Slide 1

Slide 1 text

Matt Raible | @mraible December 7, 2021 Web App Security for Java Developers Photo by Michiel Leunens on https://unsplash.com/photos/fBB7FeS4Xas

Slide 2

Slide 2 text

@mraible Who is Matt Raible? Father, Husband, Skier, Mountain Biker, Whitewater Rafter Bus Lover Web Developer and Java Champion Okta Developer Advocate Blogger on raibledesigns.com and developer.okta.com/blog @mraible

Slide 6

Slide 6 text

developer.okta.com

Slide 7

Slide 7 text

@mraible Today’s Agenda

What is web app security?
7 simple ways to better app security
3 quick demos
  🍃 Spring Boot
  🅰 Angular
  🤓 JHipster

Slide 8

Slide 8 text

What is web app security?

Slide 9

Slide 9 text

7 Simple Ways to Better Web App Security

1. Use HTTPS
2. Scan your dependencies
3. Use the latest releases
4. Secure your secrets
5. Use a Content Security Policy
6. Use OAuth 2.0 and OIDC
7. Prevent Cross-site request forgery (CSRF)

Slide 10

Slide 10 text

@mraible 1. Use HTTPS Everywhere!

Let’s Encrypt offers free HTTPS certificates
certbot can be used to generate certificates
mkcert can be used to create localhost certificates
Spring Boot Starter ACME for automating certificates

Slide 11

Slide 11 text

What is HTTPS? https://howhttps.works

Slide 12

Slide 12 text

How HTTPS Works https://howhttps.works

Slide 13

Slide 13 text

HTTPS for Static Sites too! https://www.troyhunt.com/heres-why-your-static-website-needs-https

Slide 14

Slide 14 text

HTTPS is Easy!

Slide 15

Slide 15 text

Force HTTPS in Spring Boot

@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Every request must arrive over HTTPS; plain HTTP is redirected
        http.requiresChannel().anyRequest().requiresSecure();
    }
}

Slide 16

Slide 16 text

Force HTTPS in the Cloud

@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Behind a TLS-terminating load balancer the app sees plain HTTP;
        // the X-Forwarded-Proto header tells it how the client really connected
        http.requiresChannel()
            .requestMatchers(r -> r.getHeader("X-Forwarded-Proto") != null)
            .requiresSecure();
    }
}

Slide 17

Slide 17 text

Force HTTPS in Spring WebFlux

import static org.springframework.security.config.Customizer.withDefaults;

@EnableWebFluxSecurity
public class SecurityConfiguration {

    @Bean
    SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http.redirectToHttps(withDefaults());
        return http.build();
    }
}

Slide 18

Slide 18 text

Force HTTPS in Spring WebFlux + Cloud

@EnableWebFluxSecurity
public class SecurityConfiguration {

    @Bean
    SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        // Only redirect when the request came through the proxy (header present)
        http.redirectToHttps(redirect -> redirect
            .httpsRedirectWhen(e -> e.getRequest().getHeaders().containsKey("X-Forwarded-Proto"))
        );
        return http.build();
    }
}
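The four configurations above all make the same decision: is this request already on HTTPS, and if not, where should it be redirected? In Spring Boot that decision is usually delegated to the framework (the server.forward-headers-strategy property makes request.isSecure() honour the proxy's header). The plain-Java helper below is an added example, not code from the talk or from Spring Security; it spells the decision out and adds the check a practitioner wants when X-Forwarded-Proto is involved: the header is only meaningful when it was set by your own TLS-terminating proxy, so it is honoured only when the immediate peer is a trusted proxy address. The proxy address, host and paths are constructed sample values.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Optional;
import java.util.Set;

/**
 * Illustrative HTTPS redirect decision (not from the talk, not Spring's code).
 * Mirrors what requiresChannel()/redirectToHttps() do, plus the rule that
 * X-Forwarded-Proto is trusted only when sent by a known proxy.
 */
public final class HttpsRedirectPolicy {

    /** Addresses of load balancers allowed to assert X-Forwarded-Proto (constructed sample values). */
    private final Set<String> trustedProxies;

    public HttpsRedirectPolicy(Set<String> trustedProxies) {
        this.trustedProxies = Set.copyOf(trustedProxies);
    }

    /**
     * Effective scheme of a request: the transport scheme the app saw, unless a trusted
     * proxy says the client connected differently. Headers from untrusted peers are ignored.
     */
    public String effectiveScheme(String transportScheme, String remoteAddr, String forwardedProto) {
        if (forwardedProto != null && trustedProxies.contains(remoteAddr)) {
            // Some proxies append to an existing list; the first value is the client-facing scheme
            return forwardedProto.split(",")[0].trim().toLowerCase(Locale.ROOT);
        }
        return transportScheme;
    }

    /**
     * Location to redirect to, or empty when the request is already secure.
     * Path and query are preserved, as Spring's redirect does.
     */
    public Optional<String> redirectLocation(String transportScheme, String remoteAddr,
                                             String forwardedProto, String host, String pathAndQuery) {
        if ("https".equals(effectiveScheme(transportScheme, remoteAddr, forwardedProto))) {
            return Optional.empty();
        }
        try {
            URI target = new URI("https", host, null, null).resolve(pathAndQuery);
            return Optional.of(target.toString());
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("bad host: " + host, e);
        }
    }

    public static void main(String[] args) {
        // Constructed proxy address: the only peer whose X-Forwarded-Proto is believed
        HttpsRedirectPolicy policy = new HttpsRedirectPolicy(Set.of("10.0.0.5"));

        // TLS terminated at the load balancer, header arrives from the proxy: no redirect needed
        System.out.println(policy.redirectLocation("http", "10.0.0.5", "https", "app.example.com", "/account?tab=1"));
        // Same header, but sent directly by an arbitrary peer: header ignored, redirect issued
        System.out.println(policy.redirectLocation("http", "203.0.113.9", "https", "app.example.com", "/account?tab=1"));
        // Plain HTTP with no header at all: redirect issued
        System.out.println(policy.redirectLocation("http", "203.0.113.9", null, "app.example.com", "/account?tab=1"));
    }
}
```

The second call is the case the slide's `containsKey("X-Forwarded-Proto")` check does not distinguish on its own: any client can send the header, so the app must either sit behind a proxy that overwrites it or restrict which peers it believes.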

Slide 19

Slide 19 text

@mraible “Why do we need HTTPS inside our network?”

Slide 20

Slide 20 text

@mraible 2. Scan Your Dependencies

Slide 21

Slide 21 text

@mraible GitHub + Dependabot

Slide 22

Slide 22 text

@mraible Full-featured Dependency Scanners

Slide 23

Slide 23 text

3. Use the Latest Releases

Slide 24

Slide 24 text

How well do you know your dependencies?

Dependency Health
  Regular Releases
  Regular commits
Dependencies
  Indirect Dependencies

Slide 25

Slide 25 text

Check for Updates with npm

npm i -g npm-check-updates
ncu

Slide 26

Slide 26 text

Check for Updates with Maven

mvn versions:display-dependency-updates

https://www.mojohaus.org/versions-maven-plugin

Slide 27

Slide 27 text

Check for Updates with Gradle

plugins {
    id("se.patrikerdes.use-latest-versions") version "0.2.17"
    id("com.github.ben-manes.versions") version "0.39.0"
    ...
}

$ ./gradlew useLatestVersions

https://github.com/patrikerdes/gradle-use-latest-versions-plugin

Slide 28

Slide 28 text

@mraible 4. Secure Your Secrets

Slide 29

Slide 29 text

HashiCorp Vault and Azure Key Vault

Slide 30

Slide 30 text

https://developer.okta.com/blog/2020/05/04/spring-vault Secure Secrets With Spring Cloud Config and Vault

Slide 31

Slide 31 text

5. Use a Content Security Policy

Slide 32

Slide 32 text

Default Spring Security Headers

Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block

Slide 33

Slide 33 text

Add a Content Security Policy with Spring Security

@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Scripts only from this origin and one trusted host; plugins only from one host;
        // browsers post violation reports to the report-uri
        http.headers()
            .contentSecurityPolicy("script-src 'self' "
                + "https://trustedscripts.example.com; "
                + "object-src https://trustedplugins.example.com; "
                + "report-uri /csp-report-endpoint/");
    }
}

Slide 34

Slide 34 text

Test Your Security Headers https://securityheaders.com
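securityheaders.com inspects a live site; the same checks can be run offline against the headers your app emits in a test. The class below is an added example (not from the talk, not affiliated with securityheaders.com or Spring Security) that audits a header map for the defaults listed on the "Default Spring Security Headers" slide plus the Content Security Policy from the slide before this one. The CSP parser is minimal (directive name followed by sources, separated by semicolons) and the header values in main are constructed from those two slides.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;

/** Offline audit of security response headers (illustrative, not from the talk). */
public final class SecurityHeaderAudit {

    /** Parses a CSP value into directive -> source list, e.g. "script-src 'self' https://x". */
    static Map<String, List<String>> parseCsp(String csp) {
        Map<String, List<String>> directives = new LinkedHashMap<>();
        for (String part : csp.split(";")) {
            String[] tokens = part.trim().split("\\s+");
            if (tokens[0].isEmpty()) continue;          // trailing ";" leaves an empty part
            directives.put(tokens[0].toLowerCase(Locale.ROOT), List.of(tokens).subList(1, tokens.length));
        }
        return directives;
    }

    /** Returns human-readable findings; an empty list means every check passed. */
    public static List<String> audit(Map<String, String> headers) {
        // Header names are case-insensitive, so normalise before lookups
        Map<String, String> h = new LinkedHashMap<>();
        headers.forEach((k, v) -> h.put(k.toLowerCase(Locale.ROOT), v));
        List<String> findings = new ArrayList<>();

        String hsts = h.get("strict-transport-security");
        if (hsts == null) {
            findings.add("Strict-Transport-Security missing");
        } else if (!hsts.toLowerCase(Locale.ROOT).contains("max-age=")) {
            findings.add("Strict-Transport-Security has no max-age");
        }

        if (!"nosniff".equalsIgnoreCase(h.getOrDefault("x-content-type-options", ""))) {
            findings.add("X-Content-Type-Options should be nosniff");
        }

        String xfo = h.getOrDefault("x-frame-options", "").toUpperCase(Locale.ROOT);
        boolean framingControlled = xfo.equals("DENY") || xfo.equals("SAMEORIGIN");

        String csp = h.get("content-security-policy");
        if (csp == null) {
            findings.add("Content-Security-Policy missing");
        } else {
            Map<String, List<String>> d = parseCsp(csp);
            // script-src falls back to default-src when absent
            List<String> scriptSrc = d.getOrDefault("script-src", d.getOrDefault("default-src", List.of()));
            if (scriptSrc.isEmpty()) {
                findings.add("CSP has neither script-src nor default-src");
            }
            if (scriptSrc.contains("'unsafe-inline'") || scriptSrc.contains("*")) {
                findings.add("CSP script-src allows inline or wildcard scripts");
            }
            if (!d.containsKey("object-src") && !d.containsKey("default-src")) {
                findings.add("CSP does not restrict object-src");
            }
            // frame-ancestors is the CSP replacement for X-Frame-Options
            framingControlled = framingControlled || d.containsKey("frame-ancestors");
        }
        if (!framingControlled) {
            findings.add("Neither X-Frame-Options nor CSP frame-ancestors restricts framing");
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample: the Spring Security defaults from the slide, which include no CSP
        Map<String, String> defaults = Map.of(
            "Cache-Control", "no-cache, no-store, max-age=0, must-revalidate",
            "Pragma", "no-cache",
            "Expires", "0",
            "X-Content-Type-Options", "nosniff",
            "Strict-Transport-Security", "max-age=31536000; includeSubDomains",
            "X-Frame-Options", "DENY",
            "X-XSS-Protection", "1; mode=block");
        System.out.println("defaults only: " + audit(defaults));

        // Same headers plus the policy from the contentSecurityPolicy(...) slide
        Map<String, String> withCsp = new LinkedHashMap<>(defaults);
        withCsp.put("Content-Security-Policy",
            "script-src 'self' https://trustedscripts.example.com; "
          + "object-src https://trustedplugins.example.com; report-uri /csp-report-endpoint/");
        System.out.println("with CSP: " + audit(withCsp));
    }
}
```

Running it against the slide's defaults reports only the missing policy; adding the slide's CSP clears the list. In a Spring Boot project the header map would come from a MockMvc or WebTestClient response, so the audit can sit in the regular test suite rather than depend on an external scanner.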

Slide 35

Slide 35 text

@mraible 6. Use OAuth 2.0 and OpenID Connect

(Stack diagram: OpenID Connect on top of OAuth 2.0 on top of HTTP)

OpenID Connect is for authentication.
OAuth 2.0 is for authorization.

Slide 36

Slide 36 text

@mraible Authorization Code Flow Example https://developer.okta.com/blog/2019/08/28/reactive-microservices-spring-cloud-gateway

Slide 37

Slide 37 text

@mraible Does OAuth 2.0 feel like a maze of specs? https://aaronparecki.com/2019/12/12/21/its-time-for-oauth-2-dot-1

Slide 38

Slide 38 text

@mraible OAuth 2.1 to the rescue! https://oauth.net/2.1

PKCE is required for all clients using the authorization code flow
Redirect URIs must be compared using exact string matching
The Implicit grant is omitted from this specification
The Resource Owner Password Credentials grant is omitted from this specification
Bearer token usage omits the use of bearer tokens in the query string of URIs
Refresh tokens for public clients must either be sender-constrained or one-time use
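Two of these rules are small enough to show in full. The class below is an added example, not from the talk or from any OAuth library: it generates a PKCE code_verifier and its S256 code_challenge the way a client does (RFC 7636), verifies the pair the way a token endpoint does with a constant-time comparison, and checks a redirect_uri against registered values by exact string equality as OAuth 2.1 requires. The registered redirect URI is a constructed sample.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Set;

/** Illustrative PKCE and redirect-URI checks for two OAuth 2.1 rules (not from the talk). */
public final class Oauth21Checks {

    private static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();
    private static final SecureRandom RNG = new SecureRandom();

    /** Client side: a high-entropy code_verifier (RFC 7636 requires 43..128 unreserved characters). */
    public static String newCodeVerifier() {
        byte[] bytes = new byte[32];           // 256 bits -> 43 base64url characters
        RNG.nextBytes(bytes);
        return B64URL.encodeToString(bytes);
    }

    /** Client side: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) for method S256. */
    public static String codeChallengeS256(String codeVerifier) {
        return B64URL.encodeToString(sha256(codeVerifier));
    }

    /**
     * Authorization server side, at the token endpoint: recompute the challenge from the
     * verifier sent with the authorization code and compare it to the challenge that was
     * stored with the /authorize request. MessageDigest.isEqual is constant-time.
     */
    public static boolean verifyPkce(String storedChallenge, String presentedVerifier) {
        if (presentedVerifier == null || presentedVerifier.length() < 43 || presentedVerifier.length() > 128) {
            return false;
        }
        byte[] expected = storedChallenge.getBytes(StandardCharsets.US_ASCII);
        byte[] actual = codeChallengeS256(presentedVerifier).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, actual);
    }

    /**
     * OAuth 2.1: the redirect_uri in the request must equal a registered URI by exact string
     * comparison. No prefix, wildcard or "same host" matching.
     */
    public static boolean redirectUriAllowed(Set<String> registered, String requested) {
        return requested != null && registered.contains(requested);
    }

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.US_ASCII));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    public static void main(String[] args) {
        // Client generates the pair; only the challenge travels in the /authorize request
        String verifier = newCodeVerifier();
        String challenge = codeChallengeS256(verifier);
        System.out.println("code_challenge=" + challenge + "&code_challenge_method=S256");

        // Token endpoint: the original verifier is accepted, any other value is not,
        // so an authorization code alone is useless without the verifier that created it
        System.out.println("original verifier accepted: " + verifyPkce(challenge, verifier));
        System.out.println("other verifier accepted:    " + verifyPkce(challenge, newCodeVerifier()));

        // Exact redirect URI matching (the registered value is a constructed sample)
        Set<String> registered = Set.of("https://app.example.com/callback");
        System.out.println(redirectUriAllowed(registered, "https://app.example.com/callback"));
        System.out.println(redirectUriAllowed(registered, "https://app.example.com/callback/extra"));
        System.out.println(redirectUriAllowed(registered, "http://app.example.com/callback"));
    }
}
```

Only the first of the three redirect checks passes: a trailing path segment or a different scheme is a different string, which is exactly the point of the exact-match rule.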

Slide 39

Slide 39 text

7. Prevent CSRF Attacks

Slide 40

Slide 40 text

Configure CSRF Protection with Spring Security

@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Cookie must be readable by JavaScript so the SPA can echo the token in a header
        http
            .csrf()
            .csrfTokenRepository(
                CookieCsrfTokenRepository.withHttpOnlyFalse());
    }
}

Slide 41

Slide 41 text

SameSite Cookies
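The CookieCsrfTokenRepository slide and this one fit together: the repository issues the token in an XSRF-TOKEN cookie that the front end copies into an X-XSRF-TOKEN header, and a SameSite attribute keeps the browser from attaching that cookie to cross-site requests in the first place. The class below is an added example, not the talk's code and not Spring Security's implementation; it models the double-submit check in plain Java with Spring Security's default cookie and header names and its default set of exempt methods, and shows what the Set-Cookie value looks like with SameSite=Lax.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Locale;
import java.util.Set;

/**
 * Illustrative double-submit-cookie CSRF check (not from the talk, not Spring's code).
 * The token is issued in a cookie the SPA can read (no HttpOnly) and must be echoed
 * back in a request header; the two must match on every state-changing request.
 */
public final class CsrfDoubleSubmit {

    static final String COOKIE_NAME = "XSRF-TOKEN";   // Spring Security's default cookie name
    static final String HEADER_NAME = "X-XSRF-TOKEN"; // Spring Security's default header name
    /** Methods that must not change state and are therefore exempt, matching Spring Security's default matcher. */
    static final Set<String> SAFE_METHODS = Set.of("GET", "HEAD", "OPTIONS", "TRACE");

    private static final SecureRandom RNG = new SecureRandom();

    public static String newToken() {
        byte[] bytes = new byte[32];
        RNG.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    /**
     * Set-Cookie value for the token. SameSite=Lax stops browsers sending the cookie with
     * cross-site POSTs; Secure keeps it off plain HTTP; HttpOnly is deliberately absent so
     * front-end code can read it and place it in the header.
     */
    public static String setCookieHeader(String token) {
        return COOKIE_NAME + "=" + token + "; Path=/; Secure; SameSite=Lax";
    }

    /**
     * Server-side decision for one request. Safe methods pass; state-changing methods
     * need a header value that exactly matches the cookie value.
     */
    public static boolean isAllowed(String method, String cookieToken, String headerToken) {
        if (SAFE_METHODS.contains(method.toUpperCase(Locale.ROOT))) {
            return true;
        }
        if (cookieToken == null || headerToken == null) {
            return false;
        }
        // Constant-time comparison so response timing reveals nothing about the token
        return MessageDigest.isEqual(cookieToken.getBytes(StandardCharsets.UTF_8),
                                     headerToken.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        String token = newToken();
        System.out.println("Set-Cookie: " + setCookieHeader(token));

        // Legitimate SPA request: JavaScript read the cookie and copied it into the header
        System.out.println("same-origin POST: " + isAllowed("POST", token, token));
        // Cross-site form post: a foreign page cannot read the cookie, so no header is present
        System.out.println("cross-site POST:  " + isAllowed("POST", token, null));
        // Header present but does not match the cookie
        System.out.println("mismatched token: " + isAllowed("DELETE", token, newToken()));
        // Reads are exempt
        System.out.println("GET:              " + isAllowed("GET", null, null));
    }
}
```

The cookie and the SameSite attribute are complementary defences: the double-submit check relies on the same-origin policy (a cross-site page cannot read the cookie), while SameSite keeps the session cookie itself from riding along on cross-site requests, so a state change cannot be triggered even if a token check were misconfigured on one endpoint.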

Slide 42

Slide 42 text

@mraible Demos! 🍃 🅰 🤓

Slide 43

Slide 43 text

Recap: 7 Simple Ways to Better Web App Security

1. Use HTTPS
2. Scan your dependencies
3. Use the latest releases
4. Secure your secrets
5. Use a Content Security Policy
6. Use OAuth 2.0 and OIDC
7. Prevent Cross-site request forgery (CSRF)

Slide 44

Slide 44 text

developer.okta.com/blog @oktadev

Slide 45

Slide 45 text

Curious About Microservice Security? https://developer.okta.com/blog/2020/03/23/microservice-security-patterns

Slide 46

Slide 46 text

Or Auth Security Patterns? https://bit.ly/mraible-springone-2021 https://youtu.be/CebTJ7Nq1Hs

Slide 47

Slide 47 text

Thanks! Keep in Touch

raibledesigns.com
@mraible
Presentations: speakerdeck.com/mraible
Code: github.com/oktadev
developer.okta.com

Slide 48

Slide 48 text

developer.okta.com