HTTP Security Headers

Kennysan
November 20, 2013

Build But Don't Break: Lessons in Implementing HTTP Security Headers

Transcript

  1. HTTP Security Headers
     Ken Lee, klee@etsy.com
     Wednesday, November 20, 13

  2. This Talk Was Brought To You By
     Hosted by OWASP & the NYC Chapter
     The Etsy Security Team

  3. What’s an Etsy?

  4. (image only, no slide text)

  5. Security Headers? Why Security Headers?

  6-9. Security Headers
     Fundamentally, a user security issue
     Changes are browser-impacting
     Unfortunately, browsers != users
     Often requires non-trivial changes

  10-11. Security Headers
     Strategies for deployment
     Lessons learned from our bug bounty

  12-15. Overview
     HTTP Strict Transport Security (HSTS)
     Content Security Policy (CSP)
     X-Frame-Options (XFO)
     Miscellaneous
  16-17. HSTS -- What is it?
     A guarantee to visit the URL using HTTPS
     You have to have seen the site before

  18-20. What’s the Attack?
     The Classic Man-in-the-Middle Attack
     Let’s just turn on TLS/SSL for everything
     Make HTTPS canonical for your site

  21-22. HTTP/HTTPS Traffic (charts, no slide text)

  23-24. HSTS Background
     Infrastructure changes needed for SSL
     Bundle HSTS as part of an SSL preference for users

  25-27. The Old Ways
     Split Architecture
     Most pages HTTP, “secure” ones HTTPS
     Load balancers constrained rollout

  28-30. On Load Balancers
     HTTP -> HTTPS logic handled by the LB
     Difficult and slow to change
     Broke HTTPS plugins

  31-33. Refactoring
     HTTP -> HTTPS logic handled by the app
     Make it easy to add new secure pages
     Transparency for developers

  34-36. How Do I HTTPS
     Ramp it up!
     Enabled HSTS if SSL preference “on”
     Bail-out Mechanism:

  37-38. The HSTS Header
     Enabled header when full-site SSL “on”
     Strict-Transport-Security: max-age=631138520; includeSubDomains

  39. HSTS Part 2
     Strict-Transport-Security: max-age=631138520; includeSubDomains
     All subdomains get HSTS that match the host

  40-42. HSTS Part 3
     Note the difference: HSTS on ‘www.etsy.com’ (screenshots)

  43. HSTS Part 2
     Check out Chrome’s HSTS settings: chrome://net-internals/#hsts

  44-46. HSTS Rollout
     Implement HTTPS management on app level
     Rolled out to admins -> sellers -> buyers
     Code-based “SSL wrangler” in repo

  47-49. SSL Wranglin’
     Controller to handle SSL transition
     Skipped for users with full-site SSL pref on
     On sign-out, set HSTS max-age=0
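The header on slides 38-49 is easiest to reason about from the browser's side: what a browser stores after seeing it, which hosts it then upgrades, why a policy set on ‘www.etsy.com’ does not cover ‘etsy.com’ (slides 40-42), and what max-age=0 at sign-out actually clears. The following model of that cache is an added example, not Etsy's code and not from the talk; host names follow the slides' www.etsy.com example, and the clock is injectable (an assumption for testing) so expiry can be exercised without waiting.

```python
"""A model of a browser's HSTS cache, added here as an illustration of what the
Strict-Transport-Security header makes a browser do. Not Etsy's code; host
names follow the slides' www.etsy.com example and the clock is injectable."""
import time
from dataclasses import dataclass


@dataclass
class HstsEntry:
    expires: float            # absolute time after which the entry is ignored
    include_subdomains: bool  # set when the header carried includeSubDomains


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None when there is no usable max-age; a browser treats that as
    "no policy", not as an error."""
    max_age = None
    include_sub = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None or max_age < 0:
        return None
    return max_age, include_sub


class HstsStore:
    """The per-host cache a browser keeps after seeing the header over HTTPS."""

    def __init__(self, now=time.time):
        self._now = now
        self._entries = {}

    def observe(self, host, header):
        """Record the header as a browser would for an HTTPS response from host.

        max-age=0 removes any existing entry for that exact host (the sign-out
        trick on slide 49); it does not touch entries for parent domains."""
        parsed = parse_hsts(header)
        if parsed is None:
            return
        max_age, include_sub = parsed
        host = host.lower().rstrip(".")
        if max_age == 0:
            self._entries.pop(host, None)
            return
        self._entries[host] = HstsEntry(self._now() + max_age, include_sub)

    def is_hsts_host(self, host):
        """True if host itself, or a parent domain whose entry has
        includeSubDomains, holds an unexpired entry (slides 39-42)."""
        host = host.lower().rstrip(".")
        labels = host.split(".")
        now = self._now()
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None or entry.expires <= now:
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False

    def upgrade(self, url):
        """Return the URL the browser actually fetches: http:// becomes https://
        for HSTS hosts (explicit ports are left alone for brevity)."""
        if url.lower().startswith("http://"):
            host = url[7:].split("/", 1)[0].split(":", 1)[0]
            if self.is_hsts_host(host):
                return "https://" + url[7:]
        return url


if __name__ == "__main__":
    store = HstsStore()
    store.observe("www.etsy.com", "max-age=631138520; includeSubDomains")
    print(store.upgrade("http://www.etsy.com/"), store.is_hsts_host("etsy.com"))
```

Two things the model makes concrete: includeSubDomains only reaches down from the host that sent the header, so a policy learned on www.etsy.com protects a.www.etsy.com but not etsy.com or img.etsy.com; and a max-age=0 on sign-out only clears the entry for the host that sends it, so if a parent domain's entry with includeSubDomains also exists, the browser keeps upgrading.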
  50-51. Wins
     Fixes on-domain mixed content
     Browser transparently 302 redirects

  52-54. SSL Concerns
     Do your CDNs support it?
     What about 3rd party content providers?
     Can your servers/LBs handle it?

  55-57. Kill Mixed Content
     You still need to fix off-domain HTTP
     Browser mixed content warnings

  58-60. Mobile
     HSTS supported on mobile browsers
     Notably absent from others

  61-64. HSTS: Be Ready
     Not a crutch for fixing routing problems!
     There will be outliers
     SSL/TLS errors confuse users
     Have a process for managing HSTS
  65. X-Frame-Options
     Problem: Clickjacking

  66. X-Frame-Options
     Framing sucks, get rid of framing!

  67-69. X-Frame-Options
     How do you prevent this type of attack?
     <script> if (top!=self) top.location.href=self.location.href </script>
     Not really a defense at all

  70-73. How Do I Use XFO?
     Figure out when you’re being framed
     Log the framing attempts
     Whitelist specific framing sites (search engines)
     Only allow whitelisted sites to frame

  74-76. Be Careful
     Thoroughly vet your whitelist
     Read about XFO’s options
     Test thoroughly

  77-78. Non-Whitelisted sites (screenshots)

  79-80. Don’t Forget...
     If you’re taking away framing, warn your users
     Whitelisting will break everyone else
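Slides 70-80 describe a procedure (find out who frames you, log it, vet a whitelist, then only allow those sites) without showing the server side. The code below is an added example of that procedure, not Etsy's code and not from the talk. It assumes that when a page is loaded inside a frame the embedding page's URL arrives in the Referer header, so the framer's origin can be read from it, and that a request with no Referer is treated as top-level; the site origin, whitelist and log lines are constructed. Because ALLOW-FROM names exactly one origin, the header value is computed per request, and since browser support for ALLOW-FROM was uneven (slide 75's advice to read about XFO's options applies), the DENY/SAMEORIGIN paths are the ones to rely on.

```python
"""Server-side X-Frame-Options decision with a framing whitelist, vetting and
logging. Added example, not Etsy's code. Assumes the framer's URL is in the
Referer of the framed request; origins and log lines are constructed."""
from collections import Counter
from urllib.parse import urlsplit

SITE_ORIGIN = "https://www.example.test"             # constructed
FRAMING_WHITELIST = {"https://search.example.test"}  # constructed, e.g. a search engine


def origin_of(url):
    """scheme://host[:port] in lower case, or None if url is not absolute."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def vet_whitelist(whitelist, site_origin=SITE_ORIGIN):
    """Slide 74: thoroughly vet your whitelist. Returns the entries that are
    unusable: not a bare https origin, carrying a path, query or wildcard,
    or the site itself (which SAMEORIGIN already covers)."""
    bad = []
    for entry in whitelist:
        parts = urlsplit(entry)
        if (parts.scheme != "https" or not parts.netloc
                or parts.path not in ("", "/") or parts.query or parts.fragment
                or "*" in parts.netloc or origin_of(entry) == site_origin):
            bad.append(entry)
    return bad


def decide_xfo(referer, whitelist=FRAMING_WHITELIST, site_origin=SITE_ORIGIN):
    """Return (header_value, log_line); log_line is None when there is nothing
    to log. Anything not whitelisted gets DENY (slide 80: whitelisting breaks
    everyone else), so the log is what tells you who you just broke."""
    framer = origin_of(referer) if referer else None
    if framer is None or framer == site_origin:
        return "SAMEORIGIN", None
    if framer in whitelist:
        return f"ALLOW-FROM {framer}", f"xfo=allow framer={framer}"
    return "DENY", f"xfo=deny framer={framer}"


def summarize_framing_log(lines):
    """Slides 71-72: count denied framing attempts per framer so the whitelist
    is built from evidence (search engines and the like) before framing is
    taken away for good."""
    counts = Counter()
    for line in lines:
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        if fields.get("xfo") == "deny" and "framer" in fields:
            counts[fields["framer"]] += 1
    return counts


if __name__ == "__main__":
    print(vet_whitelist(FRAMING_WHITELIST))
    for ref in (None, "https://search.example.test/results?q=bag", "https://unknown.test/page"):
        print(ref, decide_xfo(ref))
```

A rollout in the spirit of slides 70-73 would run `decide_xfo` in log-only mode first (keep the log line, send SAMEORIGIN), feed the lines through `summarize_framing_log`, and only then populate the whitelist and start returning DENY.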
  81-83. Let’s Talk CSP
     Policies can grow fairly large
     Doesn’t like inline javascript by default
     Where do I start?

  84-86. CSP 1.0
     Most websites have inline JS
     Removing/refactoring some of it just isn’t possible
     FF & Chrome use unprefixed ‘Content-Security-Policy’

  87-89. CSP 1.1
     Will have browser javascript API support
     Support for inline CSP in a <meta> tag
     CSP 1.1 will allow for script-nonce and script-hash

  90-93. CSP Lessons
     CSP introduced the idea of a reporting mechanism
     Identify pages with inline scripts => smaller policy size
     Log, aggregate reports to find mixed content
     Some interesting results

  94. (chart of results, no slide text)

  95-98. How Do I Deploy CSP?
     Organize and assess your existing javascript
     Have specific template logic for handling javascript
     Give devs an ‘opt-out’ mechanism for inline js
     Deploy to specific parts/subdomains of your site

  99. CSP Compliance
     Actively monitor the # of inline scripts you have left
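Slides 90-99 rest on one loop: collect the violation reports the browser POSTs to report-uri, aggregate them, and read off which pages still carry inline scripts, which resources are mixed content, and how many inline scripts are left. The aggregator below is an added example of that loop, not Etsy's code and not one of the CSPTools the talk links. The report bodies are constructed; the `csp-report` object with `document-uri`, `violated-directive` and `blocked-uri` is the shape browsers of the time sent. Browsers did not agree on how to mark an inline-script violation in `blocked-uri`, so `self`, `inline` and an empty value are all treated as inline here, an assumption worth checking against the browsers you actually see.

```python
"""Aggregation of Content-Security-Policy violation reports. Added example,
not Etsy's code. Sample report bodies are constructed; the set of
blocked-uri values taken to mean "inline script" is an assumption."""
import json
from collections import Counter
from urllib.parse import urlsplit

SAMPLE_REPORTS = [json.dumps({"csp-report": r}) for r in (  # constructed
    {"document-uri": "https://www.example.test/listing/1",
     "violated-directive": "script-src 'self'", "blocked-uri": "self"},
    {"document-uri": "https://www.example.test/listing/1",
     "violated-directive": "script-src 'self'", "blocked-uri": "inline"},
    {"document-uri": "https://www.example.test/shop/2",
     "violated-directive": "img-src https:",
     "blocked-uri": "http://img.cdn.example.test/a.png"},
    {"document-uri": "https://www.example.test/shop/2",
     "violated-directive": "script-src 'self'",
     "blocked-uri": "https://cdn.thirdparty.test/lib.js"},
)] + ["not a report at all"]

INLINE_MARKERS = {"", "self", "inline"}  # assumption: values seen for inline scripts


def parse_report(body):
    """Return the csp-report object, or None for bodies that are not a report.
    Anyone can POST to report-uri, so malformed input is expected, not fatal."""
    try:
        data = json.loads(body)
    except ValueError:
        return None
    report = data.get("csp-report") if isinstance(data, dict) else None
    return report if isinstance(report, dict) else None


def classify(report):
    """Label one report as ("inline", page), ("mixed", blocked_uri) or
    ("unlisted", (directive, origin)) for a source the policy does not allow."""
    directive = report.get("violated-directive", "").split(" ", 1)[0]
    blocked = report.get("blocked-uri", "")
    page = report.get("document-uri", "")
    if directive == "script-src" and blocked in INLINE_MARKERS:
        return "inline", page
    if urlsplit(page).scheme == "https" and urlsplit(blocked).scheme == "http":
        return "mixed", blocked
    parts = urlsplit(blocked)
    origin = f"{parts.scheme}://{parts.netloc}" if parts.netloc else blocked
    return "unlisted", (directive, origin)


def aggregate(bodies):
    """Slides 91-92: inline scripts per page, mixed content, unlisted sources."""
    summary = {"inline_by_page": Counter(), "mixed_content": Counter(),
               "unlisted_sources": Counter(), "unparseable": 0}
    for body in bodies:
        report = parse_report(body)
        if report is None:
            summary["unparseable"] += 1
            continue
        kind, key = classify(report)
        if kind == "inline":
            summary["inline_by_page"][key] += 1
        elif kind == "mixed":
            summary["mixed_content"][key] += 1
        else:
            summary["unlisted_sources"][key] += 1
    return summary


def inline_scripts_left(summary):
    """Slide 99's number: inline-script violations still being reported."""
    return sum(summary["inline_by_page"].values())


if __name__ == "__main__":
    result = aggregate(SAMPLE_REPORTS)
    print("inline scripts left:", inline_scripts_left(result))
    print("mixed content:", dict(result["mixed_content"]))
    print("unlisted sources:", dict(result["unlisted_sources"]))
```

The three counters map onto the talk's uses of reporting: `inline_by_page` tells you which templates still need the opt-out mechanism of slide 97, `mixed_content` is the off-domain HTTP that HSTS cannot fix for you (slide 55), and `unlisted_sources` is the list of origins that would otherwise grow the policy (slide 81).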
  100-102. Some CSP Tools
     Some tools for CSP Generation
     http://cspisawesome.com/
     https://github.com/Kennysan/CSPTools

  103-105. CSP Tools
     Browser proxy, automated browser, and csp parser
     Lets you create/test a CSP for your prod environment
     https://github.com/Kennysan/CSPTools
  106-108. X-XSS-Protection
     Originally IE XSS blocking mechanism
     Looks for parameter arguments in response
     Side effect: Clients can break your javascript

  109-112. X-XSS-Protection
     X-XSS-Protection: 1; mode=block
     Reflected XSS protection, but now...
     Chrome lets you specify a report url
     Clientside protection; serverside reporting

  113-116. XSS Logging
     X-XSS-Protection: 1; mode=block; report-uri=/log.php
     Allows Chrome reflected XSS logging, ala CSP-style
     Other browsers: Implement server-side XSS-Auditor
     Look for this functionality in CSP 1.1

  117-121. X-Content-Type-Options
     X-Content-Type-Options: nosniff
     Older versions of IE will guess response content-type
     Ignores Content-Type specified!
     Example: query parameter lets you specify .html
     IE will consider the content to be text/html!

  122-126. Final Thoughts
     Treat header deployment like any other code
     Be agile with header development
     Can’t deploy everywhere? Have a plan--deploy in part
     Starting with security is easier than baking it in later
     Log early and often--you learn a lot

  127. Thanks for Listening!
     @kennysan, klee@etsy.com, github.com/kennysan