HTTP Security: headers as a shield over your application

Browsers HTTP Security

View Slide

Romain Neutron
https://github.com/romainneutron

View Slide


View Slide

$ curl -I https://github.com
 
HTTP/1.1 200 OK 
Server: GitHub.com 
Date: Mon, 04 Apr 2016 20:10:13 GMT 
Content-Type: text/html; charset=utf-8 
Status: 200 OK 
Cache-Control: no-cache 
Vary: X-PJAX 
X-UA-Compatible: IE=Edge,chrome=1 
Set-Cookie: logged_in=no; domain=.github.com; path=/; expires=Fri, 04 Apr 2036 20:10:13
Set-Cookie: _gh_sess=eyJzZXNzaW9uX2lkIjoiYzE1ZjE3NjA4Yjg1MWM3MTk4MjY0ZjdiMzY5ZDJhNzciLC
X-Request-Id: 048b988349db27c05f13900c2b8c8dd5 
X-Runtime: 0.011717 
Content-Security-Policy: default-src 'none'; base-uri 'self'; block-all-mixed-content;
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload 
Public-Key-Pins: max-age=1209600; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB
X-Content-Type-Options: nosniff 
X-Frame-Options: deny 
X-XSS-Protection: 1; mode=block 
Vary: Accept-Encoding 
X-Served-By: 7cc969f65c7ec8d9db2fa57dcc51d323 
X-GitHub-Request-Id: 55A8461C:0E34:67919BE:5702CA25

View Slide

$ curl -I https://www.google.fr 
HTTP/1.1 200 OK 
Date: Mon, 04 Apr 2016 20:09:15 GMT 
Expires: -1 
Cache-Control: private, max-age=0 
Content-Type: text/html; charset=ISO-8859-1 
P3P: CP="This is not a P3P policy! See https://www.google.com/support/accounts/answer/1
Server: gws 
X-XSS-Protection: 1; mode=block 
X-Frame-Options: SAMEORIGIN 
Set-Cookie: NID=78=qz0a3gQjdiDNPGOR3AAVCO72jOeyaj_EoA8nXeDud6dEqZty2mEdqd9j4gkSNYoqLNM9
iHcHNp7pwr9RQTo0A5id943sj; expires=Tue, 04-Oct 
Alternate-Protocol: 443:quic 
Alt-Svc: quic=":443"; ma=2592000; v="32,31,30,29,28,27,26,25" 
Transfer-Encoding: chunked 
Accept-Ranges: none 
Vary: Accept-Encoding

View Slide

$ curl -I https://www.dropbox.com 
HTTP/1.1 200 OK 
Server: nginx 
Date: Mon, 04 Apr 2016 20:10:37 GMT 
Content-Type: text/html; charset=utf-8 
Connection: keep-alive 
x-xss-protection: 1; mode=block 
content-security-policy: img-src https://* data: blob: ; connect-src https://* ws://127
cf.dropb 
x-content-type-options: nosniff 
set-cookie: locale=en; Domain=dropbox.com; expires=Sat, 03 Apr 2021 20:10:37 GMT; Path=
set-cookie: gvc=MTYxMzM2OTE1MjU0MzgyMTA2NDI1MzIxMzUyNzc3MDg1ODIzOTA4; expires=Sat, 03 A
set-cookie: __Host-js_csrf=VQ1woPFdbo194pKVi50HJuTa; expires=Thu, 04 Apr 2019 20:10:37
set-cookie: t=VQ1woPFdbo194pKVi50HJuTa; Domain=dropbox.com; expires=Thu, 04 Apr 2019 20
set-cookie: puc=; expires=Mon, 04 Apr 2016 20:10:37 GMT; httponly; Path=/; secure 
x-dropbox-request-id: 7772ee5113bda6243af26076c8e25206 
pragma: no-cache 
cache-control: no-cache 
x-dropbox-http-protocol: None 
x-frame-options: SAMEORIGIN 
X-Server-Response-Time: 190 
Strict-Transport-Security: max-age=15552000; includeSubDomains

View Slide


View Slide

https://www.owasp.org/index.php/List_of_useful_HTTP_headers
• X-XSS-Protection
• X-Content-Type-Options
• X-Frame-Options
• Strict-Transport-Security
• Content-Security-Policy
• CSP in Real World
• End of the world
OWASP useful HTTP headers

View Slide

X-Xss-Protection
• Prevents XSS reﬂected attacks
• Supported by IE8+ and Chrome
• Enabled / disabled
• mode-block to completely turn off rendering
X-XSS-Protection: 1; mode=block
http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-ﬁlter-with-the-x-xss-protection-http-header.aspx
#BOUTIN

View Slide

• X-Frame-Options

View Slide

X-Content-Type-Options
• Supported by IE and Chrome
• "nosniff" only supported value
X-Content-Type-Options: nosniff
https://blogs.msdn.microsoft.com/ie/2008/09/02/ie8-security-part-vi-beta-2-update/ 
https://en.wikipedia.org/wiki/Content_snifﬁng

View Slide

• X-Frame-Options

View Slide

X-Frame-Options
• Supported by Chrome, IE 9, Safari
and Firefox
• Prevents clickjacking
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
X-Frame-Options: ALLOW-FROM https://example.com/

View Slide

X-Frame-Options

View Slide

server { 
listen 80; 
 
server_name domain.com; 
add_header x-xss-protection "1; mode=block";
add_header x-frame-options "DENY";
add_header x-content-type-options "nosniff";
} 

View Slide

View Slide

• X-Frame-Options

View Slide

Strict-Transport-Security
• RFC-7697
• Supported by Chrome, IE 11, Safari and Firefox
• Enforce use of HTTPS on your website / Turns any insecure link to secure link
• Protects from Protocol Downgrade
• Blocks access if no trusted certiﬁcate is provided
• Only valid after ﬁrst connection, but can be preloaded
Strict-Transport-Security: max-age=expireTime [; includeSubdomains] [; preload]
https://tools.ietf.org/html/rfc6797

View Slide

Register on https://hstspreload.appspot.com/ for
preload  
Strict-Transport-Security: max-age=expireTime [; includeSubdomains] [; preload]

View Slide


View Slide

server { 
listen 80; 
 
rewrite ^/(.*) https://$host/$1 permanent; 
} 
server { 
listen 443; 
ssl on; 
 
add_header Strict-Transport-Security “max-age=31536000;";
# ... 
}

View Slide

View Slide

• X-Frame-Options

View Slide

Content-Security-Policy
• Supported by Chrome, IE 9, Safari and Firefox
• Prevents XSS
• Declare directives about what can be executed on your website
Content-Security-Policy: default ‘self’; script-src ‘self’ https://mycdn.com; style-src
‘self’ https://mycdn.com
https://www.w3.org/TR/2012/CR-CSP-20121115/

View Slide

All these directives accept a source list
• default-src - fallback for any non-declared directive
• script-src -
• style-src - / @import CSS rule
• object-src - / /
• img-src - sources
• media-src - / / / sources
• frame-src - / sources
• font-src - @font-face CSS rule
• connect-src - XHR open / WebSocket or EventSource constructor
Content-Security-Policy Level 1 - Directives

View Slide

Source list structure:
source1 source2 … sourceN;
Special sources:
• 'self' : the same origin as the current page (all directives)
• 'unsafe-inline' : inline script (script-src and style-src directives)
• 'unsafe-eval' : eval / new Function() are disabled / setTimeout and
setInterval with non-callable do not work (script-src directive)
default-src: 'self'; script-src 'self' https://cdn.domain.com 'unsafe-eval';

View Slide

Content-Security-Policy:  
default-src 'self';  
script-src 'self' https://cdn.domain.com;  
style-src 'self' https://cdn.domain.com;

View Slide

'unsafe-eval'
Warning: jQuery uses eval when inserting DOM node: # does not work  document  .getElementsByTagName('body')[0]  .innerHTML = '<script>console.log("Hello roro")' 
 
# works 
jQuery('body').html('console.log("Hello roro")')

View Slide

'unsafe-inline'
What about my inline scripts? 
 
  window.api_key = '{{ api_key }}';   
 
  body {  background-color: red;  }   

View Slide

script-src 'self' https://cdn.domain.com;  
style-src 'self' https://cdn.domain.com;
script-src 'self' 'unsafe-eval' 'unsafe-inline' https://cdn.domain.com;  
style-src 'self' 'unsafe-inline' https://cdn.domain.com;

View Slide

https://www.w3.org/TR/CSP2/
W3C Recommendation 2014-2015
• New directives
• Hashes and nonces for inline scripting
Content-Security-Policy Level 2

View Slide

All these directives accept a source list  
 
• base-uri - available document base-urls, no fallback on default-src
• child-src - workers and frames. Deprecates frame-src
• form-action - actions URLs, no fallback on default-src
• frame-ancestors - Is the document embeddable in , , ,
or - related to X-Frame-Options - 'none' is the 'DENY'
• plugin-type - mime-types list. , or should match the with
their type attribute

View Slide

Introduces nonces (random value per request) for inline scripting:
# HTML 
  window.config.apiKey = 'api-key';   
  body { background-color: red; }  
# HTTP header 
script-src 'self' 'nonce-c89143d4b599538c81058b80a6f975a6'; 
style-src 'self' 'nonce-5c5260e3c82f1724a903612c0fc11a0f';
Con: an attacker that can gain access to the nonce can execute whatever script.
Content-Security-Policy Level 2 - Nonce

View Slide

Introduces hashes (sha256, sha384 and sha512) for inline scripting:
# HTML 
  window.config.apiKey = 'api-key';  
# HTTP header 
script-src 'self' 'sha256-
voRt1IK8+FVdRFaTgn8K6ET46mYOZvT7kYG6Wo3eJNU='
# PHP 
$hash = base64_encode(openssl_digest($scriptContent, 'sha256', true))
Content-Security-Policy Level 2 - Hashes

View Slide

Introduces hashes (sha256, sha384 and sha512) for inline scripting:
# HTML 
  body { background-color: red; }  
# HTTP header 
script-src 'self' 'sha256-xWFKpNfjw6Di/Op4dyVBe876d12Yggw8WSB6ojNM/
bM='
# PHP 
base64_encode(openssl_digest($scriptContent, 'sha256', true))
Content-Security-Policy Level 2 - Hashes

View Slide

Content-Security-Policy Level 2 - Support
https://www.w3.org/TR/CSP2/ 
http://caniuse.com/#search=csp

View Slide

In CSP level 2 'unsafe-inline' is not interpreted if the a nonce or a hash is
contained in the same source list
Content-Security-Policy: script-src 'unsafe-inline' 'nonce-
c89143d4b599538c81058b80a6f975a6'
Is interpreted in CSP level 1 context as:
Content-Security-Policy: script-src 'unsafe-inline'
Is interpreted in CSP level 2 context as:
Content-Security-Policy: script-src 'nonce-c89143d4b599538c81058b80a6f975a6'
Content-Security-Policy Level 2 - Support

View Slide

So you can use CSP level 2 
with hashes and nonces 
as long as you still include  
the 'unsafe-inline' directive
Chrome, Safari, IE 11, Safari and Firefox
Content-Security-Policy Level 2

View Slide

View Slide

• X-Frame-Options

View Slide

Content-Security-Policy 
might be difﬁcult to implement 
in a legacy project :(
Content-Security-Policy - Project Setup

View Slide

PHP: composer require nelmio/security-bundle 
Ruby: Twitter Secure Headers
csp:
enforce: 
default-src: 
- 'self' 
- 'https://%assets_domain%' 
script-src: 
- 'self' 
- 'unsafe-inline' 
style-src: 
- 'self' 
- 'https://%assets_domain%'
report-uri: [ '/csp/report' ] 
https://github.com/nelmio/NelmioSecurityBundle

View Slide

{% cspscript %} 
  window.api_key = '{{ api_key }}';   
{% endcspscript %} 
 
{% cspstyle %} 
  body {  background-color: red;  }   
{% endcspstyle %}

View Slide

csp:
enforce: 
default-src: 
- 'self' 
script-src: 
- 'self' 
style-src: 
- 'self' 
- 'https://%assets_domain%'
report-uri: [ '/csp/report' ] 

View Slide

Content-Security-Policy-Report-Only
• Disable apply directives rules, just collect directives
violations
• Can be used alongside Content-Security-Policy header 
to test a new version
Content-Security-Policy-Report-Only:  
default-src 'self'; report-uri /csp-report-endpoint/

View Slide

Content-Security-Policy report-uri
• Reports Content Security Policy violations
default-src 'self'; report-uri /csp-report-endpoint/

View Slide

{ 
'blocked-uri': 'https://m74.dnsqa2016.com', 
'column-number': 290, 
'document-uri': 'https://blackfire.io/', 
'effective-directive': 'script-src', 
'line-number': 45, 
'original-policy': 'default-src \'self\' https://d2vqbs7xgyce6n.clou
'referrer': 'https://www.google.pl/', 
'source-file': 'https://www.google-analytics.com', 
'status-code': 0, 
'violated-directive': 'script-src \'self\' \'unsafe-inline\' https:/
}
Content-Security-Policy report-uri

View Slide

AngularJS Compatibility
• Angular detects CSP usage, but it triggers a CSP security
exception.
• Force angular to behaves in CSP with ng-csp directive (provided
natively within angular.js)
 
 


View Slide

Is my website secured with Content-Security-Policy?

View Slide

• Browser extensions have incredible access, you can not do anything
about it

View Slide

about it
• You still use trackers (GA) => disable them on sensitive pages

View Slide

about it
• You still use trackers (GA) => disable them on sensitive pages
• Your CDN can be compromised

View Slide

Remember the Great Cannon?

View Slide

http://www.securityweek.com/great-cannon-attack-tool-used-china-censorship-enforcement
Remember the Great Cannon?

View Slide

• X-Frame-Options

View Slide

View Slide

https://www.w3.org/TR/SRI/
http://githubengineering.com/subresource-integrity/
• W3C recommendation from late 2015
• For and <link> tags • Support sha256, sha-384 and sha512 message digests • Adds a hash to a resource to check integrity • Server should use CORS as deﬁned by spec (to mitigate brute force attack) <script   crossorigin=“anonymous”   src="/assets/application.js"   integrity="sha256-TvVUHzSfftWg1rcfL6TIJ0XKEGrgLyEq6lEpcmrG9qs="  >
HTTP Security: Subresource Integrity

View Slide

http://caniuse.com/#feat=subresource-integrity
HTTP Security: Subresource Integrity

View Slide

• X-Frame-Options
• End of the world Subresource Integrity

View Slide

• X-Frame-Options
• End of the world Subresource Integrity
• Public Key Pinning
https://www.owasp.org/index.php/List_of_useful_HTTP_headers 
https://blog.qualys.com/ssllabs/2016/09/06/is-http-public-key-pinning-dead

View Slide

View Slide

Resources
• https://blogs.dropbox.com/tech/2015/09/on-csp-reporting-and-filtering/
• https://blogs.dropbox.com/tech/2015/09/unsafe-inline-and-nonce-deployment/
• https://blogs.dropbox.com/tech/2015/09/csp-the-unexpected-eval/
• https://blogs.dropbox.com/tech/2015/09/csp-third-party-integrations-and-privilege-separation/
• http://githubengineering.com/subresource-integrity/
• https://blog.cloudflare.com/an-introduction-to-javascript-based-ddos/
• http://www.securityweek.com/great-cannon-attack-tool-used-china-censorship-enforcement
• https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf
• https://github.com/nelmio/NelmioSecurityBundle
• https://www.owasp.org/index.php/List_of_useful_HTTP_headers
• https://www.w3.org/TR/SRI/
• https://www.w3.org/TR/CSP2/
• https://www.w3.org/TR/2012/CR-CSP-20121115/
• https://tools.ietf.org/html/rfc6797
• http://caniuse.com/#feat=subresource-integrity
• http://caniuse.com/#search=csp
• https://blogs.msdn.microsoft.com/ie/2008/09/02/ie8-security-part-vi-beta-2-update/
• https://en.wikipedia.org/wiki/Content_sniffing
• https://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-
xss-protection-http-header.aspx
• https://blog.qualys.com/ssllabs/2016/09/06/is-http-public-key-pinning-dead

View Slide

HTTP Security: headers as a shield over your application

HTTP Security: headers as a shield over your application

Romain Neutron

More Decks by Romain Neutron

Other Decks in Programming

Featured

Transcript