Upgrade to Pro — share decks privately, control downloads, hide ads and more …

HTTP Security

Avatar for RJ Zaworski RJ Zaworski
September 05, 2014
Technology
200
2

HTTP Security

Avatar for RJ Zaworski

RJ Zaworski

September 05, 2014

More Decks by RJ Zaworski

See All by RJ Zaworski
Computing Lessons from the Atomic Age: Complexity, Safety, and Ethics
Avatar for RJ Zaworski rjz
0
110
Beyond the Single-Page App: React and the Servers that Serve it
Avatar for RJ Zaworski rjz
0
99
Typesafe(ish) React
Avatar for RJ Zaworski rjz
1
700
Front-end optimization
Avatar for RJ Zaworski rjz
1
480
Technical Interviewing
Avatar for RJ Zaworski rjz
0
270
Interop! Building a better Backbone.View
Avatar for RJ Zaworski rjz
0
110
Front-end optimization
Avatar for RJ Zaworski rjz
4
290

Other Decks in Technology

See All in Technology
NAB Show 2026 動画技術関連レポート / NAB Show 2026 Report
Avatar for CyberAgent cyberagentdevelopers
PRO
0
170
エラーバジェットのアラートのタイミングを考える.pdf
Avatar for KairiM kairim0
0
120
Socrates × Looker 〜セマンティックレイヤーで進化するデータ分析エージェント〜
Avatar for Uchide Hiroki(ucchi-) hanon52_
3
2.1k
AWSシリコン最前線 〜AI時代のチップ選択を読み解く〜
Avatar for Hiroshi Tokoyo htokoyo
2
470
EventBridge Connection
Avatar for kensh _kensh
5
690
Claude Code の Sandbox 機能を Anthropic Sandbox Runtime(srt) で試そう!/lets-play-anthropic-sandbox-runtime
Avatar for tomoki10 tomoki10
1
540
現地で盛り上がった WWDC26 Keynote
Avatar for ZOZO Developers zozotech
PRO
1
200
RAG を使わないという選択肢
Avatar for tatsutaka tatsutaka
1
190
Agentic Web
Avatar for dynamis dynamis
1
200
2026TECHFRESH畢業分享會 - Lightning Talk - E起 See See : 電商推薦讀心術? 數據說了算
Avatar for LINE Developers Taiwan line_developers_tw
PRO
0
800
AIの性能が向上しても未解決な組織の重大問題は何か?/An Unsolved Organizational Problem in the Age of AI
Avatar for moriyuya moriyuya
4
610
RSA暗号を手計算したくなること、ありますよね?? (20260615_orestudy6_rsa)
Avatar for Koki Senda thousanda
0
240

Featured

See All Featured
Bioeconomy Workshop: Dr. Julius Ecuru, Opportunities for a Bioeconomy in West Africa
Avatar for AKADEMIYA2063 akademiya2063
PRO
1
140
From Legacy to Launchpad: Building Startup-Ready Communities
Avatar for Dug Song dugsong
0
230
SEO for Brand Visibility & Recognition
Avatar for Aleyda Solis aleyda
0
4.6k
Bash Introduction
Avatar for André Augusto Costa Santos 62gerente
615
220k
The Hidden Cost of Media on the Web [PixelPalooza 2025]
Avatar for Tammy Everts tammyeverts
2
330
Everyday Curiosity
Avatar for Cassini Nazir cassininazir
0
230
Agile Actions for Facilitating Distributed Teams - ADO2019
Avatar for Mark Kilby mkilby
0
200
How to optimise 3,500 product descriptions for ecommerce in one day using ChatGPT
Avatar for Katarina Dahlin katarinadahlin
PRO
1
3.6k
Skip the Path - Find Your Career Trail
Avatar for Mark Kilby mkilby
1
140
Building a Modern Day 
E-commerce SEO Strategy
Avatar for Aleyda Solis aleyda
45
9.1k
DBのスキルで生き残る技術 - AI時代におけるテーブル設計の勘所
Avatar for soudai sone soudai
PRO
65
55k
Jess Joyce - The Pitfalls of Following Frameworks
Avatar for Tech SEO Connect techseoconnect
PRO
1
160

Transcript

  1. HTTP Security A matter of trust rj zaworski, versal inc.

    · @rjzaworski · github.com/rjz

  2. Browsers ★ Do what servers tell them to ★ Respect

    standards (mostly) ★ Render as much of the server response as they can

  3. Trust is a Big Deal ★ Servers can be compromised,

    impersonated, or simply misconfigured ★ How can we tell if content is trustworthy? The short answer is, “we can’t”.

  4. HTTP can help $ curl https://twitter.com -I status: 200 OK

    # ... strict-transport-security: max-age=631138519 content-security-policy-report-only: default-src https:; #... x-content-type-options: nosniff x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block

  5. Transport Security $ curl https://twitter.com -I status: 200 OK #

    ... strict-transport-security: max-age=631138519 content-security-policy-report-only: default-src https:; #... x-content-type-options: nosniff x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block (https://tools.ietf.org/html/rfc6797)

  6. Transport Security ★ Ensure the browser never visits the http

    version of a website ★ Force transport-layer security (TLS)

  7. Transport Security Why bother? ★ eavesdropping ★ man in the

    middle (data tampering, host spoofing, etc)

  8. Transport Security ★ Protects from common wireless attacks (spoofing, sniffing,

    e.g. SSLStrip + Firesheep) ★ Protects from mixed-content errors (CSS, SWF)

  9. Content Security Policies $ curl https://twitter.com -I status: 200 OK

    # ... strict-transport-security: max-age=631138519 content-security-policy-report-only: default-src https:; #... x-content-type-options: nosniff x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block (https://w3c.github.io/webappsec/specs/content-security-policy/)

  10. Content Security Policies ★ Helps detect/prevent XSS, mixed-content, and other

    classes of attack ★ Whitelist what is or isn't allowed on a page ★ Describe access to specific types of content in terms of directives

  11. Content Security Policies ★ Implemented via HTTP header ★ or

    a <META> tag <meta http-equiv="Content-Security-Policy" content="script-src 'self'">

  12. Content Security Policies Some directives: ★ default-src - define base

    policy ★ script-src - define valid origins for <script> tags ★ connect-src - XHRs, WebSocket and EventSource ★ form-action - form actions

  13. Content Security Policies ★ Policies may be layered ★ Policies

    are restrictive A request must pass all announced policies to be served!

  14. Content Security Policies Report-Only: log without enforcing Content-Security-Policy-Report-Only: \ default-src

    'self'; \ report-uri https://test.versal.com/csp-reports Looks familiar...

  15. Content Security Policies Risks: ★ CSS Parsing is still vulnerable

    ★ Browser support is incomplete

  16. X-Content-Type-Options $ curl https://twitter.com -I status: 200 OK # ...

    strict-transport-security: max-age=631138519 content-security-policy-report-only: default-src https:; #... x-content-type-options: nosniff x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block (http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx)

  17. X-Content-Type-Options ★ <SCRIPT> and <STYLE> reject responses with incorrect content-types

    ★ Prevent MIME confusion ★ Implemented in Chrome, IE

  18. X-Frame-Options $ curl https://twitter.com -I status: 200 OK # ...

    strict-transport-security: max-age=631138519 content-security-policy-report-only: default-src https:; #... x-content-type-options: nosniff x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block (http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx)

  19. X-Frame-Options ★ Prevents content from being framed ★ Protects from

    external clickjacking ★ Three choices: DENY , SAMEORIGIN , or ALLOW-FROM

  20. X-XSS-Protection $ curl https://twitter.com -I status: 200 OK # ...

    strict-transport-security: max-age=631138519 content-security-policy-report-only: default-src https:; #... x-content-type-options: nosniff x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block (http://msdn.microsoft.com/en-us/library/dd565647(v=vs.85).aspx)

  21. X-XSS-Protection ★ Browser’s best guess about blocking XSS attempts ★

    On by default in Chrome, IE

  22. Further Reading On OWASP: ★ List of Useful Headers ★

    HTTP Strict Transport Security ★ Content Security Policy

  23. Thank you! rj zaworski · @rjzaworski · github.com/rjz