Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
BSides Munich
Search
Sponsored
·
Ship Features Fearlessly
Turn features on and off without deploys. Used by thousands of Ruby developers.
→
Mike West
April 03, 2017
Programming
410
0
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
BSides Munich
Mike West
April 03, 2017
More Decks by Mike West
See All by Mike West
W3C Permissions Workshop - 2022-12-05
mikewest
0
150
Isolation by Default
mikewest
0
2.1k
The Web We Can Ship
mikewest
0
570
Web Platform Security @ CMS Security Summit 2020
mikewest
0
3.8k
Web Platform Security @ TechDays 2019
mikewest
1
220
Cookies are bad @ HTTP Workshop 2019
mikewest
0
530
Web Platform Security @ CMS Security Summit
mikewest
0
160
Web Platform Security PhD Summit @ Google Munich
mikewest
2
1.1k
Hardening the Web Platform - AppSec EU, 2016
mikewest
5
1.6k
Other Decks in Programming
See All in Programming
エージェンティックRAGにAWSで入門しよう!
har1101
9
1.9k
Vue × Nuxt × Oxc どこまで使える?実運用の現在地
andpad
0
370
AIエージェントで 変わるAndroid開発環境
takahirom
2
490
Dataformのリポジトリを立ち上げるときにまずやること / dataform-day0-2026
snhryt
0
220
LaravelLive Japan の裏方のすべて — 第188回 PHP勉強会@東京 (2026-06-24)
suguruooki
2
150
霧の中の代数的エフェクト
funnyycat
1
340
1B+ /day規模のログを管理する技術
broadleaf
0
130
Even G2とAWSで推しのエージェントを召喚しよう!
har1101
1
160
Welcome to the "Parametricity" 🏙️ − Generic だけど Specific な世界 −
guvalif
PRO
1
140
スマートグラスで並列バイブコーディング
hyshu
0
290
Snowflake Summitでの新機能 CoCo / CoWork / snowflake-summit-2026-overall-what-new-coco
tatsuhiro
1
220
act1-costs.pdf
sumedhbala
0
210
Featured
See All Featured
How to audit for AI Accessibility on your Front & Back End
davetheseo
0
460
What’s in a name? Adding method to the madness
productmarketing
PRO
24
4.1k
Six Lessons from altMBA
skipperchong
29
4.3k
The Curse of the Amulet
leimatthew05
2
13k
Money Talks: Using Revenue to Get Sh*t Done
nikkihalliwell
0
300
Technical Leadership for Architectural Decision Making
baasie
3
440
エンジニアに許された特別な時間の終わり
watany
107
250k
Automating Front-end Workflow
addyosmani
1370
210k
AI Search: Where Are We & What Can We Do About It?
aleyda
0
7.7k
Stewardship and Sustainability of Urban and Community Forests
pwiseman
0
270
Ethics towards AI in product and experience design
skipperchong
2
330
Ten Tips & Tricks for a 🌱 transition
stuffmc
0
150
Transcript
Mike West, @mikewest,
[email protected]
https://goo.gl/F0o9kR Hardening the Web Platform
Slides: https://goo.gl/F0o9kR
None
None
None
https://goo.gl/MycPb7
"Sharpening", https://flic.kr/p/sbo18H
"Vintage Camillus 1006", https://flic.kr/p/eNbtJ8
"Vintage Camillus 1006", https://flic.kr/p/eNbtJ8
None
https://securethe.news/
https://letsencrypt.org/
https://caddyserver.com/
https://goo.gl/ptS8FO https://goo.gl/nzbqQo
Pro tip: Content-Security-Policy: default-src https:; report-uri /reports-r-us
Content-Security-Policy: upgrade-insecure-requests https://goo.gl/hcin3m
https://goo.gl/51hqZa
https://goo.gl/Kd2eMQ
https://goo.gl/ciyreA
https://goo.gl/rStTGz
AppCache getUserMedia crypto.subtle.* ServiceWorker navigator.credentials navigator.geolocation PaymentRequest EME https://goo.gl/rStTGz Notification
https://goo.gl/Wwpnjw https://goo.gl/fzVgNt
127.0.0.1 192.168.1.1 192.220.74.179 https://goo.gl/Wwpnjw
"Vintage Camillus 1006", https://flic.kr/p/eNbtJ8
https://goo.gl/Wamh7S
default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src render.githubusercontent.com; connect-src 'self' uploads.github.com
status.github.com api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com wss://live.github.com; font-src assets-cdn.github.com; form-action 'self' github.com gist.github.com; frame-ancestors 'none'; frame-src render.githubusercontent.com; img-src 'self' data: assets-cdn.github.com identicons.github.com www.google-analytics.com collector.githubapp.com *.gravatar.com *.wp.com *.githubusercontent.com; media-src 'none'; object-src assets-cdn.github.com; plugin-types application/x-shockwave-flash; script-src assets-cdn.github.com; style-src 'unsafe-inline' assets-cdn.github.com
https://goo.gl/lJq6jj https://goo.gl/dqPkYn
script-src https://connect.facebook.net https://cm.g.doubleclick.net https://ssl.google-analytics.com https://graph.facebook.com https://twitter.com 'unsafe-eval' https://*.twimg.com https://api.twitter.com https://analytics.twitter.com
https://publish.twitter.com https://ton.twitter.com https://syndication.twitter.com https://www.google.com https://t.tellapart.com 'nonce-LrNe0GlzopB0DPFNqwdllg==' https://platform.twitter.com https://www.google-analytics.com 'self'; frame-ancestors 'self'; font-src https://twitter.com https://*.twimg.com data: https://ton.twitter.com https://fonts.gstatic.com https://maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self'; media-src https://twitter.com https://*.twimg.com https://ton.twitter.com blob: 'self'; connect-src https://graph.facebook.com https://*.giphy.com https://*.twimg.com https://embed.pscp.tv https://api.twitter.com https://pay.twitter.com https://analytics.twitter.com https://*.twprobe.net https://media.riffsy.com https://embed.periscope.tv https://upload.twitter.com 'self'; style-src https://fonts.googleapis.com https://twitter.com https://*.twimg.com https://translate.googleapis.com https://ton.twitter.com 'unsafe-inline' https://platform.twitter.com https://maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self'; object-src https://twitter.com https://pbs.twimg.com; default-src 'self'; frame-src https://staticxx.facebook.com https://twitter.com https://*.twimg.com https://5415703.fls.doubleclick.net https://player.vimeo.com https://pay.twitter.com https://www.facebook.com https://ton.twitter.com https://syndication.twitter.com https://vine.co twitter: https://www.youtube.com https://platform.twitter.com https://upload.twitter.com https://s-static.ak.facebook.com https://4337974.fls.doubleclick.net 'self' https://donate.twitter.com; img-src https://graph.facebook.com https://*.giphy.com https://twitter.com https://*.twimg.com https://ad.doubleclick.net data: https://lumiere-a.akamaihd.net https://fbcdn-profile-a.akamaihd.net https://www.facebook.com https://ton.twitter.com https://*.fbcdn.net https://syndication.twitter.com https://media.riffsy.com https://www.google.com https://stats.g.doubleclick.net https://api.mapbox.com https://www.google-analytics.com blob: 'self'; report-uri https://twitter.com/i/csp_report?a=NVQWGYLXFVZXO2LGOQ%3D%3D%3D%3D%3D%3D&ro=false;
https://goo.gl/wSH6sV
https://srihash.org/
https://goo.gl/yxEJiO https://goo.gl/IrPX7b
Set-Cookie: user_session=...; path=/; secure; HttpOnly; SameSite=Lax
https://goo.gl/QcZIBI
✘ Set-Cookie: __Host-SID=12345; Secure; Path=/ ✘ Set-Cookie: __Host-SID=12345 ✘ Set-Cookie:
__Host-SID=12345; Secure ✘ Set-Cookie: __Host-SID=12345; Secure; Path=/subdirectory/ ✘ Set-Cookie: __Host-SID=12345; Domain=example.com ✘ Set-Cookie: __Host-SID=12345; Domain=example.com; Path=/ ✘ Set-Cookie: __Host-SID=12345; Secure; Domain=example.com; Path=/ ✘ Set-Cookie: __Secure-SID=12345; Secure; ✘ Set-Cookie: __Secure-SID=12345
https://goo.gl/gF2clJ
https://goo.gl/FHAeAm
Credential Management API @ I/O: https://goo.gl/FbrO5x navigator.credentials.get({ "password": true, "unmediated":
true }) .then(c => { if (!c) return; // Hooray, we have a credential! signInToYourApplication(c); });
Credential Management API @ I/O: https://goo.gl/FbrO5x function signInToYourApplication(c) { fetch("/signin",
{ "method": "POST", "credentials": c }) .then(r => { if (r.status == 200) { renderSignedInExperience(r); // or: window.location = "/signedin"; } else { renderUsefulErrorMessage(); } }); }
None
https://goo.gl/Un07eJ
https://goo.gl/ILUP12
https://goo.gl/eZ9SKg
scheme://host:port
scheme://host:port scheme://sub1_host:port scheme://sub2_host:port
https://goo.gl/VhLsq2
None
Thank you! https://goo.gl/F0o9kR @mikewest
[email protected]