Upgrade to Pro — share decks privately, control downloads, hide ads and more …

BSides Munich

Avatar for Mike West Mike West
April 03, 2017
Programming
0
340

BSides Munich

Avatar for Mike West

Mike West

April 03, 2017
Tweet

More Decks by Mike West

See All by Mike West
W3C Permissions Workshop - 2022-12-05
Avatar for Mike West mikewest
0
120
Isolation by Default
Avatar for Mike West mikewest
0
1.9k
The Web We Can Ship
Avatar for Mike West mikewest
0
500
Web Platform Security @ CMS Security Summit 2020
Avatar for Mike West mikewest
0
3.3k
Web Platform Security @ TechDays 2019
Avatar for Mike West mikewest
1
180
Cookies are bad @ HTTP Workshop 2019
Avatar for Mike West mikewest
0
460
Web Platform Security @ CMS Security Summit
Avatar for Mike West mikewest
0
130
Web Platform Security PhD Summit @ Google Munich
Avatar for Mike West mikewest
2
990
Hardening the Web Platform - AppSec EU, 2016
Avatar for Mike West mikewest
5
1.5k

Other Decks in Programming

See All in Programming
なんとなくわかった気になるブロックテーマ入門/contents.nagoya 2025 6.28
Avatar for Chiaki Okamoto chiilog
1
280
Rails Frontend Evolution: It Was a Setup All Along
Avatar for Svyatoslav Kryukov skryukov
0
240
たった 1 枚の PHP ファイルで実装する MCP サーバ / MCP Server with Vanilla PHP
Avatar for Shohei Okada okashoi
1
280
AIともっと楽するE2Eテスト
Avatar for Yohei Maeda myohei
8
2.9k
Advanced Micro Frontends: Multi Version/ Framework Scenarios @WAD 2025, Berlin
Avatar for Manfred Steyer manfredsteyer
PRO
0
370
MCPを使ってイベントソーシングのAIコーディングを効率化する / Streamlining Event Sourcing AI Coding with MCP
Avatar for Tomohisa Takaoka tomohisa
0
160
VS Code Update for GitHub Copilot
Avatar for 74th(Atsushi Morimoto) 74th
2
670
PicoRuby on Rails
Avatar for makicamel makicamel
2
140
オンコール⼊⾨〜ページャーが鳴る前に、あなたが備えられること〜 / Before The Pager Rings
Avatar for Yuuki Takahashi yktakaha4
1
770
おやつのお供はお決まりですか?@WWDC25 Recap -Japan-\(region).swift
Avatar for gangan shingangan
0
140
PHPで始める振る舞い駆動開発(Behaviour-Driven Development)
Avatar for uutan1108 ohmori_yusuke
2
420
20250628_非エンジニアがバイブコーディングしてみた
Avatar for ponponmikan ponponmikankan
0
710

Featured

See All Featured
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
Avatar for Michelle Schulp Hunt marktimemedia
31
2.4k
The MySQL Ecosystem @ GitHub 2015
Avatar for Sam Lambert samlambert
251
13k
Git: the NoSQL Database
Avatar for Brandon Keepers bkeepers
PRO
430
65k
XXLCSS - How to scale CSS and keep your sanity
Avatar for Zaharenia Atzitzikaki sugarenia
248
1.3M
Music & Morning Musume
Avatar for Bryan Veloso bryan
46
6.7k
Docker and Python
Avatar for Tania Allard trallard
45
3.5k
Keith and Marios Guide to Fast Websites
Avatar for Keith Pitt keithpitt
411
22k
RailsConf 2023
Avatar for Aaron Patterson tenderlove
30
1.1k
Raft: Consensus for Rubyists
Avatar for Patrick Van Stee vanstee
140
7k
Facilitating Awesome Meetings
Avatar for Lara Hogan lara
54
6.5k
Agile that works and the tools we love
Avatar for Rasmus Luckow-Nielsen rasmusluckow
329
21k
Product Roadmaps are Hard
Avatar for C. Todd Lombardo iamctodd
PRO
54
11k

Transcript

  1. Mike West, @mikewest, [email protected] https://goo.gl/F0o9kR Hardening the Web Platform

  2. Slides: https://goo.gl/F0o9kR

  3. None
  4. None
  5. None

  6. https://goo.gl/MycPb7

  7. "Sharpening", https://flic.kr/p/sbo18H

  8. "Vintage Camillus 1006", https://flic.kr/p/eNbtJ8

  9. "Vintage Camillus 1006", https://flic.kr/p/eNbtJ8

  10. None

  11. https://securethe.news/

  12. https://letsencrypt.org/

  13. https://caddyserver.com/

  14. https://goo.gl/ptS8FO https://goo.gl/nzbqQo

  15. Pro tip: Content-Security-Policy: default-src https:; report-uri /reports-r-us

  16. Content-Security-Policy: upgrade-insecure-requests https://goo.gl/hcin3m

  17. https://goo.gl/51hqZa

  18. https://goo.gl/Kd2eMQ

  19. https://goo.gl/ciyreA

  20. https://goo.gl/rStTGz

  21. AppCache getUserMedia crypto.subtle.* ServiceWorker navigator.credentials navigator.geolocation PaymentRequest EME https://goo.gl/rStTGz Notification

  22. https://goo.gl/Wwpnjw https://goo.gl/fzVgNt

  23. 127.0.0.1 192.168.1.1 192.220.74.179 https://goo.gl/Wwpnjw

  24. "Vintage Camillus 1006", https://flic.kr/p/eNbtJ8

  25. https://goo.gl/Wamh7S

  26. default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src render.githubusercontent.com; connect-src 'self' uploads.github.com

    status.github.com api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com wss://live.github.com; font-src assets-cdn.github.com; form-action 'self' github.com gist.github.com; frame-ancestors 'none'; frame-src render.githubusercontent.com; img-src 'self' data: assets-cdn.github.com identicons.github.com www.google-analytics.com collector.githubapp.com *.gravatar.com *.wp.com *.githubusercontent.com; media-src 'none'; object-src assets-cdn.github.com; plugin-types application/x-shockwave-flash; script-src assets-cdn.github.com; style-src 'unsafe-inline' assets-cdn.github.com

  27. https://goo.gl/lJq6jj https://goo.gl/dqPkYn

  28. script-src https://connect.facebook.net https://cm.g.doubleclick.net https://ssl.google-analytics.com https://graph.facebook.com https://twitter.com 'unsafe-eval' https://*.twimg.com https://api.twitter.com https://analytics.twitter.com

    https://publish.twitter.com https://ton.twitter.com https://syndication.twitter.com https://www.google.com https://t.tellapart.com 'nonce-LrNe0GlzopB0DPFNqwdllg==' https://platform.twitter.com https://www.google-analytics.com 'self'; frame-ancestors 'self'; font-src https://twitter.com https://*.twimg.com data: https://ton.twitter.com https://fonts.gstatic.com https://maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self'; media-src https://twitter.com https://*.twimg.com https://ton.twitter.com blob: 'self'; connect-src https://graph.facebook.com https://*.giphy.com https://*.twimg.com https://embed.pscp.tv https://api.twitter.com https://pay.twitter.com https://analytics.twitter.com https://*.twprobe.net https://media.riffsy.com https://embed.periscope.tv https://upload.twitter.com 'self'; style-src https://fonts.googleapis.com https://twitter.com https://*.twimg.com https://translate.googleapis.com https://ton.twitter.com 'unsafe-inline' https://platform.twitter.com https://maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self'; object-src https://twitter.com https://pbs.twimg.com; default-src 'self'; frame-src https://staticxx.facebook.com https://twitter.com https://*.twimg.com https://5415703.fls.doubleclick.net https://player.vimeo.com https://pay.twitter.com https://www.facebook.com https://ton.twitter.com https://syndication.twitter.com https://vine.co twitter: https://www.youtube.com https://platform.twitter.com https://upload.twitter.com https://s-static.ak.facebook.com https://4337974.fls.doubleclick.net 'self' https://donate.twitter.com; img-src https://graph.facebook.com https://*.giphy.com https://twitter.com https://*.twimg.com https://ad.doubleclick.net data: https://lumiere-a.akamaihd.net https://fbcdn-profile-a.akamaihd.net https://www.facebook.com https://ton.twitter.com https://*.fbcdn.net https://syndication.twitter.com https://media.riffsy.com https://www.google.com https://stats.g.doubleclick.net https://api.mapbox.com https://www.google-analytics.com blob: 'self'; report-uri https://twitter.com/i/csp_report?a=NVQWGYLXFVZXO2LGOQ%3D%3D%3D%3D%3D%3D&ro=false;

  29. https://goo.gl/wSH6sV

  30. https://srihash.org/

  31. https://goo.gl/yxEJiO https://goo.gl/IrPX7b

  32. Set-Cookie: user_session=...; path=/; secure; HttpOnly; SameSite=Lax

  33. https://goo.gl/QcZIBI

  34. ✘ Set-Cookie: __Host-SID=12345; Secure; Path=/ ✘ Set-Cookie: __Host-SID=12345 ✘ Set-Cookie:

    __Host-SID=12345; Secure ✘ Set-Cookie: __Host-SID=12345; Secure; Path=/subdirectory/ ✘ Set-Cookie: __Host-SID=12345; Domain=example.com ✘ Set-Cookie: __Host-SID=12345; Domain=example.com; Path=/ ✘ Set-Cookie: __Host-SID=12345; Secure; Domain=example.com; Path=/ ✘ Set-Cookie: __Secure-SID=12345; Secure; ✘ Set-Cookie: __Secure-SID=12345

  35. https://goo.gl/gF2clJ

  36. https://goo.gl/FHAeAm

  37. Credential Management API @ I/O: https://goo.gl/FbrO5x navigator.credentials.get({ "password": true, "unmediated":

    true }) .then(c => { if (!c) return; // Hooray, we have a credential! signInToYourApplication(c); });

  38. Credential Management API @ I/O: https://goo.gl/FbrO5x function signInToYourApplication(c) { fetch("/signin",

    { "method": "POST", "credentials": c }) .then(r => { if (r.status == 200) { renderSignedInExperience(r); // or: window.location = "/signedin"; } else { renderUsefulErrorMessage(); } }); }
  39. None

  40. https://goo.gl/Un07eJ

  41. https://goo.gl/ILUP12

  42. https://goo.gl/eZ9SKg

  43. scheme://host:port

  44. scheme://host:port scheme://sub1_host:port scheme://sub2_host:port

  45. https://goo.gl/VhLsq2

  46. None

  47. Thank you! https://goo.gl/F0o9kR @mikewest [email protected]