Matt Raible | @mraible
November 17, 2020
Web App Security made Simple
Photo by Billy Williams on https://unsplash.com/photos/8wz1Q4Q_XAg
Who is Matt Raible?
Father, Husband, Skier, Mountain Biker, Whitewater Rafter, Bus Lover
Web Developer and Java Champion
Okta Developer Advocate
Blogger on raibledesigns.com and developer.okta.com/blog
developer.okta.com
Today’s Agenda
What is web app security?
7 simple ways to better app security
3 quick demos
Spring Boot
Angular
JHipster
What is web app security?
7 Simple Ways to Better Web App Security
1. Use HTTPS
2. Scan your dependencies
3. Use the latest releases
4. Secure your secrets
5. Use a Content Security Policy
6. Use OAuth 2.0 and OIDC
7. Prevent Cross-site request forgery (CSRF)
1. Use HTTPS Everywhere!
Let’s Encrypt offers free HTTPS certificates
certbot can be used to generate certificates
mkcert can be used to create localhost certificates
Spring Boot Starter ACME for automating certificates
What is HTTPS?
https://howhttps.works
HTTPS is Easy!
Force HTTPS in Spring Boot

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Redirect every plain-HTTP request to its HTTPS equivalent
        http.requiresChannel().anyRequest().requiresSecure();
    }
}
Force HTTPS in the Cloud

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Behind a TLS-terminating load balancer the app itself sees plain HTTP, so
        // require HTTPS only for requests that carry the proxy's X-Forwarded-Proto header.
        // Trust this header only when a proxy you control sets it and strips any copy
        // supplied by the client; otherwise the check can be bypassed by omitting it.
        http.requiresChannel()
            .requestMatchers(r -> r.getHeader("X-Forwarded-Proto") != null)
            .requiresSecure();
    }
}
“Why do we need HTTPS inside our network?”
2. Scan Your Dependencies
GitHub + Dependabot
Full-featured Dependency Scanners
3. Use the Latest Releases
How well do you know your dependencies?
(Diagram: dependency health, judged by regular releases, regular commits, and the indirect dependencies each dependency pulls in)
Check for Updates with npm
npm i -g npm-check-updates
ncu
Check for Updates with Maven
mvn versions:display-dependency-updates
https://www.mojohaus.org/versions-maven-plugin
Check for Updates with Gradle
plugins {
    id("se.patrikerdes.use-latest-versions") version "0.2.13"
    id("com.github.ben-manes.versions") version "0.28.0"
    // ...
}
$ ./gradlew useLatestVersions
https://github.com/patrikerdes/gradle-use-latest-versions-plugin
4. Secure Your Secrets
HashiCorp Vault and Azure Key Vault
Secure Secrets With Spring Cloud Config and Vault
https://developer.okta.com/blog/2020/05/04/spring-vault
5. Use a Content Security Policy

Add a Content Security Policy with Spring Security

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Scripts only from this origin and one trusted host, plugin content only from
        // one host, and browsers POST violation reports to the report-uri path
        http.headers()
            .contentSecurityPolicy("script-src 'self' " +
                "https://trustedscripts.example.com; " +
                "object-src https://trustedplugins.example.com; " +
                "report-uri /csp-report-endpoint/");
    }
}
Test Your Security Headers
https://securityheaders.com
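Before pointing securityheaders.com at a deployment, it helps to check a policy locally. The following is an added example, not code from the slides: it parses a Content-Security-Policy header, flags the settings a reviewer would question, and summarises the JSON report a browser POSTs to a report-uri endpoint. It runs offline on Node.js; the two policies (the weak one and the one from the Spring Security slide) and the violation report are constructed samples, and the hostnames are the example hosts from the slide.

```javascript
// Added example, not from the slides: lint a CSP header and read a violation report.
// Runs offline on Node.js; all policies and the report below are constructed samples.

// "directive src src; directive src" -> Map of directive -> [sources]
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [directive, ...sources] = tokens;
    policy.set(directive.toLowerCase(), sources);
  }
  return policy;
}

// Findings about a policy as short strings; an empty list means nothing obvious is wrong
function lintCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  for (const directive of ['default-src', 'script-src']) {
    const sources = policy.get(directive) || [];
    if (sources.includes("'unsafe-inline'")) findings.push(`${directive} allows 'unsafe-inline', so injected inline scripts run`);
    if (sources.includes("'unsafe-eval'")) findings.push(`${directive} allows 'unsafe-eval'`);
    if (sources.includes('*')) findings.push(`${directive} allows any host (*)`);
  }
  // Directives you do not list fall back to default-src; with no default-src they are unrestricted
  if (!policy.has('default-src')) findings.push('no default-src: unlisted directives (img-src, connect-src, frame-src, ...) are unrestricted');
  if (!policy.has('object-src') && !policy.has('default-src')) findings.push('no object-src: plugin content can load from anywhere');
  if (!policy.has('report-uri') && !policy.has('report-to')) findings.push('no report-uri or report-to: violations in production are invisible to you');
  return findings;
}

// Browsers POST a JSON body of the form {"csp-report": {...}} to the report-uri path
function summarizeReport(body) {
  const report = JSON.parse(body)['csp-report'];
  if (!report) throw new Error('not a CSP violation report');
  return {
    directive: report['effective-directive'] || report['violated-directive'],
    blockedUri: report['blocked-uri'],
    documentUri: report['document-uri'],
  };
}

// Constructed samples: a weak policy, the policy from the slide, and one violation report
const WEAK_POLICY = "default-src *; script-src 'self' 'unsafe-inline'";
const SLIDE_POLICY = "script-src 'self' https://trustedscripts.example.com; object-src https://trustedplugins.example.com; report-uri /csp-report-endpoint/";
const SAMPLE_REPORT = JSON.stringify({
  'csp-report': {
    'document-uri': 'https://app.example.com/orders',
    'violated-directive': 'script-src',
    'effective-directive': 'script-src',
    'blocked-uri': 'https://evil.example/x.js',
    'original-policy': SLIDE_POLICY,
  },
});
```

Run against the slide's policy, the linter raises one point: there is no default-src, so image, XHR and frame sources are still unrestricted. Run against the weak policy it raises three, including 'unsafe-inline' in script-src, which is the setting that makes a CSP useless against reflected XSS. The report parser is what a /csp-report-endpoint/ handler needs before it can alert on blocked-uri values you did not expect; report-uri is deprecated in CSP Level 3 in favour of report-to, but browsers still honour it.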
6. Use OAuth 2.0 and OpenID Connect
(Diagram: OpenID Connect layered on OAuth 2.0, which is layered on HTTP)
OpenID Connect is for authentication
OAuth 2.0 is for authorization
Authorization Code Flow Example
https://developer.okta.com/blog/2019/08/28/reactive-microservices-spring-cloud-gateway
Does OAuth 2.0 feel like a maze of specs?
https://aaronparecki.com/2019/12/12/21/its-time-for-oauth-2-dot-1
OAuth 2.1 to the rescue!
https://oauth.net/2.1
PKCE is required for all clients using the authorization code flow
Redirect URIs must be compared using exact string matching
The Implicit grant is omitted from this specification
The Resource Owner Password Credentials grant is omitted from this specification
Bearer token usage omits the use of bearer tokens in the query string of URIs
Refresh tokens for public clients must either be sender-constrained or one-time use
7. Prevent CSRF Attacks
Configure CSRF Protection with Spring Security

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Keep the CSRF token in an XSRF-TOKEN cookie that JavaScript can read
        // (withHttpOnlyFalse) so Angular can send it back in the X-XSRF-TOKEN header
        http
            .csrf()
            .csrfTokenRepository(
                CookieCsrfTokenRepository.withHttpOnlyFalse());
    }
}
SameSite Cookies
Demos!
Recap: 7 Simple Ways to Better Web App Security
1. Use HTTPS
2. Scan your dependencies
3. Use the latest releases
4. Secure your secrets
5. Use a Content Security Policy
6. Use OAuth 2.0 and OIDC
7. Prevent Cross-site request forgery (CSRF)
developer.okta.com/blog
@oktadev
Curious about Microservice Security?
https://developer.okta.com/blog/2020/03/23/microservice-security-patterns