HTTP Security: headers as a shield over your application

You are all aware of what XSS vulnerabilities are; do you know what Clickjacking is? You have probably heard of Root Certificate compromise; do you know the principle of a protocol downgrade attack? You are coming to SymfonyCon because you are HTTP application developers, and I will present awesome HTTP headers that will help you mitigate these kinds of attacks, just by using the W3C WebAppSec recommendations.

Romain Neutron

December 02, 2016

Transcript

  1. Browsers HTTP Security

  2. Browsers HTTP Security Romain Neutron https://github.com/romainneutron

  9. $ curl -I https://github.com
     HTTP/1.1 200 OK
     Server: GitHub.com
     Date: Mon, 04 Apr 2016 20:10:13 GMT
     Content-Type: text/html; charset=utf-8
     Status: 200 OK
     Cache-Control: no-cache
     Vary: X-PJAX
     X-UA-Compatible: IE=Edge,chrome=1
     Set-Cookie: logged_in=no; domain=.github.com; path=/; expires=Fri, 04 Apr 2036 20:10:13
     Set-Cookie: _gh_sess=eyJzZXNzaW9uX2lkIjoiYzE1ZjE3NjA4Yjg1MWM3MTk4MjY0ZjdiMzY5ZDJhNzciLC
     X-Request-Id: 048b988349db27c05f13900c2b8c8dd5
     X-Runtime: 0.011717
     Content-Security-Policy: default-src 'none'; base-uri 'self'; block-all-mixed-content;
     Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
     Public-Key-Pins: max-age=1209600; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB
     X-Content-Type-Options: nosniff
     X-Frame-Options: deny
     X-XSS-Protection: 1; mode=block
     Vary: Accept-Encoding
     X-Served-By: 7cc969f65c7ec8d9db2fa57dcc51d323
     X-GitHub-Request-Id: 55A8461C:0E34:67919BE:5702CA25
  10. $ curl -I https://www.google.fr
      HTTP/1.1 200 OK
      Date: Mon, 04 Apr 2016 20:09:15 GMT
      Expires: -1
      Cache-Control: private, max-age=0
      Content-Type: text/html; charset=ISO-8859-1
      P3P: CP="This is not a P3P policy! See https://www.google.com/support/accounts/answer/1
      Server: gws
      X-XSS-Protection: 1; mode=block
      X-Frame-Options: SAMEORIGIN
      Set-Cookie: NID=78=qz0a3gQjdiDNPGOR3AAVCO72jOeyaj_EoA8nXeDud6dEqZty2mEdqd9j4gkSNYoqLNM9iHcHNp7pwr9RQTo0A5id943sj; expires=Tue, 04-Oct
      Alternate-Protocol: 443:quic
      Alt-Svc: quic=":443"; ma=2592000; v="32,31,30,29,28,27,26,25"
      Transfer-Encoding: chunked
      Accept-Ranges: none
      Vary: Accept-Encoding
  11. $ curl -I https://www.dropbox.com
      HTTP/1.1 200 OK
      Server: nginx
      Date: Mon, 04 Apr 2016 20:10:37 GMT
      Content-Type: text/html; charset=utf-8
      Connection: keep-alive
      x-xss-protection: 1; mode=block
      content-security-policy: img-src https://* data: blob: ; connect-src https://* ws://127 cf.dropb
      x-content-type-options: nosniff
      set-cookie: locale=en; Domain=dropbox.com; expires=Sat, 03 Apr 2021 20:10:37 GMT; Path=
      set-cookie: gvc=MTYxMzM2OTE1MjU0MzgyMTA2NDI1MzIxMzUyNzc3MDg1ODIzOTA4; expires=Sat, 03 A
      set-cookie: __Host-js_csrf=VQ1woPFdbo194pKVi50HJuTa; expires=Thu, 04 Apr 2019 20:10:37
      set-cookie: t=VQ1woPFdbo194pKVi50HJuTa; Domain=dropbox.com; expires=Thu, 04 Apr 2019 20
      set-cookie: puc=; expires=Mon, 04 Apr 2016 20:10:37 GMT; httponly; Path=/; secure
      x-dropbox-request-id: 7772ee5113bda6243af26076c8e25206
      pragma: no-cache
      cache-control: no-cache
      x-dropbox-http-protocol: None
      x-frame-options: SAMEORIGIN
      X-Server-Response-Time: 190
      Strict-Transport-Security: max-age=15552000; includeSubDomains
  13. OWASP useful HTTP headers
      https://www.owasp.org/index.php/List_of_useful_HTTP_headers
      • X-XSS-Protection
      • X-Content-Type-Options
      • X-Frame-Options
      • Strict-Transport-Security
      • Content-Security-Policy
      • CSP in Real World
      • End of the world
  15. X-XSS-Protection
      • Prevents reflected XSS attacks
      • Supported by IE8+ and Chrome
      • Enabled / disabled
      • mode=block turns off rendering of the page completely when an attack is detected
      X-XSS-Protection: 1; mode=block
      http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx
      #BOUTIN
  17. X-Content-Type-Options
      • Supported by IE and Chrome
      • "nosniff" is the only supported value
      X-Content-Type-Options: nosniff
      https://blogs.msdn.microsoft.com/ie/2008/09/02/ie8-security-part-vi-beta-2-update/
      https://en.wikipedia.org/wiki/Content_sniffing
  19. X-Frame-Options
      • Supported by Chrome, IE 9, Safari and Firefox
      • Prevents clickjacking
      X-Frame-Options: DENY
      X-Frame-Options: SAMEORIGIN
      X-Frame-Options: ALLOW-FROM https://example.com/
  20. X-Frame-Options

  21. server {
          listen 80;
          server_name domain.com;
          add_header x-xss-protection "1; mode=block";
          add_header x-frame-options "DENY";
          add_header x-content-type-options "nosniff";
      }
  22. None
  24. Strict-Transport-Security
      • RFC 6797
      • Supported by Chrome, IE 11, Safari and Firefox
      • Enforces the use of HTTPS on your website / turns any insecure link into a secure link
      • Protects from protocol downgrade
      • Blocks access if no trusted certificate is provided
      • Only valid after the first connection, but can be preloaded
      Strict-Transport-Security: max-age=expireTime [; includeSubdomains] [; preload]
      https://tools.ietf.org/html/rfc6797
  25. Strict-Transport-Security
      Register on https://hstspreload.appspot.com/ for preload
      Strict-Transport-Security: max-age=expireTime [; includeSubdomains] [; preload]
      https://tools.ietf.org/html/rfc6797
  26. Strict-Transport-Security https://tools.ietf.org/html/rfc6797

  27. Strict-Transport-Security
      server {
          listen 80;
          server_name domain.com;
          rewrite ^/(.*) https://$host/$1 permanent;
      }
      server {
          listen 443;
          ssl on;
          server_name domain.com;
          add_header Strict-Transport-Security "max-age=31536000;"; # ...
      }
      https://tools.ietf.org/html/rfc6797
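A small audit of the headers from slides 15 to 27, run over a raw `curl -I` response like the ones on slides 9 to 11. This is an added example, not code from the talk; the sample response and the 180-day threshold for max-age are constructed for the demonstration.

```python
import re
# The headers covered on slides 15-27, in the order the deck presents them.
REQUIRED = ("x-xss-protection", "x-content-type-options", "x-frame-options",
            "strict-transport-security", "content-security-policy")

def parse_headers(raw):
    """Turn a raw `curl -I` response into (lowercased name, value) pairs."""
    pairs = []
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def check_value(name, value):
    """Grade one header value: 'ok', or a short reason why it is weak or invalid."""
    v = value.lower()
    if name == "x-xss-protection":
        return "ok" if v.startswith("1") and "mode=block" in v else "weak: use '1; mode=block'"
    if name == "x-content-type-options":
        return "ok" if v == "nosniff" else "invalid: only 'nosniff' is defined"
    if name == "x-frame-options":
        return "ok" if v in ("deny", "sameorigin") or v.startswith("allow-from ") else "invalid value"
    if name == "strict-transport-security":
        m = re.search(r"max-age=(\d+)", v)
        if not m:
            return "invalid: max-age is required"
        notes = []
        if int(m.group(1)) < 15552000:  # 180 days, the smallest value seen on slides 9-11
            notes.append("max-age below 180 days")
        if "includesubdomains" not in v:
            notes.append("no includeSubDomains")
        if "preload" not in v:
            notes.append("not preload-ready")
        return "ok" if not notes else "weak: " + ", ".join(notes)
    if name == "content-security-policy":
        return "ok" if "default-src" in v else "weak: no default-src fallback"

def audit(raw):
    """Map each required header to its grade, or 'missing' when the response lacks it."""
    present = {}
    for name, value in parse_headers(raw):
        present.setdefault(name, value)  # first occurrence wins
    return {name: check_value(name, present[name]) if name in present else "missing"
            for name in REQUIRED}

# Constructed sample response: an nginx server sending only the slide 21 and slide 27 headers.
SAMPLE = """HTTP/1.1 200 OK
Date: Mon, 04 Apr 2016 20:10:37 GMT
x-xss-protection: 1; mode=block
x-frame-options: DENY
x-content-type-options: nosniff
Strict-Transport-Security: max-age=31536000
"""
if __name__ == "__main__":
    for header, grade in audit(SAMPLE).items():
        print(f"{header:26} {grade}")
```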
  28. None
  30. Content-Security-Policy
      • Supported by Chrome, IE 9, Safari and Firefox
      • Prevents XSS
      • Declares directives about what can be executed on your website
      Content-Security-Policy: default-src 'self'; script-src 'self' https://mycdn.com; style-src 'self' https://mycdn.com
      https://www.w3.org/TR/2012/CR-CSP-20121115/
  31. Content-Security-Policy Level 1 - Directives
      All these directives accept a source list
      • default-src - fallback for any non-declared directive
      • script-src - <script>
      • style-src - <link rel="stylesheet"> / @import CSS rule
      • object-src - <object> / <embed> / <applet>
      • img-src - <img> sources
      • media-src - <video> / <audio> / <source> / <track> sources
      • frame-src - <iframe> / <frame> sources
      • font-src - @font-face CSS rule
      • connect-src - XHR open / WebSocket or EventSource constructor
      https://www.w3.org/TR/2012/CR-CSP-20121115/
  32. Source list structure: <directive> source1 source2 … sourceN;
      Special sources:
      • 'self': the same origin as the current page (all directives)
      • 'unsafe-inline': allows inline script and style (script-src and style-src directives)
      • 'unsafe-eval': allows eval / new Function(); without it they are disabled and setTimeout / setInterval with a non-callable argument do not work (script-src directive)
      default-src 'self'; script-src 'self' https://cdn.domain.com 'unsafe-eval';
      https://www.w3.org/TR/2012/CR-CSP-20121115/
  33. Content-Security-Policy:
          default-src 'self';
          script-src 'self' https://cdn.domain.com;
          style-src 'self' https://cdn.domain.com;
      https://www.w3.org/TR/2012/CR-CSP-20121115/
  34. 'unsafe-eval'
      Warning: jQuery uses eval when inserting a <script> DOM node:

      // does not work: a <script> inserted through innerHTML is never executed
      document
        .getElementsByTagName('body')[0]
        .innerHTML = '<script>console.log("Hello roro")</script>'

      // works: jQuery extracts the script and evaluates it, which requires 'unsafe-eval'
      jQuery('body').html('<script>console.log("Hello roro")</script>')
      https://www.w3.org/TR/2012/CR-CSP-20121115/
  35. 'unsafe-inline'
      What about my inline scripts?

      <script>
      window.api_key = '{{ api_key }}';
      </script>

      <style>
      body {
          background-color: red;
      }
      </style>
      https://www.w3.org/TR/2012/CR-CSP-20121115/
  36. Content-Security-Policy:
          default-src 'self';
          script-src 'self' https://cdn.domain.com;
          style-src 'self' https://cdn.domain.com;
      With jQuery's eval and the inline blocks allowed, this becomes:
      Content-Security-Policy:
          default-src 'self';
          script-src 'self' 'unsafe-eval' 'unsafe-inline' https://cdn.domain.com;
          style-src 'self' 'unsafe-inline' https://cdn.domain.com;
      https://www.w3.org/TR/2012/CR-CSP-20121115/
  37. Content-Security-Policy Level 2
      https://www.w3.org/TR/CSP2/
      • W3C Recommendation 2014-2015
      • New directives
      • Hashes and nonces for inline scripting
  38. Content-Security-Policy Level 2 - Directives
      All these directives accept a source list
      • base-uri - allowed document base URLs, no fallback on default-src
      • child-src - workers and frames. Deprecates frame-src
      • form-action - <form> action URLs, no fallback on default-src
      • frame-ancestors - is the document embeddable in <frame>, <iframe>, <object>, <applet> or <embed>? Related to X-Frame-Options: 'none' is the equivalent of 'DENY'
      • plugin-types - list of MIME types. <object>, <embed> or <applet> must match it with their type attribute
      https://www.w3.org/TR/CSP2/
  39. Content-Security-Policy Level 2 - Nonce
      Introduces nonces (a random value per request) for inline scripting:
      # HTML
      <script nonce="c89143d4b599538c81058b80a6f975a6">
      window.config.apiKey = 'api-key';
      </script>
      <style nonce="5c5260e3c82f1724a903612c0fc11a0f">
      body { background-color: red; }
      </style>
      # HTTP header
      Content-Security-Policy:
          script-src 'self' 'nonce-c89143d4b599538c81058b80a6f975a6';
          style-src 'self' 'nonce-5c5260e3c82f1724a903612c0fc11a0f';
      Con: an attacker who can obtain the nonce can execute any script.
      https://www.w3.org/TR/CSP2/
  40. Content-Security-Policy Level 2 - Hashes
      Introduces hashes (sha256, sha384 and sha512) for inline scripting:
      # HTML
      <script>
      window.config.apiKey = 'api-key';
      </script>
      # HTTP header
      Content-Security-Policy:
          script-src 'self' 'sha256-voRt1IK8+FVdRFaTgn8K6ET46mYOZvT7kYG6Wo3eJNU='
      # PHP
      $hash = base64_encode(openssl_digest($scriptContent, 'sha256', true));
      https://www.w3.org/TR/CSP2/
  41. Content-Security-Policy Level 2 - Hashes
      Introduces hashes (sha256, sha384 and sha512) for inline styling too:
      # HTML
      <style>
      body { background-color: red; }
      </style>
      # HTTP header
      Content-Security-Policy:
          style-src 'self' 'sha256-xWFKpNfjw6Di/Op4dyVBe876d12Yggw8WSB6ojNM/bM='
      # PHP
      $hash = base64_encode(openssl_digest($styleContent, 'sha256', true));
      https://www.w3.org/TR/CSP2/
  42. Content-Security-Policy Level 2 - Support https://www.w3.org/TR/CSP2/
 http://caniuse.com/#search=csp

  43. Content-Security-Policy Level 2 - Support
      In CSP level 2, 'unsafe-inline' is not interpreted if a nonce or a hash is contained in the same source list.
      Content-Security-Policy: script-src 'unsafe-inline' 'nonce-c89143d4b599538c81058b80a6f975a6'
      Is interpreted in a CSP level 1 context as:
      Content-Security-Policy: script-src 'unsafe-inline'
      Is interpreted in a CSP level 2 context as:
      Content-Security-Policy: script-src 'nonce-c89143d4b599538c81058b80a6f975a6'
      https://www.w3.org/TR/CSP2/
  44. Content-Security-Policy Level 2
      So you can use CSP level 2 with hashes and nonces as long as you still include the 'unsafe-inline' source: Chrome, Safari, IE 11 and Firefox
      https://www.w3.org/TR/CSP2/
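The level 1 / level 2 interpretation rule from slide 43, and the slide 44 recipe built on it, worked through in code. This is an added example, not part of the talk: it computes the hash sources of slides 40 and 41 with hashlib (the equivalent of the PHP openssl_digest one-liner), parses a policy, and decides whether an inline block would run in each browser generation. The policy, the script body and the nonce value are constructed for the demonstration.

```python
import base64
import hashlib
import secrets

CSP_HASHES = ("sha256", "sha384", "sha512")

def csp_hash(content, algo="sha256"):
    """Hash source for an inline <script>/<style> body (the PHP one-liner on slides 40-41)."""
    digest = hashlib.new(algo, content.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode()}'"

def csp_nonce():
    """Fresh per-request nonce source with 128 bits of randomness, as on slide 39."""
    return f"'nonce-{secrets.token_hex(16)}'"

def parse_policy(header):
    """Split 'script-src a b; style-src c' into {'script-src': ['a', 'b'], ...}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def inline_allowed(header, directive, content, nonce=None, level=2):
    """Would a level 1 or level 2 browser execute this inline block under the policy?
    Falls back to default-src when the directive is absent (slide 31)."""
    policy = parse_policy(header)
    sources = policy.get(directive, policy.get("default-src", []))
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                            for s in sources)
    if level == 1 or not has_nonce_or_hash:
        # A level 1 browser knows nothing about nonces and hashes: only 'unsafe-inline' counts.
        return "'unsafe-inline'" in sources
    # Level 2: 'unsafe-inline' is ignored once a nonce or hash is in the list (slide 43).
    if nonce is not None and f"'nonce-{nonce}'" in sources:
        return True
    return any(csp_hash(content, algo) in sources for algo in CSP_HASHES)

# Constructed example following the slide 44 recipe: one policy for both browser generations.
SCRIPT = "window.config.apiKey = 'api-key';"
NONCE = "c89143d4b599538c81058b80a6f975a6"   # the slide 39 value; a real one is fresh per request
POLICY = (f"default-src 'self'; script-src 'self' 'unsafe-inline' 'nonce-{NONCE}' "
          f"{csp_hash(SCRIPT)}; style-src 'self' 'unsafe-inline'")
INJECTED = "console.log('not whitelisted');"   # inline script carrying neither nonce nor hash

if __name__ == "__main__":
    print(POLICY)
    for level in (1, 2):
        print(f"level {level}: own script {inline_allowed(POLICY, 'script-src', SCRIPT, level=level)}, "
              f"injected {inline_allowed(POLICY, 'script-src', INJECTED, level=level)}")
```

The run shows the trade-off of the recipe: a level 1 browser still executes the injected block because it only sees 'unsafe-inline', while a level 2 browser executes only the hashed or nonced one.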
  45. None
  47. Content-Security-Policy - Project Setup
      Content-Security-Policy might be difficult to implement in a legacy project :(
      https://www.w3.org/TR/CSP2/
  48. PHP: composer require nelmio/security-bundle
      Ruby: Twitter Secure Headers
      csp:
          enforce:
              default-src:
                  - 'self'
                  - 'https://%assets_domain%'
              script-src:
                  - 'self'
                  - 'unsafe-inline'
                  - 'https://%assets_domain%'
              style-src:
                  - 'self'
                  - 'unsafe-inline'
                  - 'https://%assets_domain%'
              report-uri: [ '/csp/report' ]
      https://github.com/nelmio/NelmioSecurityBundle
  49. PHP: composer require nelmio/security-bundle
      Ruby: Twitter Secure Headers
      {% cspscript %}
      <script>
      window.api_key = '{{ api_key }}';
      </script>
      {% endcspscript %}

      {% cspstyle %}
      <style>
      body {
          background-color: red;
      }
      </style>
      {% endcspstyle %}
      https://github.com/nelmio/NelmioSecurityBundle
  52. Content-Security-Policy-Report-Only
      • Does not enforce the directives, only collects the violations
      • Can be used alongside the Content-Security-Policy header to test a new version of the policy
      Content-Security-Policy-Report-Only: default-src 'self'; report-uri /csp-report-endpoint/
      https://www.w3.org/TR/CSP2/
  53. Content-Security-Policy report-uri
      • Reports Content Security Policy violations
      Content-Security-Policy: default-src 'self'; report-uri /csp-report-endpoint/
      https://www.w3.org/TR/CSP2/
  54. {
          'blocked-uri': 'https://m74.dnsqa2016.com',
          'column-number': 290,
          'document-uri': 'https://blackfire.io/',
          'effective-directive': 'script-src',
          'line-number': 45,
          'original-policy': 'default-src \'self\' https://d2vqbs7xgyce6n.clou
          'referrer': 'https://www.google.pl/',
          'source-file': 'https://www.google-analytics.com',
          'status-code': 0,
          'violated-directive': 'script-src \'self\' \'unsafe-inline\' https:/
      }
      https://www.w3.org/TR/CSP2/
  55. AngularJS Compatibility
      • Angular detects CSP usage, but it triggers a CSP security exception.
      • Force Angular to behave in CSP mode with the ng-csp directive (provided natively within angular.js):
      <body ng-csp>
      <body ng-csp="no-unsafe-eval">
      <body ng-csp="no-inline-style">
      https://www.w3.org/TR/CSP2/
  60. Is my website secured with Content-Security-Policy?
      • Browser extensions have incredible access, you cannot do anything about it
      • You still use trackers (GA) => disable them on sensitive pages
      • Your CDN can be compromised
  62. Remember the Great Cannon?
      http://www.securityweek.com/great-cannon-attack-tool-used-china-censorship-enforcement

  64. None
  65. HTTP Security: Subresource Integrity
      https://www.w3.org/TR/SRI/
      http://githubengineering.com/subresource-integrity/
      • W3C recommendation from late 2015
      • For <script> and <link> tags
      • Supports sha256, sha384 and sha512 message digests
      • Adds a hash to a resource to check its integrity
      • The server should use CORS as defined by the spec (to mitigate brute force attacks)
      <script
        crossorigin="anonymous"
        src="/assets/application.js"
        integrity="sha256-TvVUHzSfftWg1rcfL6TIJ0XKEGrgLyEq6lEpcmrG9qs="
      ></script>
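Generating and checking the integrity attribute from slide 65, including the spec's rule for an attribute that lists several digests (only the strongest algorithm present counts, and any digest of that algorithm may match). This is an added example, not code from the talk or from the SRI spec; the resource bodies are constructed because the slide's application.js is not available here.

```python
import base64
import hashlib

# Digest algorithms the SRI spec accepts, weakest to strongest (slide 65).
SRI_ALGOS = ("sha256", "sha384", "sha512")

def integrity_for(data, algo="sha384"):
    """Build the value of the integrity attribute for a resource body (bytes)."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"

def parse_integrity(attr):
    """Parse 'sha256-xxx sha384-yyy?opt' into {algo: [digest, ...]}; unknown algorithms are ignored."""
    parsed = {}
    for token in attr.split():
        algo, _, rest = token.partition("-")
        digest = rest.split("?", 1)[0]   # anything after '?' is an option expression, not digest
        if algo in SRI_ALGOS and digest:
            parsed.setdefault(algo, []).append(digest)
    return parsed

def verify(data, attr):
    """Spec rule: only digests of the strongest listed algorithm count, any one of them may match.
    No usable metadata at all means the browser loads the resource unchecked."""
    parsed = parse_integrity(attr)
    if not parsed:
        return True
    strongest = max(parsed, key=SRI_ALGOS.index)
    actual = integrity_for(data, strongest).split("-", 1)[1]
    return actual in parsed[strongest]

def script_tag(src, data):
    """Emit the slide 65 tag with a digest computed from the bytes actually served."""
    return (f'<script crossorigin="anonymous" src="{src}" '
            f'integrity="{integrity_for(data)}"></script>')

# Constructed resource bodies; the slide's application.js is not available here.
APP_JS = b"window.app = { version: '1.0.0' };\n"
MODIFIED_JS = APP_JS + b"// one extra line is enough to fail the check\n"

if __name__ == "__main__":
    print(script_tag("/assets/application.js", APP_JS))
    attr = integrity_for(APP_JS)
    print("served file verifies:", verify(APP_JS, attr))
    print("modified file verifies:", verify(MODIFIED_JS, attr))
```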
  66. http://caniuse.com/#feat=subresource-integrity HTTP Security: Subresource Integrity

  68. OWASP useful HTTP headers
      https://www.owasp.org/index.php/List_of_useful_HTTP_headers
      • X-XSS-Protection
      • X-Content-Type-Options
      • X-Frame-Options
      • Strict-Transport-Security
      • Content-Security-Policy
      • CSP in Real World
      • End of the world
      • Subresource Integrity
      • Public Key Pinning
      https://blog.qualys.com/ssllabs/2016/09/06/is-http-public-key-pinning-dead
  69. None
  70. Resources
      • https://blogs.dropbox.com/tech/2015/09/on-csp-reporting-and-filtering/
      • https://blogs.dropbox.com/tech/2015/09/unsafe-inline-and-nonce-deployment/
      • https://blogs.dropbox.com/tech/2015/09/csp-the-unexpected-eval/
      • https://blogs.dropbox.com/tech/2015/09/csp-third-party-integrations-and-privilege-separation/
      • http://githubengineering.com/subresource-integrity/
      • https://blog.cloudflare.com/an-introduction-to-javascript-based-ddos/
      • http://www.securityweek.com/great-cannon-attack-tool-used-china-censorship-enforcement
      • https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf
      • https://github.com/nelmio/NelmioSecurityBundle
      • https://www.owasp.org/index.php/List_of_useful_HTTP_headers
      • https://www.w3.org/TR/SRI/
      • https://www.w3.org/TR/CSP2/
      • https://www.w3.org/TR/2012/CR-CSP-20121115/
      • https://tools.ietf.org/html/rfc6797
      • http://caniuse.com/#feat=subresource-integrity
      • http://caniuse.com/#search=csp
      • https://blogs.msdn.microsoft.com/ie/2008/09/02/ie8-security-part-vi-beta-2-update/
      • https://en.wikipedia.org/wiki/Content_sniffing
      • https://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx
      • https://blog.qualys.com/ssllabs/2016/09/06/is-http-public-key-pinning-dead
  71. Bonus: securityheaders.io https://securityheaders.io

  72. Bonus: report-uri.io https://report-uri.io

  73. Bonus: Mozilla Observatory https://observatory.mozilla.org

  74. THANK YOU !!

  75. THANK YOU !! Questions?