
Am I the only person who thinks that relying on client behaviour for "security" is, well, a bit naive?



It's part of "defense in depth." Mess up one input validation? No problem, your CSP prevents client-side execution of injected scripts for most users.

Returning user, temporarily on an untrustworthy network? No problem, your HSTS header ensures they only attempt to talk to you over SSL.

It's the same reason you should set cookies to `secure; HttpOnly` -- you don't expect untrustworthy scripts to run on your page, but if they somehow do, you've got a second line of defense.


For X-Frame-Options there is no alternate way to protect yourself server side. This one really has no other option; you could hack something with checks on window.top in JavaScript, but then you are still relying on client-side behaviour.

For the others you shouldn't rely on them, just use them as a backup.

And to be nitpicky, you are always relying on client-side behaviour. What if one day Firefox suddenly allows cross-site requests in JavaScript, or starts making random requests to other sites containing all your cookies, or allows executing JavaScript in embedded iframes?


It is not about securing your server. It's about securing the user who connects to your server.


Client security is about enabling your clients to be secure. Securing yourself from your clients is a totally different topic. If a client goes out of their way to break client security, the only risk is to themselves.

Headers like these are somewhat analogous to reminding people to lock their doors at night. Not everybody is going to listen to you, but you might help those who do.


Well, it makes perfect sense. You are protecting the client itself, by dictating which sources can be used for fetching information and code. XSS is about malicious code injected on your site, in their browser; it's not the client who's misbehaving.


No one said you should rely on only these techniques. These should form part of your security approach. Yes, use HSTS, but also set your web server to always redirect HTTP to HTTPS, etc.

Remember, an attacker only has to find one way in, but you need to defend against everything. You should make it as hard as possible for an attacker. Every brick in the wall helps.
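The comment above pairs the server-side control (redirect every plaintext request) with the client-side backup (HSTS). This added example, which is not code from the thread, puts the two side by side and simulates a browser that remembers the policy, showing why the redirect is the part you can enforce and why HSTS only helps from the second visit on. The request object `{ proto, host, path }` and the hostnames are constructed stand-ins for a real framework's request and a real site.

```javascript
// Added example: HTTP -> HTTPS redirect as the enforced rule, HSTS as the
// client-side backup. Request/response shapes are constructed for this file.
const HSTS = 'max-age=31536000; includeSubDomains';

function handle(req) {
  if (req.proto !== 'https') {
    // Server-side rule: never serve content over plaintext, redirect instead.
    // No HSTS here on purpose: browsers ignore the header on non-TLS
    // responses, and an attacker on the path could strip it anyway.
    return {
      status: 301,
      headers: { Location: `https://${req.host}${req.path}` },
      body: '',
    };
  }
  // Client-side backup: after this response the browser rewrites future
  // http:// URLs for this host to https:// itself, before any request leaves.
  return {
    status: 200,
    headers: { 'Strict-Transport-Security': HSTS, 'Content-Type': 'text/html' },
    body: '<!doctype html><p>hello</p>',
  };
}

// Simulate a browser navigation. hstsHosts is the browser's remembered
// HSTS list (a Set of hostnames) and is updated from the response.
function browserNavigate(url, hstsHosts) {
  const u = new URL(url);
  if (u.protocol === 'http:' && hstsHosts.has(u.hostname)) {
    u.protocol = 'https:'; // upgraded locally: no plaintext request is ever made
  }
  const res = handle({
    proto: u.protocol.replace(':', ''),
    host: u.host,
    path: u.pathname + u.search,
  });
  if (res.headers['Strict-Transport-Security']) hstsHosts.add(u.hostname);
  return { url: u.toString(), status: res.status };
}
```

The first plaintext visit still reaches the network (that is the window a hostile network can use, and the reason preloading exists); only after one successful HTTPS response does the browser start upgrading on its own.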


In this case you are protecting the client from other connections it is making at the same time, such as when they have multiple tabs open.



