Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
BSides Munich
Search
Sponsored
·
Ship Features Fearlessly
Turn features on and off without deploys. Used by thousands of Ruby developers.
→
Mike West
April 03, 2017
Programming
410
0
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
BSides Munich
Mike West
April 03, 2017
More Decks by Mike West
See All by Mike West
W3C Permissions Workshop - 2022-12-05
mikewest
0
150
Isolation by Default
mikewest
0
2.1k
The Web We Can Ship
mikewest
0
570
Web Platform Security @ CMS Security Summit 2020
mikewest
0
3.8k
Web Platform Security @ TechDays 2019
mikewest
1
220
Cookies are bad @ HTTP Workshop 2019
mikewest
0
530
Web Platform Security @ CMS Security Summit
mikewest
0
160
Web Platform Security PhD Summit @ Google Munich
mikewest
2
1.1k
Hardening the Web Platform - AppSec EU, 2016
mikewest
5
1.6k
Other Decks in Programming
See All in Programming
OSINT for SRE: 学術論文とポストモーテムから探る システム障害の共通パターン / SRE NEXT 2026
tomoyk
1
3.3k
TSKaigi Night Talks 2026_TypeScriptでサプライチェーンの整合性を型に閉じ込める
geekplus_tech
0
440
Honoでのサプライチェーン侵害対策 〜 3つのライブラリに学ぶ
yusukebe
7
1.8k
エンジニアにデザインハーネスを 〜デザインプロセスを規定するためのハーネス〜 / Design harness from an engineer's perspective
rkaga
2
1.3k
ECSアプリログをFireLensでコスト削減しようとしたけど諦めた話 in Fargate×Node.js
akihisaikeda
2
4.2k
どこまでゆるくて許されるのか
tk3fftk
0
470
【やさしく解説 設計編・中級 #1】一つの車に、運転手は一人 ~ある倉庫システムの事例から~
panda728
PRO
0
140
初めてのKubernetes 本番運用でハマった話
oku053
0
120
PHPだって関数型したい 〜できること、できないこと〜 / fp-in-php
jsoizo
0
180
任せる範囲はこう広がった / How the Scope of AI Delegation Has Expanded
nrslib
1
250
Hunting Vulnerabilities in Symfony with LLMs
vinceamstoutz
0
580
才能?センス?知らん、 続けたもん勝ちだ。-- 結婚・出産・癌を越えてなお、私がプロダクトを創り続ける理由
16bitidol
2
830
Featured
See All Featured
30 Presentation Tips
portentint
PRO
1
350
Visual Storytelling: How to be a Superhuman Communicator
reverentgeek
2
590
New Earth Scene 8
popppiees
3
2.4k
Groundhog Day: Seeking Process in Gaming for Health
codingconduct
0
240
Art, The Web, and Tiny UX
lynnandtonic
304
22k
The Invisible Side of Design
smashingmag
301
52k
DBのスキルで生き残る技術 - AI時代におけるテーブル設計の勘所
soudai
PRO
67
56k
State of Search Keynote: SEO is Dead Long Live SEO
ryanjones
0
220
Building an army of robots
kneath
306
46k
HDC tutorial
michielstock
2
740
StorybookのUI Testing Handbookを読んだ
zakiyama
31
6.8k
Abbi's Birthday
coloredviolet
3
8.6k
Transcript
Mike West, @mikewest,
[email protected]
https://goo.gl/F0o9kR Hardening the Web Platform
Slides: https://goo.gl/F0o9kR
None
None
None
https://goo.gl/MycPb7
"Sharpening", https://flic.kr/p/sbo18H
"Vintage Camillus 1006", https://flic.kr/p/eNbtJ8
"Vintage Camillus 1006", https://flic.kr/p/eNbtJ8
None
https://securethe.news/
https://letsencrypt.org/
https://caddyserver.com/
https://goo.gl/ptS8FO https://goo.gl/nzbqQo
Pro tip: Content-Security-Policy: default-src https:; report-uri /reports-r-us
Content-Security-Policy: upgrade-insecure-requests https://goo.gl/hcin3m
https://goo.gl/51hqZa
https://goo.gl/Kd2eMQ
https://goo.gl/ciyreA
https://goo.gl/rStTGz
AppCache getUserMedia crypto.subtle.* ServiceWorker navigator.credentials navigator.geolocation PaymentRequest EME https://goo.gl/rStTGz Notification
https://goo.gl/Wwpnjw https://goo.gl/fzVgNt
127.0.0.1 192.168.1.1 192.220.74.179 https://goo.gl/Wwpnjw
"Vintage Camillus 1006", https://flic.kr/p/eNbtJ8
https://goo.gl/Wamh7S
default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src render.githubusercontent.com; connect-src 'self' uploads.github.com
status.github.com api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com wss://live.github.com; font-src assets-cdn.github.com; form-action 'self' github.com gist.github.com; frame-ancestors 'none'; frame-src render.githubusercontent.com; img-src 'self' data: assets-cdn.github.com identicons.github.com www.google-analytics.com collector.githubapp.com *.gravatar.com *.wp.com *.githubusercontent.com; media-src 'none'; object-src assets-cdn.github.com; plugin-types application/x-shockwave-flash; script-src assets-cdn.github.com; style-src 'unsafe-inline' assets-cdn.github.com
https://goo.gl/lJq6jj https://goo.gl/dqPkYn
script-src https://connect.facebook.net https://cm.g.doubleclick.net https://ssl.google-analytics.com https://graph.facebook.com https://twitter.com 'unsafe-eval' https://*.twimg.com https://api.twitter.com https://analytics.twitter.com
https://publish.twitter.com https://ton.twitter.com https://syndication.twitter.com https://www.google.com https://t.tellapart.com 'nonce-LrNe0GlzopB0DPFNqwdllg==' https://platform.twitter.com https://www.google-analytics.com 'self'; frame-ancestors 'self'; font-src https://twitter.com https://*.twimg.com data: https://ton.twitter.com https://fonts.gstatic.com https://maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self'; media-src https://twitter.com https://*.twimg.com https://ton.twitter.com blob: 'self'; connect-src https://graph.facebook.com https://*.giphy.com https://*.twimg.com https://embed.pscp.tv https://api.twitter.com https://pay.twitter.com https://analytics.twitter.com https://*.twprobe.net https://media.riffsy.com https://embed.periscope.tv https://upload.twitter.com 'self'; style-src https://fonts.googleapis.com https://twitter.com https://*.twimg.com https://translate.googleapis.com https://ton.twitter.com 'unsafe-inline' https://platform.twitter.com https://maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self'; object-src https://twitter.com https://pbs.twimg.com; default-src 'self'; frame-src https://staticxx.facebook.com https://twitter.com https://*.twimg.com https://5415703.fls.doubleclick.net https://player.vimeo.com https://pay.twitter.com https://www.facebook.com https://ton.twitter.com https://syndication.twitter.com https://vine.co twitter: https://www.youtube.com https://platform.twitter.com https://upload.twitter.com https://s-static.ak.facebook.com https://4337974.fls.doubleclick.net 'self' https://donate.twitter.com; img-src https://graph.facebook.com https://*.giphy.com https://twitter.com https://*.twimg.com https://ad.doubleclick.net data: https://lumiere-a.akamaihd.net https://fbcdn-profile-a.akamaihd.net https://www.facebook.com https://ton.twitter.com https://*.fbcdn.net https://syndication.twitter.com https://media.riffsy.com https://www.google.com https://stats.g.doubleclick.net https://api.mapbox.com https://www.google-analytics.com blob: 'self'; report-uri https://twitter.com/i/csp_report?a=NVQWGYLXFVZXO2LGOQ%3D%3D%3D%3D%3D%3D&ro=false;
https://goo.gl/wSH6sV
https://srihash.org/
https://goo.gl/yxEJiO https://goo.gl/IrPX7b
Set-Cookie: user_session=...; path=/; secure; HttpOnly; SameSite=Lax
https://goo.gl/QcZIBI
✘ Set-Cookie: __Host-SID=12345; Secure; Path=/ ✘ Set-Cookie: __Host-SID=12345 ✘ Set-Cookie:
__Host-SID=12345; Secure ✘ Set-Cookie: __Host-SID=12345; Secure; Path=/subdirectory/ ✘ Set-Cookie: __Host-SID=12345; Domain=example.com ✘ Set-Cookie: __Host-SID=12345; Domain=example.com; Path=/ ✘ Set-Cookie: __Host-SID=12345; Secure; Domain=example.com; Path=/ ✘ Set-Cookie: __Secure-SID=12345; Secure; ✘ Set-Cookie: __Secure-SID=12345
https://goo.gl/gF2clJ
https://goo.gl/FHAeAm
Credential Management API @ I/O: https://goo.gl/FbrO5x navigator.credentials.get({ "password": true, "unmediated":
true }) .then(c => { if (!c) return; // Hooray, we have a credential! signInToYourApplication(c); });
Credential Management API @ I/O: https://goo.gl/FbrO5x function signInToYourApplication(c) { fetch("/signin",
{ "method": "POST", "credentials": c }) .then(r => { if (r.status == 200) { renderSignedInExperience(r); // or: window.location = "/signedin"; } else { renderUsefulErrorMessage(); } }); }
None
https://goo.gl/Un07eJ
https://goo.gl/ILUP12
https://goo.gl/eZ9SKg
scheme://host:port
scheme://host:port scheme://sub1_host:port scheme://sub2_host:port
https://goo.gl/VhLsq2
None
Thank you! https://goo.gl/F0o9kR @mikewest
[email protected]