Increasing web apps security with the power of http headers

Transcript

1. None
2. None

3. Increasing web apps security with the power of http headers

4. Agenda HTTP Strict Transport Security (HSTS) HTTP Public Key Pinning

   (HPKP) Content Security Policy (CSP)

5. HSTS • The browser strictly upgrades the connection to HTTPS

   protocol • Avoid MITM attacks that try intercept the initial HTTP request • SSLStripping attacks

6. SSLStrip

7. HSTS

8. HSTS server { listen 443 ssl; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"

   always; # This 'location' block inherits the STS header location / { root /usr/share/nginx/html; } }

9. HSTS Directives • max-age tells user-agent how long to cache

   the STS setting in seconds • includeSubDomains tells user-agent to include any subdomains

10. chrome://net-internals/#hsts

11. http://caniuse.com/#feat=stricttransportsecurity

12. HTTPS Everywhere plugin • Redirects users to HTTPS version of

    the site • https://www.eff.org/https-everywhere • Available for Chrome,Firefox,Opera

13. HPKP • Certificate Pinning is a security mechanism which allows

    HTTPS websites to resist impersonation by attackers using mis-issued or otherwise fraudulent certificates • The HTTPS web server serves a list of public key hashes, and on subsequent connections clients expect that server to use one or more of those public keys in its certificate chain.

14. HPKP • Minimize MITM attacks by pinning certificate • The

    pin is saved by the browser in the first request and in next requests this pin is used to verify the public key • In this way we can check that the certificate has not been altered

15. HPKP add_header Public-Key-Pins: 'pin-sha256="vDGd5BIsPtpEDVrOzMypcp9CjSQ8QIiIQq6i Rg59UOg="; pin-sha256="Mfyz5Zy4hGa1yrs93hMGGPo57r42fM+mttvE mHuXIdI="; max-age=60; includeSubdomains;

16. HPKP • Decide which certificate's public keys you will pin

    • Create SHA-256 hashes for the public keys • Set your site to send a header with the pins • Visit your site multiple times to verify that you are not blocked • Check chrome://net-internals/#hsts and query your domain to verify that the pins are stored • Verify dynamic_pkp_observed and dynamic_spki_hashes

17. HPKP

18. None

19. HPKP • PinPatrol firefox plugin • Check HSTS and HPKP

    headers
20. None

21. CSP • Helps to detect and mitigate data injection attacks

    such as XSS • Prevent XSS, clickjacking, code injection attacks

22. CSP • Load everything from the same origin • 'self'

    --> Content of this type can only be loaded from the same origin • add_header Content-Security-Policy "default-src 'self';";

23. CSP Source expressions

24. https://csp-evaluator.withgoogle.com/

25. http://cspisawesome.com/

26. Conclusions • HSTS assures that the browser won’t open unencrypted

    HTTP requests to your domain • HPKP assures that nobody can exchange your certificate as a man-in-the-middle.

27. More headers • X-XSS-Protection:Enables Web Browser’s self XSS (Cross-site-scripting) attack

    protection mechanism • X-Frame-Options:Provides protection against Clickjacking / UI Redress attacks. • X-Content-Type-Options:Used to prevent MIME content-sniffing attacks.

28. • curl --head <domain>

29. • Helmet module

30. References • https://securityheaders.io • https://www.ssllabs.com/ssltest • https://www.chromium.org/hsts • https://hstspreload.org •

    https://www.owasp.org/index.php/HTTP_St rict_Transport_Security_Cheat_Sheet

31. PinPatrol firefox plugin

32. • https://observatory.mozilla.org/

33. • https://report-uri.io

34. Thank you! @jmortegac jmortega.github.io about.me/jmortegac