
Update: HTTP_Headers_Cheat_Sheet

Open kjerabek opened this issue 1 year ago • 3 comments

What is missing or needs to be updated?

My colleague Polčák and I have been conducting research on Network Error Logging (NEL) and its (in)security aspects. Please refer to https://arxiv.org/pdf/2305.05343.pdf (accepted for publication at SECRYPT'23).

For a quick introduction to NEL, please visit https://dcreager.net/nel/intro/.

From an OWASP perspective, only the part of the article addressing the installation of a long-term tracker in case of a MitM position or the ability to influence content on a server portion is relevant. An example from our university: I have the ability to manipulate the content of https://www.fit.vutbr.cz/~ijerabek/, including HTTP headers. If I correctly send NEL-related headers, I will receive information about all visitors' movements on my website section, as well as on all other pages within the domain www.fit.vutbr.cz, potentially including subdomains.

In the article, we propose a simple prevention measure: if a web server does not send its own NEL headers, sending an NEL policy with a zero validity period will remove any previously installed policies (if they have reached the browser). In my example, this would mean that during the first visit to https://www.fit.vutbr.cz outside of /~ijerabek/, the attacker-inserted policy would be deleted, and the attacker would not receive reports of the user's further activity on this website.

We believe that it would be beneficial to add a short description of the NEL header to the HTTP Headers cheat sheet and add the recommendation of a default zero-validity policy that we came up with.

How should this be resolved?

update: cheatsheets/HTTP_Headers_Cheat_Sheet.md

Add a short description of the NEL header and add the recommendation to prevent the described attack behavior by setting a default policy with a 0 time value.

kjerabek avatar May 23 '23 05:05 kjerabek
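An added example, written for this page and not taken from the issue or the cheat sheet, of the recommendation above in Python: a check that tells an installing NEL policy from a clearing one, and a helper that adds the zero-validity default to any response lacking its own NEL header. It assumes the `report_to` and `max_age` members from the NEL specification and a plain dict of response headers.

```python
import json
from typing import Dict, Optional

# Zero-validity policy: a browser that processes it drops the NEL policy it
# currently stores for the origin. report_to is kept so the value is well formed.
NEL_CLEAR_POLICY = '{"report_to": "default", "max_age": 0}'


def parse_nel(value: str) -> Optional[Dict]:
    """Parse a NEL header value (a JSON object).

    Returns None for values a browser would ignore: not JSON, not an object,
    a missing/negative max_age, or a positive max_age without a report_to group.
    """
    try:
        policy = json.loads(value)
    except json.JSONDecodeError:
        return None
    if not isinstance(policy, dict):
        return None
    max_age = policy.get("max_age")
    if not isinstance(max_age, int) or isinstance(max_age, bool) or max_age < 0:
        return None
    if max_age > 0 and not isinstance(policy.get("report_to"), str):
        return None
    return policy


def classify_nel(headers: Dict[str, str]) -> Dict:
    """Summarise what the NEL header in a response would do in the browser."""
    value = next((v for k, v in headers.items() if k.lower() == "nel"), None)
    if value is None:
        return {"action": "none", "max_age": None, "include_subdomains": False}
    policy = parse_nel(value)
    if policy is None:
        return {"action": "invalid", "max_age": None, "include_subdomains": False}
    action = "clear" if policy["max_age"] == 0 else "install"
    return {
        "action": action,
        "max_age": policy["max_age"],
        "include_subdomains": policy.get("include_subdomains") is True,
    }


def add_default_nel(headers: Dict[str, str]) -> Dict[str, str]:
    """Apply the issue's mitigation: responses that carry no NEL header of
    their own get the zero-validity policy, so a stale or injected policy that
    reached the browser from another part of the site is removed."""
    if not any(k.lower() == "nel" for k in headers):
        headers["NEL"] = NEL_CLEAR_POLICY
    return headers
```

Served site-wide (e.g. from a reverse proxy in front of user-controlled paths), the default header means the first response outside the attacker-controlled section clears the injected policy, which is exactly the effect the issue describes.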