Is it necessary to set secure header for JavaScript file?

[owem777]

Hi Leaders,

As we know secure headers that can improve web application security to protect against malicious JavaScript, cross-site scripting, and other common attacks. We have already set secure headers for HTML page, but there are some exceptions such as JavaScript file (ex: xxx.yyy.com/plugin/jquery.js)

Is it necessary to set secure header for JavaScript file?

Would you please provide the some suggestion for me?
Thank you very much^^

[righettod]

Hi,

Thank you very much for your very interesting question 😃

For your context (self hosted static JS script), I propose to set the following HTTP response header:

• Strict-Transport-Security: To ensure that the script is delivered using a secure channel (HTTPS).
• X-Content-Type-Options: To prevent MIME type abuse for IE/Chrome context.
• Cross-Origin-Embedder-Policy + Cross-Origin-Opener-Policy + Cross-Origin-Resource-Policy: To prevent a remote site to load your script and also isolate the browsing context at browser level.

@riramar What do you think about my proposal?

@owem777 I hope this can help you, feel free to indicate to us if it is not the case and then we will deep dive into your context 😃

[pfreitag]

The answer also depends on if the content-type HTTP response header is properly set to something like application/javascript or not.

[righettod]

Indeed, thank you very much @pfreitag for this clarification, it is important to ensure that the content-type is correctly specified 👍

More information about:

• content-type.
• content-type for JavaScript.

Note that Mozilla seems recommending using text/javascript as content-type value for JS scripts:

However, CDN like one for JQuery use value application/javascript:

Same thing regarding Cloudflare JS CDN:

[owem777]

Hi @righettod and @pfreitag,

Your suggestion has been received. Thank you very much.

[riramar]

That's an interesting question and I think you @righettod are right.
I see if I can research more about it and post here if I find something that make sense.

[mozfreddyb]

There have been numerous attacks that relied on abusing non-HTML resources as HTML.

1. Protecting Browsers from Cross-Origin CSS Attacks from 2010
2. Abusing JSONP with Rosetta Flash

It's strongly recommended to set headers like X-Content-Type-Options and Content-Type on those resources. Essentially, the requests to all same-origin/same-site resources are cookied and authenticated. Best to set all headers.

[righettod]

Thank you very much for this additional very useful answer 👍

[owem777]

Hi Leaders,

I have another issue about setting secure header for RESTful APIs and need your suggestion, thanks.
I set six secure headers for HTML page (web-based) as below:
No1. Content-Security-Policy
No2. X-Frame-Options
No3. X-XSS-Protection
No4. X-Content-Type-Options
No5. Referrer-Policy
No6. HTTP Strict-Transport-Security

Are they useful for RESTful APIs?
My understanding: No1~No3 are not necessary due to RESTful APIs can't execute script and frame.
Please correct me if my understanding is not correct.

Thank you very much!

[righettod]

Hi @owem777

Assuming your API only return JSON content type (and without any CORS headers), I will say like you but adding Content-Security-Policy to harden the usage context of the response of the API.

@riramar What do you think about it?

[riramar]

Without a context it's difficult to determine which headers and values.
Keep in mind all these headers are designed to be consumed by a browser. So if your client it's not a browser there'll be no effect on them.
If there is a malicious scenario where an attack can use an API response to take some advantage those headers can help you to mitigate this scenario.

[owem777]

Hi @riramar

Thank you for suggestion.

[righettod]

@riramar Can you remove the ✔ emoji in the title?

[riramar]

Done.