Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Quick Wins for Better Website Security by Dan Callahan

PyCon 2014
April 12, 2014
8
590

Quick Wins for Better Website Security by Dan Callahan

Learn quick, easy, and lesser-known techniques to improve your website's security, protect against session hijacking, and defend against XSS and data injection attacks.

Presented at PyCon 2014. More info at https://us.pycon.org/2014/schedule/presentation/225/

PyCon 2014

April 12, 2014
Tweet

More Decks by PyCon 2014

See All by PyCon 2014
Postgres Performance for Humans by Craig Kerstiens
pycon2014
29
3.5k
Technical Onboarding, Training, and Mentoring by Kate Heddleston and Nicole Zuckerman
pycon2014
1
2.1k
"My big gay adventure. Making, releasing and selling an indie game made in python." by Luke Miller
pycon2014
2
1.4k
Farewell and Welcome Home, Python in Two Genders by Naomi_Ceder
pycon2014
1
680
Deliver Your Software in an Envelope by Augie Fackler and Nathaniel Manista
pycon2014
1
510
Hitchhikers Guide to Free and Open Source Participation by Elena Williams
pycon2014
6
1.1k
Localization Revisted (aka. Translations Evolved) by Ruchi Varshney
pycon2014
0
640
Smart Dumpster by Bradley E. Angell
pycon2014
0
450
Software Engineering for Hackers: Bridging the Two Solitudes by Tavish Armstrong
pycon2014
0
680

Featured

See All Featured
Designing for humans not robots
tammielis
248
25k
Large-scale JavaScript Application Architecture
addyosmani
504
110k
Optimizing for Happiness
mojombo
370
69k
Automating Front-end Workflow
addyosmani
1356
200k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
187
16k
What's in a price? How to price your products and services
michaelherold
237
11k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
25
2.3k
Creatively Recalculating Your Daily Design Routine
revolveconf
210
11k
Documentation Writing (for coders)
carmenintech
60
3.9k
Bootstrapping a Software Product
garrettdimon
PRO
302
110k
Fontdeck: Realign not Redesign
paulrobertlloyd
76
4.9k
Unsuck your backbone
ammeep
663
57k

Transcript

  1. QUICK WINS FOR BETTER WEBSITE SECURITY ! Dan Callahan !

    [email protected] dancallahan.info @callahad

  2. THREE PARTS Transmitting Rendering Storing

  3. TRANSMITTING

  4. USE SSL

  5. Apple iOS / OS X TLS, 21 Feb 2014 gotofail.com

    goto fail; goto fail;

  6. OpenSSL “Heartbleed,” 7 April 2014 heartbleed.com

  7. SERIOUSLY, USE SSL

  8. http://... Browser http://... Browser https://... https://...

  9. http://... Browser http://... Browser https://... https://...

  10. http://... Browser http://... Browser https://... https://...

  11. http://... Browser http://... Browser https://... https://...

  12. http://... Browser http://... Browser https://... https://...

  13. http://... Browser http://... Browser https://... https://... Cookies Cookies

  14. http://... Browser http://... Browser https://... https://... Attacker Attacker Cookies Cookies

  15. http://... Browser http://... Browser https://... https://... Attacker Attacker Cookies Cookies

  16. None
  17. None
  18. None

  19. http://... Browser http://... Browser https://... https://... Attacker Attacker Cookies Cookies

  20. USE SECURE COOKIES

  21. Set-Cookie: xs=984ea98f98a6a19c

  22. Set-Cookie: xs=984ea98f98a6a19c; secure

  23. http://... Browser http://... Browser https://... https://... Attacker Attacker Cookies Cookies

  24. http://... Browser http://... Browser https://... https://... Attacker Attacker Cookies

  25. http://... Browser http://... Browser https://... https://... Attacker Attacker Cookies

  26. http://... Browser http://... Browser https://... https://... Attacker Attacker Cookies

  27. None

  28. https://www.bankofamerica.com http://bankofamerica.com http://www.bankofamerica.com

  29. https://www.bankofamerica.com http://bankofamerica.com http://www.bankofamerica.com

  30. https://www.bank0famerica.com bank0famerica.com? http://bankofamerica.com http://www.bankofamerica.com

  31. http://... Browser http://... Browser https://... https://... Attacker Attacker Cookies

  32. http://... Browser http://... Browser https://... https://... Attacker Attacker

  33. None

  34. USE STRICT TRANSPORT SECURITY

  35. None
  36. None
  37. None

  38. Strict-Transport-Security: max-age=2592000

  39. http://... Browser http://... Browser https://... https://... Attacker Attacker Cookies

  40. http://... Browser http://... Browser https://... https://... Attacker Attacker Cookies

  41. TRANSMIT RENDER STORE ! SSL ! Secure Cookies ! Strict

    Transport Security

  42. RENDERING

  43. Set-Cookie: xs=984ea98f98a6a19c; secure

  44. Set-Cookie: xs=984ea98f98a6a19c; secure <script> alert(document.cookie); </script>

  45. Set-Cookie: xs=984ea98f98a6a19c; secure <script> alert(document.cookie); </script> “xs=984ea98f98a6a19c”

  46. USE HTTPONLY COOKIES

  47. Set-Cookie: xs=984ea98f98a6a19c; secure <script> alert(document.cookie); </script> “xs=984ea98f98a6a19c”

  48. Set-Cookie: xs=984ea98f98a6a19c; secure; HttpOnly <script> alert(document.cookie); </script> “xs=984ea98f98a6a19c”

  49. Set-Cookie: xs=984ea98f98a6a19c; secure; HttpOnly <script> alert(document.cookie); </script> “”

  50. USE A CONTENT SECURITY POLICY

  51. Content-Security-Policy: default-src 'self'; img-src 'self' data:; script-src: 'self' https://api.example.com !

    ! ! ! !

  52. Content-Security-Policy: default-src 'self'; img-src 'self' data:; script-src: 'self' https://api.example.com !

    Content-Security-Policy-Report-Only: default-src 'self'; img-src 'self' data:; script-src: 'self' https://api.example.com

  53. TRANSMIT RENDER STORE ! SSL ! Secure Cookies ! Strict

    Transport Security ! HttpOnly Cookies ! Content Security Policy

  54. TRANSMIT RENDER STORE ! SSL ! Secure Cookies ! Strict

    Transport Security ! HttpOnly Cookies ! Content Security Policy

  55. SET FRAME OPTIONS

  56. X-Frame-Options: DENY X-Frame-Options: SAMEORIGIN X-Frame-Options: ALLOW-FROM uri

  57. USE XSS PROTECTION

  58. X-XSS-Protection: 1; mode=block

  59. DISABLE MIME-TYPE SNIFFING

  60. X-Content-Type-Options: nosniff

  61. TRANSMIT RENDER STORE ! SSL ! Secure Cookies ! Strict

    Transport Security ! HttpOnly Cookies ! Content Security Policy ! Frame Options ! XSS Protection ! MIME-Type Sniffing

  62. STORING

  63. ISOLATE USER CONTENT

  64. Not your main domain Not a subdomain github.io googleusercontent.com

  65. DON’T USE PASSWORDS

  66. None

  67. SUMMARY

  68. TRANSMIT RENDER STORE ! SSL ! Secure Cookies ! Strict

    Transport Security ! HttpOnly Cookies ! Content Security Policy ! Frame Options ! XSS Protection ! MIME-Type Sniffing ! User Content Domain ! ! Don’t Store Passwords

  69. FURTHER READING

  70. OWASP Qualys SSL Labs owasp.org ssllabs.com

  71. QUESTIONS? ! Dan Callahan ! [email protected] dancallahan.info @callahad