I've suggested that one of the less-obvious reasons why so few websites implement HTTP Security Response Headers — despite what seems an obvious cost-to-benefit ratio — is that there's no obvious business model.
In other words, there's not a lot of money to be made helping people learn that these settings exist, and helping people configure them.
The problem isn't easily scaled, so there's no obvious lever for a SaaS (Software as a Service) business.
How long does it take to reach, educate, and sell each of the 3,143 county governments? Longer than it takes to fix the problem, most likely.
Unless you already have a relationship with the counties, providing security and web development work, it might cost more to sell the fix than the revenue generated by fixing the problem.
So, that’s one reason it hasn’t been solved.
There's another reason, though.
The terminology we use to discuss various problems has a tendency to shift over time.
For the past few years, much of the attention in both the information-technology trade press and the mainstream media has gone to a different type of attack, one that seems more modern and that really started to get attention after 2015, when it was used in ransomware attacks costing billions of dollars a year: phishing.
Many articles have been written about ransomware and phishing, partly because this has been a growth industry for attackers.
Damages from ransomware alone grew from a few hundred million dollars a year in 2015 to about $32 billion last year (2023).
What few of these articles discuss, partly because it's a little complicated, is that many of these ransomware attacks are sustained campaigns, not a single click on a single malicious link in a single unlucky email.
As with many other data-theft and identity-theft attacks, modern ransomware attacks seek a variety of means to gain entry to the target's network and systems. More than one of these volleys may lob targeted phishing (if it's very narrowly targeted, this is sometimes called spear phishing) at employees or at visitors to your website, and some of those lures use injection attacks, including cross-site scripting, in some way.
At some point in what might be a months-long assault on an IT infrastructure, the attacker may send an email with a link to click to one or tens of thousands of people.
Sometimes that link is an outright direct link to a malicious website that’s merely pretending to be your website. This is a pure phishing attack, strictly exploiting human frailty and trust, not necessarily involving XSS, and usually intended to harvest login credentials.
Other times the link is disguised to look like a website the user expects, perhaps using a "typo squatting" domain: "g00gle[.]com" looks enough like "google[.]com" to trick somebody, depending on the font.
This type of phishing might or might not involve an XSS component, depending on whether the attacker is trying to make the experience seem mundane: everything seems normal if the attacker's website looks and acts enough like the actual website. It might even pass the user through to the authentic website, or redirect the user to the normal website after their login credentials have been harvested, for example.
Still other times the link in the email might be a link directly to the authentic website, with an XSS "reflection" attack embedded in the query string, for example, allowing the attacker to harvest credentials from the user in the course of their normal activity at the site.
Attacks like these are sometimes embedded not only in emails but also in advertising links, or on "spam" websites which are created for the dual purpose of harvesting ad revenue and login credentials.
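The "reflection" case above (a value from the query string echoed straight into the page) is exactly what HTTP security response headers and output escaping are meant to contain. The following is an added illustration, not code from the original post: a minimal vulnerable search handler beside a hardened one, plus a checker that reports which headers from an assumed checklist a response is missing. The URL and the header checklist are constructed for this example.

```python
"""Reflected XSS in a query-string echo, beside a hardened handler that
escapes output and sets HTTP security response headers (illustrative)."""
import html
from urllib.parse import parse_qs, urlsplit

# Headers a hardened response should carry (checklist assumed for this example).
SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Referrer-Policy": "no-referrer",
}


def search_term(url: str) -> str:
    """Pull the 'q' parameter out of a request URL (empty string if absent)."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def vulnerable_response(url: str) -> tuple[dict, str]:
    """Echoes the query term straight into HTML: a reflected XSS sink."""
    body = f"<p>Results for: {search_term(url)}</p>"
    return {"Content-Type": "text/html"}, body


def hardened_response(url: str) -> tuple[dict, str]:
    """Escapes the reflected value and sets the security response headers."""
    body = f"<p>Results for: {html.escape(search_term(url), quote=True)}</p>"
    headers = {"Content-Type": "text/html; charset=utf-8", **SECURITY_HEADERS}
    return headers, body


def missing_security_headers(headers: dict) -> list[str]:
    """Names of checklist headers absent from a response (case-insensitive)."""
    present = {k.lower() for k in headers}
    return [h for h in SECURITY_HEADERS if h.lower() not in present]


if __name__ == "__main__":
    # Constructed request: the search term carries an HTML tag.
    url = "https://example.test/search?q=%3Cb%3Ehi%3C%2Fb%3E"
    for name, fn in (("vulnerable", vulnerable_response), ("hardened", hardened_response)):
        hdrs, body = fn(url)
        print(name, body, "missing:", missing_security_headers(hdrs))
```

Run against a real site's response headers, `missing_security_headers` gives the same kind of gap list the opening paragraphs describe.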
The point is that talking about "phishing" buries the technical details.
Modern attackers at all scales, not merely the well-funded "advanced persistent threats", mix and match technical and psychological attack methods, trying to find their way around defenses like application firewalls on servers and antivirus software on desktop computers.
When we talk about phishing, we're also talking about XSS, not only the psychological tricks.