The slides here are part of my presentation at the Confraria0day meeting in March 2017. It is an introduction to the various HTTP security headers with some insights about them. It covers HSTS, HPKP, X-Frame-Options, Content Security Policy, X-XSS-Protection, X-Content-Type-Options, Referrer-Policy and Set-Cookie options.
2. Agenda
• Who I am
• HTTP Security Headers Introduction
• HTTP Strict Transport Security (HSTS)
• HTTP Public Key Pins (HPKP)
• X-Frame-Options
• X-XSS-Protection
• Content Security Policy (CSP)
• Set-Cookie Options
• X-Content-Type-Options
• Referrer-Policy
• Conclusion
• References
3. Who I am
• Sr Consultant at F5 Networks
• 10 years of work related to application security (coding, attacking, defending)
• OWASP Contributor (former Brasília Chapter leader, Top Ten Cheatsheet, OWASP Testing Guide)
• Practitioner of responsible security vulnerability disclosure
• ISC2 volunteer – SME for CISSP exam development
• Independent research
• Blogger at http://sharingsec.blogspot.com (where there is time!)
4. HTTP Security Headers Introduction
• Security model evolution
• Channel communication protection
• Client-side Security
• Security policies enforced by the browser
5. HTTP Request/Response
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.110 Mobile Safari/537.36
Host: www.exemplo.com
Accept: */*

HTTP/1.1 200 OK
Date: Fri, 17 Mar 2017 07:45:30 GMT
Server: Apache/2.2.8 (Ubuntu) DAV/2
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 891
Content-Type: text/html
12. HSTS – Observations
- Suitable for sites that serve their entire content over HTTPS
- Implementation might be difficult due to L7 routing
- Preload list always requires including subdomains
- Difficult to remove, because removal depends on browser updates
- Mitigates SSLStrip and, potentially, SSLStrip2 (with preload + subdomains)
- Protection against MITM with invalid certificates
15. Public Key Pins Support
http://caniuse.com/#feat=publickeypinning
16. HTTP Public Key Pins - Observations
- It requires a good level of maturity
- report-only (Public-Key-Pins-Report-Only) mode?
- Does it mitigate MITM?
- Internal root CA?
- Chrome/Firefox support
21. X-Frame-Options - Observations
- Does the website need to be opened by another site in a frame?
- It does not support more than one URL in allow-from
- CSP 2 frame-ancestors is a good replacement
- It mitigates clickjacking
32. Set-Cookie (cookie options)
HttpOnly – Cookie not accessible via JavaScript
Secure – Prevents sending the cookie over a clear-text channel
SameSite – Prevents sending the cookie in cross-site requests (very useful against CSRF)
34. Set-Cookie (cookie options) - observations
- Secure and HttpOnly
- Protection against cookie hijacking in HTTP clear-text traffic
- Reduces the impact of an XSS attack – session hijacking
- SameSite – Only supported by Chrome
- Still in draft
- It provides good protection against CSRF/XSSI
- Lax – the cookie is still sent with HTTP “safe” methods
- Could it affect browsing in general?
36. X-Content-Type-Options - Observations
- Supported by all popular browsers but Safari
- It mitigates MIME Confusion attacks
- Server must return the correct MIME type (Content-Type)
40. Referrer-Policy - observations
- Still under development
- Still limited support (Firefox and some options for Chrome)
- It addresses privacy concerns
Referer: https://github.com/irgoncalves/jwtbf
41. Tools to investigate HTTP headers
https://observatory.mozilla.org/
https://securityheaders.io
https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Technical_Resources
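As an added example (not part of the original slides), a small Python checker in the spirit of these tools: it parses a raw HTTP response in the slide 5 format and reports which of the headers covered in the talk are missing or weak. Both sample responses are constructed for the example.

```python
# Added example, not part of the original slides: audits a raw HTTP response
# for the headers the talk covers, like the tools listed on the previous slide.
def parse_headers(raw):
    """Return [(lower-cased name, value), ...]; repeated Set-Cookie lines are kept."""
    headers = []
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers

def audit_headers(raw):
    """Return a list of findings; an empty list means every check passed."""
    headers = parse_headers(raw)
    h = {n: v for n, v in headers if n != "set-cookie"}
    findings = []
    hsts = h.get("strict-transport-security", "").lower()
    if not hsts:
        findings.append("HSTS missing")
    elif "includesubdomains" not in hsts:
        findings.append("HSTS lacks includeSubDomains (required for preload)")
    csp = h.get("content-security-policy", "")
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("no X-Frame-Options or CSP frame-ancestors (clickjacking)")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing (MIME confusion)")
    if "referrer-policy" not in h:
        findings.append("Referrer-Policy missing")
    for n, v in headers:  # one Set-Cookie header per cookie
        if n == "set-cookie":
            cookie = v.split("=", 1)[0]
            attrs = {a.strip().split("=")[0].lower() for a in v.split(";")[1:]}
            for want in ("secure", "httponly", "samesite"):
                if want not in attrs:
                    findings.append(f"cookie {cookie} lacks {want}")
    return findings

# Constructed sample: a response like slide 5 plus a plain session cookie.
WEAK = """HTTP/1.1 200 OK
Set-Cookie: PHPSESSID=abc123; Path=/
"""
# Constructed sample: the same response with the headers from the talk added.
HARDENED = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer-when-downgrade
Set-Cookie: PHPSESSID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
"""
```

`audit_headers(WEAK)` returns seven findings and `audit_headers(HARDENED)` returns an empty list.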
42. Conclusions
- HTTP security headers can improve the security and privacy of users
- Part of a defense-in-depth strategy
- Some of them have pitfalls and require maturity
- They still need additional controls
- Different levels of support across browsers
43. References
- https://tools.ietf.org/html/rfc6797
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers
- https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
- https://www.owasp.org/index.php/Clickjacking
- https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
- https://scotthelme.co.uk/
- https://www.wired.com/2016/03/https-adoption-google-report/
- http://www.html5rocks.com/en/tutorials/security/content-security-policy/
- https://www.bettercap.org/blog/sslstripping-and-hsts-bypass/
- https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/45542.pdf
- https://technet.microsoft.com/library/security/2524375
- https://csp.withgoogle.com/docs/index.html
- The Tangled Web: A Guide to Securing Modern Web Applications, Michal Zalewski