Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Quick Wins for Better Website Security by Dan C...

PyCon 2014
April 12, 2014
8
590

Quick Wins for Better Website Security by Dan Callahan

Learn quick, easy, and lesser-known techniques to improve your website's security, protect against session hijacking, and defend against XSS and data injection attacks.

Presented at PyCon 2014. More info at https://us.pycon.org/2014/schedule/presentation/225/

PyCon 2014

April 12, 2014
Tweet

More Decks by PyCon 2014

See All by PyCon 2014
Postgres Performance for Humans by Craig Kerstiens
pycon2014
29
3.6k
Technical Onboarding, Training, and Mentoring by Kate Heddleston and Nicole Zuckerman
pycon2014
1
2.2k
"My big gay adventure. Making, releasing and selling an indie game made in python." by Luke Miller
pycon2014
2
1.5k
Farewell and Welcome Home, Python in Two Genders by Naomi_Ceder
pycon2014
1
700
Deliver Your Software in an Envelope by Augie Fackler and Nathaniel Manista
pycon2014
1
520
Hitchhikers Guide to Free and Open Source Participation by Elena Williams
pycon2014
6
1.2k
Localization Revisted (aka. Translations Evolved) by Ruchi Varshney
pycon2014
0
680
Smart Dumpster by Bradley E. Angell
pycon2014
0
490
Software Engineering for Hackers: Bridging the Two Solitudes by Tavish Armstrong
pycon2014
0
710

Featured

See All Featured
Producing Creativity
orderedlist
PRO
341
39k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
6
410
How STYLIGHT went responsive
nonsquared
95
5.2k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
329
21k
Code Reviewing Like a Champion
maltzj
520
39k
KATA
mclloyd
29
14k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
31
2.7k
Happy Clients
brianwarren
98
6.7k
What's new in Ruby 2.0
geeforr
343
31k
Art, The Web, and Tiny UX
lynnandtonic
297
20k
Designing Experiences People Love
moore
138
23k
Practical Orchestrator
shlominoach
186
10k

Transcript

  1. QUICK WINS FOR BETTER WEBSITE SECURITY ! Dan Callahan !

    [email protected] dancallahan.info @callahad

  2. THREE PARTS Transmitting Rendering Storing

  3. TRANSMITTING

  4. USE SSL

  5. Apple iOS / OS X TLS, 21 Feb 2014 gotofail.com

    goto fail; goto fail;

  6. OpenSSL “Heartbleed,” 7 April 2014 heartbleed.com

  7. SERIOUSLY, USE SSL

  8. http://... Browser http://... Browser https://... https://...

  9. http://... Browser http://... Browser https://... https://...

  10. http://... Browser http://... Browser https://... https://...

  11. http://... Browser http://... Browser https://... https://...

  12. http://... Browser http://... Browser https://... https://...

  13. http://... Browser http://... Browser https://... https://... Cookies Cookies

  14. http://... Browser http://... Browser https://... https://... Attacker Attacker Cookies Cookies

  15. http://... Browser http://... Browser https://... https://... Attacker Attacker Cookies Cookies

  16. None
  17. None
  18. None

  19. http://... Browser http://... Browser https://... https://... Attacker Attacker Cookies Cookies

  20. USE SECURE COOKIES

  21. Set-Cookie: xs=984ea98f98a6a19c

  22. Set-Cookie: xs=984ea98f98a6a19c; secure

  23. http://... Browser http://... Browser https://... https://... Attacker Attacker Cookies Cookies

  24. http://... Browser http://... Browser https://... https://... Attacker Attacker Cookies

  25. http://... Browser http://... Browser https://... https://... Attacker Attacker Cookies

  26. http://... Browser http://... Browser https://... https://... Attacker Attacker Cookies

  27. None

  28. https://www.bankofamerica.com http://bankofamerica.com http://www.bankofamerica.com

  29. https://www.bankofamerica.com http://bankofamerica.com http://www.bankofamerica.com

  30. https://www.bank0famerica.com bank0famerica.com? http://bankofamerica.com http://www.bankofamerica.com

  31. http://... Browser http://... Browser https://... https://... Attacker Attacker Cookies

  32. http://... Browser http://... Browser https://... https://... Attacker Attacker

  33. None

  34. USE STRICT TRANSPORT SECURITY

  35. None
  36. None
  37. None

  38. Strict-Transport-Security: max-age=2592000

  39. http://... Browser http://... Browser https://... https://... Attacker Attacker Cookies

  40. http://... Browser http://... Browser https://... https://... Attacker Attacker Cookies

  41. TRANSMIT RENDER STORE ! SSL ! Secure Cookies ! Strict

    Transport Security

  42. RENDERING

  43. Set-Cookie: xs=984ea98f98a6a19c; secure

  44. Set-Cookie: xs=984ea98f98a6a19c; secure <script> alert(document.cookie); </script>

  45. Set-Cookie: xs=984ea98f98a6a19c; secure <script> alert(document.cookie); </script> “xs=984ea98f98a6a19c”

  46. USE HTTPONLY COOKIES

  47. Set-Cookie: xs=984ea98f98a6a19c; secure <script> alert(document.cookie); </script> “xs=984ea98f98a6a19c”

  48. Set-Cookie: xs=984ea98f98a6a19c; secure; HttpOnly <script> alert(document.cookie); </script> “xs=984ea98f98a6a19c”

  49. Set-Cookie: xs=984ea98f98a6a19c; secure; HttpOnly <script> alert(document.cookie); </script> “”

  50. USE A CONTENT SECURITY POLICY

  51. Content-Security-Policy: default-src 'self'; img-src 'self' data:; script-src: 'self' https://api.example.com !

    ! ! ! !

  52. Content-Security-Policy: default-src 'self'; img-src 'self' data:; script-src: 'self' https://api.example.com !

    Content-Security-Policy-Report-Only: default-src 'self'; img-src 'self' data:; script-src: 'self' https://api.example.com

  53. TRANSMIT RENDER STORE ! SSL ! Secure Cookies ! Strict

    Transport Security ! HttpOnly Cookies ! Content Security Policy

  54. TRANSMIT RENDER STORE ! SSL ! Secure Cookies ! Strict

    Transport Security ! HttpOnly Cookies ! Content Security Policy

  55. SET FRAME OPTIONS

  56. X-Frame-Options: DENY X-Frame-Options: SAMEORIGIN X-Frame-Options: ALLOW-FROM uri

  57. USE XSS PROTECTION

  58. X-XSS-Protection: 1; mode=block

  59. DISABLE MIME-TYPE SNIFFING

  60. X-Content-Type-Options: nosniff

  61. TRANSMIT RENDER STORE ! SSL ! Secure Cookies ! Strict

    Transport Security ! HttpOnly Cookies ! Content Security Policy ! Frame Options ! XSS Protection ! MIME-Type Sniffing

  62. STORING

  63. ISOLATE USER CONTENT

  64. Not your main domain Not a subdomain github.io googleusercontent.com

  65. DON’T USE PASSWORDS

  66. None

  67. SUMMARY

  68. TRANSMIT RENDER STORE ! SSL ! Secure Cookies ! Strict

    Transport Security ! HttpOnly Cookies ! Content Security Policy ! Frame Options ! XSS Protection ! MIME-Type Sniffing ! User Content Domain ! ! Don’t Store Passwords

  69. FURTHER READING

  70. OWASP Qualys SSL Labs owasp.org ssllabs.com

  71. QUESTIONS? ! Dan Callahan ! [email protected] dancallahan.info @callahad