Security Headers, why should we care

Security headers Why should we care? Artur Hil

Why to use the Security headers • It’s a good
place to start when you want to secure your web app • Easy to implement and only require a slight web server conﬁguration change • Provide yet another layer of security by helping to mitigate attacks and security vulnerabilities • Ensures your clients you are keeping up with best practices • Discourages most of hackers to play with your app

Today we will focus on: • HTTP Strict Transport Security
• X-Frame-Options • X-Content-Type-Options • Referrer-Policy • Content-Security-Policy

Today we will not focus on: Rarely used • X-Permitted-Cross-Domain-Policies
• Clear-Site-Data • Cross-Origin-Embedder-Policy • Cross-Origin-Opener-Policy • Cross-Origin-Resource-Policy Almost Deprecated • Feature-Policy • Expect-CT Deprecated: • Public-Key-Pins • X-XSS-Protection

If you want more please visit: OWASP Secure Headers Project

HTTP Strict Transport Security (HSTS) HTTP Strict Transport Security X-Frame-Options
X-Content-Type-Options Referrer-Policy Content-Security-Policy

HTTP Strict Transport Security X-Frame-Options X-Content-Type-Options Referrer-Policy Content-Security-Policy http User_1
User_2 Web Server https

HTTP Strict Transport Security (HSTS) Strict-Transport-Security: max-age=<expire-time>; includeSubDomains Strict-Transport-Security: max-age=31536000
; includeSubDomains Strict-Transport-Security: max-age=<expire-time>; includeSubDomains; preload Strict-Transport-Security: max-age=31536000 ; includeSubDomains; preload Strict-Transport-Security: max-age=<expire-time> Strict-Transport-Security: max-age=300 The best HTTP Strict Transport Security X-Frame-Options X-Content-Type-Options Referrer-Policy Content-Security-Policy

X-Frame-Options HTTP Strict Transport Security X-Frame-Options X-Content-Type-Options Referrer-Policy Content-Security-Policy

Clickjacking HTTP Strict Transport Security X-Frame-Options X-Content-Type-Options Referrer-Policy Content-Security-Policy

X-Frame-Options Syntax: Do: X-Frame-Options: DENY No one will be able
to Frame your application Dont: X-Frame-Options: SAMEORIGIN X-Frame-Options: ALLOW-FROM https://example.com/ Small protection against Clickjacking, but better than none HTTP Strict Transport Security X-Frame-Options X-Content-Type-Options Referrer-Policy Content-Security-Policy

X-Content-Type-Options HTTP Strict Transport Security X-Frame-Options X-Content-Type-Options Referrer-Policy Content-Security-Policy

HTTP Strict Transport Security X-Frame-Options X-Content-Type-Options Referrer-Policy Content-Security-Policy

MIME sniffing text/plain is not a valid JavaScript MIME type

X-Content-Type-Options • Always make sure that all resources served by
a web application has a correct Content-Type header in response • X-Content-Type-Options: nosniff should be deployed for all application responses HTTP Strict Transport Security X-Frame-Options X-Content-Type-Options Referrer-Policy Content-Security-Policy

Referrer policy HTTP Strict Transport Security X-Frame-Options X-Content-Type-Options Referrer-Policy Content-Security-Policy

Information leakage via referer header Private information: https://news.example/search?q=covid-19&sort=newest Private and
Sensitive: https://healthcare.example/patient/history/injuries/arm Private and Identity information: https://mybook.example.com/proﬁle/[email protected] Critical information: https://mail.example/password_reset?token=b08476ﬀ4b8c961375c89e6671b56111 HTTP Strict Transport Security X-Frame-Options X-Content-Type-Options Referrer-Policy Content-Security-Policy

Referrer-Policy Referrer-Policy: no-referrer No Referer information in any case Referrer-Policy:
no-referrer-when-downgrade Origin, path, query in Referer when HTTP→HTTP, HTTP→HTTPS, HTTPS→HTTPS No Referer information when HTTPS→HTTP, HTTPS→file Referrer-Policy: origin Only Origin https://example.com/page.html >> https://example.com/ Referrer-Policy: origin-when-cross-origin Origin, path, query in Referer when a same-origin request to the same protocol Send origin (only) for cross origin requests and requests to less secure destinations. HTTP Strict Transport Security X-Frame-Options X-Content-Type-Options Referrer-Policy Content-Security-Policy

Referrer-Policy Referrer-Policy: same-origin Origin, path, query in Referer when same-origin
requests No Referer information when cross-origin requests Referrer-Policy: strict-origin Only Origin when protocol security level stays the same (HTTPS→HTTPS) No Referer information when less secure destinations (HTTPS→HTTP) Referrer-Policy: strict-origin-when-cross-origin Default if no policy is specified Origin, path, query in Referer when same-origin requests Only Origin when protocol security level stays the same (HTTPS→HTTPS) No Referer information when less secure destinations (HTTPS→HTTP) Referrer-Policy: unsafe-url Origin, path, query in Referer in any case HTTP Strict Transport Security X-Frame-Options X-Content-Type-Options Referrer-Policy Content-Security-Policy

Let’s recap

The most secure approach for security headers X-Frame-Options: deny Referrer-Policy:
no-referrer X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 ; includeSubDomains

The most secure approach for security headers X-Frame-Options: deny Referrer-Policy:
strict-origin-when-cross-origin X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 ; includeSubDomains

Content-Security-Policy HTTP Strict Transport Security X-Frame-Options X-Content-Type-Options Referrer-Policy Content-Security-Policy

Alexa top 1 million security headers analysis HTTP Strict Transport
Security X-Frame-Options X-Content-Type-Options Referrer-Policy Content-Security-Policy

Why so hard to implement? • More than 30 directives
• More than half of them are experimental • Some of the directives interference each other • Sometimes you need to rebuild your entire app to use CSP properly • Improper implementation of CSP could help hackers to break into your app HTTP Strict Transport Security X-Frame-Options X-Content-Type-Options Referrer-Policy Content-Security-Policy

So you have decide to implement CSP Do not start
with Content-Security-Policy Start with Content-Security-Policy-Report-Only HTTP Strict Transport Security X-Frame-Options X-Content-Type-Options Referrer-Policy Content-Security-Policy

Content-Security-Policy-Report-Only: default-src 'none'; form-action 'none'; frame-ancestors 'none'; Strictest policy HTTP
Strict Transport Security X-Frame-Options X-Content-Type-Options Referrer-Policy Content-Security-Policy

Possible Errors that will appear [Report Only] Refused to load
the stylesheet 'https://example.com/style.css' because it violates the following Content Security Policy directive: "default-src 'none'". Note that 'style-src' was not explicitly set, so 'default-src' is used as a fallback. To be fixed with: Content-Security-Policy-Report-Only: default-src 'none'; form-action 'none'; frame-ancestors 'none'; style-src 'self'; image-src 'self'; script-src 'self'; HTTP Strict Transport Security X-Frame-Options X-Content-Type-Options Referrer-Policy Content-Security-Policy

Possible Errors that will appear [Report Only] Refused to load
the stylesheet 'https://example.com/style.css' because it violates the following Content Security Policy directive: "default-src 'none'". Note that 'style-src' was not explicitly set, so 'default-src' is used as a fallback. To be fixed with: Content-Security-Policy-Report-Only: default-src 'self'; form-action 'none'; frame-ancestors 'none'; HTTP Strict Transport Security X-Frame-Options X-Content-Type-Options Referrer-Policy Content-Security-Policy

Inline scripts Content-Security-Policy-Report-Only: default-src 'none'; form-action 'none'; frame-ancestors 'none'; style-src
'self'; script-src 'unsafe-inline'; img-src 'self'; Content-Security-Policy-Report-Only: default-src 'none'; form-action 'none'; frame-ancestors 'none'; style-src 'self'; script-src 'unsafe-inline'; img-src 'self'; Content-Security-Policy-Report-Only: default-src 'none'; form-action 'none'; frame-ancestors 'none'; style-src 'self'; script-src 'self' cdnjs.com sha256-c2u0cNUv1GcIb92+ybgJ4yMPatX/k+xxHHbugKVGUU8=; img-src 'self'; Content-Security-Policy-Report-Only: default-src 'none'; form-action 'none'; frame-ancestors 'none'; style-src 'self'; script-src 'nonce-2726c7f26c'; img-src 'self'; HTTP Strict Transport Security X-Frame-Options X-Content-Type-Options Referrer-Policy Content-Security-Policy

Where to locate CSP errors Content-Security-Policy-Report-Only: default-src 'none'; form-action 'none';
frame-ancestors 'none'; report-uri /csp-violation-report-endpoint/ Content-Security-Policy-Report-Only: default-src 'none'; form-action 'none'; frame-ancestors 'none'; report-uri https://provider.report-uri.com/r/d/csp/reportOnly HTTP Strict Transport Security X-Frame-Options X-Content-Type-Options Referrer-Policy Content-Security-Policy

Content-Security-Policy-Report-Only to Content-Security-Policy HTTP Strict Transport Security X-Frame-Options X-Content-Type-Options Referrer-Policy
Content-Security-Policy

Having a CSP with a few unsafe rules is still
better than not having a CSP at all. HTTP Strict Transport Security X-Frame-Options X-Content-Type-Options Referrer-Policy Content-Security-Policy

The most secure approach for CSP default-src 'self'; object-src 'none';
child-src 'self'; frame-ancestors 'none'; upgrade-insecure-requests; HTTP Strict Transport Security X-Frame-Options X-Content-Type-Options Referrer-Policy Content-Security-Policy

Check the current state of your app https://securityheaders.com/

Validate your CSP according to the best practice https://csp-evaluator.withgoogle.com/

Security Headers, why should we care

Security Headers, why should we care

More Decks by Artur Hil

Other Decks in Education

Featured

Transcript