Upgrade to Pro — share decks privately, control downloads, hide ads and more …

HTTP Security Headers

Kennysan
November 20, 2013
Technology
0
160

HTTP Security Headers

Build But Don't Break: Lessons in Implementing HTTP Security Headers

Kennysan

November 20, 2013
Tweet

More Decks by Kennysan

See All by Kennysan
Building Effective Security Alerting
kennysan
5
8k
Using Content Security Policy to Stop XSS
kennysan
3
270

Other Decks in Technology

See All in Technology
【Pycon mini 東海 2024】Google Colaboratoryで試すVLM
kazuhitotakahashi
2
500
IBC 2024 動画技術関連レポート / IBC 2024 Report
cyberagentdevelopers
PRO
0
110
Introduction to Works of ML Engineer in LY Corporation
lycorp_recruit_jp
0
110
Application Development WG Intro at AppDeveloperCon
salaboy
0
190
スクラム成熟度セルフチェックツールを作って得た学びとその活用法
coincheck_recruit
1
140
インフラとバックエンドとフロントエンドをくまなく調べて遅いアプリを早くした件
tubone24
1
430
Python(PYNQ)がテーマのAMD主催のFPGAコンテストに参加してきた
iotengineer22
0
470
TypeScriptの次なる大進化なるか!? 条件型を返り値とする関数の型推論
uhyo
2
1.6k
AWS Lambdaと歩んだ“サーバーレス”と今後 #lambda_10years
yoshidashingo
1
170
AWS Media Services 最新サービスアップデート 2024
eijikominami
0
200
開発生産性を上げながらビジネスも30倍成長させてきたチームの姿
kamina_zzz
2
1.7k
スクラムチームを立ち上げる〜チーム開発で得られたもの・得られなかったもの〜
ohnoeight
2
350

Featured

See All Featured
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
0
89
Agile that works and the tools we love
rasmusluckow
327
21k
VelocityConf: Rendering Performance Case Studies
addyosmani
325
24k
Rails Girls Zürich Keynote
gr2m
94
13k
GraphQLとの向き合い方2022年版
quramy
43
13k
Fontdeck: Realign not Redesign
paulrobertlloyd
82
5.2k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
665
120k
Building Better People: How to give real-time feedback that sticks.
wjessup
364
19k
jQuery: Nuts, Bolts and Bling
dougneiner
61
7.5k
GitHub's CSS Performance
jonrohan
1030
460k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
159
15k
Art, The Web, and Tiny UX
lynnandtonic
297
20k

Transcript

  1. HTTP Security Headers Ken Lee [email protected] Wednesday, November 20, 13

  2. This Talk Was Brought To You By Hosted by OWASP

    & the NYC Chapter The Etsy Security Team Wednesday, November 20, 13

  3. What’s an Etsy? Hosted by OWASP & the NYC Chapter

    Wednesday, November 20, 13

  4. Hosted by OWASP & the NYC Chapter Wednesday, November 20,

    13

  5. Security Headers? Why Security Headers? Hosted by OWASP & the

    NYC Chapter Wednesday, November 20, 13

  6. Security Headers Fundamentally, a user security issue Hosted by OWASP

    & the NYC Chapter Wednesday, November 20, 13

  7. Security Headers Fundamentally, a user security issue Changes are browser-impacting

    Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  8. Security Headers Fundamentally, a user security issue Changes are browser-impacting

    Unfortunately, browsers != users Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  9. Security Headers Fundamentally, a user security issue Changes are browser-impacting

    Unfortunately, browsers != users Often requires non-trivial changes Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  10. Security Headers Strategies for deployment Hosted by OWASP & the

    NYC Chapter Wednesday, November 20, 13

  11. Security Headers Strategies for deployment Lessons learned from our bug

    bounty Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  12. Overview HTTP Strict Transport Security (HSTS) Hosted by OWASP &

    the NYC Chapter Wednesday, November 20, 13

  13. Overview HTTP Strict Transport Security (HSTS) Content Security Policy (CSP)

    Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  14. Overview HTTP Strict Transport Security (HSTS) Content Security Policy (CSP)

    X-Frame-Options (XFO) Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  15. Overview HTTP Strict Transport Security (HSTS) Content Security Policy (CSP)

    X-Frame-Options (XFO) Miscellaneous Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  16. HSTS --What is it? A guarantee to visit the url

    using HTTPS Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  17. HSTS --What is it? A guarantee to visit the url

    using HTTPS You have to have seen the site before Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  18. What’s the Attack? The Classic Man-in-the-Middle Attack Hosted by OWASP

    & the NYC Chapter Wednesday, November 20, 13

  19. What’s the Attack? The Classic Man-in-the-Middle Attack Let’s just turn

    on TLS/SSL for everything Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  20. What’s the Attack? The Classic Man-in-the-Middle Attack Let’s just turn

    on TLS/SSL for everything Make HTTPS canonical for your site Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  21. HTTP/HTTPS Traffic Hosted by OWASP & the NYC Chapter Wednesday,

    November 20, 13

  22. HTTP/HTTPS Traffic Hosted by OWASP & the NYC Chapter Wednesday,

    November 20, 13

  23. HSTS Background Infrastructure changes needed for SSL Hosted by OWASP

    & the NYC Chapter Wednesday, November 20, 13

  24. HSTS Background Infrastructure changes needed for SSL Bundle HSTS as

    part of an SSL preference for users Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  25. The Old Ways Split Architecture Hosted by OWASP & the

    NYC Chapter Wednesday, November 20, 13

  26. The Old Ways Split Architecture Most pages HTTP, “secure” ones

    HTTPS Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  27. The Old Ways Split Architecture Most pages HTTP, “secure” ones

    HTTPS Load balancers constrained rollout Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  28. On Load Balancers HTTP-> HTTPS logic handled by the LB

    Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  29. On Load Balancers HTTP-> HTTPS logic handled by the LB

    Difficult and slow to change Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  30. On Load Balancers HTTP-> HTTPS logic handled by the LB

    Difficult and slow to change Broke HTTPS plugins Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  31. Refactoring HTTP-> HTTPS logic handled by the app Hosted by

    OWASP & the NYC Chapter Wednesday, November 20, 13

  32. Refactoring HTTP-> HTTPS logic handled by the app Make it

    easy to add new secure pages Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  33. Refactoring HTTP-> HTTPS logic handled by the app Make it

    easy to add new secure pages Transparency for developers Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  34. How Do I HTTPS Ramp it up! Hosted by OWASP

    & the NYC Chapter Wednesday, November 20, 13

  35. How Do I HTTPS Ramp it up! Enabled HSTS if

    SSL preference “on” Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  36. How Do I HTTPS Ramp it up! Enabled HSTS if

    SSL preference “on” Bail-out Mechanism: Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  37. The HSTS Header Enabled header when full-site SSL “on” Hosted

    by OWASP & the NYC Chapter Wednesday, November 20, 13

  38. The HSTS Header Enabled header when full-site SSL “on” Strict-Transport-Security:

    max-age=631138520; includeSubDomains Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  39. HSTS Part 2 Strict-Transport-Security: max-age=631138520; includeSubDomains All subdomains get HSTS

    that match the host Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  40. HSTS Part 3 Note the difference: HSTS on ‘www.etsy.com’ Hosted

    by OWASP & the NYC Chapter Wednesday, November 20, 13

  41. HSTS Part 3 Note the difference: HSTS on ‘www.etsy.com’ Hosted

    by OWASP & the NYC Chapter Wednesday, November 20, 13

  42. HSTS Part 3 Note the difference: HSTS on ‘www.etsy.com’ Hosted

    by OWASP & the NYC Chapter Wednesday, November 20, 13

  43. HSTS Part 2 Check out Chrome’s HSTS settings chrome://net-internals/#hsts Hosted

    by OWASP & the NYC Chapter Wednesday, November 20, 13

  44. HSTS Rollout Implement HTTPS management on app level Hosted by

    OWASP & the NYC Chapter Wednesday, November 20, 13

  45. HSTS Rollout Implement HTTPS management on app level Rolled out

    to admins -> sellers -> buyers Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  46. HSTS Rollout Implement HTTPS management on app level Rolled out

    to admins -> sellers -> buyers Code-based “SSL wrangler” in repo Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  47. SSL Wranglin’ Controller to handle SSL transition Hosted by OWASP

    & the NYC Chapter Wednesday, November 20, 13

  48. SSL Wranglin’ Controller to handle SSL transition Skipped for users

    with full-site SSL pref on Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  49. SSL Wranglin’ Controller to handle SSL transition Skipped for users

    with full-site SSL pref on On sign-out, set HSTS max-age=0 Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  50. Wins Fixes on-domain mixed content Hosted by OWASP & the

    NYC Chapter Wednesday, November 20, 13

  51. Wins Fixes on-domain mixed content Browser transparently 302 redirects Hosted

    by OWASP & the NYC Chapter Wednesday, November 20, 13

  52. SSL Concerns Do your CDNs support it? Hosted by OWASP

    & the NYC Chapter Wednesday, November 20, 13

  53. SSL Concerns Do your CDNs support it? What about 3rd

    party content providers? Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  54. SSL Concerns Do your CDNs support it? What about 3rd

    party content providers? Can your servers/LBs handle it? Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  55. Kill Mixed Content You still need to fix off-domain HTTP

    Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  56. Kill Mixed Content You still need to fix off-domain HTTP

    Browser mixed content warnings Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  57. Kill Mixed Content You still need to fix off-domain HTTP

    Browser mixed content warnings Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  58. Mobile HSTS supported on mobile browsers Hosted by OWASP &

    the NYC Chapter Wednesday, November 20, 13

  59. Mobile HSTS supported on mobile browsers Notably absent from others

    Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  60. Mobile HSTS supported on mobile browsers Notably absent from others

    Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  61. HSTS: Be Ready Not a crutch for fixing routing problems!

    Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  62. HSTS: Be Ready Not a crutch for fixing routing problems!

    There will be outliers Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  63. HSTS: Be Ready Not a crutch for fixing routing problems!

    There will be outliers SSL/TLS errors confuse users Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  64. HSTS: Be Ready Not a crutch for fixing routing problems!

    There will be outliers SSL/TLS errors confuse users Have a process for managing HSTS Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  65. X-Frame-Options Problem: Clickjacking Hosted by OWASP & the NYC Chapter

    Wednesday, November 20, 13

  66. X-Frame-Options Framing sucks, get rid of framing! Hosted by OWASP

    & the NYC Chapter Wednesday, November 20, 13

  67. X-Frame-Options How do you prevent this type of attack? Hosted

    by OWASP & the NYC Chapter Wednesday, November 20, 13

  68. X-Frame-Options How do you prevent this type of attack? <script>

    if (top!=self) top.location.href=self.location.href </script> Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  69. X-Frame-Options How do you prevent this type of attack? <script>

    if (top!=self) top.location.href=self.location.href </script> Not really a defense at all Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  70. How Do I Use XFO? Figure out when you’re being

    framed Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  71. How Do I Use XFO? Figure out when you’re being

    framed Log the framing attempts Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  72. How Do I Use XFO? Figure out when you’re being

    framed Log the framing attempts Whitelist specific framing sites (search engines) Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  73. How Do I Use XFO? Figure out when you’re being

    framed Log the framing attempts Whitelist specific framing sites (search engines) Only allow whitelisted sites to frame Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  74. Be Careful Thoroughly vet your whitelist Hosted by OWASP &

    the NYC Chapter Wednesday, November 20, 13

  75. Be Careful Thoroughly vet your whitelist Read about XFO’s options

    Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  76. Be Careful Thoroughly vet your whitelist Read about XFO’s options

    Test thoroughly Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  77. Non-Whitelisted sites Hosted by OWASP & the NYC Chapter Wednesday,

    November 20, 13

  78. Non-Whitelisted sites Hosted by OWASP & the NYC Chapter Wednesday,

    November 20, 13

  79. Don’t Forget... If you’re taking away framing, warn your users

    Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  80. Don’t Forget... If you’re taking away framing, warn your users

    Whitelisting will break everyone else Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  81. Let’s Talk CSP Policies can grow fairly large Hosted by

    OWASP & the NYC Chapter Wednesday, November 20, 13

  82. Let’s Talk CSP Policies can grow fairly large Doesn’t like

    inline javascript by default Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  83. Let’s Talk CSP Policies can grow fairly large Doesn’t like

    inline javascript by default Where do I start? Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  84. CSP 1.0 Most websites have inline JS Hosted by OWASP

    & the NYC Chapter Wednesday, November 20, 13

  85. CSP 1.0 Most websites have inline JS Removing/refactoring some of

    it just isn’t possible Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  86. CSP 1.0 Most websites have inline JS Removing/refactoring some of

    it just isn’t possible FF & Chrome use unprefixed ‘Content-Security-Policy’ Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  87. CSP 1.1 Will have browser javascript API support Hosted by

    OWASP & the NYC Chapter Wednesday, November 20, 13

  88. CSP 1.1 Will have browser javascript API support Support for

    inline CSP in a <meta> tag Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  89. CSP 1.1 CSP 1.1 will allow for script-nonce and script-hash

    Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  90. CSP Lessons CSP introduced the idea of a reporting mechanism

    Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  91. CSP Lessons CSP introduced the idea of a reporting mechanism

    Identify pages with inline scripts => smaller policy size Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  92. CSP Lessons CSP introduced the idea of a reporting mechanism

    Identify pages with inline scripts => smaller policy size Log, aggregate reports to find mixed content Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  93. CSP Lessons CSP introduced the idea of a reporting mechanism

    Identify pages with inline scripts => smaller policy size Log, aggregate reports to find mixed content Some interesting results Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  94. Hosted by OWASP & the NYC Chapter Wednesday, November 20,

    13

  95. How Do I Deploy CSP? Organize and assess your existing

    javascript Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  96. How Do I Deploy CSP? Organize and assess your existing

    javascript Have specific template logic for handling javascript Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  97. How Do I Deploy CSP? Organize and assess your existing

    javascript Have specific template logic for handling javascript Give devs an ‘opt-out’ mechanism for inline js Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  98. How Do I Deploy CSP? Organize and assess your existing

    javascript Have specific template logic for handling javascript Give devs an ‘opt-out’ mechanism for inline js Deploy to specific parts/subdomains of your site Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  99. CSP Compliance Actively monitor the # of inline scripts you

    have left Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  100. Some CSP Tools Some tools for CSP Generation Hosted by

    OWASP & the NYC Chapter Wednesday, November 20, 13

  101. Some CSP Tools Some tools for CSP Generation http://cspisawesome.com/ Hosted

    by OWASP & the NYC Chapter Wednesday, November 20, 13

  102. Some CSP Tools Some tools for CSP Generation http://cspisawesome.com/ https://github.com/Kennysan/CSPTools

    Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  103. CSP Tools Browser proxy, automated browser, and csp parser Hosted

    by OWASP & the NYC Chapter Wednesday, November 20, 13

  104. CSP Tools Browser proxy, automated browser, and csp parser Lets

    you create/test a CSP for your prod environment Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  105. CSP Tools Browser proxy, automated browser, and csp parser Lets

    you create/test a CSP for your prod environment https://github.com/Kennysan/CSPTools Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  106. X-XSS-Protection Originally IE XSS blocking mechanism Hosted by OWASP &

    the NYC Chapter Wednesday, November 20, 13

  107. X-XSS-Protection Originally IE XSS blocking mechanism Looks for parameter arguments

    in response Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  108. X-XSS-Protection Originally IE XSS blocking mechanism Looks for parameter arguments

    in response Side effect: Clients can break your javascript Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  109. X-XSS-Protection X-XSS-Protection: 1; mode=block Hosted by OWASP & the NYC

    Chapter Wednesday, November 20, 13

  110. X-XSS-Protection X-XSS-Protection: 1; mode=block Reflected XSS protection, but now... Hosted

    by OWASP & the NYC Chapter Wednesday, November 20, 13

  111. X-XSS-Protection X-XSS-Protection: 1; mode=block Reflected XSS protection, but now... Chrome

    lets you specify a report url Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  112. X-XSS-Protection X-XSS-Protection: 1; mode=block Reflected XSS protection, but now... Chrome

    lets you specify a report url Clientside protection; serverside reporting Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  113. XSS Logging X-XSS-Protection: 1; mode=block; report-uri=/log.php Hosted by OWASP &

    the NYC Chapter Wednesday, November 20, 13

  114. XSS Logging X-XSS-Protection: 1; mode=block; report-uri=/log.php Allows Chrome reflected XSS

    logging, ala CSP-style Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  115. XSS Logging X-XSS-Protection: 1; mode=block; report-uri=/log.php Allows Chrome reflected XSS

    logging, ala CSP-style Other browsers: Implement server-side XSS-Auditor Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  116. XSS Logging X-XSS-Protection: 1; mode=block; report-uri=/log.php Allows Chrome reflected XSS

    logging, ala CSP-style Other browsers: Implement server-side XSS-Auditor Look for this functionality in CSP 1.1 Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  117. X-Content-Type-Options X-Content-Type-Options: nosniff Hosted by OWASP & the NYC Chapter

    Wednesday, November 20, 13

  118. X-Content-Type-Options X-Content-Type-Options: nosniff Older versions of IE will guess response

    content-type Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  119. X-Content-Type-Options X-Content-Type-Options: nosniff Older versions of IE will guess response

    content-type Ignores Content-Type specified! Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  120. X-Content-Type-Options X-Content-Type-Options: nosniff Older versions of IE will guess response

    content-type Ignores Content-Type specified! Example: query parameter lets you specify .html Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  121. X-Content-Type-Options X-Content-Type-Options: nosniff Older versions of IE will guess response

    content-type Ignores Content-Type specified! Example: query parameter lets you specify .html IE will consider the content to be text/html! Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  122. Final Thoughts Treat header deployment like any other code Hosted

    by OWASP & the NYC Chapter Wednesday, November 20, 13

  123. Final Thoughts Treat header deployment like any other code Be

    agile with header development Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  124. Final Thoughts Treat header deployment like any other code Be

    agile with header development Can’t deploy everywhere? Have a plan--deploy in part Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  125. Final Thoughts Treat header deployment like any other code Be

    agile with header development Can’t deploy everywhere? Have a plan--deploy in part Starting with security is easier than baking it in later Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  126. Final Thoughts Treat header deployment like any other code Be

    agile with header development Can’t deploy everywhere? Have a plan--deploy in part Starting with security is easier than baking it in later Log early and often--you learn a lot Hosted by OWASP & the NYC Chapter Wednesday, November 20, 13

  127. Thanks for Listening! @kennysan [email protected] github.com/kennysan Hosted by OWASP &

    the NYC Chapter Wednesday, November 20, 13