Security headers Why should we care? Artur Hil

No content

Why to use the Security headers ● It’s a good place to start when you want to secure your web app ● Easy to implement and only require a slight web server configuration change ● Provide yet another layer of security by helping to mitigate attacks and security vulnerabilities ● Ensures your clients you are keeping up with best practices ● Discourages most of hackers to play with your app

No content

Today we will focus on: ● HTTP Strict Transport Security ● X-Frame-Options ● X-Content-Type-Options ● Referrer-Policy ● Content-Security-Policy

Today we will not focus on: Rarely used ● X-Permitted-Cross-Domain-Policies ● Clear-Site-Data ● Cross-Origin-Embedder-Policy ● Cross-Origin-Opener-Policy ● Cross-Origin-Resource-Policy Almost Deprecated ● Feature-Policy ● Expect-CT Deprecated: ● Public-Key-Pins ● X-XSS-Protection

If you want more please visit: OWASP Secure Headers Project

HTTP Strict Transport Security (HSTS) HTTP Strict Transport Security X-Frame-Options X-Content-Type-Options Referrer-Policy Content-Security-Policy

HTTP Strict Transport Security X-Frame-Options X-Content-Type-Options Referrer-Policy Content-Security-Policy http User_1 User_2 Web Server https

HTTP Strict Transport Security (HSTS) Strict-Transport-Security: max-age=; includeSubDomains Strict-Transport-Security: max-age=31536000 ; includeSubDomains Strict-Transport-Security: max-age=; includeSubDomains; preload Strict-Transport-Security: max-age=31536000 ; includeSubDomains; preload Strict-Transport-Security: max-age= Strict-Transport-Security: max-age=300 The best HTTP Strict Transport Security X-Frame-Options X-Content-Type-Options Referrer-Policy Content-Security-Policy

X-Frame-Options HTTP Strict Transport Security X-Frame-Options X-Content-Type-Options Referrer-Policy Content-Security-Policy

Clickjacking HTTP Strict Transport Security X-Frame-Options X-Content-Type-Options Referrer-Policy Content-Security-Policy

X-Frame-Options Syntax: Do: X-Frame-Options: DENY No one will be able to Frame your application Dont: X-Frame-Options: SAMEORIGIN X-Frame-Options: ALLOW-FROM https://example.com/ Small protection against Clickjacking, but better than none HTTP Strict Transport Security X-Frame-Options X-Content-Type-Options Referrer-Policy Content-Security-Policy

X-Content-Type-Options HTTP Strict Transport Security X-Frame-Options X-Content-Type-Options Referrer-Policy Content-Security-Policy

HTTP Strict Transport Security X-Frame-Options X-Content-Type-Options Referrer-Policy Content-Security-Policy

MIME sniffing text/plain is not a valid JavaScript MIME type HTTP Strict Transport Security X-Frame-Options X-Content-Type-Options Referrer-Policy Content-Security-Policy

X-Content-Type-Options ● Always make sure that all resources served by a web application has a correct Content-Type header in response ● X-Content-Type-Options: nosniff should be deployed for all application responses HTTP Strict Transport Security X-Frame-Options X-Content-Type-Options Referrer-Policy Content-Security-Policy

Referrer policy HTTP Strict Transport Security X-Frame-Options X-Content-Type-Options Referrer-Policy Content-Security-Policy

Information leakage via referer header Private information: https://news.example/search?q=covid-19&sort=newest Private and Sensitive: https://healthcare.example/patient/history/injuries/arm Private and Identity information: https://mybook.example.com/profile/[email protected] Critical information: https://mail.example/password_reset?token=b08476ff4b8c961375c89e6671b56111 HTTP Strict Transport Security X-Frame-Options X-Content-Type-Options Referrer-Policy Content-Security-Policy

Referrer-Policy Referrer-Policy: no-referrer No Referer information in any case Referrer-Policy: no-referrer-when-downgrade Origin, path, query in Referer when HTTP→HTTP, HTTP→HTTPS, HTTPS→HTTPS No Referer information when HTTPS→HTTP, HTTPS→file Referrer-Policy: origin Only Origin https://example.com/page.html >> https://example.com/ Referrer-Policy: origin-when-cross-origin Origin, path, query in Referer when a same-origin request to the same protocol Send origin (only) for cross origin requests and requests to less secure destinations. HTTP Strict Transport Security X-Frame-Options X-Content-Type-Options Referrer-Policy Content-Security-Policy

Referrer-Policy Referrer-Policy: same-origin Origin, path, query in Referer when same-origin requests No Referer information when cross-origin requests Referrer-Policy: strict-origin Only Origin when protocol security level stays the same (HTTPS→HTTPS) No Referer information when less secure destinations (HTTPS→HTTP) Referrer-Policy: strict-origin-when-cross-origin Default if no policy is specified Origin, path, query in Referer when same-origin requests Only Origin when protocol security level stays the same (HTTPS→HTTPS) No Referer information when less secure destinations (HTTPS→HTTP) Referrer-Policy: unsafe-url Origin, path, query in Referer in any case HTTP Strict Transport Security X-Frame-Options X-Content-Type-Options Referrer-Policy Content-Security-Policy

Let’s recap

No content

The most secure approach for security headers X-Frame-Options: deny Referrer-Policy: no-referrer X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 ; includeSubDomains

The most secure approach for security headers X-Frame-Options: deny Referrer-Policy: strict-origin-when-cross-origin X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 ; includeSubDomains

Content-Security-Policy HTTP Strict Transport Security X-Frame-Options X-Content-Type-Options Referrer-Policy Content-Security-Policy

HTTP Strict Transport Security X-Frame-Options X-Content-Type-Options Referrer-Policy Content-Security-Policy

Alexa top 1 million security headers analysis HTTP Strict Transport Security X-Frame-Options X-Content-Type-Options Referrer-Policy Content-Security-Policy

Why so hard to implement? ● More than 30 directives ● More than half of them are experimental ● Some of the directives interference each other ● Sometimes you need to rebuild your entire app to use CSP properly ● Improper implementation of CSP could help hackers to break into your app HTTP Strict Transport Security X-Frame-Options X-Content-Type-Options Referrer-Policy Content-Security-Policy

So you have decide to implement CSP Do not start with Content-Security-Policy Start with Content-Security-Policy-Report-Only HTTP Strict Transport Security X-Frame-Options X-Content-Type-Options Referrer-Policy Content-Security-Policy

Content-Security-Policy-Report-Only: default-src 'none'; form-action 'none'; frame-ancestors 'none'; Strictest policy HTTP Strict Transport Security X-Frame-Options X-Content-Type-Options Referrer-Policy Content-Security-Policy

Possible Errors that will appear [Report Only] Refused to load the stylesheet 'https://example.com/style.css' because it violates the following Content Security Policy directive: "default-src 'none'". Note that 'style-src' was not explicitly set, so 'default-src' is used as a fallback. To be fixed with: Content-Security-Policy-Report-Only: default-src 'none'; form-action 'none'; frame-ancestors 'none'; style-src 'self'; image-src 'self'; script-src 'self'; HTTP Strict Transport Security X-Frame-Options X-Content-Type-Options Referrer-Policy Content-Security-Policy

Possible Errors that will appear [Report Only] Refused to load the stylesheet 'https://example.com/style.css' because it violates the following Content Security Policy directive: "default-src 'none'". Note that 'style-src' was not explicitly set, so 'default-src' is used as a fallback. To be fixed with: Content-Security-Policy-Report-Only: default-src 'self'; form-action 'none'; frame-ancestors 'none'; HTTP Strict Transport Security X-Frame-Options X-Content-Type-Options Referrer-Policy Content-Security-Policy

Inline scripts Content-Security-Policy-Report-Only: default-src 'none'; form-action 'none'; frame-ancestors 'none'; style-src 'self'; script-src 'unsafe-inline'; img-src 'self'; Content-Security-Policy-Report-Only: default-src 'none'; form-action 'none'; frame-ancestors 'none'; style-src 'self'; script-src 'unsafe-inline'; img-src 'self'; Content-Security-Policy-Report-Only: default-src 'none'; form-action 'none'; frame-ancestors 'none'; style-src 'self'; script-src 'self' cdnjs.com sha256-c2u0cNUv1GcIb92+ybgJ4yMPatX/k+xxHHbugKVGUU8=; img-src 'self'; Content-Security-Policy-Report-Only: default-src 'none'; form-action 'none'; frame-ancestors 'none'; style-src 'self'; script-src 'nonce-2726c7f26c'; img-src 'self'; HTTP Strict Transport Security X-Frame-Options X-Content-Type-Options Referrer-Policy Content-Security-Policy

Where to locate CSP errors Content-Security-Policy-Report-Only: default-src 'none'; form-action 'none'; frame-ancestors 'none'; report-uri /csp-violation-report-endpoint/ Content-Security-Policy-Report-Only: default-src 'none'; form-action 'none'; frame-ancestors 'none'; report-uri https://provider.report-uri.com/r/d/csp/reportOnly HTTP Strict Transport Security X-Frame-Options X-Content-Type-Options Referrer-Policy Content-Security-Policy

Content-Security-Policy-Report-Only to Content-Security-Policy HTTP Strict Transport Security X-Frame-Options X-Content-Type-Options Referrer-Policy Content-Security-Policy

Having a CSP with a few unsafe rules is still better than not having a CSP at all. HTTP Strict Transport Security X-Frame-Options X-Content-Type-Options Referrer-Policy Content-Security-Policy

The most secure approach for CSP default-src 'self'; object-src 'none'; child-src 'self'; frame-ancestors 'none'; upgrade-insecure-requests; HTTP Strict Transport Security X-Frame-Options X-Content-Type-Options Referrer-Policy Content-Security-Policy

Check the current state of your app https://securityheaders.com/

Validate your CSP according to the best practice https://csp-evaluator.withgoogle.com/

Q&A