my page to be embedded in other pages,” or “Only load images from these sources…” This can prevent or hinder widespread web attacks such as clickjacking and cross-site scripting. “Over the years, more and more security headers have been added, each with its own syntax and specific rules. As a result, their correct implementation remains a complex task for both browser and website developers,” says Rautenstrauch. In practice, small typos, extra whitespace, or other deviations in the instructions occur repeatedly—issues that browsers somehow have to deal with.
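The instructions quoted above correspond to Content-Security-Policy directives, and the parsing rules for that header show why a typo or stray whitespace matters. The following is an added example and not code from the paper or from the researchers' testing tool: a parser that follows the W3C CSP Level 3 "parse a serialized CSP" steps (split on ";", strip ASCII whitespace, lowercase the directive name, keep only the first occurrence of each name), combined with a reduced source-list check. The directive list, fallback chain and source matching are deliberately a subset of the real rules (no wildcards, scheme-only sources, paths or nonces), and the sample header is constructed for the example.

```javascript
// Added example, not code from the paper or its testing tool.
// Directive names and fallback chain are a subset of CSP Level 3.
const KNOWN_DIRECTIVES = new Set([
  "default-src", "script-src", "img-src", "style-src", "frame-ancestors",
]);

// CSP3 fallback: an absent fetch directive is governed by default-src.
const FALLBACK = {
  "script-src": ["script-src", "default-src"],
  "img-src": ["img-src", "default-src"],
};

const ASCII_WS = /[\t\n\f\r ]+/;

function parseCsp(serialized) {
  const directives = new Map();
  const unknown = [];
  for (const rawToken of serialized.split(";")) {
    // strip leading/trailing ASCII whitespace; an empty token is skipped
    const token = rawToken.replace(/^[\t\n\f\r ]+|[\t\n\f\r ]+$/g, "");
    if (token === "") continue;
    const parts = token.split(ASCII_WS);
    const name = parts[0].toLowerCase();   // names are ASCII case-insensitive
    if (directives.has(name)) continue;    // later duplicates are ignored
    directives.set(name, parts.slice(1));
    // the parser keeps unknown names; a browser only logs a warning for them
    // and never enforces them, so a misspelled directive silently does nothing
    if (!KNOWN_DIRECTIVES.has(name)) unknown.push(name);
  }
  return { directives, unknown };
}

// Reduced source matching: a lone 'none', 'self', or an exact origin string.
function sourceListAllows(sourceList, requestOrigin, pageOrigin) {
  if (sourceList.length === 0) return false;   // empty source list blocks everything
  if (sourceList.length === 1 && sourceList[0].toLowerCase() === "'none'") return false;
  return sourceList.some((src) => {
    const s = src.toLowerCase();
    if (s === "'self'") return requestOrigin === pageOrigin;
    return s === requestOrigin.toLowerCase();
  });
}

// Does the policy allow a load governed by directiveName from requestOrigin?
function policyAllows(policy, directiveName, requestOrigin, pageOrigin) {
  for (const candidate of FALLBACK[directiveName]) {
    if (policy.directives.has(candidate)) {
      return sourceListAllows(policy.directives.get(candidate), requestOrigin, pageOrigin);
    }
  }
  return true;   // no governing directive: CSP imposes no restriction
}

// Constructed sample header: odd whitespace, mixed case, an empty directive,
// a misspelled "scrpt-src" and a duplicated img-src.
const SAMPLE_CSP =
  "default-src 'self' ;\t Script-Src https://cdn.example.net;; " +
  "scrpt-src 'none'; img-src 'self'; img-src https://other.example";

function demoCsp() {
  const page = "https://example.com";
  const policy = parseCsp(SAMPLE_CSP);
  console.log("unknown directives:", policy.unknown);                   // ["scrpt-src"]
  console.log("script from CDN:",
    policyAllows(policy, "script-src", "https://cdn.example.net", page)); // true
  console.log("img from other.example:",
    policyAllows(policy, "img-src", "https://other.example", page));     // false, first img-src wins
}
demoCsp();
```

The instructive case is the misspelled `scrpt-src 'none'`: the parser accepts it without complaint, no enforcement ever consults it, and scripts are governed by `default-src 'self'` instead; a policy consisting only of the typo imposes no restriction at all.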
How Do Browsers Implement Security Instructions, and What Did the Researchers Test?
A central component of the browser is the parser. This is a program that converts security headers, HTML, CSS, or JavaScript code into a data structure the browser can understand. “Browsers may look different, but they often share the same technical core, which includes the parser. 97 percent of commonly used browsers are based on just three different engines: Blink, for example, in Chrome, Edge, and Opera, Gecko in Firefox and Tor, and WebKit in Safari,” says Rautenstrauch. The researchers therefore carried out 177,146 tests systematically across the most widely used browsers. “We tested the 16 most security-relevant headers across different browser configurations. In 5,606 tests—that is, 3.16 percent of cases—different browsers behaved inconsistently,” explains Rautenstrauch. “That’s not a disaster, but we discovered various causes, some of them previously unknown, and sent bug reports to browser manufacturers and the specification bodies for security headers. This has already led to fixes and thus improves security for website visitors.”
Regular Testing Leads to Better Results
The results also show that differences between browsers and browser versions within the same browser engine are rare, whereas deviations between the three main browser engines—Blink, Gecko, and WebKit—occur more frequently. “This means that security headers are not always parsed and enforced consistently yet, but they are increasingly so.” The researchers did, however, find frequent differences in browser behavior for one particular security header: HSTS, short for HTTP Strict Transport Security. “HSTS instructs browsers to load a website exclusively over a secure HTTPS connection and to block insecure HTTP connections. The reason for the large number of deviations is obvious: Unlike other headers, there are no systematic tests for this header across different browsers. That should change.”
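HSTS is the header where the study found the most deviations, and RFC 6797 is quite strict about what a browser must do with a malformed field. The following is an added example, not code from the paper or its tool: a parser that applies the RFC 6797 rules (max-age is required and must be digits, each directive may appear only once, unrecognised directives are ignored, a field that violates the syntax is ignored as a whole, only the first STS header of a response is processed, and the header is only honoured over TLS) together with a small in-memory host store. Quoted values are handled without escape processing, and rejecting a value on `includeSubDomains` is this parser's own choice; the sample headers are constructed.

```javascript
// Added example, not code from the paper or its testing tool.
const TCHAR = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;   // RFC 7230 token characters

// Returns { maxAge, includeSubDomains } or null when the field must be ignored.
function parseHsts(fieldValue) {
  const seen = new Set();
  let maxAge = null;
  let includeSubDomains = false;
  for (const raw of fieldValue.split(";")) {
    const directive = raw.trim();
    if (directive === "") continue;            // the grammar allows empty directives
    const eq = directive.indexOf("=");
    const name = (eq === -1 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    let value = eq === -1 ? null : directive.slice(eq + 1).trim();
    if (!TCHAR.test(name)) return null;        // directive-name must be a token
    if (seen.has(name)) return null;           // any duplicate invalidates the whole field
    seen.add(name);
    if (value !== null) {
      if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
        value = value.slice(1, -1);            // quoted-string (no escape handling here)
      } else if (!TCHAR.test(value)) {
        return null;                           // neither token nor quoted-string
      }
    }
    if (name === "max-age") {
      if (value === null || !/^[0-9]+$/.test(value)) return null;   // delta-seconds = 1*DIGIT
      maxAge = Number(value);
    } else if (name === "includesubdomains") {
      if (value !== null) return null;         // valueless directive; rejecting a value is our choice
      includeSubDomains = true;
    }
    // any other directive name (e.g. preload) is ignored
  }
  if (maxAge === null) return null;            // max-age is REQUIRED
  return { maxAge, includeSubDomains };
}

// Update an in-memory "known HSTS hosts" store from a response's STS header fields.
function applyHsts(store, host, stsHeaders, overTls, nowMs) {
  if (!overTls || stsHeaders.length === 0) return store;   // RFC 6797 §8.1: ignore over plain HTTP
  const parsed = parseHsts(stsHeaders[0]);                 // §8.1: only the first field counts
  if (parsed === null) return store;                       // malformed field: no change
  if (parsed.maxAge === 0) {
    store.delete(host);                                    // max-age=0 forgets the host
  } else {
    store.set(host, {
      expiresMs: nowMs + parsed.maxAge * 1000,
      includeSubDomains: parsed.includeSubDomains,
    });
  }
  return store;
}

function demoHsts() {
  // constructed header values
  const samples = [
    "max-age=31536000; includeSubDomains",
    ' MAX-AGE = "300" ; includeSubDomains ; preload ;',
    "max-age=300; max-age=600",      // duplicate: field ignored
    "includeSubDomains",             // no max-age: field ignored
    "max-age=300s",                  // not delta-seconds: field ignored
  ];
  for (const s of samples) console.log(JSON.stringify(s), "->", parseHsts(s));
}
demoHsts();
```

The second sample shows the tolerant side of the grammar (case-insensitive names, quoted values, whitespace, empty and unknown directives are all fine), while the last three show fields a conforming browser must drop entirely; an engine that instead salvages one of them would keep or fail to keep a host in its HSTS list differently from the others, which is exactly the kind of cross-engine deviation the study measures.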
Testing Tool Uncovers Edge Cases
Rautenstrauch and his research colleagues are making their testing tool available as open source so that browser vendors can use it. “Unfortunately, many browser vendors are reluctant to permanently integrate our testing tool into their development chain, because developers still have to manually check, in cases of inconsistent behavior, whether a bug needs to be fixed and how it arises. Yet, our work shows that regular testing is worthwhile.”
Jannis Rautenstrauch jannis.rautenstrauch@cispa.de
https://doi.org/10.60882/cispa.30251392
https://zenodo.org/records/17129544 Software for: Head(er)s Up! Detecting Security Header Inconsistencies in Browsers