Matt Raible | @mraible November 17, 2020 Web App Security made Simple Photo by Billy Williams on https://unsplash.com/photos/8wz1Q4Q_XAg

@mraible Who is Matt Raible? Father, Husband, Skier, Mountain Biker, Whitewater Rafter Bus Lover Web Developer and Java Champion Okta Developer Advocate Blogger on raibledesigns.com and developer.okta.com/blog @mraible

No content

No content

No content

developer.okta.com

@mraible Today’s Agenda What is web app security? 7 simple ways to better app security 3 quick demos Spring Boot Angular JHipster

What is web app security?

1. Use HTTPS 2. Scan your dependencies 3. Use the latest releases 4. Secure your secrets 7 Simple Ways to Better Web App Security 5. Use a Content Security Policy 6. Use OAuth 2.0 and OIDC 7. Prevent Cross-site request forgery (CSRF)

@mraible 1. Use HTTPS Everywhere! Let’s Encrypt offers free HTTPS certificates certbot can be used to generate certificates mkcert can be used to create localhost certificates Spring Boot Starter ACME for automating certificates

What is HTTPS? https://howhttps.works

HTTPS is Easy!

Force HTTPS in Spring Boot @Configuration public class SecurityConfiguration extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.requiresChannel().anyRequest().requiresSecure(); } }

Force HTTPS in the Cloud @Configuration public class SecurityConfiguration extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.requiresChannel() .requestMatchers(r "-> r.getHeader("X-Forwarded-Proto") "!= null) .requiresSecure(); } }

@mraible “Why do we need HTTPS inside our network?”

@mraible 2. Scan Your Dependencies

@mraible GitHub + Dependabot

@mraible Full-featured Dependency Scanners

3. Use the Latest Releases

How well do you know your dependencies? Dependency Health Indirect Dependencies Regular Releases Regular commits Dependencies

Check for Updates with npm npm i -g npm-check-updates ncu

Check for Updates with Maven mvn versions:display-dependency-updates https://www.mojohaus.org/versions-maven-plugin

Check for Updates with Gradle plugins { id("se.patrikerdes.use-latest-versions") version "0.2.13" id("com.github.ben-manes.versions") version "0.28.0" ""... } $ ./gradlew useLatestVersions https://github.com/patrikerdes/gradle-use-latest-versions-plugin

@mraible 4. Secure Your Secrets

HashiCorp Vault and Azure Key Vault

https://developer.okta.com/blog/2020/05/04/spring-vault Secure Secrets With Spring Cloud Config and Vault

5. Use a Content Security Policy

Default Spring Security Headers Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000; includeSubDomains X-Frame-Options: DENY X-XSS-Protection: 1; mode=block

Add a Content Security Policy with Spring Security @EnableWebSecurity public class SecurityConfiguration extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.headers() .contentSecurityPolicy("script-src 'self' " + "https:"//trustedscripts.example.com; " + "object-src https:"//trustedplugins.example.com; " + "report-uri /csp-report-endpoint/"); } }

Test Your Security Headers https://securityheaders.com

@mraible 6. Use OAuth 2.0 and OpenID Connect OpenID Connect OAuth 2.0 HTTP OpenID Connect is for authentication OAuth 2.0 is for authorization

@mraible Authorization Code Flow Example https://developer.okta.com/blog/2019/08/28/reactive-microservices-spring-cloud-gateway

@mraible Does OAuth 2.0 feel like a maze of specs? https://aaronparecki.com/2019/12/12/21/its-time-for-oauth-2-dot-1

@mraible OAuth 2.1 to the rescue! https://oauth.net/2.1 PKCE is required for all clients using the authorization code flow Redirect URIs must be compared using exact string matching The Implicit grant is omitted from this specification The Resource Owner Password Credentials grant is omitted from this specification Bearer token usage omits the use of bearer tokens in the query string of URIs Refresh tokens for public clients must either be sender-constrained or one-time use

7. Prevent CSRF Attacks

Configure CSRF Protection with Spring Security @EnableWebSecurity public class SecurityConfiguration extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http .csrf() .csrfTokenRepository( CookieCsrfTokenRepository.withHttpOnlyFalse()); } }

SameSite Cookies

@mraible Demos!

1. Use HTTPS 2. Scan your dependencies 3. Use the latest releases 4. Secure your secrets Recap: 7 Simple Ways to Better Web App Security 5. Use a Content Security Policy 6. Use OAuth 2.0 and OIDC 7. Prevent Cross-site request forgery (CSRF)

developer.okta.com/blog @oktadev

Curious about Microservice Security? https://developer.okta.com/blog/2020/03/23/microservice-security-patterns

Thanks! Keep in Touch raibledesigns.com @mraible Presentations speakerdeck.com/mraible Code github.com/oktadeveloper developer.okta.com

developer.okta.com