Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Quick Wins for Better Website Security by Dan C...

Avatar for PyCon 2014 PyCon 2014
April 12, 2014
8
600

Quick Wins for Better Website Security by Dan Callahan

Learn quick, easy, and lesser-known techniques to improve your website's security, protect against session hijacking, and defend against XSS and data injection attacks.

Presented at PyCon 2014. More info at https://us.pycon.org/2014/schedule/presentation/225/
Avatar for PyCon 2014

PyCon 2014

April 12, 2014
Tweet

More Decks by PyCon 2014

See All by PyCon 2014
Postgres Performance for Humans by Craig Kerstiens
Avatar for PyCon 2014 pycon2014
29
3.6k
Technical Onboarding, Training, and Mentoring by Kate Heddleston and Nicole Zuckerman
Avatar for PyCon 2014 pycon2014
1
2.3k
"My big gay adventure. Making, releasing and selling an indie game made in python." by Luke Miller
Avatar for PyCon 2014 pycon2014
2
1.6k
Farewell and Welcome Home, Python in Two Genders by Naomi_Ceder
Avatar for PyCon 2014 pycon2014
1
740
Deliver Your Software in an Envelope by Augie Fackler and Nathaniel Manista
Avatar for PyCon 2014 pycon2014
1
550
Hitchhikers Guide to Free and Open Source Participation by Elena Williams
Avatar for PyCon 2014 pycon2014
6
1.2k
Localization Revisted (aka. Translations Evolved) by Ruchi Varshney
Avatar for PyCon 2014 pycon2014
0
700
Smart Dumpster by Bradley E. Angell
Avatar for PyCon 2014 pycon2014
0
530
Software Engineering for Hackers: Bridging the Two Solitudes by Tavish Armstrong
Avatar for PyCon 2014 pycon2014
0
740

Featured

See All Featured
How to train your dragon (web standard)
Avatar for Monica Dinculescu notwaldorf
92
6.1k
Site-Speed That Sticks
Avatar for Harry Roberts csswizardry
10
640
Automating Front-end Workflow
Avatar for Addy Osmani addyosmani
1370
200k
Intergalactic Javascript Robots from Outer Space
Avatar for Vicent Martí tanoku
271
27k
Understanding Cognitive Biases in Performance Measurement
Avatar for Philip Tellis bluesmoon
29
1.8k
Become a Pro
Avatar for Speaker Deck speakerdeck
PRO
28
5.4k
[RailsConf 2023] Rails as a piece of cake
Avatar for Vladimir Dementyev palkan
55
5.6k
[RailsConf 2023 Opening Keynote] The Magic of Rails
Avatar for Eileen M. Uchitelle eileencodes
29
9.5k
RailsConf 2023
Avatar for Aaron Patterson tenderlove
30
1.1k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
Avatar for Joe Casabona jcasabona
32
2.3k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
Avatar for Kevin Liebholz kevinliebholz
32
5.9k
Sharpening the Axe: The Primacy of Toolmaking
Avatar for Bryan Cantrill bcantrill
43
2.4k

Transcript

  1. QUICK WINS FOR BETTER WEBSITE SECURITY ! Dan Callahan !

    [email protected] dancallahan.info @callahad

  2. THREE PARTS Transmitting Rendering Storing

  3. TRANSMITTING

  4. USE SSL

  5. Apple iOS / OS X TLS, 21 Feb 2014 gotofail.com

    goto fail; goto fail;

  6. OpenSSL “Heartbleed,” 7 April 2014 heartbleed.com

  7. SERIOUSLY, USE SSL

  8. http://... Browser http://... Browser https://... https://...

  9. http://... Browser http://... Browser https://... https://...

  10. http://... Browser http://... Browser https://... https://...

  11. http://... Browser http://... Browser https://... https://...

  12. http://... Browser http://... Browser https://... https://...

  13. http://... Browser http://... Browser https://... https://... Cookies Cookies

  14. http://... Browser http://... Browser https://... https://... Attacker Attacker Cookies Cookies

  15. http://... Browser http://... Browser https://... https://... Attacker Attacker Cookies Cookies

  16. None
  17. None
  18. None

  19. http://... Browser http://... Browser https://... https://... Attacker Attacker Cookies Cookies

  20. USE SECURE COOKIES

  21. Set-Cookie: xs=984ea98f98a6a19c

  22. Set-Cookie: xs=984ea98f98a6a19c; secure

  23. http://... Browser http://... Browser https://... https://... Attacker Attacker Cookies Cookies

  24. http://... Browser http://... Browser https://... https://... Attacker Attacker Cookies

  25. http://... Browser http://... Browser https://... https://... Attacker Attacker Cookies

  26. http://... Browser http://... Browser https://... https://... Attacker Attacker Cookies

  27. None

  28. https://www.bankofamerica.com http://bankofamerica.com http://www.bankofamerica.com

  29. https://www.bankofamerica.com http://bankofamerica.com http://www.bankofamerica.com

  30. https://www.bank0famerica.com bank0famerica.com? http://bankofamerica.com http://www.bankofamerica.com

  31. http://... Browser http://... Browser https://... https://... Attacker Attacker Cookies

  32. http://... Browser http://... Browser https://... https://... Attacker Attacker

  33. None

  34. USE STRICT TRANSPORT SECURITY

  35. None
  36. None
  37. None

  38. Strict-Transport-Security: max-age=2592000

  39. http://... Browser http://... Browser https://... https://... Attacker Attacker Cookies

  40. http://... Browser http://... Browser https://... https://... Attacker Attacker Cookies

  41. TRANSMIT RENDER STORE ! SSL ! Secure Cookies ! Strict

    Transport Security

  42. RENDERING

  43. Set-Cookie: xs=984ea98f98a6a19c; secure

  44. Set-Cookie: xs=984ea98f98a6a19c; secure <script> alert(document.cookie); </script>

  45. Set-Cookie: xs=984ea98f98a6a19c; secure <script> alert(document.cookie); </script> “xs=984ea98f98a6a19c”

  46. USE HTTPONLY COOKIES

  47. Set-Cookie: xs=984ea98f98a6a19c; secure <script> alert(document.cookie); </script> “xs=984ea98f98a6a19c”

  48. Set-Cookie: xs=984ea98f98a6a19c; secure; HttpOnly <script> alert(document.cookie); </script> “xs=984ea98f98a6a19c”

  49. Set-Cookie: xs=984ea98f98a6a19c; secure; HttpOnly <script> alert(document.cookie); </script> “”

  50. USE A CONTENT SECURITY POLICY

  51. Content-Security-Policy: default-src 'self'; img-src 'self' data:; script-src: 'self' https://api.example.com !

    ! ! ! !

  52. Content-Security-Policy: default-src 'self'; img-src 'self' data:; script-src: 'self' https://api.example.com !

    Content-Security-Policy-Report-Only: default-src 'self'; img-src 'self' data:; script-src: 'self' https://api.example.com

  53. TRANSMIT RENDER STORE ! SSL ! Secure Cookies ! Strict

    Transport Security ! HttpOnly Cookies ! Content Security Policy

  54. TRANSMIT RENDER STORE ! SSL ! Secure Cookies ! Strict

    Transport Security ! HttpOnly Cookies ! Content Security Policy

  55. SET FRAME OPTIONS

  56. X-Frame-Options: DENY X-Frame-Options: SAMEORIGIN X-Frame-Options: ALLOW-FROM uri

  57. USE XSS PROTECTION

  58. X-XSS-Protection: 1; mode=block

  59. DISABLE MIME-TYPE SNIFFING

  60. X-Content-Type-Options: nosniff

  61. TRANSMIT RENDER STORE ! SSL ! Secure Cookies ! Strict

    Transport Security ! HttpOnly Cookies ! Content Security Policy ! Frame Options ! XSS Protection ! MIME-Type Sniffing

  62. STORING

  63. ISOLATE USER CONTENT

  64. Not your main domain Not a subdomain github.io googleusercontent.com

  65. DON’T USE PASSWORDS

  66. None

  67. SUMMARY

  68. TRANSMIT RENDER STORE ! SSL ! Secure Cookies ! Strict

    Transport Security ! HttpOnly Cookies ! Content Security Policy ! Frame Options ! XSS Protection ! MIME-Type Sniffing ! User Content Domain ! ! Don’t Store Passwords

  69. FURTHER READING

  70. OWASP Qualys SSL Labs owasp.org ssllabs.com

  71. QUESTIONS? ! Dan Callahan ! [email protected] dancallahan.info @callahad