Assessing HTTP Security Header implementations: A study of Swedish government agencies’ first line of defense against XSS and client-side supply chain attacks. Johnson, Ludwig; Mårtensson, Lukas. January 2021.
Background. Security on the web is a fundamental requirement as the web becomes a bigger part of society and more information than ever is shared over it. However, as recent incidents have shown, even Swedish government agencies have had issues with their website security. One such example is when a client-side supply chain serving several governmental websites was compromised and malicious JavaScript was subsequently found on those websites. Hence this study is aimed at assessing the security of Swedish government agencies’ first line of defense against attacks like XSS and client-side supply chain attacks. Objectives. The main objective of the thesis is to assess the first line of defense, namely HTTP security headers, of Swedish government agency websites. In addition, statistics on which HTTP security headers Swedish government agencies actually use today were gathered for comparison with similar studies. Methods. To fulfill the objectives of the thesis, a scan of all Swedish government agency websites listed in Myndighetsregistret was completed, and an algorithm was developed to assess the implementation of the security features. In order to facilitate tunable assessments for different types of websites, the algorithm has granular weights that can be assigned to each test, making the algorithm more generalized. Results. The results show a low overall implementation rate of the various HTTP security headers among the Swedish government agency websites. However, when compared to similar studies, the adoption of all security features is higher among the Swedish government agency websites tested in this thesis. Conclusions. Previous tools and studies mostly checked whether a header was implemented or not. With our algorithm, the strength of the security header implementation is also assessed.
According to our results, there is a significant difference between whether a security header has been implemented and whether it has been implemented well and provides adequate security. Therefore, traditional tools for testing HTTP security headers may be inefficient and misleading.
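The abstract's core argument is that presence and strength of a security header are different measurements. The following added example (not the thesis's own tool) illustrates that distinction with a small weighted scorer: each check returns a strength in [0, 1] rather than a yes/no, and per-test weights are tunable as the abstract describes. The sample headers, the strength thresholds and the weights are constructed assumptions for illustration.

```python
import re

# Constructed sample response headers: every header is present, but several are weak.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "ALLOWALL",
}

# Each check maps a header value (or None if absent) to a strength in [0, 1].
def check_hsts(value):
    if value is None:
        return 0.0
    m = re.search(r"max-age=(\d+)", value, re.I)
    if not m:
        return 0.0
    # One year is used as the "strong" bar here (assumption for this example).
    score = 0.5 if int(m.group(1)) >= 31536000 else 0.25
    score += 0.25 if "includesubdomains" in value.lower() else 0.0
    score += 0.25 if "preload" in value.lower() else 0.0
    return score

def check_csp(value):
    if value is None:
        return 0.0
    parts = [d.strip().split() for d in value.split(";") if d.strip()]
    directives = {p[0].lower(): p[1:] for p in parts}
    # script-src falls back to default-src per CSP semantics.
    script = directives.get("script-src", directives.get("default-src", []))
    if not script:
        return 0.25  # header present but does not govern script execution
    weak = any(s in ("'unsafe-inline'", "'unsafe-eval'", "*") for s in script)
    return 0.5 if weak else 1.0

def check_xcto(value):
    return 1.0 if value and value.strip().lower() == "nosniff" else 0.0

def check_xfo(value):
    return 1.0 if value and value.strip().upper() in ("DENY", "SAMEORIGIN") else 0.0

# (header name, check function, weight); weights are tunable per site class (assumed values).
CHECKS = [("Strict-Transport-Security", check_hsts, 3), ("Content-Security-Policy", check_csp, 4),
          ("X-Content-Type-Options", check_xcto, 1), ("X-Frame-Options", check_xfo, 2)]

def assess(headers, checks=CHECKS):
    """Return presence rate (what older tools report) next to the weighted strength score."""
    lowered = {k.lower(): v for k, v in headers.items()}
    strengths = {name: fn(lowered.get(name.lower())) for name, fn, _ in checks}
    present = sum(1 for name, _, _ in checks if name.lower() in lowered)
    weighted = sum(strengths[name] * w for name, _, w in checks) / sum(w for _, _, w in checks)
    return {"per_header": strengths, "presence_rate": present / len(checks), "weighted_score": weighted}
```

For the sample above, every header is present (presence rate 1.0) yet the weighted strength is only 0.375, which is the gap the abstract points at.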
An automated tool for website security assessment: Demonstration on Swedish authorities’ websites. Valdaserides Olofsson, Max; Stengård, Malte. January 2024.
The evolution of the internet has affected society in many ways. Organizations and authorities offer their services on their many corresponding websites. Consequently, secure connections to these websites are a necessity, as is continuously evaluating their security. Many studies exist on website security analysis of some set of websites, and researchers often develop and use several tools and scripts for their studies: one for collecting data, one for parsing the output, and one for visualizing the data. Undoubtedly, this whole process is labor intensive, and for this reason we propose in this thesis a tool that automates the whole process. Moreover, the Swedish authorities and their corresponding websites provide information and services regarding their specific areas of expertise that are essential for the functioning of Swedish society. As such, there is a high expectation that these websites use state-of-the-art security technology and best-practice implementations in order to keep Swedish society functioning and keep the websites’ visitors safe. For this reason, this thesis focuses on two things: 1. Design and develop an easy-to-use tool that collects a set of websites’ security parameter implementations and best practices, and thereafter automatically and adequately visualizes this data to assess the websites’ security readiness; and 2. Demonstrate the developed tool on the Swedish authorities’ websites to assess their website security readiness. The result shows good overall security on the Swedish authorities’ websites, though there is room for improvement.