HTTP Configuration for Secure Applications (セキュアアプリケーションのためのHTTP設定)
ryusukekumita1
Presentation slides from PHP Conference 2018.
1.
HTTP by Kumita Ryusuke
2.
3.
Self-introduction: PHP, WEB, SEO, NLP, blockchain. @reus_k95
4.
5.
6.
SSL/HTTPS and SEO: in 2014 Google announced HTTPS as a ranking signal (https://webmaster-ja.googleblog.com/2014/08/https-as-ranking-signal.html); 2018: HTTPS and UX versus plain HTTP.
7.
HTTP: SEO and SSL.
8.
Today's Topics
1. XSS: Content Security Policy
2. SSL: HTTP Public Key Pinning / Certificate Transparency / HTTP Strict Transport Security
3. ReportURI
9.
(agenda repeated)
10.
Content Security Policy
11.
CSP diagram: https://csp.com may load from script.com (OK) and image.com (OK); unknown.com is not in the policy and is blocked.
12.
CSP: declares from which sources scripts and other resources may be loaded; the Content-Security-Policy-Report-Only header reports violations without enforcing them.
13.
Where to set CSP: HTML, web server configuration, or application code.
14.
CSP via HTML: <meta http-equiv="Content-Security-Policy" content="...">
15.
CSP via the web server (Nginx, Apache). Nginx: add_header Content-Security-Policy "...";
16.
CSP via application code (PHP): header("Content-Security-Policy: ...");
17.
CSP example: default-src 'self'; upgrade-insecure-requests; report-uri endpoint;
Directive categories: Fetch directives, Reporting directives, etc.
18.
Fetch directives: default-src 'self'; script-src A.com; style-src B.com; frame-src 'none';
Scripts only from A.com, stylesheets only from B.com, everything else only from 'self'; frames are not allowed at all.
19.
Fetch directives:
• default-src: fallback for the other fetch directives
• script-src: JavaScript
• style-src: stylesheets
• img-src: images
• connect-src: URLs loaded from JavaScript (XMLHttpRequest, fetch, WebSocket)
• font-src: @font-face
• frame-src: <frame>, <iframe>
• manifest-src: web app manifest
• media-src: <audio>, <video>, <track>
• object-src: <object>, <embed>, <applet>
• prefetch-src: prefetched resources
• webrtc-src: WebRTC
• child-src: web workers and <frame>/<iframe>
• worker-src: Worker, SharedWorker, ServiceWorker
20.
Reporting directives: report-to and report-uri. report-uri is deprecated in CSP Level 3; report-to replaces it.
21.
report-to:
Report-To: {"group": "csp-report", "max_age": 86400, "include_subdomains": false, "endpoints": [{"url": "..."}]}
Content-Security-Policy: ...; report-to csp-report;
The Report-To header defines the endpoint group; the policy refers to it by group name.
22.
report-uri:
Content-Security-Policy: ...; report-uri endpoint;
The browser POSTs a JSON report such as:
{ "csp-report": { "document-uri": "https://myblog.jp/entries/12", "blocked-uri": "ms-browser-extension", "violated-directive": "default-src 'self' https://asset.myblog.jp ...", "original-policy": "default-src 'self' https://asset.myblog.jp ...", "effective-directive": "img-src", "status-code": 0 } }
23.
report-uri fields:
• blocked-uri: the URI that was blocked
• document-uri: the URI of the document in which the violation occurred
• violated-directive: the directive that was violated
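A minimal receiver for the report-uri JSON shown on slide 22, added here as an example (not part of the deck): it validates the report, drops violations caused by browser extensions such as the sample's blocked-uri ms-browser-extension, and logs the rest. The function names and the extension scheme list are my own.

```php
<?php
// Added example, not from the deck: a minimal report-uri endpoint for the
// JSON report format shown on slide 22. Helper names are my own.
declare(strict_types=1);

// blocked-uri values that come from browser extensions, not from the page's
// own resources. They make up much of real report volume and are not
// actionable, so they are dropped before logging. (List chosen by me.)
const EXTENSION_SCHEMES = [
    'chrome-extension', 'moz-extension', 'ms-browser-extension', 'safari-extension',
];

// Parse one report body; null if it is not a well-formed CSP report.
function parseCspReport(string $body): ?array
{
    $data = json_decode($body, true);
    if (!is_array($data) || !isset($data['csp-report']) || !is_array($data['csp-report'])) {
        return null;
    }
    $report = $data['csp-report'];
    foreach (['document-uri', 'blocked-uri', 'violated-directive'] as $key) {
        if (!isset($report[$key]) || !is_string($report[$key])) {
            return null;
        }
    }
    return $report;
}

// True when the violation was caused by a browser extension. Browsers report
// either a bare scheme ("ms-browser-extension") or a full URL
// ("chrome-extension://<id>/script.js"); both start with the scheme.
function isExtensionNoise(array $report): bool
{
    $scheme = (string) strtok($report['blocked-uri'], ':');
    return in_array($scheme, EXTENSION_SCHEMES, true);
}

// Classify a body as "invalid", "ignored" (extension noise) or "logged".
function handleCspReport(string $body): string
{
    $report = parseCspReport($body);
    if ($report === null) {
        return 'invalid';
    }
    if (isExtensionNoise($report)) {
        return 'ignored';
    }
    // effective-directive names the directive that actually applied
    // (img-src here), which is more useful than the default-src fallback.
    $directive = $report['effective-directive'] ?? $report['violated-directive'];
    error_log(sprintf('CSP violation on %s: %s blocked by %s',
        $report['document-uri'], $report['blocked-uri'], $directive));
    return 'logged';
}

// Constructed sample: the report from slide 22 (an extension, so it is ignored).
$sample = '{"csp-report":{"document-uri":"https://myblog.jp/entries/12",'
    . '"blocked-uri":"ms-browser-extension",'
    . '"violated-directive":"default-src \'self\' https://asset.myblog.jp",'
    . '"effective-directive":"img-src","status-code":0}}';

if (PHP_SAPI === 'cli') {
    echo handleCspReport($sample), "\n";
    // Same report with a real blocked resource (constructed host): gets logged.
    echo handleCspReport(str_replace('ms-browser-extension',
        'http://cdn.example.net/x.png', $sample)), "\n";
} else {
    // Real endpoint: browsers POST the report with Content-Type
    // application/csp-report; reply 204 regardless of classification.
    http_response_code(204);
    handleCspReport((string) file_get_contents('php://input'));
}
```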
24.
Mixed Content: an HTTPS page loading resources over HTTP.
• upgrade-insecure-requests: rewrites http:// requests to https://
• block-all-mixed-content: blocks http:// resources entirely
25.
CSP example: GitHub
Content-Security-Policy: default-src 'none'; base-uri 'self'; block-all-mixed-content; connect-src 'self' uploads.github.com githubstatus.com collector.githubapp.com api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com wss://live.github.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com; frame-ancestors 'none'; frame-src render.githubusercontent.com; img-src 'self' data: github.githubassets.com identicons.github.com collector.githubapp.com github-cloud.s3.amazonaws.com *.githubusercontent.com; manifest-src 'self'; media-src 'none'; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com
26.
CSP example: Twitter's content-security-policy header (a very long policy; the full source list is omitted here).
27.
CSP Level 3: nonce / strict-dynamic for scripts.
28.
script-src: allow-listing script URLs; inline scripts would need 'unsafe-inline', which weakens CSP. Use nonce / strict-dynamic instead.
29.
nonce: the server generates an unpredictable value for each response, sends it in the CSP header, and puts the same value in the nonce attribute of each <script>; only scripts whose nonce matches are executed.
30.
nonce:
HTTP header: Content-Security-Policy: script-src 'nonce-43f23r98'
HTML: <script src="..." nonce="43f23r98"></script>
31.
nonce limitation: scripts that a nonced script loads dynamically do not carry the nonce; strict-dynamic addresses this.
32.
nonce + strict-dynamic: trust propagates from a nonced script to the scripts it adds to the DOM (createElement/appendChild).
HTTP header: Content-Security-Policy: script-src 'nonce-43f23r98' 'strict-dynamic'
HTML: <script nonce="43f23r98">...</script>
33.
nonce + strict-dynamic: see Google's Strict CSP, https://csp.withgoogle.com/docs/strict-csp.html
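The nonce + 'strict-dynamic' policy from slides 29 to 33, worked as a PHP example (added here, not from the deck): one fresh nonce per response, sent in the header and in every <script> tag, following the Strict CSP recipe the deck links on slide 33. Helper names and the /csp-report endpoint path are my own.

```php
<?php
// Added example, not from the deck: per-response nonce + 'strict-dynamic'
// as described on slides 29-33. Helper names are my own.
declare(strict_types=1);

// A fresh, unguessable nonce for every response: 16 random bytes (128 bits),
// Base64-encoded as the CSP grammar requires. It must never be reused.
function makeCspNonce(): string
{
    return base64_encode(random_bytes(16));
}

// Policy following the Strict CSP recipe the deck links on slide 33.
// 'strict-dynamic' extends trust from a nonced script to scripts it inserts
// with createElement/appendChild. 'unsafe-inline' and https: are fallbacks
// that only pre-Level-3 browsers act on; browsers that understand nonces and
// 'strict-dynamic' ignore them.
function buildStrictCsp(string $nonce, string $reportEndpoint): string
{
    return "script-src 'nonce-{$nonce}' 'strict-dynamic' 'unsafe-inline' https:; "
         . "object-src 'none'; base-uri 'none'; report-uri {$reportEndpoint};";
}

// A <script> tag carrying the same nonce. Both attributes are escaped so a
// user-controlled src cannot break out of the attribute.
function scriptTag(string $nonce, string $src): string
{
    $n = htmlspecialchars($nonce, ENT_QUOTES, 'UTF-8');
    $s = htmlspecialchars($src, ENT_QUOTES, 'UTF-8');
    return "<script src=\"{$s}\" nonce=\"{$n}\"></script>";
}

// Per-request wiring: one nonce, sent in the header and reused in the tags.
// The nonce must not be cached with the page, so disable full-page caching
// for nonced responses.
$nonce = makeCspNonce();
if (PHP_SAPI !== 'cli') {
    // header() has to run before any output is sent.
    header('Content-Security-Policy: ' . buildStrictCsp($nonce, '/csp-report'));
}
echo "<!doctype html>\n<html><head>\n";
echo scriptTag($nonce, '/assets/app.js'), "\n";
// An inline <script> without the nonce (for example one injected through an
// XSS bug) does not match the policy and is not executed by the browser.
echo "</head><body></body></html>\n";
```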
34.
CSP in practice: start with Content-Security-Policy-Report-Only before enforcing.
35.
36.
X-XSS-Protection: 0 or 1; [mode=block;] [report=...;]
Enables the browser's built-in XSS filter (1) or disables it (0); mode=block stops rendering the page instead of sanitizing it; report=... sends a report.
37.
X-Content-Type-Options: nosniff
Prevents MIME type sniffing (notably in IE).
38.
Today's Topics (agenda repeated; section 2: SSL)
39.
HTTP Public Key Pinning
40.
HPKP diagram (hpkp.com, https://hpkp.com)
41.
HPKP (HTTP Public Key Pinning): pins the web server's public key in the browser; at least 2 pins are required; can be set from PHP with header().
42.
Public-Key-Pins: pin-sha256="base64=="; max-age=5184000; [includeSubDomains;] [report-uri="...";]
• pin-sha256: Base64 of the SHA-256 hash of the public key (SPKI)
• max-age: how long the pin is remembered
• includeSubDomains: apply to subdomains as well
• report-uri: where violations are reported
43.
HPKP risks.
44.
HPKP diagram (hpkp.com; pinned key and max-age)
45.
HPKP diagram (hpkp.com; key change)
46.
HPKP risks (continued).
47.
HPKP caveat: max-age (a mistaken pin stays in effect until max-age expires).
48.
HPKP: deprecated; removed in Chrome 67. Use CT (Certificate Transparency) instead.
49.
CT
50.
CT diagram (https://ct.com)
51.
CT (Certificate Transparency): certificates are recorded in public logs; the log returns an SCT (Signed Certificate Timestamp) that the server presents with the certificate. Let's Encrypt and Amazon Certificate Manager support it. Enforced with the Expect-CT header.
52.
Expect-CT: max-age=86400, [enforce,] [report-uri="..."]
• max-age
• enforce: enforce the policy; without it the header is report-only
• report-uri
53.
CT (continued).
54.
CT vs HPKP.
55.
HTTP Strict Transport Security
56.
HSTS diagram (hsts.com: http:// requests go to https://)
57.
HSTS (HTTP Strict Transport Security): tells the browser to access the host over HTTPS only; can be set from PHP with header().
58.
Strict-Transport-Security: max-age=31536000; [includeSubDomains;] [preload;]
• max-age
• includeSubDomains
• preload
59.
HSTS preload: register the site at https://hstspreload.org/ so that HTTPS is enforced from the very first visit.
60.
Today's Topics (agenda repeated; section 3: ReportURI)
61.
The HTTP report headers above need an endpoint to receive reports: ReportURI.
62.
ReportURI: 10,000 reports/month; $100 for 1,000,000 reports/month. Receives CSP and Expect-CT (and other) reports.
63.
To close: CSP.
64.
Thank you for listening.