HTTP Security Headers
Ismael Gonçalves
Mar/2017
https://sharingsec.blogspot.com
Agenda
• Who I am
• HTTP Security Headers Introduction
• HTTP Strict Transport Security (HSTS)
• HTTP Public Key Pins (HPKP)
• X-Frame-Options
• X-XSS-Protection
• Content Security Policy (CSP)
• Set-Cookie Options
• X-Content-Type-Options
• Referrer-Policy
• Conclusion
• References
Who I am
• Sr Consultant at F5 Networks
• 10 years of work related to application security (coding, attacking,
defending)
• OWASP Contributor (former Brasília Chapter leader, Top Ten
Cheatsheet, OWASP Testing Guide)
• Practitioner of responsible security vulnerability disclosure
• ISC2 volunteer – SME for CISSP exam development
• Independent research
• Blogger at http://sharingsec.blogspot.com (where there is time!)
HTTP Security Headers Introduction
• Security model evolution
• Channel communication protection
• Client-side Security
• Security policies enforced by the browser
HTTP Request/Response
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.110 Mobile Safari/537.36
Host: www.exemplo.com
Accept: */*
HTTP/1.1 200 OK
Date: Fri, 17 Mar 2017 07:45:30 GMT
Server: Apache/2.2.8 (Ubuntu) DAV/2
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 891
Content-Type: text/html
HTTP Request/Response
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.110 Mobile Safari/537.36
Host: www.exemplo.com
Accept: */*
HTTP/1.1 200 OK
Date: Fri, 17 Mar 2017 07:45:30 GMT
Server: Apache/2.2.8 (Ubuntu) DAV/2
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 891
Content-Type: text/html
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
HTTP Strict Transport Security (HSTS)
Strict-Transport-Security: max-age=<expire-time>
Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
Strict-Transport-Security: max-age=<expire-time>; preload
Typical HTTP to HTTPS transition
http://www.exemplo.com
GET / HTTP/1.0
Host: www.exemplo.com
301 Moved Permanently
Content-Length: 0
Location: https://www.exemplo.com
https://www.exemplo.com
GET / HTTP/1.0
Host: www.exemplo.com
SSLStrip
(diagram) The attacker sits between the victim and the site. The victim's browser sends GET http://www.exemplo.com in clear text; the attacker forwards it as GET https://www.exemplo.com over TLS, receives the real HTML response, and hands the victim a modified HTML response in clear text with every https:// link rewritten to http://. The plaintext request that precedes the 301 above is the window the attack needs: the user never sees the redirect and never sees a certificate warning, because the only TLS session is the one between the attacker and the server.
HSTS Support
http://caniuse.com/#feat=stricttransportsecurity
HSTS – under the hood
HSTS – Observations
- Suitable for sites that can serve all of their content over HTTPS
- Implementation might be difficult because of L7 routing: every host and path behind the name must answer over HTTPS
- The preload list requires includeSubDomains (and a max-age of at least one year)
- Difficult to remove once preloaded, because removal only reaches users through browser updates
- Mitigates SSLStrip and, with preload + includeSubDomains, potentially SSLStrip2 (the variant that moves the victim to a non-protected subdomain); the very first visit without preload remains unprotected
- Protection against MITM with invalid certificates: the browser hard-fails instead of offering a click-through warning
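What "under the hood" amounts to is a per-host cache in the browser. The following Python is an added example, not code from this deck or from any browser: it models the RFC 6797 rules that matter operationally (the header is ignored over plain HTTP and for IP literals, includeSubDomains covers subdomains but not the parent domain, max-age=0 evicts, an expired entry stops applying) and rewrites http:// URLs to https:// before any request leaves the machine, which is what closes the SSLStrip window on later visits. The cache, hosts and timestamps are constructed for the example.

```python
# Added example: a minimal model of a browser's HSTS cache (RFC 6797).
# Not browser code; the policy store, hosts and timestamps are constructed for this page.
import time
from urllib.parse import urlsplit, urlunsplit

# host -> (expiry as epoch seconds, includeSubDomains flag)
hsts_cache = {}


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            max_age = int(arg.strip().strip('"'))
        elif name == "includesubdomains":
            include_sub = True
        # 'preload' is a signal to the preload-list maintainers, not to the browser
    return max_age, include_sub


def process_response(url, headers, now=None):
    """Update the cache from one response. Returns True if a policy was stored or cleared."""
    now = time.time() if now is None else now
    parts = urlsplit(url)
    host = parts.hostname
    # RFC 6797: the header is only honoured over a secure transport, and never for IP literals
    if parts.scheme != "https" or host is None or host.replace(".", "").isdigit():
        return False
    value = headers.get("strict-transport-security")
    if value is None:
        return False
    max_age, include_sub = parse_hsts(value)
    if max_age is None:               # malformed header: the required directive is missing
        return False
    if max_age == 0:                  # max-age=0 tells the browser to forget the host
        hsts_cache.pop(host, None)
        return True
    hsts_cache[host] = (now + max_age, include_sub)
    return True


def is_known_hsts_host(host, now=None):
    """True if host, or a superdomain with includeSubDomains, has an unexpired policy."""
    now = time.time() if now is None else now
    labels = host.lower().split(".")
    for i in range(len(labels)):
        entry = hsts_cache.get(".".join(labels[i:]))
        if entry is None:
            continue
        expiry, include_sub = entry
        if expiry <= now:
            continue
        if i == 0 or include_sub:     # exact host, or a superdomain that covers subdomains
            return True
    return False


def rewrite_request(url, now=None):
    """Return the URL the browser would actually fetch: http:// becomes https:// for known
    hosts before any packet leaves the machine, which is what defeats SSLStrip on later visits."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not is_known_hsts_host(parts.hostname, now):
        return url
    # port 80 maps to 443 (dropped); any other explicit port is kept
    netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

Note the two gaps the model makes visible: the policy for www.exemplo.com does nothing for the bare exemplo.com, and nothing at all is stored until the first response over HTTPS has been seen, which is exactly the first-visit problem the preload list exists to solve.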
HTTP Public Key Pins (HPKP)
Public-Key-Pins: pin-sha256=<base64==>; max-age=<expireTime>;
Public-Key-Pins: pin-sha256=<base64==>; max-age=<expireTime>;
includeSubDomains
Public-Key-Pins: pin-sha256=<base64==>; max-age=<expireTime>;
report-uri=<reportURI>
Valid response with HPKP headers
HTTP/1.1 200 OK
Server: GitHub.com
Status: 200 OK
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
Public-Key-Pins: max-age=5184000;
  pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18=";
  pin-sha256="RRM1dGqnDFsCJXBTHky16vi1obOlCgFFn/yOhI/y+ho=";
  pin-sha256="k2v657xBsOVe1PQRwOsHsw3bsGT2VzIqz5K+59sNQws=";
  pin-sha256="K87oWBWM9UZfyddvDfoxL+8lpNyoUB2ptGtn0fv6G2Q=";
  pin-sha256="IQBnNBEiFuhj+8x6X8XLgh01V9Ic5/V3IRQLNFFc7v4=";
  pin-sha256="iie1VXtL7HzAMF+/PVPR9xzT80kQxdZeJ+zduCB3uj0=";
  pin-sha256="LvRiGEjRqfzurezaWuj8Wie2gyHMrW5Q06LspMnox7A="; includeSubDomains
Vary: Accept-Encoding
X-Served-By: d41662224d8c44f09604b862e979767a
X-GitHub-Request-Id: B36F2320:987D:E88A2AC:5741D913
Public Key Pins Support
http://caniuse.com/#feat=publickeypinning
HTTP Public Key Pins - Observations
- It requires a good level of maturity: a wrong pin, an expired certificate chain, or a key rotation done without a backup pin locks every returning user out for the whole max-age
- Report-only mode (Public-Key-Pins-Report-Only) sends violations to report-uri without enforcing anything, which is the right way to test a pin set first
- Does it mitigate MITM? Only a MITM presenting a certificate from a publicly trusted CA that should not have issued it; a root the user or the enterprise installed locally is exempt from pin validation in Chrome and Firefox
- Internal root CA? Because of that exemption, corporate interception proxies keep working, but a test behind an internal CA will never exercise the pins
- Chrome/Firefox support only (IE/Edge and Safari never implemented it); both have since removed HPKP (Chrome 72, Firefox 72)
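The maturity point is easiest to see in the rule a browser applies before it stores any pins at all. The Python below is an added example, not browser code or code from this deck: it computes a pin-sha256 value, parses the header, and applies the two RFC 7469 checks that matter: on a pinned connection any pin may match any certificate in the validated chain, and a header is only noted when at least one pin matches the served chain and at least one does not (the mandatory backup pin). The "SPKI" inputs are constructed byte strings standing in for the DER-encoded SubjectPublicKeyInfo of each certificate; a real pin hashes that DER structure, typically obtained with openssl.

```python
# Added example: how a browser validates a Public-Key-Pins header (RFC 7469).
# Not browser code. The "SPKIs" used in the tests are constructed byte strings standing in for the
# DER-encoded SubjectPublicKeyInfo of each certificate; a real pin hashes that DER structure.
import base64
import hashlib


def spki_pin(spki_der):
    """pin-sha256 value: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def parse_hpkp(value):
    """Split a Public-Key-Pins value into its pins and directives."""
    policy = {"pins": [], "max_age": None, "include_subdomains": False, "report_uri": None}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "pin-sha256":
            policy["pins"].append(arg)
        elif name == "max-age":
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "report-uri":
            policy["report_uri"] = arg
    return policy


def chain_pins(chain_spkis):
    """Set of pin values for every certificate in a validated chain."""
    return {spki_pin(spki) for spki in chain_spkis}


def chain_matches(pins, chain_spkis):
    """Connection check for an already pinned host: any pin may match any SPKI in the chain
    (leaf, intermediate or root), so pinning an intermediate or a root survives leaf renewals."""
    return bool(set(pins) & chain_pins(chain_spkis))


def note_pins(value, chain_spkis):
    """Decide whether the browser may store the pins carried by this response.

    RFC 7469 only lets a UA note a pinned host when max-age is present, at least one pin
    matches the served chain, and at least one pin does NOT match it: the backup pin that
    makes key rotation possible without locking users out. Returns (accepted, reason)."""
    policy = parse_hpkp(value)
    if policy["max_age"] is None or not policy["pins"]:
        return False, "max-age or pins missing"
    served = chain_pins(chain_spkis)
    if not any(pin in served for pin in policy["pins"]):
        return False, "no pin matches the served chain"
    if all(pin in served for pin in policy["pins"]):
        return False, "no backup pin: every pin is in the served chain"
    return True, "pins noted for %d seconds" % policy["max_age"]
```

The backup-pin rule is why a header with a single pin, however correct, is silently ignored, and why a MITM certificate chain that shares no key with the pin set fails the connection check even though it validates against the system trust store.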
Curiosities (HSTS, HPKP, Static Pinning)
- Static pinning (Chromium.org)
- https://cs.chromium.org/chromium/src/net/http/transport_security_state_static.json
- Google, Facebook, Twitter, Dropbox, Yahoo, Tor
- +23k domains using HSTS pre-load
X-Frame-Options
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
X-Frame-Options: ALLOW-FROM https://example.com/
Clickjacking Attack
https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)
X-Frame-Options Support
http://caniuse.com/#feat=x-frame-options
X-Frame-Options - Observations
- Does the site need to be embedded in a frame by another site at all? If not, DENY
- ALLOW-FROM accepts a single URL, and Chrome and Safari never implemented it (they ignore the whole header), so it cannot be the only protection
- The CSP Level 2 frame-ancestors directive is the better replacement: several origins, wildcards, and it supersedes X-Frame-Options when both are present
- It mitigates clickjacking, provided every page that performs a sensitive action carries it
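The interaction between the two headers is where deployments go wrong, so the following Python, an added example and not browser code or code from this deck, models the decision a browser makes for a framed page: CSP frame-ancestors, when present, is evaluated against every ancestor in the chain and X-Frame-Options is ignored; otherwise DENY, SAMEORIGIN and ALLOW-FROM apply. The page URL, ancestor URLs and header values are constructed for the example.

```python
# Added example: how a browser decides whether a page may be framed, combining X-Frame-Options
# and the CSP frame-ancestors directive that replaces it. Not browser code; URLs are constructed.
from urllib.parse import urlsplit


def origin_of(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.hostname}" + (f":{p.port}" if p.port else "")


def source_matches(source, ancestor_origin, self_origin):
    """CSP ancestor-source matching: 'self', scheme-source (https:), host-source with optional *. wildcard."""
    if source == "'self'":
        return ancestor_origin == self_origin
    if source.endswith(":") and "//" not in source:        # scheme-source, e.g. https:
        return ancestor_origin.startswith(source + "//")
    scheme, _, host = source.partition("://")
    if not host:                                           # bare host: any scheme
        scheme, host = "", scheme
    a_scheme, _, a_host = ancestor_origin.partition("://")
    if scheme and scheme != a_scheme:
        return False
    if host.startswith("*."):
        return a_host.endswith(host[1:])                   # subdomains only, not the bare domain
    return a_host == host


def may_be_framed(headers, page_url, ancestors):
    """ancestors: embedding pages from the immediate parent up to the top-level window.
    headers: response headers of the framed page, lower-cased names. Returns (allowed, reason)."""
    self_origin = origin_of(page_url)
    ancestor_origins = [origin_of(a) for a in ancestors]
    if not ancestor_origins:
        return True, "top-level load, nothing to check"
    for directive in headers.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() != "frame-ancestors":
            continue
        sources = value.split()
        # CSP frame-ancestors supersedes X-Frame-Options; every ancestor in the chain must match
        if sources == ["'none'"]:
            return False, "frame-ancestors 'none'"
        ok = all(any(source_matches(s, o, self_origin) for s in sources) for o in ancestor_origins)
        return ok, "frame-ancestors " + value
    xfo = headers.get("x-frame-options", "").strip()
    kind, _, arg = xfo.partition(" ")
    kind = kind.upper()
    if kind == "DENY":
        return False, "X-Frame-Options: DENY"
    if kind == "SAMEORIGIN":
        return all(o == self_origin for o in ancestor_origins), "X-Frame-Options: SAMEORIGIN"
    if kind == "ALLOW-FROM":
        # Honoured only by Firefox and IE/Edge Legacy; Chrome and Safari ignore the whole header,
        # so ALLOW-FROM must never be the only protection. Only the top-level origin is compared.
        return ancestor_origins[-1] == origin_of(arg.strip()), "X-Frame-Options: ALLOW-FROM"
    return True, "no framing restriction"
```

Sending both headers is the usual advice: frame-ancestors for browsers that understand CSP Level 2, X-Frame-Options as the fallback for the rest.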
X-XSS-Protection
X-XSS-Protection: 0
X-XSS-Protection: 1
X-XSS-Protection: 1; mode=block
Cross-Site Scripting (XSS) Attack
X-XSS-Protection Support
https://developer.mozilla.org/pt-BR/docs/Web/HTTP/Headers/X-XSS-Protection
X-XSS-Protection - Observations
- It offers protection against reflected XSS only, through the browser's built-in filter
- It is not supported by Firefox
- The filter itself caused problems (false positives that break pages, and information leaks through its blocking behaviour), so the current recommendation is to send X-XSS-Protection: 0 and rely on CSP; Chrome and Edge have since removed their XSS filters entirely
Content Security Policy (CSP)
Content-Security-Policy: <policy>; <policy>
Content Security Policy (CSP)
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
CSP header example
Response from https://twitter.com/
Content-Security-Policy: script-src 'nonce-7tS2MKRWrGdmy1/R72jiDQ==' https://connect.facebook.net https://cm.g.doubleclick.net
https://ssl.google-analytics.com https://graph.facebook.com https://twitter.com 'unsafe-eval' https://*.twimg.com
https://api.twitter.com https://analytics.twitter.com https://publish.twitter.com https://ton.twitter.com
https://syndication.twitter.com https://www.google.com https://t.tellapart.com https://platform.twitter.com https://www.google-analytics.com 'self'; frame-ancestors 'self'; font-src https://twitter.com https://*.twimg.com data: https://ton.twitter.com
https://fonts.gstatic.com https://maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self'; media-src https://twitter.com
https://*.twimg.com https://ton.twitter.com blob: 'self'; connect-src https://graph.facebook.com https://*.giphy.com
https://*.twimg.com https://api.twitter.com https://pay.twitter.com https://analytics.twitter.com https://*.twprobe.net
https://media.riffsy.com https://embed.periscope.tv https://upload.twitter.com 'self'; style-src https://fonts.googleapis.com
https://twitter.com https://*.twimg.com https://translate.googleapis.com https://ton.twitter.com 'unsafe-inline'
https://platform.twitter.com https://maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self'; object-src https://twitter.com
https://pbs.twimg.com; default-src 'self'; frame-src https://staticxx.facebook.com https://twitter.com https://*.twimg.com
https://5415703.fls.doubleclick.net https://player.vimeo.com https://pay.twitter.com https://www.facebook.com
https://ton.twitter.com https://syndication.twitter.com https://vine.co twitter: https://www.youtube.com
https://platform.twitter.com https://upload.twitter.com https://s-static.ak.facebook.com https://4337974.fls.doubleclick.net 'self'
https://donate.twitter.com; img-src https://graph.facebook.com https://*.giphy.com https://twitter.com https://*.twimg.com
https://ad.doubleclick.net data: https://lumiere-a.akamaihd.net https://fbcdn-profile-a.akamaihd.net https://www.facebook.com
https://ton.twitter.com https://*.fbcdn.net https://syndication.twitter.com https://media.riffsy.com https://www.google.com
https://stats.g.doubleclick.net https://api.mapbox.com https://www.google-analytics.com blob: 'self'; report-uri
https://twitter.com/i/csp_report?a=NVQWGYLXFVZXO2LGOQ%3D%3D%3D%3D%3D%3D&ro=false;
Set-Cookie: fm=0; Expires=Tue, 28 Mar 2017 11:35:01 UTC; Path=/; Domain=.twitter.com; Secure; HTTPOnly
Strict-Transport-Security: max-age=631138519
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content Security Policy (CSP) support
http://caniuse.com/#feat=contentsecuritypolicy2
Content Security Policy (CSP) - considerations
- Difficult to implement: inline JavaScript has to be moved to external files, or allowed explicitly by nonce or hash
<html>
<head>
<script>var msg = 'javascript inline'; alert(msg);</script>
</head>
<body>Ola!</body></html>
- 'unsafe-inline' and 'unsafe-eval' undermine the effort: with them an injected <script> runs just as before (note that even the Twitter policy above still carries 'unsafe-eval' in script-src and 'unsafe-inline' in style-src)
- Protection against XSS (reflected and stored), but not definitive: output encoding remains the primary control, CSP limits the damage when it fails
- Protection against clickjacking through frame-ancestors
- Not supported by all browsers, and not every browser supports the same level (nonces and frame-ancestors are CSP Level 2)
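The nonce in the Twitter header above and the 'unsafe-inline' keyword interact in a way that is worth seeing in code. The Python below is an added example, not a browser's implementation and not code from this deck: it implements the CSP Level 2 script-src rules for an inline script (nonce, hash, 'unsafe-inline') and for an external script (host and scheme sources, 'self'), including the rule that 'unsafe-inline' is ignored once the directive carries a nonce or hash. The policy, page URL, nonce and script bodies are constructed for the example; the nonce value is the one visible in the Twitter header above.

```python
# Added example: CSP Level 2 script-src matching for the inline-script problem above.
# Not a browser's implementation; the policy, page and nonce are constructed for this page.
import base64
import hashlib
from urllib.parse import urlsplit


def parse_csp(header):
    """Map directive name -> list of source expressions."""
    policy = {}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name:
            policy[name.lower()] = value.split()
    return policy


def origin_of(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.hostname}" + (f":{p.port}" if p.port else "")


def host_source_matches(source, url):
    """Match a scheme-source (https:) or host-source (https://*.twimg.com) against a script URL.
    Ports and paths are ignored here for brevity."""
    u = urlsplit(url)
    if source.endswith(":") and "//" not in source:
        return u.scheme == source[:-1]
    scheme, _, host = source.partition("://")
    if not host:                                            # bare host: any scheme
        scheme, host = "", scheme
    if scheme and scheme != u.scheme:
        return False
    if host == "*":
        return True
    if host.startswith("*."):
        return u.hostname.endswith(host[1:])
    return u.hostname == host


def sha256_source(code):
    """'sha256-...' source expression for an inline script body (whitespace included)."""
    return "'sha256-" + base64.b64encode(hashlib.sha256(code.encode()).digest()).decode() + "'"


def script_allowed(policy, page_url, src=None, inline_code=None, nonce=None):
    """Would the browser run this script? Exactly one of src / inline_code is given."""
    if "script-src" in policy:
        sources = policy["script-src"]
    else:
        sources = policy.get("default-src", ["*"])          # script-src falls back to default-src
    if inline_code is not None:
        if nonce is not None and f"'nonce-{nonce}'" in sources:
            return True
        if sha256_source(inline_code) in sources:
            return True
        # CSP2: once the directive carries a nonce or hash, 'unsafe-inline' is ignored, so it can
        # stay in the policy as a fallback for CSP1-only browsers without weakening CSP2 ones
        has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources)
        return "'unsafe-inline'" in sources and not has_nonce_or_hash
    for source in sources:
        if source == "'self'":
            if origin_of(src) == origin_of(page_url):
                return True
        elif source.startswith("'"):
            continue                                        # keywords never match a URL
        elif host_source_matches(source, src):
            return True
    return False
```

An injected `<script>alert(document.cookie)</script>` carries no nonce and has no hash in the policy, so it is blocked under the nonce policy and runs under the 'unsafe-inline' one; that single difference is the whole XSS value of CSP.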
Set-Cookie (cookie options)
Set-Cookie: <key>=<value>; Expires=<expiryDate>; Secure; HttpOnly;
SameSite=<strict/lax>
Set-Cookie (cookie options)
HttpOnly – Cookie not accessible via Javascript
Secure – Prevents sending cookies in a clear text channel
SameSite – Prevents sending cookies in cross-site request (very useful
against CSRF)
CSRF
Set-Cookie (cookie options) - observations
- Secure and HttpOnly
- Protection against cookie hijacking in HTTP clear-text traffic (Secure)
- Reduces the impact of an XSS attack: the script cannot read the session cookie (HttpOnly), although it can still issue requests that carry it
- SameSite – only supported by Chrome at the time of writing; every major browser supports it now, and Chrome treats cookies without the attribute as Lax by default
- Still in draft (RFC 6265bis)
- It supplies good protection against CSRF/XSSI
- Lax – the cookie is still sent on top-level navigations that use safe HTTP methods (a link the user follows), never on cross-site POSTs or embedded subresources
- Could it affect browsing in general? Strict can: a user who follows a link to the site from an e-mail arrives logged out, which is why Lax is the usual choice for session cookies
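To make the Lax/Strict trade-off concrete, the Python below, an added example and not browser code or code from this deck, decides whether a browser attaches a cookie to a request given the cookie's Secure, HttpOnly, Domain, Path and SameSite attributes and the context of the request (who initiated it, which method, top-level navigation or subresource). The cookies and request contexts are constructed; the "site" comparison is simplified to the last two host labels, where a real browser consults the Public Suffix List.

```python
# Added example: when a browser attaches a cookie, given Secure, HttpOnly and SameSite.
# Not browser code; cookies and request contexts are constructed. The "site" comparison is
# simplified to the last two host labels (a real browser consults the Public Suffix List).
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def parse_set_cookie(header):
    """Parse a Set-Cookie value into a dict of the attributes that matter here."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name, "value": value, "secure": False, "httponly": False,
              "samesite": None, "domain": None, "path": "/"}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
        elif key == "samesite":
            cookie["samesite"] = val.lower()
        elif key == "domain":
            cookie["domain"] = val.lstrip(".").lower()
        elif key == "path":
            cookie["path"] = val
    return cookie


def site_of(url):
    """Registrable domain, simplified: the last two labels of the host."""
    return ".".join(urlsplit(url).hostname.split(".")[-2:])


def cookie_sent(cookie, request_url, initiator_url, method="GET", top_level_navigation=False):
    """Would the browser attach `cookie` to a request for request_url that was triggered
    by a page at initiator_url (None for an address the user typed)?"""
    target = urlsplit(request_url)
    if cookie["secure"] and target.scheme != "https":
        return False                      # Secure: never on a clear-text channel
    domain = cookie["domain"] or target.hostname
    if target.hostname != domain and not target.hostname.endswith("." + domain):
        return False
    if not (target.path or "/").startswith(cookie["path"]):
        return False
    cross_site = initiator_url is not None and site_of(initiator_url) != site_of(request_url)
    if not cross_site:
        return True
    if cookie["samesite"] == "strict":
        return False                      # Strict: nothing cross-site, not even a followed link
    if cookie["samesite"] == "lax":
        # Lax: only a top-level navigation with a safe method, i.e. a link the user clicks,
        # never a cross-site form POST, <img>, <iframe> or fetch()
        return top_level_navigation and method.upper() in SAFE_METHODS
    return True                           # no SameSite: classic CSRF exposure


def visible_to_script(cookie):
    """document.cookie exposes only cookies without HttpOnly, so XSS cannot read an HttpOnly session."""
    return not cookie["httponly"]
```

The cross-site POST from evil.example is the CSRF case: it carries the session cookie when the cookie has no SameSite attribute, and it is dropped under Lax and Strict alike; only the followed-link case separates the two.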
X-Content-Type-Options
X-Content-Type-Options: nosniff
X-Content-Type-Options - Observations
- The value is exactly nosniff; browsers compare it as a whole token, so a trailing semicolon or any other text is not recognised
- Supported by all popular browsers; Safari added it later than the others
- It mitigates MIME confusion attacks: the browser will not execute a file served as text/plain or image/* as a script or stylesheet
- Server must return correct MIME types (Content-Type), otherwise legitimate scripts and styles stop loading
Referrer-Policy
Referrer-Policy: <option>
Referrer-Policy: no-referrer
Referrer-Policy: no-referrer-when-downgrade
Referrer-Policy: origin
Referrer-Policy: origin-when-cross-origin
Referrer-Policy: same-origin
Referrer-Policy: strict-origin
Referrer-Policy: strict-origin-when-cross-origin
Referrer-Policy: unsafe-url
Referrer-Policy
Policy                          | Document                      | Navigation to                      | Referrer sent
no-referrer                     | https://example.com/page.html | any domain or path                 | (none)
no-referrer-when-downgrade      | https://example.com/page.html | https://example.com/otherpage.html | https://example.com/page.html
no-referrer-when-downgrade      | https://example.com/page.html | https://mozilla.org                | https://example.com/page.html
no-referrer-when-downgrade      | https://example.com/page.html | http://example.org                 | (none)
origin                          | https://example.com/page.html | any domain or path                 | https://example.com/
origin-when-cross-origin        | https://example.com/page.html | https://example.com/otherpage.html | https://example.com/page.html
origin-when-cross-origin        | https://example.com/page.html | https://mozilla.org                | https://example.com/
origin-when-cross-origin        | https://example.com/page.html | http://example.com/page.html       | https://example.com/
same-origin                     | https://example.com/page.html | https://example.com/otherpage.html | https://example.com/page.html
same-origin                     | https://example.com/page.html | https://mozilla.org                | (none)
strict-origin                   | https://example.com/page.html | https://mozilla.org                | https://example.com/
strict-origin                   | https://example.com/page.html | http://example.org                 | (none)
strict-origin                   | http://example.com/page.html  | any domain or path                 | http://example.com/
strict-origin-when-cross-origin | https://example.com/page.html | https://example.com/otherpage.html | https://example.com/page.html
strict-origin-when-cross-origin | https://example.com/page.html | https://mozilla.org                | https://example.com/
strict-origin-when-cross-origin | https://example.com/page.html | http://example.org                 | (none)
unsafe-url                      | https://example.com/page.html | any domain or path                 | https://example.com/page.html
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
Referrer-Policy Support
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
Referrer-Policy - observations
- Still under development at the time of writing
- Still limited support then (Firefox, and only some values in Chrome); every major browser supports it now, and Chrome and Firefox default to strict-origin-when-cross-origin when no policy is set
- It addresses privacy concerns: without a policy the full URL of the page, path and query string included, leaks to every third party the page links to or loads, e.g.
Referer: https://github.com/irgoncalves/jwtbf
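The table above is a specification in disguise, so the Python below, an added example that is not browser code or code from this deck, implements the referrer computation for every policy value and is checked against each row of that table. The two pieces a browser always removes (user:password@ and #fragment) are stripped as well. Downgrade means a TLS-protected document navigating to a clear-text target; the URLs are the constructed ones from the table.

```python
# Added example: the Referer value a browser derives for each Referrer-Policy, checked against
# the table above. Not browser code; the URLs are the constructed ones from the table.
from urllib.parse import urlsplit, urlunsplit


def origin_of(url):
    p = urlsplit(url)
    host = p.hostname + (f":{p.port}" if p.port else "")
    return f"{p.scheme}://{host}/"


def stripped(url):
    """Full URL as a referrer: user:password@ and #fragment are always removed."""
    p = urlsplit(url)
    host = p.hostname + (f":{p.port}" if p.port else "")
    return urlunsplit((p.scheme, host, p.path or "/", p.query, ""))


def referrer_for(policy, document_url, destination_url):
    """Return the Referer header value, or None when nothing is sent."""
    doc, dest = urlsplit(document_url), urlsplit(destination_url)
    downgrade = doc.scheme == "https" and dest.scheme != "https"   # TLS page -> clear-text target
    same_origin = origin_of(document_url) == origin_of(destination_url)
    # An empty policy meant no-referrer-when-downgrade when this deck was written;
    # Chrome and Firefox now default to strict-origin-when-cross-origin instead
    policy = policy or "no-referrer-when-downgrade"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return stripped(document_url)
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else stripped(document_url)
    if policy == "origin":
        return origin_of(document_url)
    if policy == "same-origin":
        return stripped(document_url) if same_origin else None
    if policy == "origin-when-cross-origin":
        return stripped(document_url) if same_origin else origin_of(document_url)
    if policy == "strict-origin":
        return None if downgrade else origin_of(document_url)
    if policy == "strict-origin-when-cross-origin":
        if downgrade:
            return None
        return stripped(document_url) if same_origin else origin_of(document_url)
    raise ValueError(f"unknown Referrer-Policy {policy!r}")
```

strict-origin-when-cross-origin is the value to reach for: full URLs stay within the origin, only the origin leaves it, and nothing at all crosses a downgrade.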
Tools to investigate HTTP headers
https://observatory.mozilla.org/
https://securityheaders.io
https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Technical_Resources
Conclusions
- HTTP security headers improve the security and privacy of users at low cost
- Part of a defence-in-depth strategy
- Some of them have pitfalls and require maturity (HPKP and CSP above all)
- They complement, and never replace, the controls in the application itself
- Different levels of support per browser: verify the behaviour, do not assume it
References
- https://tools.ietf.org/html/rfc6797
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers
- https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
- https://www.owasp.org/index.php/Clickjacking
- https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
- https://scotthelme.co.uk/
- https://www.wired.com/2016/03/https-adoption-google-report/
- http://www.html5rocks.com/en/tutorials/security/content-security-policy/
- https://www.bettercap.org/blog/sslstripping-and-hsts-bypass/
- https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/45542.pdf
- https://technet.microsoft.com/library/security/2524375
- https://csp.withgoogle.com/docs/index.html
- The Tangled Web: A Guide to Securing Modern Web Applications, Michal Zalewski

%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
 
Harnessing ChatGPT - Elevating Productivity in Today's Agile Environment
Harnessing ChatGPT  - Elevating Productivity in Today's Agile EnvironmentHarnessing ChatGPT  - Elevating Productivity in Today's Agile Environment
Harnessing ChatGPT - Elevating Productivity in Today's Agile Environment
 
tonesoftg
tonesoftgtonesoftg
tonesoftg
 

HTTP Security Headers

1. HTTP Security Headers
Ismael Gonçalves
Mar/2017
https://sharingsec.blogspot.com

2. Agenda
• Who I am
• HTTP Security Headers Introduction
• HTTP Strict Transport Security (HSTS)
• HTTP Public Key Pins (HPKP)
• X-Frame-Options
• X-XSS-Protection
• Content Security Policy (CSP)
• Set-Cookie Options
• X-Content-Type-Options
• Referrer-Policy
• Conclusion
• References

3. Who I am
• Sr Consultant at F5 Networks
• 10 years of work related to application security (coding, attacking, defending)
• OWASP Contributor (former Brasília Chapter leader, Top Ten Cheatsheet, OWASP Testing Guide)
• Practitioner of responsible security vulnerability disclosure
• ISC2 volunteer – SME for CISSP exam development
• Independent research
• Blogger at http://sharingsec.blogspot.com (where there is time!)

4. HTTP Security Headers Introduction
• Security model evolution
• Channel communication protection
• Client-side security
• Security policies enforced by the browser

5. HTTP Request/Response
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.110 Mobile Safari/537.36
Host: www.exemplo.com
Accept: */*

HTTP/1.1 200 OK
Date: Fri, 17 Mar 2017 07:45:30 GMT
Server: Apache/2.2.8 (Ubuntu) DAV/2
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 891
Content-Type: text/html

6. HTTP Request/Response (same exchange, with two security headers added to the response)
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.110 Mobile Safari/537.36
Host: www.exemplo.com
Accept: */*

HTTP/1.1 200 OK
Date: Fri, 17 Mar 2017 07:45:30 GMT
Server: Apache/2.2.8 (Ubuntu) DAV/2
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 891
Content-Type: text/html
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload

7. HTTP Strict Transport Security (HSTS)
Strict-Transport-Security: max-age=<expire-time>
Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
Strict-Transport-Security: max-age=<expire-time>; preload
8. Typical HTTP to HTTPS transition
http://www.exemplo.com
GET / HTTP/1.0
Host: www.exemplo.com

301 Moved Permanently
Content-Length: 0
Location: https://www.exemplo.com

https://www.exemplo.com
GET / HTTP/1.0
Host: www.exemplo.com

The first request and the redirect still travel in clear text; that hop is what SSLStrip exploits.

9. SSLStrip
Victim's browser  --  GET http://www.exemplo.com  -->  Attacker (in the middle)  --  GET https://www.exemplo.com  -->  Server
Victim's browser  <--  modified HTML response, in clear text  --  Attacker (in the middle)  <--  HTML response over TLS  --  Server

The attacker terminates TLS towards the server, rewrites https:// links to http:// in the response and keeps the victim's side on plain HTTP, so the browser never sees a certificate error.

11. HSTS – under the hood

12. HSTS – Observations
- Suitable for sites that serve their entire content over HTTPS
- Implementation might be difficult because of L7 routing (every host and path covered by the policy must be reachable over HTTPS)
- The preload list always requires includeSubDomains
- Hard to remove: getting off the preload list depends on browser updates reaching users
- Mitigates SSLStrip and, with preload + includeSubDomains, potentially SSLStrip2 (the HSTS bypass that sends the victim to a lookalike subdomain not yet covered by a cached policy)
- Protection against MITM with invalid certificates: for a known HSTS host the browser hard-fails on certificate errors and offers no click-through
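The behaviour described on slides 7 to 12 (browser-side upgrade of http:// URLs, subdomain coverage, the SSLStrip window on first visit and how preload closes it) as an added example, not code from the deck: a small model of a browser's HSTS cache written for this page. The preload dictionary, host names and clock are constructed for illustration.

```python
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for the browser's built-in preload list (assumption:
# a tiny dictionary; the real list carries tens of thousands of hosts).
PRELOADED = {"preloaded.example": {"include_subdomains": True}}


def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).

    Returns None when the header is invalid (max-age missing), which is when
    a browser ignores it.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


class HstsStore:
    """Minimal model of a browser's HSTS cache plus the preload list."""

    def __init__(self, now=time.time):
        self.now = now
        self.known = {}  # host -> (expiry timestamp, include_subdomains)

    def observe(self, url, headers):
        """Record the policy carried by a response.

        The header is only honoured when it arrives over HTTPS (RFC 6797
        section 8.1), so an attacker on plain HTTP cannot plant a bogus one.
        """
        parts = urlsplit(url)
        value = headers.get("Strict-Transport-Security")
        if parts.scheme != "https" or value is None:
            return False
        policy = parse_hsts(value)
        if policy is None:
            return False
        host = parts.hostname.lower()
        if policy["max_age"] == 0:            # max-age=0 tells the browser to forget the host
            self.known.pop(host, None)
        else:
            self.known[host] = (self.now() + policy["max_age"], policy["include_subdomains"])
        return True

    def is_known(self, host):
        """Exact match, or a parent domain that set includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate, exact = ".".join(labels[i:]), i == 0
            pre = PRELOADED.get(candidate)
            if pre and (exact or pre["include_subdomains"]):
                return True
            cached = self.known.get(candidate)
            if cached and cached[0] > self.now() and (exact or cached[1]):
                return True
        return False

    def rewrite(self, url):
        """Upgrade an http:// URL before any request leaves the browser."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname):
            return url
        netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def sslstrip_window(store, url):
    """True when the browser would still emit a plain-HTTP request for url,
    i.e. when SSLStrip has something to intercept."""
    return store.rewrite(url).startswith("http://")
```

The first visit to a host that is neither cached nor preloaded is the only moment SSLStrip can act; once a policy is cached the http:// request is rewritten inside the browser and never reaches the network, which is also why a policy received over plain HTTP must be ignored.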
13. HTTP Public Key Pins (HPKP)
Public-Key-Pins: pin-sha256="<base64>"; max-age=<expireTime>
Public-Key-Pins: pin-sha256="<base64>"; max-age=<expireTime>; includeSubDomains
Public-Key-Pins: pin-sha256="<base64>"; max-age=<expireTime>; report-uri="<reportURI>"

Each pin-sha256 value is the Base64-encoded SHA-256 of a certificate's SubjectPublicKeyInfo. RFC 7469 requires at least one pin that matches the served chain plus a backup pin that does not, so a deployable header always carries two or more pins.

14. Valid response with HPKP headers
HTTP/1.1 200 OK
Server: GitHub.com
Status: 200 OK
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
Public-Key-Pins: max-age=5184000;
  pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18=";
  pin-sha256="RRM1dGqnDFsCJXBTHky16vi1obOlCgFFn/yOhI/y+ho=";
  pin-sha256="k2v657xBsOVe1PQRwOsHsw3bsGT2VzIqz5K+59sNQws=";
  pin-sha256="K87oWBWM9UZfyddvDfoxL+8lpNyoUB2ptGtn0fv6G2Q=";
  pin-sha256="IQBnNBEiFuhj+8x6X8XLgh01V9Ic5/V3IRQLNFFc7v4=";
  pin-sha256="iie1VXtL7HzAMF+/PVPR9xzT80kQxdZeJ+zduCB3uj0=";
  pin-sha256="LvRiGEjRqfzurezaWuj8Wie2gyHMrW5Q06LspMnox7A=";
  includeSubDomains
Vary: Accept-Encoding
X-Served-By: d41662224d8c44f09604b862e979767a
X-GitHub-Request-Id: B36F2320:987D:E88A2AC:5741D913

15. Public Key Pins support
http://caniuse.com/#feat=publickeypinning

16. HTTP Public Key Pins – Observations
- It requires a good level of maturity: a wrong pin set or a key rotation without a backup pin locks returning users out for the whole max-age
- Start in report-only mode (Public-Key-Pins-Report-Only) before enforcing
- Does it mitigate MITM? Yes, against a mis-issued certificate from a CA the browser trusts, but only after the first visit (trust on first use)
- Internal root CA? Browsers skip pin validation for chains that end at a user-installed (enterprise) trust anchor, so corporate TLS interception still works
- Chrome/Firefox support
- Note: browsers have since removed HPKP (Chrome 72, Firefox 72); the header is deprecated and Certificate Transparency took its place

17. Curiosities (HSTS, HPKP, static pinning)
- Static pinning (Chromium.org): https://cs.chromium.org/chromium/src/net/http/transport_security_state_static.json
- Pinned there: Google, Facebook, Twitter, Dropbox, Yahoo, Tor
- 23k+ domains on the HSTS preload list
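How a pin value is derived and the RFC 7469 rules behind the slide 13 and 16 observations (two pins minimum, one matching the chain, one backup), as an added example written for this page rather than code from the deck. The byte strings standing in for SPKI DER blobs and the report URI are constructed; a real deployment would hash the DER of `openssl x509 -pubkey` output instead.

```python
import base64
import hashlib


def spki_pin(spki_der):
    """pin-sha256 value: Base64(SHA-256(SubjectPublicKeyInfo DER)), RFC 7469 section 2.4."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_hpkp(value):
    """Parse a Public-Key-Pins value into its pins and directives."""
    policy = {"pins": [], "max_age": None, "include_subdomains": False, "report_uri": None}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "pin-sha256":
            policy["pins"].append(arg)
        elif name == "max-age" and arg.isdigit():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "report-uri":
            policy["report_uri"] = arg
    return policy


def hpkp_problems(value, chain_pins):
    """Reasons a browser would refuse to note this host as pinned, plus the
    operational mistake that causes self-inflicted outages.

    chain_pins: pin-sha256 values of every SPKI in the chain actually served.
    RFC 7469 section 2.5: a valid header has max-age, at least one pin that
    matches the served chain, and at least one backup pin that does not.
    """
    policy = parse_hpkp(value)
    problems = []
    if policy["max_age"] is None:
        problems.append("max-age missing: header is ignored")
    if len(policy["pins"]) < 2:
        problems.append("fewer than two pins: header is ignored")
    matching = [p for p in policy["pins"] if p in chain_pins]
    backups = [p for p in policy["pins"] if p not in chain_pins]
    if not matching:
        problems.append("no pin matches the served chain: header is ignored")
    if not backups:
        problems.append("no backup pin: a key rotation would lock returning browsers out for max-age")
    return problems


def rotation_is_safe(old_header, new_chain_pins):
    """Before rotating keys: do the pins browsers already cached from
    old_header still match something in the chain about to be deployed?"""
    cached = parse_hpkp(old_header)["pins"]
    return any(p in new_chain_pins for p in cached)


# Constructed sample keys (assumption): arbitrary bytes stand in for SPKI DER.
LEAF = spki_pin(b"constructed-leaf-spki")
INTERMEDIATE = spki_pin(b"constructed-intermediate-spki")
BACKUP = spki_pin(b"constructed-backup-spki-kept-offline")
SERVED_CHAIN = [LEAF, INTERMEDIATE]

GOOD_HEADER = (f'pin-sha256="{LEAF}"; pin-sha256="{BACKUP}"; '
               'max-age=5184000; includeSubDomains; report-uri="https://exemplo.com/hpkp-report"')
```

The backup pin is the whole point of `hpkp_problems`: pinning only the live leaf key passes every browser check on day one and then bricks the site for returning visitors the moment the key is rotated, which is the outage pattern that made HPKP so hard to operate.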
21. X-Frame-Options – Observations
- Does the site need to be loaded inside a frame by another page at all? If not, DENY
- ALLOW-FROM does not support more than one URL
- CSP Level 2 frame-ancestors is a good replacement (it takes a list of origins)
- It mitigates clickjacking

25. X-XSS-Protection – Observations
- It offers protection against reflected XSS only
- It is not supported by Firefox
- Issues with the XSS filter itself: it can break legitimate pages and the filter logic has had security problems of its own
- Note: Chrome and Edge have since removed the filter; current guidance is to send X-XSS-Protection: 0 and rely on CSP instead
26. Content Security Policy (CSP)
Content-Security-Policy: <directive> <source-list>; <directive> <source-list>

27. Content Security Policy (CSP)
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

28. CSP header example
Response from https://twitter.com/
Content-Security-Policy:
  script-src 'nonce-7tS2MKRWrGdmy1/R72jiDQ==' https://connect.facebook.net https://cm.g.doubleclick.net https://ssl.google-analytics.com https://graph.facebook.com https://twitter.com 'unsafe-eval' https://*.twimg.com https://api.twitter.com https://analytics.twitter.com https://publish.twitter.com https://ton.twitter.com https://syndication.twitter.com https://www.google.com https://t.tellapart.com https://platform.twitter.com https://www.google-analytics.com 'self';
  frame-ancestors 'self';
  font-src https://twitter.com https://*.twimg.com data: https://ton.twitter.com https://fonts.gstatic.com https://maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self';
  media-src https://twitter.com https://*.twimg.com https://ton.twitter.com blob: 'self';
  connect-src https://graph.facebook.com https://*.giphy.com https://*.twimg.com https://api.twitter.com https://pay.twitter.com https://analytics.twitter.com https://*.twprobe.net https://media.riffsy.com https://embed.periscope.tv https://upload.twitter.com 'self';
  style-src https://fonts.googleapis.com https://twitter.com https://*.twimg.com https://translate.googleapis.com https://ton.twitter.com 'unsafe-inline' https://platform.twitter.com https://maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self';
  object-src https://twitter.com https://pbs.twimg.com;
  default-src 'self';
  frame-src https://staticxx.facebook.com https://twitter.com https://*.twimg.com https://5415703.fls.doubleclick.net https://player.vimeo.com https://pay.twitter.com https://www.facebook.com https://ton.twitter.com https://syndication.twitter.com https://vine.co twitter: https://www.youtube.com https://platform.twitter.com https://upload.twitter.com https://s-static.ak.facebook.com https://4337974.fls.doubleclick.net 'self' https://donate.twitter.com;
  img-src https://graph.facebook.com https://*.giphy.com https://twitter.com https://*.twimg.com https://ad.doubleclick.net data: https://lumiere-a.akamaihd.net https://fbcdn-profile-a.akamaihd.net https://www.facebook.com https://ton.twitter.com https://*.fbcdn.net https://syndication.twitter.com https://media.riffsy.com https://www.google.com https://stats.g.doubleclick.net https://api.mapbox.com https://www.google-analytics.com blob: 'self';
  report-uri https://twitter.com/i/csp_report?a=NVQWGYLXFVZXO2LGOQ%3D%3D%3D%3D%3D%3D&ro=false;
Set-Cookie: fm=0; Expires=Tue, 28 Mar 2017 11:35:01 UTC; Path=/; Domain=.twitter.com; Secure; HTTPOnly
Strict-Transport-Security: max-age=631138519
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block

Note the pattern: script-src carries a nonce rather than 'unsafe-inline', style-src still relies on 'unsafe-inline', and violations are reported to report-uri.

29. Content Security Policy (CSP) support
http://caniuse.com/#feat=contentsecuritypolicy2

30. Content Security Policy (CSP) – Considerations
- Difficult to implement: inline JavaScript has to be removed (or whitelisted with a nonce or hash), e.g.
  <html>
  <head>
  <script>var msg = 'javascript inline'; alert(msg);</script>
  </head>
  <body>Ola!</body>
  </html>
- 'unsafe-inline' and 'unsafe-eval' undermine the effort
- Protection against XSS (reflected/stored), but not a definitive fix
- Protection against clickjacking (frame-ancestors)
- Not supported by all browsers
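The decisions a browser makes with a policy like the one on slide 28, and why frame-ancestors replaces the single-URL ALLOW-FROM of slide 21, as an added example written for this page (not code from the deck or from any browser): a simplified CSP Level 2 matcher covering host sources, wildcards, scheme sources, 'self', 'none', nonces and the fallback to default-src. Path matching in host sources is left out, and the policy excerpt and URLs are constructed.

```python
from urllib.parse import urlsplit

# Fetch directives that fall back to default-src when absent (CSP Level 2).
# frame-ancestors deliberately does not: it is the X-Frame-Options replacement.
FALLS_BACK = {"script-src", "style-src", "img-src", "font-src", "connect-src",
              "media-src", "object-src", "frame-src", "child-src"}
INLINE_GRANTS = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
DEFAULT_PORT = {"http": "80", "https": "443"}


def parse_csp(header):
    """'script-src a b; img-src c' -> {'script-src': ['a', 'b'], 'img-src': ['c']}"""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _host_matches(pattern, host):
    if pattern == "*":
        return True
    if pattern.startswith("*."):                 # *.twimg.com: subdomains only
        return host.endswith(pattern[1:])
    return pattern == host


def _source_matches(expr, url, page):
    """Match one source expression against a fetched URL (path part ignored:
    a simplification of the spec, which also compares paths)."""
    expr, u, p = expr.lower(), urlsplit(url), urlsplit(page)
    if expr == "*":
        return u.scheme not in ("data", "blob", "filesystem")
    if expr == "'self'":
        return (u.scheme, u.hostname, u.port) == (p.scheme, p.hostname, p.port)
    if expr.startswith("'"):                     # keywords, nonces, hashes never match a URL
        return False
    if expr.endswith(":") and "/" not in expr:   # scheme-source: https: data: blob:
        return u.scheme == expr[:-1]
    scheme, _, rest = expr.partition("://") if "://" in expr else ("", "", expr)
    host, _, port = rest.split("/", 1)[0].partition(":")
    if scheme:
        if u.scheme != scheme:
            return False
    elif u.scheme != p.scheme and not (p.scheme == "http" and u.scheme == "https"):
        return False                             # no scheme given: page scheme, or an upgrade
    if not _host_matches(host, (u.hostname or "").lower()):
        return False
    actual_port = str(u.port) if u.port else DEFAULT_PORT.get(u.scheme, "")
    return port in ("", "*") or port == actual_port


def allowed(policy, directive, page, url=None, nonce=None):
    """Would the browser load `url` (or run an inline block when url is None)
    on a document served from `page` under this policy?"""
    sources = policy.get(directive)
    if sources is None and directive in FALLS_BACK:
        sources = policy.get("default-src")
    if sources is None:
        return True                              # nothing governs it: unrestricted
    lowered = [s.lower() for s in sources]
    if url is None:                              # inline script or style
        if nonce and f"'nonce-{nonce}'" in sources:   # nonces are case-sensitive
            return True
        granted = any(s.startswith(INLINE_GRANTS) for s in lowered)
        return "'unsafe-inline'" in lowered and not granted   # CSP2: ignored once a nonce/hash is present
    if "'none'" in lowered:
        return False
    return any(_source_matches(s, url, page) for s in sources)


# Constructed excerpt of the slide 28 policy (a handful of its directives).
TWITTER_EXCERPT = parse_csp(
    "script-src 'nonce-7tS2MKRWrGdmy1/R72jiDQ==' https://twitter.com 'unsafe-eval' https://*.twimg.com 'self'; "
    "frame-ancestors 'self'; style-src https://*.twimg.com 'unsafe-inline' 'self'; "
    "object-src https://twitter.com https://pbs.twimg.com; default-src 'self'; "
    "img-src https://*.twimg.com data: blob: 'self'"
)

if __name__ == "__main__":
    page = "https://twitter.com/"
    print(allowed(TWITTER_EXCERPT, "script-src", page, "https://pbs.twimg.com/a.js"))      # True
    print(allowed(TWITTER_EXCERPT, "script-src", page))                                    # False: inline without nonce
    print(allowed(TWITTER_EXCERPT, "frame-ancestors", page, "https://evil.example/"))      # False: clickjacking blocked
```

Two details matter in practice: a nonce in script-src silently disables 'unsafe-inline' for that directive, and frame-ancestors is evaluated on its own, so a policy without it leaves framing unrestricted even when default-src is 'self'.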
31. Set-Cookie (cookie options)
Set-Cookie: <key>=<value>; Expires=<expiryDate>; Secure; HttpOnly; SameSite=<Strict|Lax>

32. Set-Cookie (cookie options)
HttpOnly – the cookie is not accessible from JavaScript (document.cookie)
Secure – the cookie is never sent over a clear-text channel
SameSite – the cookie is not sent on cross-site requests (very useful against CSRF)

33. CSRF

34. Set-Cookie (cookie options) – Observations
- Secure and HttpOnly
  - Protection against cookie hijacking in clear-text HTTP traffic
  - Reduce the impact of an XSS attack (session hijacking through document.cookie)
- SameSite
  - Only supported by Chrome; still an Internet-Draft
  - Good protection against CSRF and XSSI
  - Lax: the cookie is still sent on top-level navigations that use HTTP "safe" methods (GET), so links into the site keep working
  - Could it affect browsing in general?
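The SameSite, Secure and Lax behaviour from slides 31 to 34 as an added example (written for this page, not part of the deck): a model of the browser's decision to attach a cookie to a request, run through the classic CSRF form-post scenario. The registrable-domain check is a deliberate simplification (last two labels instead of a public-suffix lookup), and the host names are constructed; the `lax_by_default` flag is an assumption added to contrast the 2017 draft with the Chrome 80+ default.

```python
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def parse_set_cookie(header):
    """Split a Set-Cookie value into name, value and lower-cased attributes."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def registrable_domain(host):
    """Assumption: the last two labels stand in for the public-suffix lookup
    browsers use (wrong for suffixes such as co.uk; fine for the samples)."""
    return ".".join(host.lower().split(".")[-2:])


def same_site(url_a, url_b):
    return registrable_domain(urlsplit(url_a).hostname) == registrable_domain(urlsplit(url_b).hostname)


def cookie_is_sent(cookie, request_url, initiator_url, method="GET",
                   top_level=False, lax_by_default=False):
    """Decide whether the browser attaches `cookie` to a request.

    initiator_url: the page that caused the request (the attacker's page in a
    CSRF scenario). top_level: True for navigations (links, form submits,
    redirects), False for subresources, fetch/XHR and iframes.
    lax_by_default: False models the 2017 draft (no attribute = always sent);
    True models Chrome 80+, where a missing attribute is treated as Lax.
    """
    attrs = cookie["attrs"]
    if "secure" in attrs and urlsplit(request_url).scheme != "https":
        return False                                        # Secure: HTTPS only
    mode = attrs.get("samesite", "").lower() or ("lax" if lax_by_default else "none")
    if mode == "none" or same_site(request_url, initiator_url):
        return True
    if mode == "strict":
        return False                                        # nothing cross-site
    return top_level and method.upper() in SAFE_METHODS     # Lax: safe top-level navigations only


def csrf_form_post_works(cookie, target="https://bank.exemplo.com/transfer",
                         attacker="https://attacker.example/"):
    """The classic CSRF: a hidden form on the attacker's page auto-submits a
    POST to the target, i.e. a cross-site top-level navigation."""
    return cookie_is_sent(cookie, target, attacker, method="POST", top_level=True)
```

Lax is the pragmatic default: it blocks the auto-submitted POST and every background fetch from another site while still letting a bookmarked or emailed link land on the logged-in site. Strict also drops that link case, which is the "could it affect browsing" question on slide 34.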
36. X-Content-Type-Options – Observations
- Supported by all popular browsers but Safari
- It mitigates MIME confusion (content sniffing) attacks
- The server must return the correct MIME type (Content-Type), because nosniff makes the browser trust it instead of guessing
37. Referrer-Policy
Referrer-Policy: <option>
Referrer-Policy: no-referrer
Referrer-Policy: no-referrer-when-downgrade
Referrer-Policy: origin
Referrer-Policy: origin-when-cross-origin
Referrer-Policy: same-origin
Referrer-Policy: strict-origin
Referrer-Policy: strict-origin-when-cross-origin
Referrer-Policy: unsafe-url

38. Referrer-Policy
Policy                          | Document                      | Navigation to                      | Referer sent
no-referrer                     | https://example.com/page.html | any domain or path                 | no referrer
no-referrer-when-downgrade      | https://example.com/page.html | https://example.com/otherpage.html | https://example.com/page.html
no-referrer-when-downgrade      | https://example.com/page.html | https://mozilla.org                | https://example.com/page.html
no-referrer-when-downgrade      | https://example.com/page.html | http://example.org                 | no referrer
origin                          | https://example.com/page.html | any domain or path                 | https://example.com/
origin-when-cross-origin        | https://example.com/page.html | https://example.com/otherpage.html | https://example.com/page.html
origin-when-cross-origin        | https://example.com/page.html | https://mozilla.org                | https://example.com/
origin-when-cross-origin        | https://example.com/page.html | http://example.com/page.html       | https://example.com/
same-origin                     | https://example.com/page.html | https://example.com/otherpage.html | https://example.com/page.html
same-origin                     | https://example.com/page.html | https://mozilla.org                | no referrer
strict-origin                   | https://example.com/page.html | https://mozilla.org                | https://example.com/
strict-origin                   | https://example.com/page.html | http://example.org                 | no referrer
strict-origin                   | http://example.com/page.html  | any domain or path                 | http://example.com/
strict-origin-when-cross-origin | https://example.com/page.html | https://example.com/otherpage.html | https://example.com/page.html
strict-origin-when-cross-origin | https://example.com/page.html | https://mozilla.org                | https://example.com/
strict-origin-when-cross-origin | https://example.com/page.html | http://example.org                 | no referrer
unsafe-url                      | https://example.com/page.html | any domain or path                 | https://example.com/page.html
Source: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy

40. Referrer-Policy – Observations
- Still under development
- Still limited support (Firefox, and some options in Chrome)
- It addresses privacy concerns: without a policy the browser default (no-referrer-when-downgrade) sends the full URL to any HTTPS third party, e.g.
  Referer: https://github.com/irgoncalves/jwtbf
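The table on slide 38 rendered as code, as an added example written for this page (not from the deck or from MDN): a function that computes the Referer header for each policy, with the slide's rows embedded as data so the implementation can be checked against them. The "any domain or path" rows are exercised with one cross-origin target, and the GitHub URL from slide 40 is reused to show what leaks and what does not.

```python
from urllib.parse import urlsplit, urlunsplit


def referrer_for(policy, document_url, target_url):
    """Referer value a browser sends when `document_url` navigates to (or
    fetches from) `target_url` under `policy`; None means no header.
    Follows the Referrer Policy spec: a 'downgrade' is HTTPS to non-HTTPS,
    'origin' is scheme://host[:port]/ and the fragment is never sent."""
    doc, target = urlsplit(document_url), urlsplit(target_url)
    origin = f"{doc.scheme}://{doc.netloc}/"
    full = urlunsplit((doc.scheme, doc.netloc, doc.path, doc.query, ""))
    same_origin = (doc.scheme, doc.netloc) == (target.scheme, target.netloc)
    downgrade = doc.scheme == "https" and target.scheme != "https"
    policy = policy.lower()
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "origin":
        return origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "strict-origin-when-cross-origin":
        return full if same_origin else (None if downgrade else origin)
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    raise ValueError(f"unknown policy {policy!r}")


# Slide 38 as data: (policy, document, navigation target, expected Referer).
SLIDE_38 = [
    ("no-referrer", "https://example.com/page.html", "https://mozilla.org", None),
    ("no-referrer-when-downgrade", "https://example.com/page.html", "https://example.com/otherpage.html", "https://example.com/page.html"),
    ("no-referrer-when-downgrade", "https://example.com/page.html", "https://mozilla.org", "https://example.com/page.html"),
    ("no-referrer-when-downgrade", "https://example.com/page.html", "http://example.org", None),
    ("origin", "https://example.com/page.html", "https://mozilla.org", "https://example.com/"),
    ("origin-when-cross-origin", "https://example.com/page.html", "https://example.com/otherpage.html", "https://example.com/page.html"),
    ("origin-when-cross-origin", "https://example.com/page.html", "https://mozilla.org", "https://example.com/"),
    ("origin-when-cross-origin", "https://example.com/page.html", "http://example.com/page.html", "https://example.com/"),
    ("same-origin", "https://example.com/page.html", "https://example.com/otherpage.html", "https://example.com/page.html"),
    ("same-origin", "https://example.com/page.html", "https://mozilla.org", None),
    ("strict-origin", "https://example.com/page.html", "https://mozilla.org", "https://example.com/"),
    ("strict-origin", "https://example.com/page.html", "http://example.org", None),
    ("strict-origin", "http://example.com/page.html", "https://mozilla.org", "http://example.com/"),
    ("strict-origin-when-cross-origin", "https://example.com/page.html", "https://example.com/otherpage.html", "https://example.com/page.html"),
    ("strict-origin-when-cross-origin", "https://example.com/page.html", "https://mozilla.org", "https://example.com/"),
    ("strict-origin-when-cross-origin", "https://example.com/page.html", "http://example.org", None),
    ("unsafe-url", "https://example.com/page.html", "https://mozilla.org", "https://example.com/page.html"),
]


def check_table(rows=SLIDE_38):
    """Rows whose computed Referer disagrees with the table (empty when consistent)."""
    return [row for row in rows if referrer_for(*row[:3]) != row[3]]
```

strict-origin-when-cross-origin is the one to reach for: the site keeps full referrers for its own analytics, third parties only learn the origin, and nothing at all crosses an HTTPS-to-HTTP boundary.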
41. Tools to investigate HTTP headers
https://observatory.mozilla.org/
https://securityheaders.io
https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Technical_Resources
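The scanners on slide 41 run against a live site; as an added example written for this page (not code from the deck or from any of those tools), here is an offline version of the same kind of audit, covering the headers discussed on slides 12, 25, 30, 34 and 36. Both responses are constructed: the first mirrors the slide 5 example, the second adds the headers this deck covers. The thresholds (one year of HSTS, nonce or hash instead of 'unsafe-inline', every cookie Secure + HttpOnly + SameSite) are this example's choices.

```python
import re


def parse_response(raw):
    """Split a raw HTTP response into (status line, {lower-name: [values]}).
    Multi-valued headers such as Set-Cookie are kept as lists."""
    head = raw.split("\r\n\r\n", 1)[0].replace("\r\n", "\n")
    status, *lines = head.split("\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def audit_headers(raw):
    """Findings a header scanner would report for one response."""
    _, h = parse_response(raw)
    first = lambda name: h.get(name, [None])[0]
    findings = []

    hsts = first("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        m = re.search(r"max-age=\"?(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < 31536000:
            findings.append("HSTS max-age shorter than one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS without includeSubDomains")

    csp, xfo = first("content-security-policy"), first("x-frame-options")
    if csp is None:
        findings.append("CSP missing")
    else:
        directives = {d.split()[0].lower(): d.split()[1:] for d in csp.split(";") if d.split()}
        script = [s.lower() for s in directives.get("script-src", directives.get("default-src", []))]
        if "'unsafe-inline'" in script and not any(s.startswith(("'nonce-", "'sha")) for s in script):
            findings.append("CSP script-src allows 'unsafe-inline' without a nonce or hash")
        if "'unsafe-eval'" in script:
            findings.append("CSP script-src allows 'unsafe-eval'")
        if "object-src" not in directives and "default-src" not in directives:
            findings.append("CSP has neither object-src nor default-src (plugins unrestricted)")
    if xfo is None and not (csp and "frame-ancestors" in csp.lower()):
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")
    elif xfo and xfo.upper().startswith("ALLOW-FROM"):
        findings.append("X-Frame-Options ALLOW-FROM takes a single origin and Chrome ignores it; use frame-ancestors")

    xcto = first("x-content-type-options")
    if xcto is None or xcto.lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    xxp = first("x-xss-protection")
    if xxp and xxp.strip().startswith("1"):
        findings.append("X-XSS-Protection enables a filter modern browsers removed; send 0 and rely on CSP")
    if first("referrer-policy") is None:
        findings.append("Referrer-Policy missing")

    for cookie in h.get("set-cookie", []):
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        name = cookie.split("=", 1)[0].strip()
        for want in ("secure", "httponly", "samesite"):
            if want not in attrs:
                findings.append(f"cookie {name} lacks {want}")

    for name in ("server", "x-powered-by"):          # version disclosure, as on slide 5
        value = first(name)
        if value and re.search(r"\d+\.\d+", value):
            findings.append(f"{name} discloses a version: {value}")
    return findings


# Constructed responses (assumption): the first mirrors slide 5, the second is hardened.
WEAK = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Fri, 17 Mar 2017 07:45:30 GMT\r\n"
    "Server: Apache/2.2.8 (Ubuntu) DAV/2\r\n"
    "X-Powered-By: PHP/5.2.4-2ubuntu5.10\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/\r\n"
    "Content-Type: text/html\r\n\r\n<html>...</html>"
)
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-d2FzYXJhbmRvbQ=='; object-src 'none'; frame-ancestors 'none'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 0\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Content-Type: text/html\r\n\r\n<html>...</html>"
)
```

Feed it the output of `curl -si https://host/` to compare against the hosted scanners; the point of keeping it local is that it can run in CI against a staging environment before the headers go live.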
42. Conclusions
- HTTP security headers improve the security and privacy of users
- Part of a defense-in-depth strategy
- Some of them have pitfalls and require maturity
- They still need additional controls: they complement server-side fixes, they do not replace them
- Different support levels across browsers

43. References
- RFC 6797, HTTP Strict Transport Security: https://tools.ietf.org/html/rfc6797
- MDN, HTTP headers: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers
- OWASP, Cross-Site Request Forgery (CSRF): https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
- OWASP, Clickjacking: https://www.owasp.org/index.php/Clickjacking
- OWASP, Cross-site Scripting (XSS): https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
- Scott Helme's blog: https://scotthelme.co.uk/
- Wired, HTTPS adoption (Google report): https://www.wired.com/2016/03/https-adoption-google-report/
- HTML5 Rocks, Content Security Policy tutorial: http://www.html5rocks.com/en/tutorials/security/content-security-policy/
- bettercap, SSL stripping and HSTS bypass: https://www.bettercap.org/blog/sslstripping-and-hsts-bypass/
- Google Research publication 45542: https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/45542.pdf
- Microsoft Security Advisory 2524375: https://technet.microsoft.com/library/security/2524375
- Google, Content Security Policy documentation: https://csp.withgoogle.com/docs/index.html
- Michal Zalewski, The Tangled Web: A Guide to Securing Modern Web Applications