Increasing web apps security with the power of http headers

Nowadays everyone uses a web browser daily for tasks such as reading email or buying on e-commerce portals. Web developers often forget that a browser is a piece of software that can be turned into a remote code execution engine: an attacker can inject malicious code either by exploiting a Cross-Site Scripting (XSS) vulnerability or by mounting a man-in-the-middle (MITM) attack. The focus of this talk is to explain how the newer browser headers (HSTS, HPKP, CSP) add an extra layer of security, with little effort, against common web vulnerabilities. Talking points:
- Introduction to web browser security, explaining why secure transport matters and what HTTPS provides in terms of confidentiality, authenticity and integrity.
- Analysis of the newer headers, HTTP Strict Transport Security (HSTS), HTTP Public Key Pinning (HPKP) and Content Security Policy (CSP), explaining how they work to defend against HTTPS downgrade (SSL stripping), XSS and clickjacking attacks.

jmortegac

May 12, 2017

Transcript

  3. Increasing web apps security with the power of http headers

  4. Agenda
    HTTP Strict Transport Security (HSTS)
    HTTP Public Key Pinning (HPKP)
    Content Security Policy (CSP)

  5. HSTS
    ● The browser strictly upgrades every
    connection to the host to HTTPS
    ● Defeats MITM attacks that intercept the
    initial plain-HTTP request, before any
    redirect to HTTPS has taken place
    ● Example: SSL stripping attacks

  6. SSLStrip

  7. HSTS

  8. HSTS
    server {
        listen 443 ssl;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        # This 'location' block inherits the STS header
        location / {
            root /usr/share/nginx/html;
        }
    }

  9. HSTS Directives
    ● max-age tells the user agent how long, in
    seconds, to cache the STS setting; max-age=0
    deletes a stored entry
    ● includeSubDomains tells the user agent to apply
    the policy to all subdomains as well
    ● preload (not part of RFC 6797, but required by
    hstspreload.org) asks for the host to be shipped in
    the browsers' built-in HSTS list, which closes the
    gap on the very first visit
    ● The header is only honoured when it arrives over
    HTTPS; a copy sent on a plain-HTTP response is ignored
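An added example (my own code, not from the deck) that models what a browser does with these directives, following RFC 6797: a small HSTS store that ignores the header on an http:// response, upgrades later http:// URLs, honours includeSubDomains and expiry, and a check of the header-level requirements hstspreload.org imposes. The URLs and header values are constructed for the demo.

```python
import time
from urllib.parse import urlsplit, urlunsplit

PRELOAD_MIN_AGE = 31536000  # hstspreload.org requires a max-age of at least one year


def parse_sts(header):
    """Split a Strict-Transport-Security value into {directive: value}.

    Directive names are case-insensitive; valueless directives map to "".
    """
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def preload_eligible(header):
    """Does the header itself satisfy the hstspreload.org submission rules?

    The site must also redirect HTTP to HTTPS and send the header on the
    redirect target; those are network checks and are out of scope here.
    """
    d = parse_sts(header)
    age = d.get("max-age", "")
    return (age.isdigit() and int(age) >= PRELOAD_MIN_AGE
            and "includesubdomains" in d and "preload" in d)


class HstsCache:
    """Minimal model of a browser's HSTS store (RFC 6797)."""

    def __init__(self, now=time.time):
        self.now = now              # injectable clock so expiry can be exercised
        self._entries = {}          # host -> (expires_at, include_subdomains)

    def observe(self, url, header):
        """Process an STS header from the response to `url`; True if it was acted on.

        RFC 6797 8.1: the header is ignored on a non-secure (http://) response,
        and a missing or non-numeric max-age makes it invalid. max-age=0 deletes.
        """
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            return False
        d = parse_sts(header)
        age = d.get("max-age", "")
        if not age.isdigit():
            return False
        host = parts.hostname.lower()
        if int(age) == 0:
            self._entries.pop(host, None)
        else:
            self._entries[host] = (self.now() + int(age), "includesubdomains" in d)
        return True

    def is_known(self, host):
        """True if `host`, or a parent domain with includeSubDomains, has a live entry."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_sub = entry
            if expires_at > self.now() and (i == 0 or include_sub):
                return True
        return False

    def rewrite(self, url):
        """Upgrade an http:// URL to https:// when its host is a known HSTS host (RFC 6797 8.3)."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.is_known(parts.hostname):
            return url
        # port 80 becomes the https default; an explicit non-80 port is kept
        netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    cache = HstsCache()
    # constructed responses: the first is ignored because it arrived over http://
    print(cache.observe("http://example.com/", "max-age=31536000"))
    print(cache.observe("https://example.com/", "max-age=31536000; includeSubDomains"))
    print(cache.rewrite("http://api.example.com/v1"))
    print(preload_eligible("max-age=31536000; includeSubDomains; preload"))
```

The injectable clock is what lets you see the one thing the slides only imply: once max-age runs out, the browser silently goes back to sending the first request in clear text, which is why the preload list exists.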

  10. chrome://net-internals/#hsts

  11. http://caniuse.com/#feat=stricttransportsecurity

  12. HTTPS Everywhere plugin
    ● Redirects users to the HTTPS version of a
    site, based on a ruleset of sites known to support it
    ● https://www.eff.org/https-everywhere
    ● Available for Chrome, Firefox and Opera
    ● Since retired by the EFF: current browsers ship an
    HTTPS-only mode that does the same job

  13. HPKP
    ● Public key pinning (often loosely called
    certificate pinning) is a security mechanism that
    lets HTTPS websites resist impersonation by attackers
    using mis-issued or otherwise fraudulent certificates,
    including ones signed by a trusted CA
    ● The HTTPS web server serves a list of public key
    hashes (SHA-256 of the SubjectPublicKeyInfo), and on
    subsequent connections clients expect that server to
    use one or more of those public keys somewhere in its
    certificate chain

  14. HPKP
    ● Minimizes MITM attacks by pinning the server's
    public keys instead of trusting any CA-issued certificate
    ● The pins are stored by the browser on the first
    (unmodified) response and used on later connections
    to verify the public keys in the served chain
    ● In this way the browser detects a substituted
    certificate, even one that a trusted CA signed
    ● Trust on first use: a MITM during the very first
    visit still succeeds, the same first-request gap HSTS has

  15. HPKP
    add_header Public-Key-Pins 'pin-sha256="vDGd5BIsPtpEDVrOzMypcp9CjSQ8QIiIQq6iRg59UOg="; pin-sha256="Mfyz5Zy4hGa1yrs93hMGGPo57r42fM+mttvEmHuXIdI="; max-age=60; includeSubDomains';
    (max-age=60 is a short test value: keep it small while testing, so that a
    wrong pin locks clients out for seconds rather than months)

  16. HPKP
    ● Decide which certificates' public keys you will pin;
    include at least one backup key that is not in the
    served chain, otherwise browsers ignore the header
    ● Create SHA-256 hashes of the public keys (the
    DER-encoded SubjectPublicKeyInfo), base64-encoded
    ● Set your site to send a header with the pins
    ● Visit your site multiple times to verify that you are not
    blocked
    ● Check chrome://net-internals/#hsts and query your
    domain to verify that the pins are stored
    ● Verify that dynamic_pkp_observed and dynamic_spki_hashes
    are populated
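An added example (my own code, not from the deck) that carries the procedure above through in code, modelled on RFC 7469: deriving a pin-sha256 value from a SubjectPublicKeyInfo, parsing the Public-Key-Pins header, the rule that a browser only stores pins when the header contains both a matching pin and a backup pin, and the check a returning browser makes against the chain. The SPKI blobs are constructed byte strings standing in for real DER keys; with real certificates they come from the openssl pipeline shown in the docstring.

```python
import base64
import hashlib


def spki_pin(spki_der):
    r"""pin-sha256 value for a DER-encoded SubjectPublicKeyInfo (RFC 7469 2.4).

    The same value from a PEM certificate on the command line:
      openssl x509 -in cert.pem -pubkey -noout \
        | openssl pkey -pubin -outform der \
        | openssl dgst -sha256 -binary | base64
    """
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_pkp(header):
    """Split a Public-Key-Pins value into (list of pins, {other directive: value})."""
    pins, directives = [], {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "pin-sha256":
            pins.append(value)
        else:
            directives[name] = value
    return pins, directives


def header_is_noteworthy(header, chain_spkis):
    """Would a browser store these pins? RFC 7469 2.5 requires a valid max-age,
    at least one pin matching a key in the served chain, and at least one pin
    that does not: the backup pin, without which a key rotation would lock
    every returning visitor out for max-age seconds."""
    pins, directives = parse_pkp(header)
    if not directives.get("max-age", "").isdigit():
        return False
    chain_pins = {spki_pin(spki) for spki in chain_spkis}
    return any(p in chain_pins for p in pins) and any(p not in chain_pins for p in pins)


def chain_is_pinned(stored_pins, chain_spkis):
    """Check on a later connection: any stored pin matching any key in the
    chain (leaf, intermediate or root) is enough."""
    chain_pins = {spki_pin(spki) for spki in chain_spkis}
    return any(p in chain_pins for p in stored_pins)


# Constructed stand-ins for DER SubjectPublicKeyInfo blobs (not real keys).
LEAF_SPKI = b"constructed SPKI: current leaf key"
INTERMEDIATE_SPKI = b"constructed SPKI: intermediate CA key"
BACKUP_SPKI = b"constructed SPKI: offline backup key"


def example_header(max_age=5184000):
    """Header pinning the current leaf key plus an offline backup key (60 days)."""
    return (f'pin-sha256="{spki_pin(LEAF_SPKI)}"; pin-sha256="{spki_pin(BACKUP_SPKI)}"; '
            f"max-age={max_age}; includeSubDomains")


if __name__ == "__main__":
    hdr = example_header()
    print(hdr)
    print(header_is_noteworthy(hdr, [LEAF_SPKI, INTERMEDIATE_SPKI]))
    pins, _ = parse_pkp(hdr)
    print(chain_is_pinned(pins, [BACKUP_SPKI, INTERMEDIATE_SPKI]))   # rotated to the backup key
    print(chain_is_pinned(pins, [b"constructed SPKI: attacker key"]))
```

The backup-pin rule is the part people got wrong in practice: a header that pins only the live key is not stored at all, and a header that pins only keys you no longer control bricks the site until max-age expires.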

  17. HPKP

  19. HPKP
    ● PinPatrol Firefox add-on
    ● Shows the HSTS and HPKP data the browser has stored

  21. CSP
    ● Helps to detect and mitigate content
    injection attacks such as XSS
    ● Mitigates XSS, clickjacking (via frame-ancestors)
    and other code injection; a defence in depth, not
    a substitute for output encoding

  22. CSP
    ● Load everything from the same origin
    ● 'self' --> content of this type can only be
    loaded from the page's own origin (same scheme,
    host and port); inline scripts, inline styles and
    eval() are blocked as well unless explicitly allowed
    ● add_header Content-Security-Policy "default-src 'self';";
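An added example (my own code, not from the deck) of how a browser evaluates a policy like the one above: a CSP parser, the fallback from a missing fetch directive to default-src, source-expression matching for 'self', scheme, host and wildcard sources, and a small check in the spirit of the csp-evaluator tool for settings that void the XSS protection. Nonce and hash sources are not modelled, and the page and resource URLs are constructed for the demo.

```python
from urllib.parse import urlsplit

# Fetch directives that fall back to default-src when they are not set (a subset).
FALLS_BACK_TO_DEFAULT = {"script-src", "style-src", "img-src", "font-src", "connect-src",
                         "media-src", "object-src", "frame-src", "child-src", "manifest-src"}


def parse_csp(policy):
    """'default-src 'self'; img-src *' -> {'default-src': ["'self'"], 'img-src': ['*']}.
    As in browsers, a repeated directive keeps its first occurrence."""
    directives = {}
    for token in policy.split(";"):
        parts = token.split()
        if parts:
            directives.setdefault(parts[0].lower(), parts[1:])
    return directives


def source_matches(source, page, target):
    """Does one source expression allow loading `target` from `page`?
    Both are urlsplit() results. Nonce and hash sources are not modelled."""
    if source == "'self'":
        return (target.scheme, target.hostname, target.port) == (page.scheme, page.hostname, page.port)
    if source.startswith("'"):        # 'none', 'unsafe-inline', ... never match a URL
        return False
    if source == "*":
        return target.scheme in ("http", "https")
    if source.endswith(":"):          # scheme-source such as "https:"
        return target.scheme == source[:-1].lower()
    # host-source: [scheme://]host[:port]; without a scheme it inherits the page's,
    # and a plain-http page may also load the https version of that host
    if "://" not in source:
        source = f"{page.scheme}://{source}"
    src = urlsplit(source)
    if target.scheme != src.scheme and not (src.scheme == "http" and target.scheme == "https"):
        return False
    host, target_host = (src.hostname or ""), (target.hostname or "")
    if host.startswith("*."):
        if not target_host.endswith(host[1:]):   # "*.cdn.example" matches "a.cdn.example"
            return False
    elif host != target_host:
        return False
    return src.port is None or src.port == target.port


def allows(policy, page_url, directive, target_url=None, inline=False):
    """Would `policy` on the page at `page_url` let `directive` load `target_url`?
    `inline=True` asks about an inline <script>/<style> block instead of a URL."""
    directives = parse_csp(policy)
    sources = directives.get(directive)
    if sources is None and directive in FALLS_BACK_TO_DEFAULT:
        sources = directives.get("default-src")
    if sources is None:
        return True                   # no governing directive: CSP imposes nothing
    if inline:
        return "'unsafe-inline'" in sources
    page, target = urlsplit(page_url), urlsplit(target_url)
    return any(source_matches(s, page, target) for s in sources)


def weaknesses(policy):
    """Findings in the spirit of csp-evaluator: settings that void the XSS protection."""
    d = parse_csp(policy)
    findings = []
    script = d.get("script-src", d.get("default-src"))
    if script is None:
        findings.append("no script-src or default-src: scripts are unrestricted")
    else:
        if "'unsafe-inline'" in script:
            findings.append("script-src allows 'unsafe-inline': injected inline scripts run")
        if "'unsafe-eval'" in script:
            findings.append("script-src allows 'unsafe-eval'")
        if "*" in script or any(s in ("http:", "https:") for s in script):
            findings.append("script-src allows any host: attacker-hosted scripts load")
    if "object-src" not in d and "default-src" not in d:
        findings.append("object-src missing: plugin content is unrestricted")
    return findings


if __name__ == "__main__":
    policy = "default-src 'self'; script-src 'self' https://cdn.example; object-src 'none'"
    page = "https://app.example/"
    print(allows(policy, page, "script-src", "https://cdn.example/lib.js"))
    print(allows(policy, page, "script-src", "https://evil.example/x.js"))
    print(allows(policy, page, "script-src", inline=True))   # the classic XSS payload
    print(weaknesses("default-src *; script-src 'unsafe-inline' https:"))
```

The `inline=True` case is the point of the whole directive: with `default-src 'self'` an injected `<script>alert(1)</script>` does not execute, which is exactly what an XSS payload needs.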

  23. CSP Source expressions

  24. https://csp-evaluator.withgoogle.com/

  25. http://cspisawesome.com/

  26. Conclusions
    ● HSTS ensures that the browser won't open
    unencrypted HTTP connections to your domain
    once it has seen the header (or has the domain
    preloaded)
    ● HPKP ensures that nobody can substitute your
    certificate as a man-in-the-middle, even with a
    certificate from a trusted CA
    ● Note: browsers have since removed HPKP support
    (Chrome 72, Firefox 72) because a wrong pin locks
    users out; do not deploy it on new sites

  27. More headers
    ● X-XSS-Protection: enables the browser's built-in
    reflected-XSS filter. Chrome and Edge have since
    removed that filter and Firefox never had one, so
    set it to 0 (or omit it) and rely on CSP instead
    ● X-Frame-Options: DENY or SAMEORIGIN; provides
    protection against clickjacking / UI redress attacks
    ● X-Content-Type-Options: nosniff; prevents
    MIME content-sniffing attacks

  28. ● curl --head: prints only the response headers,
    the quickest way to see which of the above a site
    actually sends
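An added example (my own code, not from the deck) of the review you would otherwise do by eye on `curl --head` output: an audit of a response-header set for the headers covered in the slides, flagging missing, weak or obsolete values. The two header sets are constructed, not captured from a real site; `fetch_headers` is the live HEAD-request variant and is not exercised offline.

```python
import http.client
from urllib.parse import urlsplit

ONE_YEAR = 31536000


def _max_age(value):
    """max-age from an HSTS-style directive list, or None if absent or invalid."""
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        val = val.strip().strip('"')
        if name.strip().lower() == "max-age" and val.isdigit():
            return int(val)
    return None


def audit(headers):
    """Return a list of findings for a dict of response headers (any key case)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    sts = h.get("strict-transport-security")
    if sts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        age = _max_age(sts)
        if age is None:
            findings.append("Strict-Transport-Security has no valid max-age (browsers ignore it)")
        elif age < ONE_YEAR:
            findings.append(f"Strict-Transport-Security max-age={age} is below one year")
        if "includesubdomains" not in sts.lower():
            findings.append("Strict-Transport-Security lacks includeSubDomains")

    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("Content-Security-Policy missing")
    elif "'unsafe-inline'" in csp:
        findings.append("Content-Security-Policy allows 'unsafe-inline'")

    xfo = h.get("x-frame-options")
    if xfo is None and "frame-ancestors" not in csp:
        findings.append("clickjacking: no X-Frame-Options and no CSP frame-ancestors")
    elif xfo is not None and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options={xfo!r} is not DENY/SAMEORIGIN (ALLOW-FROM is unsupported)")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")

    xss = h.get("x-xss-protection")
    if xss is not None and not xss.startswith("0"):
        findings.append("X-XSS-Protection enables a filter current browsers no longer ship; use 0 or drop it")

    if "public-key-pins" in h:
        findings.append("Public-Key-Pins present: browsers no longer honour HPKP, remove it")
    return findings


def fetch_headers(url, timeout=10):
    """Live variant of `curl --head`: HEAD request over TLS, returned as a dict."""
    u = urlsplit(url)
    conn = http.client.HTTPSConnection(u.hostname, u.port or 443, timeout=timeout)
    conn.request("HEAD", u.path or "/")
    return dict(conn.getresponse().getheaders())


# Constructed header sets standing in for two `curl --head` captures.
WEAK = {"Server": "nginx", "Content-Type": "text/html", "X-XSS-Protection": "1; mode=block"}
HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "0",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(hdrs) or ["no findings"])
```

Run against a live site with `audit(fetch_headers("https://example.com/"))`; note that a HEAD response can differ from GET on some servers, so confirm any finding with a full request before filing it.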

  29. ● Helmet module: Express (Node.js) middleware
    that sets these headers with safe defaults

  30. References
    ● https://securityheaders.io
    ● https://www.ssllabs.com/ssltest
    ● https://www.chromium.org/hsts
    ● https://hstspreload.org
    ● https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet

  31. PinPatrol Firefox plugin

  32. • https://observatory.mozilla.org/

  33. • https://report-uri.io

  34. Thank you!
    @jmortegac
    jmortega.github.io
    about.me/jmortegac
