Slide 1

Slide 1 text

Security headers: Why should we care?
Artur Hil

Slide 2

Slide 2 text

No content

Slide 3

Slide 3 text

Why use security headers?
● A good place to start when you want to secure your web app
● Easy to implement; they require only a small web server configuration change
● Provide another layer of defence by helping to mitigate attacks and security vulnerabilities
● Assure your clients that you are keeping up with best practices
● Discourage most attackers from tampering with your app

Slide 4

Slide 4 text

No content

Slide 5

Slide 5 text

Today we will focus on:
● HTTP Strict Transport Security
● X-Frame-Options
● X-Content-Type-Options
● Referrer-Policy
● Content-Security-Policy

Slide 6

Slide 6 text

Today we will not focus on:
Rarely used
● X-Permitted-Cross-Domain-Policies
● Clear-Site-Data
● Cross-Origin-Embedder-Policy
● Cross-Origin-Opener-Policy
● Cross-Origin-Resource-Policy
Almost deprecated
● Feature-Policy
● Expect-CT
Deprecated
● Public-Key-Pins
● X-XSS-Protection

Slide 7

Slide 7 text

If you want more please visit: OWASP Secure Headers Project

Slide 8

Slide 8 text

HTTP Strict Transport Security (HSTS)
Sidebar: HTTP Strict Transport Security | X-Frame-Options | X-Content-Type-Options | Referrer-Policy | Content-Security-Policy

Slide 9

Slide 9 text

Diagram: User_1 connects to the Web Server over http; User_2 connects to the Web Server over https.

Slide 10

Slide 10 text

HTTP Strict Transport Security (HSTS)
Strict-Transport-Security: max-age=; includeSubDomains
  e.g. Strict-Transport-Security: max-age=31536000; includeSubDomains
Strict-Transport-Security: max-age=; includeSubDomains; preload
  e.g. Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
The best
Strict-Transport-Security: max-age=
  e.g. Strict-Transport-Security: max-age=300

Slide 11

Slide 11 text

X-Frame-Options

Slide 12

Slide 12 text

Clickjacking

Slide 13

Slide 13 text

X-Frame-Options
Syntax:
Do:
  X-Frame-Options: DENY
  No one will be able to frame your application.
Don't:
  X-Frame-Options: SAMEORIGIN
  X-Frame-Options: ALLOW-FROM https://example.com/
  Small protection against clickjacking, but better than none.

Slide 14

Slide 14 text

X-Content-Type-Options

Slide 15

Slide 15 text


Slide 16

Slide 16 text

MIME sniffing
Browser error: "text/plain is not a valid JavaScript MIME type"

Slide 17

Slide 17 text

X-Content-Type-Options
● Always make sure that every resource served by a web application has a correct Content-Type header in the response
● X-Content-Type-Options: nosniff should be deployed on all application responses

Slide 18

Slide 18 text

Referrer policy

Slide 19

Slide 19 text

Information leakage via the Referer header
Private information:
  https://news.example/search?q=covid-19&sort=newest
Private and sensitive:
  https://healthcare.example/patient/history/injuries/arm
Private and identity information:
  https://mybook.example.com/profile/[email protected]
Critical information:
  https://mail.example/password_reset?token=b08476ff4b8c961375c89e6671b56111

Slide 20

Slide 20 text

Referrer-Policy
Referrer-Policy: no-referrer
  No Referer information in any case
Referrer-Policy: no-referrer-when-downgrade
  Origin, path and query in Referer when HTTP→HTTP, HTTP→HTTPS, HTTPS→HTTPS
  No Referer information when HTTPS→HTTP, HTTPS→file
Referrer-Policy: origin
  Only the origin: https://example.com/page.html >> https://example.com/
Referrer-Policy: origin-when-cross-origin
  Origin, path and query in Referer for a same-origin request to the same protocol
  Send the origin (only) for cross-origin requests and requests to less secure destinations

Slide 21

Slide 21 text

Referrer-Policy
Referrer-Policy: same-origin
  Origin, path and query in Referer for same-origin requests
  No Referer information for cross-origin requests
Referrer-Policy: strict-origin
  Only the origin when the protocol security level stays the same (HTTPS→HTTPS)
  No Referer information for less secure destinations (HTTPS→HTTP)
Referrer-Policy: strict-origin-when-cross-origin
  Default if no policy is specified
  Origin, path and query in Referer for same-origin requests
  Only the origin when the protocol security level stays the same (HTTPS→HTTPS)
  No Referer information for less secure destinations (HTTPS→HTTP)
Referrer-Policy: unsafe-url
  Origin, path and query in Referer in any case
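The two Referrer-Policy slides above, worked through in code: given a policy, a source URL and a destination, compute the Referer value a browser sends (or none). This is an added example, not part of the original deck; the URLs used are constructed samples.

```python
"""Referrer-Policy semantics from the slides: what Referer (if any) is sent
for each policy. Added example, not part of the original deck; URLs are
constructed samples."""
from urllib.parse import urlsplit, urlunsplit

SECURE_SCHEMES = {"https", "wss"}   # any other destination scheme is a downgrade

def _host(p):
    return p.hostname + (f":{p.port}" if p.port else "")

def origin_of(url):
    p = urlsplit(url)
    return f"{p.scheme}://{_host(p)}/"

def full_referer(url):
    # Referer never carries credentials or the fragment, so rebuild without them
    p = urlsplit(url)
    return urlunsplit((p.scheme, _host(p), p.path or "/", p.query, ""))

def referer_for(policy, source, destination):
    """Return the Referer value sent from source to destination, or None."""
    s, d = urlsplit(source), urlsplit(destination)
    same_origin = origin_of(source) == origin_of(destination)
    downgrade = s.scheme in SECURE_SCHEMES and d.scheme not in SECURE_SCHEMES
    policy = policy or "strict-origin-when-cross-origin"  # browser default
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full_referer(source)
    if policy == "origin":
        return origin_of(source)
    if policy == "origin-when-cross-origin":
        return full_referer(source) if same_origin else origin_of(source)
    if policy == "same-origin":
        return full_referer(source) if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else origin_of(source)
    if policy == "strict-origin-when-cross-origin":
        if downgrade:
            return None
        return full_referer(source) if same_origin else origin_of(source)
    if policy == "unsafe-url":
        return full_referer(source)
    raise ValueError(f"unknown Referrer-Policy: {policy}")

def leak_report(source, destination):
    """Map every policy to what it would leak for one navigation."""
    policies = ["no-referrer", "no-referrer-when-downgrade", "origin",
                "origin-when-cross-origin", "same-origin", "strict-origin",
                "strict-origin-when-cross-origin", "unsafe-url"]
    return {p: referer_for(p, source, destination) for p in policies}
```

Run leak_report on a password-reset URL to see which policies would hand the token to a third party.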

Slide 22

Slide 22 text

Let’s recap

Slide 23

Slide 23 text

No content

Slide 24

Slide 24 text

The most secure approach for security headers
X-Frame-Options: deny
Referrer-Policy: no-referrer
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains

Slide 25

Slide 25 text

The most secure approach for security headers
X-Frame-Options: deny
Referrer-Policy: strict-origin-when-cross-origin
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains

Slide 26

Slide 26 text

Content-Security-Policy

Slide 27

Slide 27 text


Slide 28

Slide 28 text

Alexa top 1 million security headers analysis

Slide 29

Slide 29 text

Why is it so hard to implement?
● More than 30 directives
● More than half of them are experimental
● Some of the directives interfere with each other
● Sometimes you need to rebuild your entire app to use CSP properly
● An improper CSP implementation could help attackers break into your app

Slide 30

Slide 30 text

So you have decided to implement CSP
Do not start with Content-Security-Policy
Start with Content-Security-Policy-Report-Only

Slide 31

Slide 31 text

Strictest policy:
Content-Security-Policy-Report-Only: default-src 'none'; form-action 'none'; frame-ancestors 'none';

Slide 32

Slide 32 text

Possible errors that will appear:
[Report Only] Refused to load the stylesheet 'https://example.com/style.css' because it violates the following Content Security Policy directive: "default-src 'none'". Note that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.
To be fixed with:
Content-Security-Policy-Report-Only: default-src 'none'; form-action 'none'; frame-ancestors 'none'; style-src 'self'; img-src 'self'; script-src 'self';

Slide 33

Slide 33 text

Possible errors that will appear:
[Report Only] Refused to load the stylesheet 'https://example.com/style.css' because it violates the following Content Security Policy directive: "default-src 'none'". Note that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.
To be fixed with:
Content-Security-Policy-Report-Only: default-src 'self'; form-action 'none'; frame-ancestors 'none';

Slide 34

Slide 34 text

Inline scripts
Content-Security-Policy-Report-Only: default-src 'none'; form-action 'none'; frame-ancestors 'none'; style-src 'self'; script-src 'unsafe-inline'; img-src 'self';
Content-Security-Policy-Report-Only: default-src 'none'; form-action 'none'; frame-ancestors 'none'; style-src 'self'; script-src 'self' cdnjs.com 'sha256-c2u0cNUv1GcIb92+ybgJ4yMPatX/k+xxHHbugKVGUU8='; img-src 'self';
Content-Security-Policy-Report-Only: default-src 'none'; form-action 'none'; frame-ancestors 'none'; style-src 'self'; script-src 'nonce-2726c7f26c'; img-src 'self';

Slide 35

Slide 35 text

Where to locate CSP errors
Content-Security-Policy-Report-Only: default-src 'none'; form-action 'none'; frame-ancestors 'none'; report-uri /csp-violation-report-endpoint/
Content-Security-Policy-Report-Only: default-src 'none'; form-action 'none'; frame-ancestors 'none'; report-uri https://provider.report-uri.com/r/d/csp/reportOnly
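The Report-Only rollout on the slides above (strict policy, read the violations, extend the policy) as an added example that is not part of the original deck: it parses the JSON bodies a browser POSTs to report-uri, proposes the narrowest source for each violation, and refuses to answer inline-script violations with 'unsafe-inline'. The report shape and the sample reports are assumptions constructed for this example.

```python
"""Triage Content-Security-Policy-Report-Only violation reports into the
directive to add. Added example, not from the original deck; assumes the
report-uri JSON shape {"csp-report": {...}} and uses constructed reports."""
import json
from urllib.parse import urlsplit

def parse_policy(policy):
    """Turn a policy string into {directive: [sources]}."""
    out = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0]] = tokens[1:]
    return out

def serialize_policy(directives):
    return "; ".join(f"{n} {' '.join(v)}".rstrip() for n, v in directives.items()) + ";"

def suggest_source(report):
    """Narrowest source expression that would allow the blocked load."""
    r = report["csp-report"]
    directive = (r.get("effective-directive") or r["violated-directive"]).split()[0]
    if r["blocked-uri"] == "inline":
        return directive, None   # never answer with 'unsafe-inline'; use a nonce or hash
    doc, b = urlsplit(r["document-uri"]), urlsplit(r["blocked-uri"])
    if (b.scheme, b.netloc) == (doc.scheme, doc.netloc):
        return directive, "'self'"
    return directive, b.netloc   # host-source for a third-party origin

def triage(policy, report_bodies):
    """Return (policy extended per report, directives needing a code change)."""
    directives = parse_policy(policy)
    manual = []
    for body in report_bodies:
        directive, source = suggest_source(json.loads(body))
        if source is None:
            if directive not in manual:
                manual.append(directive)
        elif source not in directives.setdefault(directive, []):
            directives[directive].append(source)
    return serialize_policy(directives), manual

# Constructed sample reports, shaped like what a browser POSTs to report-uri
STRICT = "default-src 'none'; form-action 'none'; frame-ancestors 'none';"
REPORTS = [
    '{"csp-report": {"document-uri": "https://example.com/", "effective-directive": "style-src", "violated-directive": "default-src", "blocked-uri": "https://example.com/style.css"}}',
    '{"csp-report": {"document-uri": "https://example.com/", "effective-directive": "script-src", "violated-directive": "default-src", "blocked-uri": "https://cdnjs.com/lib.js"}}',
    '{"csp-report": {"document-uri": "https://example.com/", "effective-directive": "script-src", "violated-directive": "default-src", "blocked-uri": "inline"}}',
]
```

Directives returned in the second element need a code change (moving the script to a file, or a nonce or hash as on the inline scripts slide) rather than a policy loosening.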

Slide 36

Slide 36 text

From Content-Security-Policy-Report-Only to Content-Security-Policy

Slide 37

Slide 37 text

Having a CSP with a few unsafe rules is still better than not having a CSP at all.

Slide 38

Slide 38 text

The most secure approach for CSP
default-src 'self'; object-src 'none'; child-src 'self'; frame-ancestors 'none'; upgrade-insecure-requests;
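An added example, not part of the original deck, that audits one response's headers against the recap slides (X-Frame-Options, Referrer-Policy, X-Content-Type-Options, HSTS) and the CSP slide above, the way a local check before running securityheaders.com would. The GOOD and WEAK header sets are constructed samples.

```python
"""Audit one HTTP response against the recommended header values on the
recap slides and the CSP slide. Added example, not part of the original
deck; GOOD and WEAK below are constructed sample header sets."""

MIN_HSTS_AGE = 31536000  # one year, as recommended on the slides

def _csp(value):
    """Split a policy string into {directive: [sources]}."""
    return {p.split()[0]: p.split()[1:] for p in value.split(";") if p.strip()}

def audit_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    hsts = {d.strip().split("=")[0].lower(): d.strip().split("=")[-1]
            for d in h.get("strict-transport-security", "").split(";") if d.strip()}
    age = hsts.get("max-age", "")
    if not age.isdigit() or int(age) < MIN_HSTS_AGE:
        findings.append("HSTS: missing, or max-age below 31536000")
    elif "includesubdomains" not in hsts:
        findings.append("HSTS: add includeSubDomains")
    if h.get("x-frame-options", "").upper() != "DENY":
        findings.append("X-Frame-Options: use DENY (SAMEORIGIN/ALLOW-FROM protect less)")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: set nosniff on every response")
    if h.get("referrer-policy", "").lower() not in ("no-referrer", "strict-origin-when-cross-origin"):
        findings.append("Referrer-Policy: use no-referrer or strict-origin-when-cross-origin")
    if "content-security-policy" not in h:
        state = "still Report-Only" if "content-security-policy-report-only" in h else "missing"
        findings.append(f"CSP: {state}")
    else:
        csp = _csp(h["content-security-policy"])
        if csp.get("object-src") != ["'none'"]:
            findings.append("CSP: set object-src 'none'")
        if csp.get("frame-ancestors") != ["'none'"]:
            findings.append("CSP: set frame-ancestors 'none'")
        if "'unsafe-inline'" in csp.get("script-src", csp.get("default-src", [])):
            findings.append("CSP: scripts allow 'unsafe-inline'; use nonces or hashes instead")
    return findings

# Constructed samples: a response that follows the slides, and a weak one
GOOD = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff",
        "Referrer-Policy": "strict-origin-when-cross-origin",
        "Content-Security-Policy": "default-src 'self'; object-src 'none'; child-src 'self'; "
                                   "frame-ancestors 'none'; upgrade-insecure-requests;"}
WEAK = {"Strict-Transport-Security": "max-age=300", "X-Frame-Options": "SAMEORIGIN",
        "Referrer-Policy": "unsafe-url", "Content-Security-Policy-Report-Only": "default-src 'none';"}
```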

Slide 39

Slide 39 text

Check the current state of your app https://securityheaders.com/

Slide 40

Slide 40 text

Validate your CSP according to the best practice https://csp-evaluator.withgoogle.com/

Slide 41

Slide 41 text

Q&A