DOI: 10.1007/978-3-031-80020-7_5

Securing the Web: Analysis of HTTP Security Headers in Popular Global Websites

Published: 16 December 2024

Abstract

The surge in attacks on websites, including Denial of Service (DoS), Cross-Site Scripting (XSS), and Clickjacking, underscores the need for robust HTTPS deployment and correctly configured HTTP security headers, a practice that remains inadequately adopted. To that end, we analyzed HTTP security headers across N=3,195 globally popular websites. We first categorized the websites by function using Google NLP and validated the categorization manually with Symantec Sitereview. We then assessed each site's HTTPS implementation with the Mozilla Observatory, examining factors including compliance with HTTP Strict Transport Security (HSTS) policy, Certificate Pinning practice, and other security postures. Over half of the websites examined (55.66%) received a security grade of 'F', and most scored low on several metrics, indicating weak HTTP header implementation. The low scores expose issues such as weak Content Security Policies (CSP), neglect of HSTS guidelines, and insufficient use of Subresource Integrity (SRI). Healthcare websites (n=59) are particularly concerning: despite being entrusted with sensitive patient data and obliged to comply with data-protection regulations, they recorded the lowest average score (18.14). We conclude by recommending that developers prioritize secure redirection strategies and use ease of implementation as a guide when deciding where to focus their efforts.
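The header checks the abstract lists (HSTS policy, CSP strength, clickjacking protection, and SRI on external scripts) can be reproduced offline against captured responses. The Python below is an added example written for this page; it is not the authors' tooling and does not reproduce Mozilla Observatory's scoring. The six-month HSTS threshold and the 25-points-per-check grading are assumptions, the sample responses are constructed, and the `audit` and `grade` names are the example's own. Certificate pinning is deliberately left out: the HPKP header that would carry it has been deprecated and is no longer honoured by mainstream browsers.

```python
import re
from urllib.parse import urlsplit

HSTS_MIN_AGE = 15552000  # assumption: six months, the usual "good" threshold
WEAK_SOURCES = {"*", "http:", "https:", "data:"}
HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.I)
ATTR = re.compile(r"""(\w+)\s*=\s*["']([^"']*)["']""")


def parse_csp(value):
    """Split a CSP string into {directive: [sources]}, lower-cased."""
    directives = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def check_hsts(headers):
    """HSTS only helps with a long max-age that also covers subdomains."""
    value = headers.get("strict-transport-security")
    if value is None:
        return ("hsts", "missing", "no Strict-Transport-Security header")
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.I)
    age = int(m.group(1)) if m else 0  # a missing max-age is treated as zero
    if age < HSTS_MIN_AGE:
        return ("hsts", "weak", f"max-age={age} is below {HSTS_MIN_AGE}")
    if "includesubdomains" not in value.lower():
        return ("hsts", "partial", "includeSubDomains not set")
    return ("hsts", "ok", value)


def check_csp(headers):
    """A policy allowing 'unsafe-inline' or wildcard script sources does not stop XSS."""
    value = headers.get("content-security-policy")
    if value is None:
        return ("csp", "missing", "no Content-Security-Policy header")
    d = parse_csp(value)
    script_src = d.get("script-src", d.get("default-src"))
    if script_src is None:
        return ("csp", "weak", "neither script-src nor default-src is set")
    problems = []
    if "'unsafe-inline'" in script_src and not any(t.startswith(HASH_OR_NONCE) for t in script_src):
        problems.append("'unsafe-inline' with no nonce or hash")
    if "'unsafe-eval'" in script_src:
        problems.append("'unsafe-eval' permitted")
    if WEAK_SOURCES & set(script_src):
        problems.append("wildcard or bare-scheme script source")
    return ("csp", "weak", "; ".join(problems)) if problems else ("csp", "ok", value)


def check_framing(headers):
    """Clickjacking defence: CSP frame-ancestors first, X-Frame-Options as fallback."""
    d = parse_csp(headers.get("content-security-policy", ""))
    if "frame-ancestors" in d:
        return ("framing", "ok", "frame-ancestors " + " ".join(d["frame-ancestors"]))
    xfo = headers.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return ("framing", "ok", f"X-Frame-Options: {xfo}")
    if xfo.startswith("ALLOW-FROM"):
        return ("framing", "weak", "ALLOW-FROM is not honoured by current browsers")
    return ("framing", "missing", "no frame-ancestors or X-Frame-Options")


def check_sri(html, origin):
    """Every cross-origin <script src=...> should carry an integrity attribute."""
    site = urlsplit(origin).netloc
    missing = []
    for m in SCRIPT_TAG.finditer(html):
        attrs = {k.lower(): v for k, v in ATTR.findall(m.group(1))}
        src = attrs.get("src", "")
        host = urlsplit(src).netloc  # empty for relative URLs, i.e. same origin
        if host and host != site and "integrity" not in attrs:
            missing.append(src)
    if missing:
        return ("sri", "weak", f"{len(missing)} external script(s) without integrity")
    return ("sri", "ok", "all external scripts carry integrity")


def audit(headers, html, origin):
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    return [check_hsts(lowered), check_csp(lowered), check_framing(lowered), check_sri(html, origin)]


def grade(findings):
    """Assumed scale, not Observatory's: 25 points per passing check, F below 50."""
    score = sum(25 for _, status, _ in findings if status == "ok")
    letter = "A" if score >= 90 else "B" if score >= 75 else "C" if score >= 50 else "F"
    return score, letter


# Constructed sample responses, not measurements from the paper.
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; frame-ancestors 'none'",
}
GOOD_HTML = '<script src="/static/app.js"></script>'
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
}
WEAK_HTML = '<script src="https://cdn.example/lib.js"></script>'
```

Call `grade(audit(headers, body, origin))` with the headers and body captured from a real response; the constructed `GOOD_*` pair grades (100, 'A') and the `WEAK_*` pair (0, 'F'). The framing check consults `frame-ancestors` before `X-Frame-Options` because browsers ignore the latter when the CSP directive is present, and `ALLOW-FROM` is flagged rather than accepted because current browsers do not implement it, so a site relying on it is effectively unprotected.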


Published In

Information Systems Security: 20th International Conference, ICISS 2024, Jaipur, India, December 16–20, 2024, Proceedings
Dec 2024, 500 pages
ISBN: 978-3-031-80019-1
DOI: 10.1007/978-3-031-80020-7

Publisher

Springer-Verlag, Berlin, Heidelberg


Author Tags

  1. Website Security
  2. HTTPS Implementation
