HTTP Security
A matter of trust
rj zaworski, versal inc. · @rjzaworski · github.com/rjz
Browsers
★ Do what servers tell them to
★ Respect standards (mostly)
★ Render as much of the server response as they can
Trust is a Big Deal
★ Servers can be compromised, impersonated, or simply misconfigured
★ How can we tell if content is trustworthy?
The short answer is, “we can’t”.
HTTP can help
$ curl https://twitter.com -I
status: 200 OK
# ...
strict-transport-security: max-age=631138519
content-security-policy-report-only: default-src https:; #...
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
Transport Security
★ Ensure the browser never visits the plain-HTTP version of a website
★ Force transport-layer security (TLS)
Transport Security
Why bother?
★ eavesdropping
★ man in the middle (data tampering, host spoofing, etc.)
Transport Security
★ Protects from common wireless attacks (spoofing, sniffing, e.g. SSLStrip + Firesheep)
★ Protects from mixed-content errors (CSS, SWF)
Content Security Policies
★ Helps detect/prevent XSS, mixed-content, and other classes of attack
★ Whitelist what is or isn't allowed on a page
★ Describe access to specific types of content in terms of directives
Content Security Policies
★ Implemented via an HTTP header
★ or a <meta> tag
Content Security Policies
Some directives:
★ default-src - define the base policy (fallback for most other fetch directives)
★ script-src - define valid origins for <script> tags
★ connect-src - XHRs, WebSocket and EventSource
★ form-action - form actions
Content Security Policies
★ Policies may be layered
★ Policies are restrictive
A request must pass all announced policies to be served!
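As an added example (not part of the original slides), a small Python evaluator that applies the two rules above: a directive that is absent falls back to default-src, and when several policies are announced a request must pass every one of them. The page origin, policies and URLs are constructed for illustration; matching is simplified (ports and paths are ignored).

```python
"""Toy CSP evaluator for layered policies (added example, constructed input)."""
from urllib.parse import urlparse

# Fetch directives that inherit default-src when not set (subset of the spec).
FALLBACK_TO_DEFAULT = {"script-src", "style-src", "img-src", "connect-src",
                       "font-src", "media-src", "frame-src", "object-src"}


def parse_policy(header):
    """'default-src https:; script-src 'self' cdn.example' -> {directive: [sources]}"""
    policy = {}
    for chunk in header.split(";"):
        parts = chunk.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def source_matches(source, url, page_origin):
    """Does one CSP source expression permit fetching `url`? (simplified matching)"""
    u = urlparse(url)
    if source == "'none'":
        return False
    if source == "'self'":                      # same scheme + host as the page
        return f"{u.scheme}://{u.netloc}" == page_origin
    if source.startswith("'"):                  # 'unsafe-inline', nonces, hashes
        return False                            # are not host matches
    src = source.lower()
    if src == "*":
        return u.scheme in ("http", "https")
    if src.endswith(":"):                       # scheme-source, e.g. "https:"
        return u.scheme == src[:-1]
    scheme, sep, rest = src.partition("://")    # host-source, optional scheme
    if not sep:
        scheme, rest = "", src
    if scheme and u.scheme != scheme:
        return False
    host = rest.split("/")[0].split(":")[0]     # drop path and port (simplified)
    if host.startswith("*."):                   # *.example matches cdn.example
        return (u.hostname or "").endswith(host[1:])
    return u.hostname == host


def allowed_by_policy(policy, directive, url, page_origin):
    sources = policy.get(directive)
    if sources is None and directive in FALLBACK_TO_DEFAULT:
        sources = policy.get("default-src")     # fall back to the base policy
    if sources is None:
        return True                             # this policy does not govern it
    return any(source_matches(s, url, page_origin) for s in sources)


def is_allowed(headers, directive, url, page_origin):
    """Layered policies: the request must satisfy every announced header."""
    return all(allowed_by_policy(parse_policy(h), directive, url, page_origin)
               for h in headers)


PAGE = "https://app.example"                    # constructed page origin
POLICIES = ["default-src https:; script-src 'self' cdn.example",
            "default-src 'self' *.example"]     # two layered headers
```

Note that a script from https://cdn.example passes both headers, while a connection to https://api.other passes the first (https:) but is refused by the second, so it is blocked.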