
HTTP Security Headers

Kennysan
November 20, 2013

Build But Don't Break: Lessons in Implementing HTTP Security Headers

Transcript

  1. This Talk Was Brought To You By
    Hosted by OWASP & the NYC Chapter
    The Etsy Security Team
    Wednesday, November 20, 13
  2. Security Headers? Why Security Headers?
  3-6. Security Headers
    Fundamentally, a user security issue
    Changes are browser-impacting
    Unfortunately, browsers != users
    Often requires non-trivial changes
  7. Security Headers
    Strategies for deployment
    Lessons learned from our bug bounty
  8-11. Overview
    HTTP Strict Transport Security (HSTS)
    Content Security Policy (CSP)
    X-Frame-Options (XFO)
    Miscellaneous
  12-13. HSTS -- What is it?
    A promise the browser enforces: once it has seen the header, it will only visit the site over HTTPS
    You have to have seen the site before (the very first visit is still unprotected unless the site is on the browser's preload list)
  14-15. What's the Attack?
    The classic man-in-the-middle attack on the plain-HTTP request
    Let's just turn on TLS/SSL for everything
    Make HTTPS canonical for your site
  16-17. HSTS Background
    Infrastructure changes needed for SSL
    Bundle HSTS as part of an SSL preference for users
  18-20. The Old Ways: Split Architecture
    Most pages HTTP, "secure" ones HTTPS
    Load balancers constrained rollout
  21-23. On Load Balancers
    HTTP -> HTTPS logic handled by the LB
    Difficult and slow to change
    Broke HTTPS plugins
  24-26. Refactoring
    HTTP -> HTTPS logic handled by the app
    Make it easy to add new secure pages
    Transparency for developers
  27-29. How Do I HTTPS?
    Ramp it up!
    Enable HSTS if the user's SSL preference is "on"
    Bail-out mechanism: a way to turn HSTS back off for a user (the sign-out handling under SSL Wranglin')
  30-31. The HSTS Header
    Header enabled only when the user's full-site SSL preference is "on"
    Strict-Transport-Security: max-age=631138520; includeSubDomains
  32. HSTS Part 2
    Strict-Transport-Security: max-age=631138520; includeSubDomains
    includeSubDomains: every subdomain of the host that sent the header is pinned to HTTPS as well (max-age is in seconds; 631138520 is roughly twenty years)
  33-35. HSTS Part 3
    Note the difference: HSTS set on 'www.etsy.com' covers www.etsy.com and its own subdomains (*.www.etsy.com) only. The bare domain 'etsy.com' and sibling hosts under etsy.com are not covered unless they send the header themselves over HTTPS.
  36. HSTS in Chrome
    Check out Chrome's HSTS settings: chrome://net-internals/#hsts lets you query and delete the entry for a host, which is the quickest way to check what the browser actually learned
  37-39. HSTS Rollout
    Implement HTTPS management on the app level
    Rolled out to admins -> sellers -> buyers
    Code-based "SSL wrangler" in the repo
  40-42. SSL Wranglin'
    Controller to handle the SSL transition
    Skipped for users with the full-site SSL preference on
    On sign-out, set HSTS max-age=0 (this only clears the pin for that exact host, and only if the response is served over HTTPS; browsers ignore the header on plain HTTP)
  43-44. Wins
    Fixes on-domain mixed content
    Browser transparently rewrites http:// to https:// before the request leaves (Chrome shows this in the network log as a "307 Internal Redirect"; no server-side 302 is involved)
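The rollout on the slides above, modelled end to end as an added example (this is not code from the talk or from Etsy): the app-level "SSL wrangler" that decides per request whether to redirect and whether to emit the HSTS header, and the per-host store a browser keeps, which is what makes the includeSubDomains and www-vs-apex distinction and the sign-out max-age=0 bail-out concrete. The host name, the set of "secure" paths and all class and function names are assumptions.

```python
"""HSTS rollout as the deck describes it, modelled end to end: the app-level
"SSL wrangler" on the server and the per-host HSTS store a browser keeps.
Added example for this transcript, not Etsy's code. SITE_HOST, SECURE_PATHS
and every class/function name here are assumptions, not from the talk."""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

SITE_HOST = "www.example.com"                               # assumed host
SECURE_PATHS = {"/signin", "/checkout", "/your/account"}    # assumed "secure" pages of the split architecture
HSTS_MAX_AGE = 631138520                                    # value from the deck, about twenty years


@dataclass
class User:
    full_site_ssl: bool = False     # the per-user SSL preference the deck bundles HSTS with


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)


def wrangle(scheme: str, path: str, user: User, signing_out: bool = False) -> Response:
    """App-level HTTP -> HTTPS logic, i.e. the controller that replaced the LB rules.
    Preference on: always forced to HTTPS and given the HSTS header.
    Preference off: only the whitelisted secure pages are redirected.
    Sign-out: header reissued with max-age=0 so the browser forgets the pin; per
    RFC 6797 that clears this exact host only, and only on an HTTPS response."""
    want_https = user.full_site_ssl or path in SECURE_PATHS
    if want_https and scheme != "https":
        return Response(301, {"Location": f"https://{SITE_HOST}{path}"})
    resp = Response(200)
    if scheme == "https" and user.full_site_ssl:
        value = "max-age=0" if signing_out else f"max-age={HSTS_MAX_AGE}; includeSubDomains"
        resp.headers["Strict-Transport-Security"] = value
    return resp


class HstsStore:
    """Minimal model of a browser's HSTS cache with RFC 6797 semantics."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._hosts: Dict[str, Tuple[float, bool]] = {}    # host -> (expiry, includeSubDomains)

    def process_header(self, host: str, scheme: str, value: str) -> None:
        if scheme != "https":           # browsers ignore the header on plain HTTP
            return
        max_age: Optional[int] = None
        include_sub = False
        for directive in value.split(";"):
            name, _, val = directive.strip().partition("=")
            if name.lower() == "max-age":
                max_age = int(val.strip().strip('"'))
            elif name.lower() == "includesubdomains":
                include_sub = True
        if max_age is None:             # max-age is mandatory; a malformed header is dropped
            return
        if max_age == 0:
            self._hosts.pop(host.lower(), None)     # the sign-out bail-out
        else:
            self._hosts[host.lower()] = (self._now() + max_age, include_sub)

    def must_use_https(self, host: str) -> bool:
        """True if the host itself, or a superdomain flagged includeSubDomains, is pinned."""
        host, now = host.lower(), self._now()
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._hosts.get(candidate)
            if entry is None or entry[0] <= now:
                continue
            if candidate == host or entry[1]:
                return True
        return False

    def upgrade(self, url: str) -> str:
        """What the browser does before the request leaves: rewrite the scheme."""
        scheme, sep, rest = url.partition("://")
        host = rest.split("/", 1)[0]
        if sep and scheme == "http" and self.must_use_https(host):
            return "https://" + rest
        return url


def demo() -> Dict[str, object]:
    """Walk a buyer with the preference on through browse, pin and sign-out."""
    store, buyer = HstsStore(), User(full_site_ssl=True)
    first = wrangle("http", "/", buyer)            # app redirects; the LB is no longer involved
    second = wrangle("https", "/", buyer)          # the HTTPS response carries the header
    store.process_header(SITE_HOST, "https", second.headers["Strict-Transport-Security"])
    out: Dict[str, object] = {
        "redirect_status": first.status,
        "upgraded": store.upgrade(f"http://{SITE_HOST}/listing/1"),
        "sub_covered": store.must_use_https("img." + SITE_HOST),     # *.www.example.com: pinned
        "apex_covered": store.must_use_https("example.com"),          # bare domain: not pinned
        "sibling_covered": store.must_use_https("blog.example.com"),  # sibling host: not pinned
    }
    bye = wrangle("https", "/signout", buyer, signing_out=True)
    store.process_header(SITE_HOST, "https", bye.headers["Strict-Transport-Security"])
    out["after_signout"] = store.upgrade(f"http://{SITE_HOST}/")     # pin gone, stays http
    return out
```

Running demo() shows the three outcomes the "Part 3" slide is about: img.www.example.com is pinned, example.com and blog.example.com are not, and after the sign-out response the browser stops upgrading. The store also drops a header received over plain HTTP, which is why the max-age=0 bail-out has to be served on the HTTPS sign-out response.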
  45-47. SSL Concerns
    Do your CDNs support it?
    What about 3rd party content providers?
    Can your servers/LBs handle it?
  48-50. Kill Mixed Content
    You still need to fix off-domain HTTP: HSTS only upgrades requests to hosts the browser has a pin for
    Browser mixed content warnings
  51-53. Mobile
    HSTS supported on some mobile browsers
    Notably absent from others
  54-57. HSTS: Be Ready
    Not a crutch for fixing routing problems!
    There will be outliers
    SSL/TLS errors confuse users (and with HSTS set, certificate errors cannot be clicked through)
    Have a process for managing HSTS
  58. X-Frame-Options
    Framing sucks, get rid of framing!
  59-61. X-Frame-Options
    How do you prevent this type of attack (clickjacking: your page framed invisibly on an attacker's site)?
    The old frame-busting script:
    <script> if (top != self) top.location.href = self.location.href </script>
    Not really a defense at all: the framing page can stop that navigation (for example with an iframe sandbox attribute that omits allow-top-navigation), and the header does the job without running any script
  62-65. How Do I Use XFO?
    Figure out when you're being framed
    Log the framing attempts
    Whitelist specific framing sites (search engines)
    Only allow whitelisted sites to frame
  66-68. Be Careful
    Thoroughly vet your whitelist
    Read about XFO's options: DENY, SAMEORIGIN and ALLOW-FROM. ALLOW-FROM takes a single origin, and Chrome and Safari never implemented it (they ignore the header entirely when they see it), so a whitelist needs CSP's frame-ancestors directive to be enforced there
    Test thoroughly
  69-70. Don't Forget...
    If you're taking away framing, warn your users
    Whitelisting will break everyone else
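The four XFO steps above (detect, log, vet a whitelist, enforce) as an added example; this is not Etsy's code and the talk shows none. The beacon format (page JavaScript posting {"framer": document.referrer} when top != self), the class name and the hosts are assumptions. The per-request header choice is the part people get wrong: ALLOW-FROM carries exactly one origin, so the server has to pick it from the framing request, and browsers that never implemented ALLOW-FROM need frame-ancestors instead.

```python
"""X-Frame-Options deployment in the order the deck gives: log who frames you,
vet a whitelist, then only let whitelisted origins frame.  Added example for
this transcript, not Etsy's code; the beacon JSON format, FramingPolicy and
the example hosts are assumptions."""
import json
from collections import Counter
from typing import Dict, Iterable, Optional
from urllib.parse import urlsplit


def origin_of(url: str) -> Optional[str]:
    """Reduce a URL to scheme://host[:port]; ALLOW-FROM takes exactly one such origin."""
    p = urlsplit(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        return None
    port = f":{p.port}" if p.port else ""
    return f"{p.scheme}://{p.hostname}{port}"


class FramingPolicy:
    def __init__(self, whitelist: Iterable[str]) -> None:
        self.whitelist = set(whitelist)     # vetted origins allowed to frame us
        self.seen: Counter = Counter()      # framer origin -> attempts seen in beacons

    def record_attempt(self, beacon_json: str) -> None:
        """Ingest a beacon the page's JS sends when top != self.  Assumed format:
        {"framer": document.referrer}.  This is the logging step that runs
        before any header is enforced."""
        framer = json.loads(beacon_json).get("framer", "")
        self.seen[origin_of(framer) or "<unknown>"] += 1

    def unlisted_framers(self) -> Dict[str, int]:
        """Review step: who frames us that we have not vetted?  These are the
        sites a whitelist will break, so warn them (or add them) first."""
        return {o: n for o, n in self.seen.items() if o not in self.whitelist}

    def headers_for(self, referer: Optional[str]) -> Dict[str, str]:
        """Headers for one response.  ALLOW-FROM carries a single origin, so it is
        chosen per request: for a framed request the Referer is the framing page.
        Chrome and Safari never implemented ALLOW-FROM and drop the whole header
        when they see it, so CSP frame-ancestors is sent alongside for them."""
        origin = origin_of(referer) if referer else None
        if origin in self.whitelist:
            return {"X-Frame-Options": f"ALLOW-FROM {origin}",
                    "Content-Security-Policy": f"frame-ancestors {origin}"}
        # Default: same-origin framing only.  A whitelisted framer whose Referer
        # was stripped lands here too, which is one reason to test thoroughly.
        return {"X-Frame-Options": "SAMEORIGIN",
                "Content-Security-Policy": "frame-ancestors 'self'"}
```

For a normal top-level navigation the Referer is also set, so a whitelisted origin may receive ALLOW-FROM on pages it is not framing; that is harmless, since the header only restricts framing. The unlisted_framers() output is the list to vet (and to warn) before switching from logging to enforcement.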
  71-73. Let's Talk CSP
    Policies can grow fairly large
    Doesn't like inline javascript by default
    Where do I start?
  74-76. CSP 1.0
    Most websites have inline JS
    Removing/refactoring some of it just isn't possible
    FF & Chrome use the unprefixed 'Content-Security-Policy' header (older builds used the prefixed 'X-Content-Security-Policy' and 'X-WebKit-CSP')
  77-79. CSP 1.1
    Will have browser javascript API support (a draft feature that was dropped before the spec was finalized)
    Support for inline CSP in a <meta> tag
    CSP 1.1 will allow for script-nonce and script-hash (in the final spec these became the 'nonce-...' and 'sha256-...' source expressions inside script-src)
  80-83. CSP Lessons
    CSP introduced the idea of a reporting mechanism (report-uri, plus a Report-Only header variant that reports without blocking)
    Identify pages with inline scripts => smaller policy size
    Log, aggregate reports to find mixed content
    Some interesting results
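The aggregation step these slides describe, as an added example (not Etsy's tooling): a report-uri collector that rolls CSP 1.0 violation reports up into the three things you review, which pages still carry inline scripts, which URLs are mixed content, and which third-party hosts are loading. The report bodies are constructed samples in the csp-report JSON shape; the function names are assumptions. The inline-script markers differ by browser generation, which is the first surprise in real data.

```python
"""Aggregating CSP violation reports to find inline scripts and mixed content,
as the 'CSP Lessons' slides describe.  Added example for this transcript, not
Etsy's tooling; the sample bodies are constructed and the function names are
assumptions.  Fields follow the CSP 1.0 'csp-report' JSON a report-uri receives."""
import json
from collections import Counter
from typing import Dict, List
from urllib.parse import urlsplit

# Inline violations show up with different blocked-uri values depending on the
# browser: "" (older Chrome), "self" (older Firefox), "inline" (current browsers).
INLINE_MARKERS = {"", "inline", "self"}


def _body(doc: str, directive: str, blocked: str) -> str:
    return json.dumps({"csp-report": {"document-uri": doc,
                                      "violated-directive": directive,
                                      "blocked-uri": blocked}})


SAMPLE_BODIES: List[str] = [   # constructed, not real traffic
    _body("https://www.example.com/listing/1", "script-src 'self'", ""),
    _body("https://www.example.com/listing/1", "script-src 'self'", "inline"),
    _body("https://www.example.com/about", "script-src 'self'", "self"),
    _body("https://www.example.com/shop/x", "img-src https:", "http://cdn.example.net/badge.png"),
    _body("https://www.example.com/shop/x", "script-src 'self'", "https://stats.thirdparty.example/t.js"),
    "not json at all",          # garbage POSTs happen; the collector must not crash
]


def classify(report: dict) -> str:
    """One of: inline, mixed-content, third-party."""
    blocked = report.get("blocked-uri", "")
    if blocked in INLINE_MARKERS:
        return "inline"
    doc, blk = urlsplit(report["document-uri"]), urlsplit(blocked)
    if doc.scheme == "https" and blk.scheme == "http":
        return "mixed-content"          # an http:// resource blocked on an https:// page
    return "third-party"


def aggregate(bodies: List[str]) -> Dict[str, object]:
    """Roll reports up the way you review them: pages that still have inline
    scripts (policy size), mixed-content URLs to fix, and 3rd-party hosts to
    decide on.  Malformed bodies are counted, not raised."""
    inline_pages: Counter = Counter()
    mixed: Counter = Counter()
    third_party: Counter = Counter()
    malformed = 0
    for body in bodies:
        try:
            r = json.loads(body)["csp-report"]
            kind = classify(r)
        except (ValueError, KeyError, TypeError):
            malformed += 1
            continue
        if kind == "inline":
            inline_pages[urlsplit(r["document-uri"]).path] += 1
        elif kind == "mixed-content":
            mixed[r["blocked-uri"]] += 1
        else:
            third_party[urlsplit(r["blocked-uri"]).netloc] += 1
    return {"inline_pages": inline_pages, "mixed_content": mixed,
            "third_party_hosts": third_party, "malformed": malformed}
```

Run against SAMPLE_BODIES this yields /listing/1 (2) and /about (1) as the inline-script pages, one mixed-content image, one third-party script host and one malformed body; the inline_pages counter is the worklist that shrinks the policy as each page is converted.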
  84-87. How Do I Deploy CSP?
    Organize and assess your existing javascript
    Have specific template logic for handling javascript
    Give devs an 'opt-out' mechanism for inline js
    Deploy to specific parts/subdomains of your site
  88. CSP Compliance
    Actively monitor the # of inline scripts you have left
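The template logic, the developer opt-out and the compliance count from the slides above, as one added example (not Etsy's template code; names, the report endpoint and the host are assumptions). Every script on a page goes through one registry: external scripts feed the script-src host list, inline scripts are refused unless the developer opts out with a reason, and the registry both emits the policy and reports how many opt-outs the page still has. The nonces_supported switch shows the CSP 1.0 reality (an opt-out forces 'unsafe-inline' for that page) next to the CSP 1.1 form with a per-response nonce.

```python
"""Template-side script handling for a CSP rollout: every script goes through
one registry, inline JS needs an explicit opt-out, and the registry emits the
policy and counts what is left to fix.  Added example for this transcript, not
Etsy's template code; class, method and endpoint names are assumptions."""
import base64
import os
from typing import List, Tuple
from urllib.parse import urlsplit


class InlineScriptNotAllowed(Exception):
    """Raised when a template emits inline JS without the opt-out."""


class ScriptRegistry:
    def __init__(self, page: str, nonces_supported: bool = False,
                 report_only: bool = True, report_uri: str = "/csp-report") -> None:
        self.page = page
        self.nonces_supported = nonces_supported    # CSP 1.0: no; CSP 1.1 and later: yes
        self.report_only = report_only              # start in Report-Only on each new part of the site
        self.report_uri = report_uri
        self.nonce = base64.b64encode(os.urandom(16)).decode()   # fresh per response
        self.hosts: set = set()
        self.tags: List[str] = []
        self.inline_optouts: List[str] = []         # reasons devs gave; the compliance metric

    def external(self, src: str) -> None:
        """Preferred path: a script file.  Off-site hosts are collected for script-src."""
        host = urlsplit(src).netloc
        if host:
            self.hosts.add(host)
        self.tags.append(f'<script src="{src}"></script>')

    def inline(self, code: str, opt_out_reason: str = "") -> None:
        """Inline JS is refused unless the developer opts out with a reason, so
        every remaining inline script is a deliberate, countable decision."""
        if not opt_out_reason:
            raise InlineScriptNotAllowed(f"{self.page}: inline script without opt-out")
        self.inline_optouts.append(opt_out_reason)
        if self.nonces_supported:
            self.tags.append(f'<script nonce="{self.nonce}">{code}</script>')
        else:
            self.tags.append(f"<script>{code}</script>")

    def policy(self) -> str:
        sources = ["'self'"] + sorted(self.hosts)
        if self.inline_optouts:
            # CSP 1.0 has no nonce: any remaining inline script forces 'unsafe-inline',
            # which gives up injection protection for this page.  With nonces the
            # opt-out stays scoped to the tags that carry this response's nonce.
            sources.append(f"'nonce-{self.nonce}'" if self.nonces_supported else "'unsafe-inline'")
        return f"script-src {' '.join(sources)}; report-uri {self.report_uri}"

    def header(self) -> Tuple[str, str]:
        name = "Content-Security-Policy-Report-Only" if self.report_only else "Content-Security-Policy"
        return name, self.policy()

    def inline_count(self) -> int:
        """What the compliance dashboard tracks per page: opt-outs left."""
        return len(self.inline_optouts)


def inline_is_rejected(reg: ScriptRegistry, code: str) -> bool:
    """True when the registry refuses un-opted inline JS (the guard devs hit)."""
    try:
        reg.inline(code)
    except InlineScriptNotAllowed:
        return True
    return False
```

A page whose registry reports inline_count() == 0 can leave Report-Only and drop 'unsafe-inline'; the count across pages is the number the CSP Compliance slide says to watch.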
  89-90. Some CSP Tools
    Some tools for CSP generation
    http://cspisawesome.com/
  91-93. CSP Tools
    Browser proxy, automated browser, and CSP parser
    Lets you create/test a CSP for your prod environment
    https://github.com/Kennysan/CSPTools
  94-95. X-XSS-Protection
    Originally IE's XSS blocking mechanism (the XSS Filter; Chrome's equivalent was the XSS Auditor)
    Looks for request parameter values reflected into the response as script
    Side effect: a crafted request can make the filter neuter your own legitimate scripts, because anything that also appears in a parameter looks "reflected"
  96-97. X-XSS-Protection
    X-XSS-Protection: 1; mode=block
    Reflected XSS protection, but now... Chrome lets you specify a report url
    Clientside protection; serverside reporting
  98-100. XSS Logging
    X-XSS-Protection: 1; mode=block; report-uri=/log.php
    Allows Chrome reflected XSS logging, ala CSP-style (note: Chromium's parser spells the directive report=<uri>, and an unrecognized directive makes it drop the whole header, so verify the syntax against the browser you target before trusting the logs)
    Other browsers: Implement server-side XSS-Auditor
    Look for this functionality in CSP 1.1
    Caveat from today: the browser filters are gone. Chrome removed the XSS Auditor in version 78 (2019) because of its false positives and the information leaks it enabled; the current recommendation is X-XSS-Protection: 0, with CSP as the defense that remains
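The "server-side XSS-Auditor" idea from the slide, as an added example (not Etsy's code; names and the sample page are assumptions): check whether any request parameter value containing script-capable markup is echoed verbatim into the response, and log it the way the report-uri would. It is deliberately a heuristic, and the third case in demo() reproduces the side effect the earlier slide warns about: a parameter that merely repeats a script the page always had is reported as a reflection. That is why this belongs in logging, not blocking, and why the real fix is output escaping.

```python
"""A server-side take on the browser XSS auditor, as the 'Other browsers' slide
suggests: flag request parameters echoed into the response in a script-capable
form.  Added example for this transcript, not Etsy's code; the regex, the
sample renderers and the function names are assumptions."""
import html
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Fragments that turn a reflected string into script execution (heuristic, like
# the browser filters; expect false positives and keep it in logging mode).
DANGEROUS = re.compile(r"<\s*script|javascript:|\bon[a-z]+\s*=|<\s*iframe|<\s*svg", re.IGNORECASE)


def audit_reflection(url: str, body: str, min_len: int = 8) -> List[Dict[str, str]]:
    """One finding per query parameter whose decoded value contains script-capable
    markup and appears verbatim (i.e. unescaped) in the response body.  Short
    values are skipped to cut noise, as the client-side auditors did."""
    findings: List[Dict[str, str]] = []
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for name, values in params.items():
        for value in values:
            if len(value) < min_len or not DANGEROUS.search(value):
                continue
            if value in body:
                findings.append({"param": name, "value": value, "url": url})
    return findings


def render_search_unsafe(q: str) -> str:
    """The bug: the query goes into the page unescaped."""
    return f"<h1>Results for {q}</h1>"


def render_search_safe(q: str) -> str:
    """The fix the auditor is not a substitute for: escape on output."""
    return f"<h1>Results for {html.escape(q, quote=True)}</h1>"


def demo() -> Dict[str, int]:
    """Three constructed requests: a real reflection, the same request against the
    escaped page, and the false positive where the 'reflected' script was always
    part of the page (the side effect the deck mentions)."""
    payload = "<script>alert(1)</script>"
    attack = "https://www.example.com/search?q=%3Cscript%3Ealert(1)%3C/script%3E"
    legit_page = "<html><script>initPage()</script><h1>Home</h1></html>"
    echo_of_legit = "https://www.example.com/?x=%3Cscript%3EinitPage()%3C/script%3E"
    return {
        "unsafe_findings": len(audit_reflection(attack, render_search_unsafe(payload))),
        "safe_findings": len(audit_reflection(attack, render_search_safe(payload))),
        "false_positive": len(audit_reflection(echo_of_legit, legit_page)),
    }
```

demo() returns one finding for the unescaped page, none once the output is escaped, and one for the page whose own script was repeated in a parameter; the last number is the reason to log and investigate rather than to block or rewrite the response on a match.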
  101-104. X-Content-Type-Options
    X-Content-Type-Options: nosniff
    Older versions of IE will guess the response content-type by sniffing the body
    Ignores the Content-Type you specified!
    Example: a query parameter lets an attacker make the URL end in .html
    IE will consider the content to be text/html and render attacker-supplied markup in your origin
    nosniff tells the browser to trust the declared Content-Type (modern browsers also use it to refuse scripts and stylesheets served with the wrong type)
  105-109. Final Thoughts
    Treat header deployment like any other code
    Be agile with header development
    Can't deploy everywhere? Have a plan--deploy in part
    Starting with security is easier than baking it in later
    Log early and often--you learn a lot