HTTP Security

HTTP Security A matter of trust rj zaworski, versal inc.
· @rjzaworski · github.com/rjz

Browsers ★ Do what servers tell them to ★ Respect
standards (mostly) ★ Render as much of the server response as they can

Trust is a Big Deal ★ Servers can be compromised,
impersonated, or simply misconfigured ★ How can we tell if content is trustworthy? The short answer is, “we can’t”.

HTTP can help $ curl https://twitter.com -I status: 200 OK
# ... strict-transport-security: max-age=631138519 content-security-policy-report-only: default-src https:; #... x-content-type-options: nosniff x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block

Transport Security $ curl https://twitter.com -I status: 200 OK #
... strict-transport-security: max-age=631138519 content-security-policy-report-only: default-src https:; #... x-content-type-options: nosniff x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block (https://tools.ietf.org/html/rfc6797)

Transport Security ★ Ensure the browser never visits the http
version of a website ★ Force transport-layer security (TLS)

Transport Security Why bother? ★ eavesdropping ★ man in the
middle (data tampering, host spoofing, etc)

Transport Security ★ Protects from common wireless attacks (spoofing, sniffing,
e.g. SSLStrip + Firesheep) ★ Protects from mixed-content errors (CSS, SWF)

Content Security Policies $ curl https://twitter.com -I status: 200 OK
# ... strict-transport-security: max-age=631138519 content-security-policy-report-only: default-src https:; #... x-content-type-options: nosniff x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block (https://w3c.github.io/webappsec/specs/content-security-policy/)

Content Security Policies ★ Helps detect/prevent XSS, mixed-content, and other
classes of attack ★ Whitelist what is or isn't allowed on a page ★ Describe access to specific types of content in terms of directives

Content Security Policies ★ Implemented via HTTP header ★ or
a <META> tag <meta http-equiv="Content-Security-Policy" content="script-src 'self'">

Content Security Policies Some directives: ★ default-src - define base
policy ★ script-src - define valid origins for <script> tags ★ connect-src - XHRs, WebSocket and EventSource ★ form-action - form actions

Content Security Policies ★ Policies may be layered ★ Policies
are restrictive A request must pass all announced policies to be served!

Content Security Policies Report-Only: log without enforcing Content-Security-Policy-Report-Only: \ default-src
'self'; \ report-uri https://test.versal.com/csp-reports Looks familiar...

Content Security Policies Risks: ★ CSS Parsing is still vulnerable
★ Browser support is incomplete

X-Content-Type-Options $ curl https://twitter.com -I status: 200 OK # ...
strict-transport-security: max-age=631138519 content-security-policy-report-only: default-src https:; #... x-content-type-options: nosniff x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block (http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx)

X-Content-Type-Options ★ <SCRIPT> and <STYLE> reject responses with incorrect content-types
★ Prevent MIME confusion ★ Implemented in Chrome, IE

X-Frame-Options $ curl https://twitter.com -I status: 200 OK # ...
strict-transport-security: max-age=631138519 content-security-policy-report-only: default-src https:; #... x-content-type-options: nosniff x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block (http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx)

X-Frame-Options ★ Prevents content from being framed ★ Protects from
external clickjacking ★ Three choices: DENY , SAMEORIGIN , or ALLOW-FROM

X-XSS-Protection $ curl https://twitter.com -I status: 200 OK # ...
strict-transport-security: max-age=631138519 content-security-policy-report-only: default-src https:; #... x-content-type-options: nosniff x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block (http://msdn.microsoft.com/en-us/library/dd565647(v=vs.85).aspx)

X-XSS-Protection ★ Browser’s best guess about blocking XSS attempts ★
On by default in Chrome, IE

Further Reading On OWASP: ★ List of Useful Headers ★
HTTP Strict Transport Security ★ Content Security Policy

Thank you! rj zaworski · @rjzaworski · github.com/rjz

HTTP Security

HTTP Security

RJ Zaworski

More Decks by RJ Zaworski

Other Decks in Technology

Featured

Transcript

HTTP Security A matter of trust rj zaworski, versal inc.

Browsers ★ Do what servers tell them to ★ Respect

Trust is a Big Deal ★ Servers can be compromised,

HTTP can help $ curl https://twitter.com -I status: 200 OK

Transport Security $ curl https://twitter.com -I status: 200 OK #

Transport Security ★ Ensure the browser never visits the http

Transport Security Why bother? ★ eavesdropping ★ man in the

Transport Security ★ Protects from common wireless attacks (spoofing, sniffing,

Content Security Policies $ curl https://twitter.com -I status: 200 OK

Content Security Policies ★ Helps detect/prevent XSS, mixed-content, and other

Content Security Policies ★ Implemented via HTTP header ★ or

Content Security Policies Some directives: ★ default-src - define base

Content Security Policies ★ Policies may be layered ★ Policies

Content Security Policies Report-Only: log without enforcing Content-Security-Policy-Report-Only: \ default-src

Content Security Policies Risks: ★ CSS Parsing is still vulnerable

X-Content-Type-Options $ curl https://twitter.com -I status: 200 OK # ...

X-Content-Type-Options ★ <SCRIPT> and <STYLE> reject responses with incorrect content-types

X-Frame-Options $ curl https://twitter.com -I status: 200 OK # ...

X-Frame-Options ★ Prevents content from being framed ★ Protects from

X-XSS-Protection $ curl https://twitter.com -I status: 200 OK # ...

X-XSS-Protection ★ Browser’s best guess about blocking XSS attempts ★

Further Reading On OWASP: ★ List of Useful Headers ★

Thank you! rj zaworski · @rjzaworski · github.com/rjz