Chrome – OTS parsing error: invalid version tag

2018-03-132018-03-13 Andy BurnsHTTPLeave a comment

I saw this weird warning in Chrome’s DevTools while looking at a site:

OTS parsing error: invalid version tag

Uh-huh. That’s a bit strange. Unable to download fonts? What caused that?

Well, I tried going to the font’s URL – and got the ‘Page Not Found’ page! Well, that’s annoying – but a 404 page is clearly not a font.

However, this site’s error pages return HTTP 200 – so Chrome expects a font…

Make sure your error pages return a correct HTTP status code. If you don’t, it can cause problems. Normally, I find that it’s false positives on automated penetration tests, but this is a new and exciting variation.

Secure your Sitecore Cookies

2016-10-212016-10-21 Andy BurnsASP.NET, cookies, HTTP, HTTPS, Security, SSL2 Comments

So a Sitecore site I’ve been working on recently underwent a penetration test, which turned up an interesting item. The ASP.NET_SessionId and SC_ANALYTICS_GLOBAL_COOKIE cookies aren’t set with the ‘Secure’ flag. Further, my own checking showed that the .ASPXAUTH token was also set without the ‘Secure’ flag.

As the entire site is only served over HTTPS, this seems to be a bit remiss.

Fortunately, there are a couple of easy fixes to this that can be set in the Web.config

Under <System.Web> and <httpCookies> set requireSSL:

<httpCookies requireSSL="true" />

And in <forms> set requireSSL too.

<forms name=".ASPXAUTH" cookieless="UseCookies" requireSSL="true" />

This latter one is needed for the .ASPXAUTH cookie, but that seems to do it.

Don’t forget to set the HTTPOnly flag as appropriate for your cookies too!

IIS Redirect HTTP to HTTPS

2016-04-06 Andy BurnsHTTP, IISLeave a comment

Just a quick note – if you want to use an IIS rule to redirect users from HTTP to HTTPS, the following rule seems to work pretty well. You’ll need the IIS URL Rewrite module installed.

<rule name="Redirect to HTTPS" stopProcessing="true"> <match url="(.*)" /> <conditions> <add input="{HTTPS}" pattern="^OFF$" /> </conditions> <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="SeeOther" /> </rule>

Lock down your HTTP Verbs

2016-01-222015-12-16 Andy BurnsHTTP, IIS, SecurityLeave a comment

Something that has come up in some of our testing recently is that some of our websites have HTTP verbs allowed that probably should be blocked – and with IIS they can be.

To recap, we’re use to the idea of GET or POST requests, but there are a lot more… Continue reading “Lock down your HTTP Verbs” →

Configuring a Content-Security-Policy

2016-01-072015-12-09 Andy BurnsContentSecurityPolicy, HTTP, HTTPHeaders, IIS, SecurityLeave a comment

I’ve talked about how to how to remove HTTP Headers that you don’t need from IIS – but there are some that you probably will want. This particular post is about the Content Security Policy (CSP).

I’m not going to describe what one is. @Scott_Helme has already described what a Content Security Policy is far better than I can. Rather, I’m going to describe how to figure out what your policy should be… Continue reading “Configuring a Content-Security-Policy” →

Removing Chatty IIS Headers

2016-01-062015-12-09 Andy BurnsHTTP, HTTPHeaders, IIS, SecurityLeave a comment

IIS is, by default, a bit too damn chatty, which isn’t what you want if you’re trying to harden your server:

You can check this with a site like SecurityHeaders.io, which will review all your HTTP Headers for you. It’s very good, I recommend it.

Why would I need to tell the world what ASP version, webserver, etc. that I’m using? Isn’t this just helping potential attackers? Well, yes. How do you remove these headers, though? Continue reading “Removing Chatty IIS Headers” →

You’re checking your HTTP Headers, right?

2016-01-052015-11-27 Andy BurnsHTTP, HTTPHeaders, IISLeave a comment

In the rush to build a website, it’s pretty easy to overlook something as mundane as HTTP headers – until someone runs an automated pen-test against the site you’ve built and starts asking about why you’re not using them – or why you are. Then you have to run around quickly trying to fix this – and some of these tasks aren’t so easy.

All of this can be fixed with a little testing beforehand, and there is a nifty site called SecurityHeaders.io…

This will tell you:

What headers you’re using and probably shouldn’t. IIS seems determined to include lots of HTTP Headers that you don’t need. This just leaks information to someone who is potentially malicious, and wastes a little bandwidth.

What headers you should use. There are a number of slightly obscure security related headers, and some new (and good) ones, such as a Content Security Policy, or HTTP Public Key Pinning.

Also, for what it’s worth, SecurityHeaders.io is by a chap called Scott Helme – https://scotthelme.co.uk/ (@Scott_Helme). He’s written about a lot of this stuff quite extensively, and also has written report-uri.io, which as we’ll see is fantastically useful.

Other ways of seeing your HTTP Headers…

Fiddler (Of course)
Browser Developer tools – such as Chrome’s – can show the response headers
Chrome’s HTTP Headers plugin – there are other plugins (and plugins for other browsers), but I find it very good for just doing what it says.

Handling 404s in Sitecore

2015-11-17 Andy Burns404, HTTPLeave a comment

Sitecore lets you specify a page to use for ‘ItemNotFound’ errors in web.config, and it’s always good practice to have a pretty ‘page not found’ page:

<setting name="ItemNotFoundUrl" value="/404" />

However, Sitecore hasn’t always been the best for actually returning the right HTTP status code for the 404 page. It redirects (more on that later) your failed request to a specified page in Sitecore – but the serves that page correctly, including an HTTP 200 status. This is sad, as search engines don’t understand that the page actually hasn’t been found. Continue reading “Handling 404s in Sitecore” →

The X-SharePointHealthScore header

2011-06-102014-11-30 Andy BurnsHTTP, SP2010 DevelopmentLeave a comment

A reminder to myself – there is a response header for SharePoint requests called the X-SharePointHealthScore. It indicates how stressed the server is with a score from zero (unstressed) to 10 (highly stressed). I first stumbled across it when debugging something in Fiddler, but others have written about it:

Andrew Connell has a brief write up
Mick Breeze dug into it with Reflector
Michel Barneveld seems to have found it the same way as I did – but looks at how it is calculated. He also describes how to force SharePoint to return a given value, in case you need to test something (like how your client code handles a stressed server)

So how do we test the loadbalancer if we set it up in this fashion? Do we need to DDoS a WFE? There is a better way 😉 There is a registry setting that will override the Health Score and it will return the value from the registry.

Create a DWORD with the name ServerHealthScore in the following location: HKLMSOFTWAREMicrosoftShared ToolsWeb Server Extensions14.0WSS and give it the value you want.

So what’s it useful for? Well, the main things that strike me would be:

Server Monitoring – Pretty obvious, really.
Client Applications – Can warn or take corrective actions if the server is loaded and may implement throttling.
Client Side scripts – Similar to above, though I haven’t yet been able to figure out who you’d get this value in the Client Object Model. I’m assuming there is a way to get the response headers in the Client Object Model – otherwise you may have to use normal XMLHttpRequests if you want to see the response headers.

Andy Burns' Blog

Whatever I'm working on

HTTP