Slide 3

Increasing web app security with the power of HTTP headers

Slide 4

Agenda
● HTTP Strict Transport Security (HSTS)
● HTTP Public Key Pinning (HPKP)
● Content Security Policy (CSP)

Slide 5

HSTS
● The browser strictly upgrades every connection to the domain to HTTPS before the request leaves the client
● Defeats MITM attacks that intercept the initial plain-HTTP request, i.e. SSLStrip-style attacks
● Caveat: the policy is learned from a response that arrived over HTTPS, so the very first visit is still unprotected unless the domain is on the browsers' built-in preload list (hstspreload.org)

Slide 6

SSLStrip

Slide 7

HSTS

Slide 8

HSTS, nginx example:

    server {
        listen 443 ssl;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

        # This 'location' block inherits the STS header from the server block.
        # nginx header inheritance is all-or-nothing: a location that declares
        # any add_header of its own stops inheriting this one and must repeat it.
        location / {
            root /usr/share/nginx/html;
        }
    }

The always parameter makes nginx send the header on error responses (4xx/5xx) too, not only on 2xx/3xx. Send it only from the HTTPS server block: browsers ignore Strict-Transport-Security received over plain HTTP, so the port 80 server should simply redirect to HTTPS.

Slide 9

HSTS Directives
● max-age tells the user agent how long, in seconds, to cache the STS policy (31536000 = one year; max-age=0 makes the browser forget the policy)
● includeSubDomains tells the user agent to apply the policy to all subdomains as well; every subdomain, including internal ones, must then be reachable over HTTPS
● preload (non-standard, checked by hstspreload.org) signals that the domain may be added to the browsers' built-in HSTS list, which closes the first-visit gap
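The following is an added example, not code from the slides: a small JavaScript model of the browser-side HSTS cache, showing what max-age and includeSubDomains change, why a header received over plain HTTP is ignored, and why the first visit (the SSLStrip window from slide 5) is still plain HTTP. Host names and timestamps in it are constructed for the example; it uses only Node.js built-ins.

```javascript
// Added example: a minimal model of how a browser stores and applies
// Strict-Transport-Security (RFC 6797). Not browser code; hosts and
// times below are made up for the demonstration.

// Parse the header value into { maxAge, includeSubDomains }, or null if
// the value is invalid (max-age is required and must be a number).
function parseHsts(value) {
  let maxAge = null;
  let includeSubDomains = false;
  for (const raw of value.split(';')) {
    const token = raw.trim();
    if (!token) continue;
    const [name, val] = token.split('=').map((s) => s.trim());
    const lower = name.toLowerCase();
    if (lower === 'max-age') {
      if (!/^"?\d+"?$/.test(val || '')) return null;
      maxAge = parseInt(val.replace(/"/g, ''), 10);
    } else if (lower === 'includesubdomains') {
      includeSubDomains = true;
    }
    // Unknown directives (e.g. preload) are ignored, as the RFC requires.
  }
  if (maxAge === null) return null;
  return { maxAge, includeSubDomains };
}

// The "browser's" HSTS store: hostname -> { expires, includeSubDomains }.
class HstsStore {
  constructor() { this.hosts = new Map(); }

  // Called for every response. The header only counts if it arrived over
  // HTTPS; over plain HTTP anyone on the path could set or clear it.
  // Returns true when the store was updated.
  observeResponse(url, headers, now = Date.now()) {
    const u = new URL(url);
    const value = headers['strict-transport-security'];
    if (u.protocol !== 'https:' || !value) return false;
    const policy = parseHsts(value);
    if (!policy) return false;
    if (policy.maxAge === 0) {          // max-age=0: forget the host
      this.hosts.delete(u.hostname);
      return true;
    }
    this.hosts.set(u.hostname, {
      expires: now + policy.maxAge * 1000,
      includeSubDomains: policy.includeSubDomains,
    });
    return true;
  }

  // Decide whether a navigation to `url` must be upgraded to https://.
  // Returns the URL the browser would actually request.
  rewrite(url, now = Date.now()) {
    const u = new URL(url);
    if (u.protocol !== 'http:') return u.href;
    const labels = u.hostname.split('.');
    // Walk from the exact host up through its parent domains.
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      const entry = this.hosts.get(candidate);
      if (!entry) continue;
      if (entry.expires <= now) { this.hosts.delete(candidate); continue; }
      // The exact host always matches; a parent domain only with includeSubDomains.
      if (i === 0 || entry.includeSubDomains) {
        u.protocol = 'https:';
        return u.href;
      }
    }
    return u.href;   // no policy known yet: this is the SSLStrip window
  }
}

// Stand-alone demo.
const demoStore = new HstsStore();
console.log('before:', demoStore.rewrite('http://example.com/login'));
demoStore.observeResponse('https://example.com/',
  { 'strict-transport-security': 'max-age=31536000; includeSubDomains' });
console.log('after: ', demoStore.rewrite('http://www.example.com/login'));
```

Note that the store is keyed by hostname only, exactly as in a browser: once `example.com` is cached with includeSubDomains, `http://www.example.com/` is upgraded without the browser ever having seen `www`.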

Slide 10

chrome://net-internals/#hsts
Query a domain on this page to see the HSTS state Chrome has stored for it, or delete the entry while testing.

Slide 11

http://caniuse.com/#feat=stricttransportsecurity

Slide 12

HTTPS Everywhere plugin
● Redirects users to the HTTPS version of the site
● https://www.eff.org/https-everywhere
● Available for Chrome, Firefox, Opera

Slide 13

HPKP
● Certificate pinning is a security mechanism which allows HTTPS websites to resist impersonation by attackers using mis-issued or otherwise fraudulent certificates
● The HTTPS web server serves a list of public key hashes, and on subsequent connections clients expect that server to use one or more of those public keys in its certificate chain

Slide 14

HPKP
● Reduces the impact of MITM attacks by pinning the server's public keys (SHA-256 hashes of the SubjectPublicKeyInfo, not of the whole certificate)
● The pins are saved by the browser from the first HTTPS response; on later connections at least one pinned key must appear in the presented certificate chain
● In this way the browser detects a certificate for your domain issued by a CA you did not expect, even if that certificate is otherwise valid
● Caveat: a wrong or lost pin locks users out for the full max-age, so always pin a backup key you control and start with a short max-age

Slide 15

HPKP, nginx example (the nginx add_header directive takes the header name without a colon, and each hash is one unbroken base64 string):

    add_header Public-Key-Pins 'pin-sha256="vDGd5BIsPtpEDVrOzMypcp9CjSQ8QIiIQq6iRg59UOg="; pin-sha256="Mfyz5Zy4hGa1yrs93hMGGPo57r42fM+mttvEmHuXIdI="; max-age=60; includeSubDomains' always;

max-age=60 is a test value; raise it only once you have verified that the pins match your chain and that the second pin is a backup key.

Slide 16

HPKP
● Decide which certificates' public keys you will pin
● Create SHA-256 hashes for the public keys
● Set your site to send a header with the pins
● Visit your site multiple times to verify that you are not blocked
● Check chrome://net-internals/#hsts and query your domain to verify that the pins are stored
● Verify dynamic_pkp_observed and dynamic_spki_hashes

Slide 17

HPKP

Slide 19

HPKP
● PinPatrol Firefox plugin
● Shows the HSTS and HPKP entries Firefox has stored

Slide 21

CSP
● Helps to detect and mitigate content injection attacks such as XSS by telling the browser which sources of script, style, images, frames, etc. the page may load
● Mitigates XSS and code injection (script-src) and clickjacking (frame-ancestors); it is a defence-in-depth layer, not a replacement for output encoding

Slide 22

CSP
● Load everything from the same origin
● 'self' --> content of this type can only be loaded from the same origin (same scheme, host and port); inline <script> blocks and eval() are blocked too unless explicitly allowed
● add_header Content-Security-Policy "default-src 'self';";
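Below is an added example, not code from the slides: a small JavaScript policy checker in the spirit of the CSP evaluator linked later in the deck. It parses a Content-Security-Policy value, applies the default-src fallback rules (frame-ancestors and base-uri do not fall back), and flags the settings that make a policy ineffective against XSS, such as 'unsafe-inline' without a nonce or hash, 'unsafe-eval', scheme-only script sources, and a missing object-src or frame-ancestors. The policies in the demo are constructed; the function names are this example's own.

```javascript
// Added example (not from the slides): parse a CSP and report weak settings.
// Pure JavaScript, no dependencies. Sample policies below are constructed.

// Parse a Content-Security-Policy value into { directiveName: [sources...] }.
// Keyword sources such as 'self' keep their quotes; names are case-insensitive.
function parseCsp(value) {
  const policy = {};
  for (const raw of value.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in policy)) policy[name] = tokens.slice(1);   // duplicate directive: first wins
  }
  return policy;
}

// Directives that do NOT fall back to default-src when absent.
const NO_FALLBACK = new Set(['frame-ancestors', 'base-uri', 'form-action', 'sandbox', 'report-uri', 'report-to']);

// Sources that apply to `directive`, or null when nothing restricts it.
function effectiveSources(policy, directive) {
  if (directive in policy) return policy[directive];
  if (NO_FALLBACK.has(directive)) return null;
  return policy['default-src'] ?? null;
}

// Return a list of human-readable findings; an empty list means no weakness found.
function evaluateCsp(value) {
  const policy = parseCsp(value);
  const findings = [];

  const scripts = effectiveSources(policy, 'script-src');
  if (scripts === null) {
    findings.push('script-src: neither script-src nor default-src is set, scripts can load from anywhere');
  } else {
    // A nonce or hash makes browsers ignore 'unsafe-inline' (CSP level 2+),
    // so it is only a problem when no nonce/hash is present.
    const hasNonceOrHash = scripts.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
    if (scripts.includes("'unsafe-inline'") && !hasNonceOrHash)
      findings.push("script-src: 'unsafe-inline' without a nonce or hash allows injected inline scripts (XSS)");
    if (scripts.includes("'unsafe-eval'"))
      findings.push("script-src: 'unsafe-eval' allows eval()/new Function() on attacker-controlled strings");
    for (const s of scripts) {
      if (s === '*' || /^(https?|data|blob):$/.test(s))
        findings.push(`script-src: overly broad source ${s}`);
    }
  }

  const objects = effectiveSources(policy, 'object-src');
  if (objects === null || !objects.includes("'none'"))
    findings.push("object-src: not 'none', plugin objects can be used to run script");

  if (effectiveSources(policy, 'base-uri') === null)
    findings.push('base-uri: missing, an injected <base> tag can redirect relative script URLs');

  if (effectiveSources(policy, 'frame-ancestors') === null)
    findings.push('frame-ancestors: missing, this CSP does not protect against clickjacking');

  return findings;
}

// Stand-alone demo with the policy from the slide above.
for (const f of evaluateCsp("default-src 'self';")) console.log('-', f);
```

Run against the slide's `default-src 'self'` the checker accepts the script-src part (no inline or eval) but still asks for object-src 'none', base-uri and frame-ancestors, which is the same advice the online evaluator gives.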

Slide 23

CSP Source expressions

Slide 24

https://csp-evaluator.withgoogle.com/

Slide 25

http://cspisawesome.com/

Slide 26

Conclusions
● HSTS assures that, after the first HTTPS visit (or from the start if the domain is preloaded), the browser won't open unencrypted HTTP requests to your domain
● HPKP assures that nobody can swap your certificate for one with an unpinned key as a man-in-the-middle, for as long as the pins are cached; note that major browsers have since removed HPKP support, so it no longer provides this protection in practice

Slide 27

More headers
● X-XSS-Protection: enables the browser's built-in reflected-XSS filter; modern browsers have since removed this filter, and the current recommendation is X-XSS-Protection: 0 together with a CSP
● X-Frame-Options: provides protection against clickjacking / UI redress attacks; use DENY or SAMEORIGIN (CSP frame-ancestors is the modern equivalent)
● X-Content-Type-Options: nosniff prevents MIME content-sniffing attacks, e.g. the browser executing an uploaded "image" as script because its bytes look like JavaScript
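The following is an added example, not code from the slides: a JavaScript audit that takes the raw text `curl --head <url>` prints, parses the status line and headers, and grades the headers discussed in this deck (HSTS, X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, CSP) the way securityheaders.io does. The two response heads in it are constructed, not captured from a real site, and the thresholds (one-year max-age, DENY/SAMEORIGIN only) are this example's choices.

```javascript
// Added example (not from the slides): audit security headers in raw
// `curl --head` output. No network access; both sample heads are constructed.

const SAMPLE_HEAD = [
  'HTTP/1.1 200 OK',
  'Server: nginx',
  'Content-Type: text/html; charset=utf-8',
  'Strict-Transport-Security: max-age=31536000; includeSubDomains',
  'X-Frame-Options: SAMEORIGIN',
  'X-Content-Type-Options: nosniff',
  "Content-Security-Policy: default-src 'self'",
  '',
].join('\r\n');

const SAMPLE_HEAD_WEAK = [
  'HTTP/1.1 200 OK',
  'Server: nginx',
  'Strict-Transport-Security: max-age=60',
  'X-Frame-Options: ALLOW-FROM https://partner.example',
  'X-XSS-Protection: 1; mode=block',
  '',
].join('\r\n');

// Parse "status line + header lines" into { status, headers } with
// lower-cased names. Repeated headers are joined with ', '.
function parseHead(raw) {
  const lines = raw.split(/\r?\n/);
  const headers = Object.create(null);
  for (const line of lines.slice(1)) {
    const idx = line.indexOf(':');
    if (idx <= 0) continue;                     // blank line or not a header
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    headers[name] = name in headers ? `${headers[name]}, ${value}` : value;
  }
  return { status: lines[0].trim(), headers };
}

// Returns [{ header, status: 'ok' | 'missing' | 'weak' | 'info', detail }].
function auditHeaders(raw, { https = true } = {}) {
  const { headers } = parseHead(raw);
  const findings = [];
  const report = (header, status, detail) => findings.push({ header, status, detail });

  const hsts = headers['strict-transport-security'];
  if (!https) report('Strict-Transport-Security', 'info', 'only honoured over HTTPS; audit the https:// response instead');
  else if (!hsts) report('Strict-Transport-Security', 'missing', 'browser keeps accepting plain HTTP for this host');
  else {
    const m = /max-age=(\d+)/i.exec(hsts);
    const age = m ? parseInt(m[1], 10) : 0;
    if (age < 31536000) report('Strict-Transport-Security', 'weak', `max-age=${age} is below one year`);
    else report('Strict-Transport-Security', 'ok', hsts);
  }

  const xfo = headers['x-frame-options'];
  if (!xfo) report('X-Frame-Options', 'missing', 'page can be framed by any site (clickjacking)');
  else if (/^(deny|sameorigin)$/i.test(xfo)) report('X-Frame-Options', 'ok', xfo);
  else report('X-Frame-Options', 'weak', `${xfo}: only DENY and SAMEORIGIN are reliably enforced`);

  const xcto = headers['x-content-type-options'];
  if (!xcto) report('X-Content-Type-Options', 'missing', 'browser may sniff responses into script or style');
  else if (/^nosniff$/i.test(xcto)) report('X-Content-Type-Options', 'ok', xcto);
  else report('X-Content-Type-Options', 'weak', `${xcto}: the only defined value is nosniff`);

  const xss = headers['x-xss-protection'];
  if (xss && /^1/.test(xss))
    report('X-XSS-Protection', 'info', `${xss}: legacy browser filter, not a substitute for a CSP`);

  if (!headers['content-security-policy'])
    report('Content-Security-Policy', 'missing', 'no CSP; inline script injection is not mitigated');

  return findings;
}

// Stand-alone demo on the weak sample.
for (const f of auditHeaders(SAMPLE_HEAD_WEAK))
  console.log(`${f.status.padEnd(7)} ${f.header}: ${f.detail}`);
```

Pipe real output in with `curl --head https://example.test | node audit.js` after adding a few lines that read stdin, or paste the head into SAMPLE_HEAD; the audit logic itself does not change.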

Slide 28

• curl --head <url> (or curl -I) prints only the response headers, a quick way to check which of these headers a site actually sends

Slide 29

● Helmet module: Express (Node.js) middleware that sets these headers (HSTS, CSP, X-Frame-Options, X-Content-Type-Options, ...) from one configuration object

Slide 30

References
● https://securityheaders.io
● https://www.ssllabs.com/ssltest
● https://www.chromium.org/hsts
● https://hstspreload.org
● https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet

Slide 31

PinPatrol firefox plugin

Slide 32

• https://observatory.mozilla.org/

Slide 33

• https://report-uri.io

Slide 34

Thank you! @jmortegac jmortega.github.io about.me/jmortegac