Upgrade to Pro — share decks privately, control downloads, hide ads and more …

BSides Munich

3c27881a0d8695811b0fa23bd794e696?s=47 Mike West
PRO
April 03, 2017
Programming
0
250

BSides Munich

3c27881a0d8695811b0fa23bd794e696?s=128

Mike West
PRO

April 03, 2017
Tweet

More Decks by Mike West

See All by Mike West
Isolation by Default
3c27881a0d8695811b0fa23bd794e696?s=48 mikewest
PRO
0
1.1k
The Web We Can Ship
3c27881a0d8695811b0fa23bd794e696?s=48 mikewest
PRO
0
210
Web Platform Security @ CMS Security Summit 2020
3c27881a0d8695811b0fa23bd794e696?s=48 mikewest
PRO
0
1.6k
Web Platform Security @ TechDays 2019
3c27881a0d8695811b0fa23bd794e696?s=48 mikewest
PRO
1
100
Cookies are bad @ HTTP Workshop 2019
3c27881a0d8695811b0fa23bd794e696?s=48 mikewest
PRO
0
350
Web Platform Security @ CMS Security Summit
3c27881a0d8695811b0fa23bd794e696?s=48 mikewest
PRO
0
67
Web Platform Security PhD Summit @ Google Munich
3c27881a0d8695811b0fa23bd794e696?s=48 mikewest
PRO
2
650
Hardening the Web Platform - AppSec EU, 2016
3c27881a0d8695811b0fa23bd794e696?s=48 mikewest
PRO
5
1.3k
Web Platform Security (dotSecurity, April 2016)
3c27881a0d8695811b0fa23bd794e696?s=48 mikewest
PRO
2
1k

Other Decks in Programming

See All in Programming
trocco® の品質を守る、とても普通な取り組み
E7d321bef653bcb8fce8032609321398?s=48 kekekenta
0
350
Vite でお手軽 Vue.js の環境構築
Be33a704f251c77162896ac5ba03e9ac?s=48 azuki
1
170
Git・Git-Flowについて
Df84835609bef29193d6ddb26cbaa316?s=48 nerusan_main
0
400
ANR overview at Uber + Leveraging ApplicationExitInfo API
7b79fefb49d2318393c8174c17e89ae3?s=48 yhartanto
0
320
Dagger + Anvil: Learning to Love Dependency Injection
7cfefc4ecbffbe84b59de233d3fa4645?s=48 vrallev
2
230
Make the most of Django - PyCon Italia 2022
6b8e2101579190ad96e747e01c279898?s=48 pauloxnet
0
110
設計ナイト2022 トランザクションスクリプト
6521324f6ab5266cdcde1dd05945a27b?s=48 shinpeim
11
2k
What's new in Jetpack / I/O Extended Japan 2022
80a3a3857a55f154d23acb705eff72cc?s=48 star_zero
1
170
はてなフォトライフをECSに移行した話 / Hatena Engineer Seminar #20
5e1d0f7877241ad4447c6611d9a51fd7?s=48 cohalz
1
810
Bootiful multi-model applications with Redis Stack
270b71aa52e822fa5920e618fd693d0c?s=48 bsbodden
0
100
Jakarta EE 10 and Beyond
B489790e1a844284d7cd1fa2cd6e021f?s=48 ivargrimstad
0
1.4k
Modern Android Developer ~ 안내서
354271902cd8ba2762d05b251dfa0f84?s=48 pluu
1
560

Featured

See All Featured
Debugging Ruby Performance
D47656e20ff5e42f125fc5ea0fd636c6?s=48 tmm1
65
10k
A designer walks into a library…
15f2b8221f247985a27a627d2ece72f0?s=48 pauljervisheath
196
16k
How to name files
0a4f62e90c976eeb44d33add75cca5af?s=48 jennybc
40
60k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
E195ae45320d9202eaa01c9f1d31a416?s=48 marktimemedia
15
940
Designing for Performance
245cee81a9c424266e5e401d844ea881?s=48 lara
597
63k
A better future with KSS
5f2da528927a2ec9ba4fec2069cbc958?s=48 kneath
225
15k
Navigating Team Friction
245cee81a9c424266e5e401d844ea881?s=48 lara
175
11k
Streamline your AJAX requests with AmplifyJS and jQuery
9cde37f47e4a800ea081ea42de8d749a?s=48 dougneiner
126
8.5k
Testing 201, or: Great Expectations
A9704266587836f7e784235e5073b93e?s=48 jmmastey
21
5.4k
How GitHub (no longer) Works
78b475797a14c84799063c7cd073962f?s=48 holman
296
140k
The Art of Programming - Codeland 2020
719435d98d452de7ac367c828266cf01?s=48 erikaheidi
32
9.2k
Designing for humans not robots
D36d2c1821af9249b69ff7f5ed60529b?s=48 tammielis
241
23k

Transcript

  1. Mike West, @mikewest, mkwst@google.com https://goo.gl/F0o9kR Hardening the Web Platform

  2. Slides: https://goo.gl/F0o9kR

  3. None
  4. None
  5. None

  6. https://goo.gl/MycPb7

  7. "Sharpening", https://flic.kr/p/sbo18H

  8. "Vintage Camillus 1006", https://flic.kr/p/eNbtJ8

  9. "Vintage Camillus 1006", https://flic.kr/p/eNbtJ8

  10. None

  11. https://securethe.news/

  12. https://letsencrypt.org/

  13. https://caddyserver.com/

  14. https://goo.gl/ptS8FO https://goo.gl/nzbqQo

  15. Pro tip: Content-Security-Policy: default-src https:; report-uri /reports-r-us

  16. Content-Security-Policy: upgrade-insecure-requests https://goo.gl/hcin3m

  17. https://goo.gl/51hqZa

  18. https://goo.gl/Kd2eMQ

  19. https://goo.gl/ciyreA

  20. https://goo.gl/rStTGz

  21. AppCache getUserMedia crypto.subtle.* ServiceWorker navigator.credentials navigator.geolocation PaymentRequest EME https://goo.gl/rStTGz Notification

  22. https://goo.gl/Wwpnjw https://goo.gl/fzVgNt

  23. 127.0.0.1 192.168.1.1 192.220.74.179 https://goo.gl/Wwpnjw

  24. "Vintage Camillus 1006", https://flic.kr/p/eNbtJ8

  25. https://goo.gl/Wamh7S

  26. default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src render.githubusercontent.com; connect-src 'self' uploads.github.com

    status.github.com api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com wss://live.github.com; font-src assets-cdn.github.com; form-action 'self' github.com gist.github.com; frame-ancestors 'none'; frame-src render.githubusercontent.com; img-src 'self' data: assets-cdn.github.com identicons.github.com www.google-analytics.com collector.githubapp.com *.gravatar.com *.wp.com *.githubusercontent.com; media-src 'none'; object-src assets-cdn.github.com; plugin-types application/x-shockwave-flash; script-src assets-cdn.github.com; style-src 'unsafe-inline' assets-cdn.github.com

  27. https://goo.gl/lJq6jj https://goo.gl/dqPkYn

  28. script-src https://connect.facebook.net https://cm.g.doubleclick.net https://ssl.google-analytics.com https://graph.facebook.com https://twitter.com 'unsafe-eval' https://*.twimg.com https://api.twitter.com https://analytics.twitter.com

    https://publish.twitter.com https://ton.twitter.com https://syndication.twitter.com https://www.google.com https://t.tellapart.com 'nonce-LrNe0GlzopB0DPFNqwdllg==' https://platform.twitter.com https://www.google-analytics.com 'self'; frame-ancestors 'self'; font-src https://twitter.com https://*.twimg.com data: https://ton.twitter.com https://fonts.gstatic.com https://maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self'; media-src https://twitter.com https://*.twimg.com https://ton.twitter.com blob: 'self'; connect-src https://graph.facebook.com https://*.giphy.com https://*.twimg.com https://embed.pscp.tv https://api.twitter.com https://pay.twitter.com https://analytics.twitter.com https://*.twprobe.net https://media.riffsy.com https://embed.periscope.tv https://upload.twitter.com 'self'; style-src https://fonts.googleapis.com https://twitter.com https://*.twimg.com https://translate.googleapis.com https://ton.twitter.com 'unsafe-inline' https://platform.twitter.com https://maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self'; object-src https://twitter.com https://pbs.twimg.com; default-src 'self'; frame-src https://staticxx.facebook.com https://twitter.com https://*.twimg.com https://5415703.fls.doubleclick.net https://player.vimeo.com https://pay.twitter.com https://www.facebook.com https://ton.twitter.com https://syndication.twitter.com https://vine.co twitter: https://www.youtube.com https://platform.twitter.com https://upload.twitter.com https://s-static.ak.facebook.com https://4337974.fls.doubleclick.net 'self' https://donate.twitter.com; img-src https://graph.facebook.com https://*.giphy.com https://twitter.com https://*.twimg.com https://ad.doubleclick.net data: https://lumiere-a.akamaihd.net https://fbcdn-profile-a.akamaihd.net https://www.facebook.com https://ton.twitter.com https://*.fbcdn.net https://syndication.twitter.com https://media.riffsy.com https://www.google.com https://stats.g.doubleclick.net https://api.mapbox.com https://www.google-analytics.com blob: 'self'; report-uri https://twitter.com/i/csp_report?a=NVQWGYLXFVZXO2LGOQ%3D%3D%3D%3D%3D%3D&ro=false;

  29. https://goo.gl/wSH6sV

  30. https://srihash.org/

  31. https://goo.gl/yxEJiO https://goo.gl/IrPX7b

  32. Set-Cookie: user_session=...; path=/; secure; HttpOnly; SameSite=Lax

  33. https://goo.gl/QcZIBI

  34. ✘ Set-Cookie: __Host-SID=12345; Secure; Path=/ ✘ Set-Cookie: __Host-SID=12345 ✘ Set-Cookie:

    __Host-SID=12345; Secure ✘ Set-Cookie: __Host-SID=12345; Secure; Path=/subdirectory/ ✘ Set-Cookie: __Host-SID=12345; Domain=example.com ✘ Set-Cookie: __Host-SID=12345; Domain=example.com; Path=/ ✘ Set-Cookie: __Host-SID=12345; Secure; Domain=example.com; Path=/ ✘ Set-Cookie: __Secure-SID=12345; Secure; ✘ Set-Cookie: __Secure-SID=12345

  35. https://goo.gl/gF2clJ

  36. https://goo.gl/FHAeAm

  37. Credential Management API @ I/O: https://goo.gl/FbrO5x navigator.credentials.get({ "password": true, "unmediated":

    true }) .then(c => { if (!c) return; // Hooray, we have a credential! signInToYourApplication(c); });

  38. Credential Management API @ I/O: https://goo.gl/FbrO5x function signInToYourApplication(c) { fetch("/signin",

    { "method": "POST", "credentials": c }) .then(r => { if (r.status == 200) { renderSignedInExperience(r); // or: window.location = "/signedin"; } else { renderUsefulErrorMessage(); } }); }
  39. None

  40. https://goo.gl/Un07eJ

  41. https://goo.gl/ILUP12

  42. https://goo.gl/eZ9SKg

  43. scheme://host:port

  44. scheme://host:port scheme://sub1_host:port scheme://sub2_host:port

  45. https://goo.gl/VhLsq2

  46. None

  47. Thank you! https://goo.gl/F0o9kR @mikewest mkwst@google.com