Understanding the X-Permitted-Cross-Domain-Policies HTTP Security Header

Security Benefit: Control and restrict cross-domain policy files to prevent unauthorized access to your resources from legacy applications.

Modern web security goes beyond safeguarding web applications solely from common threats like SQL injection or cross-site scripting (XSS). In certain scenarios—particularly those involving legacy technologies like Adobe Flash Player, Microsoft Silverlight, or even Adobe Acrobat—cross-domain policy files can inadvertently expose resources across different origins.

What Is X-Permitted-Cross-Domain-Policies?

Definition and Purpose

X-Permitted-Cross-Domain-Policies is an HTTP response header that specifies if and how cross-domain policy files can be loaded from a particular host. It acts as a meta-policy to control access to resources across different domains, particularly for legacy applications.

Directive Values

none

Completely prohibits all cross-domain policy files. The server effectively disallows legacy clients from using any policy files to load resources.

master-only

Only the primary (or "master") policy file in the root directory is allowed. Sub-policy files in other directories will be ignored.

by-content-type

Restricts valid policy files to those served with the specific MIME type text/x-cross-domain-policy.

by-ftp-filename

Only allows policy files named crossdomain.xml (primarily relevant for FTP-based hosting environments).

all

Permits policy files from any location on the domain. This is the most permissive setting and is usually discouraged.

Risks of Not Implementing

Unexpected Cross-Domain Access

Without proper configuration, maliciously uploaded or modified crossdomain.xml files might allow unauthorized cross-domain resource requests.

Legacy Attack Vectors

Enterprise setups with legacy technologies may be vulnerable to exploits in cross-domain policy implementations.

False Sense of Security

Assuming other controls cover this and overlooking these policy files leaves a gap that commonly surfaces as a failed security audit or a finding in header-scanning tools.

Server Implementation Guide

Apache Configuration

<IfModule mod_headers.c>
    Header set X-Permitted-Cross-Domain-Policies "none"
</IfModule>

  1. Enable mod_headers using LoadModule headers_module modules/mod_headers.so
  2. Add the directive to your Apache configuration or .htaccess
  3. Choose the appropriate directive value (e.g., "none"); use Header always set instead of Header set if the header must also appear on error responses (4xx/5xx)
  4. Restart Apache to apply changes

Nginx Configuration

server {
    listen 80;
    server_name example.com;

    add_header X-Permitted-Cross-Domain-Policies "none";

    # Other configuration directives...
}

  1. Edit your server block configuration
  2. Add the header with the appropriate value; note that a location block containing its own add_header directives does not inherit add_header lines from the server block, so repeat the header there if needed
  3. Test the configuration with nginx -t
  4. Reload Nginx to apply changes

IIS Configuration

<configuration>
    <system.webServer>
        <httpProtocol>
            <customHeaders>
                <add name="X-Permitted-Cross-Domain-Policies" 
                     value="none" />
            </customHeaders>
        </httpProtocol>
    </system.webServer>
</configuration>

  1. Open IIS Manager and select your website
  2. Edit the web.config file
  3. Add the custom header configuration
  4. Save changes and restart the website if needed

Additional Security Insight

Although X-Permitted-Cross-Domain-Policies focuses on older technologies, modern browsers typically rely on CORS for managing cross-origin requests. Properly implementing both CORS and X-Permitted-Cross-Domain-Policies helps ensure comprehensive protection.

If your application strictly uses JavaScript-based front ends, setting X-Permitted-Cross-Domain-Policies to "none" serves as a best-practice safeguard against any inadvertent or malicious policy file additions.
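As an added example (not part of the original article), the following Python helpers implement the two checks this page motivates: that a response carries a single, valid X-Permitted-Cross-Domain-Policies value and, for the "Unexpected Cross-Domain Access" risk, that a crossdomain.xml master policy contains no wildcard allow-access-from entry. The sample headers and policy body are constructed, and the verdict labels are this example's own.

```python
import xml.etree.ElementTree as ET

# Directive values defined for the header, with the verdict an audit reports for each.
# "all" is the most permissive setting and is treated as a failure.
DIRECTIVE_VERDICTS = {
    "none": "ok",
    "master-only": "ok",
    "by-content-type": "review",
    "by-ftp-filename": "review",
    "all": "fail",
}

HEADER_NAME = "x-permitted-cross-domain-policies"


def audit_header(headers):
    """Return (verdict, detail) for a list of (name, value) response header pairs.

    Names are matched case-insensitively; values are trimmed and lower-cased.
    A missing, repeated or unrecognised header is reported as a failure."""
    values = [v.strip().lower() for n, v in headers if n.strip().lower() == HEADER_NAME]
    if not values:
        return ("fail", "header missing; legacy clients fall back to policy files alone")
    if len(values) > 1:
        return ("fail", "header sent more than once: %r" % values)
    value = values[0]
    if value not in DIRECTIVE_VERDICTS:
        return ("fail", "unknown directive %r; clients may ignore the header" % value)
    return (DIRECTIVE_VERDICTS[value], "directive %r" % value)


def audit_master_policy(xml_text):
    """Return findings for wildcard or insecure <allow-access-from> entries in crossdomain.xml."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter("allow-access-from"):
        domain = elem.get("domain", "")
        if domain == "*":
            findings.append("allow-access-from domain=%r" % domain)
        if elem.get("secure", "true").strip().lower() == "false":
            findings.append('secure="false" on domain=%r' % domain)
    return findings


# Constructed sample inputs: one compliant response, one missing the header,
# and a master policy that grants every origin access.
SAMPLE_HEADERS_OK = [("Content-Type", "text/html"), ("X-Permitted-Cross-Domain-Policies", "none")]
SAMPLE_HEADERS_MISSING = [("Content-Type", "text/html")]
SAMPLE_POLICY = """<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>"""
```

Run the helpers over a captured response and the fetched /crossdomain.xml body; any "fail" verdict or non-empty findings list is a misconfiguration to correct before relying on the header.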