Hardening the Web Platform - AppSec EU, 2016

Transcript

1. Mike West, @mikewest, [email protected] https://goo.gl/YyrmXp Hardening the Web Platform

2. None
3. None
4. None
5. None

6. https://goo.gl/MycPb7

7. "Sharpening", https://flic.kr/p/sbo18H

8. "Vintage Camillus 1006", https://flic.kr/p/eNbtJ8

9. "Vintage Camillus 1006", https://flic.kr/p/eNbtJ8

10. None

11. https://letsencrypt.org/

12. https://goo.gl/1r7oNF https://goo.gl/nzbqQo

13. Pro tip: Content-Security-Policy: default-src https:; report-uri /reports-r-us

14. Content-Security-Policy: upgrade-insecure-requests https://goo.gl/hcin3m

15. https://goo.gl/rStTGz

16. AppCache getUserMedia crypto.subtle.* ServiceWorker navigator.credentials navigator.geolocation PaymentRequest EME https://goo.gl/rStTGz

17. https://goo.gl/gF2clJ

18. https://goo.gl/Kd2eMQ

19. https://goo.gl/Wwpnjw https://goo.gl/fzVgNt

20. 127.0.0.1 192.168.1.1 192.220.74.179 https://goo.gl/Wwpnjw

21. "Vintage Camillus 1006", https://flic.kr/p/eNbtJ8

22. https://goo.gl/Wamh7S

23. "Making CSP Great Again", https://goo.gl/74D8i5 default-src 'none'; base-uri 'self'; block-all-mixed-content;

    child-src render.githubusercontent.com; connect-src 'self' uploads.github.com status. github.com api.github.com www.google-analytics.com github-cloud.s3. amazonaws.com wss://live.github.com; font-src assets-cdn.github.com; form- action 'self' github.com gist.github.com; frame-ancestors 'none'; frame-src render.githubusercontent.com; img-src 'self' data: assets-cdn.github.com identicons.github.com www.google-analytics.com collector.githubapp.com *. gravatar.com *.wp.com *.githubusercontent.com; media-src 'none'; object-src assets-cdn.github.com; plugin-types application/x-shockwave-flash; script- src assets-cdn.github.com; style-src 'unsafe-inline' assets-cdn.github.com

24. https://goo.gl/lJq6jj https://goo.gl/GXob6d

25. https://srihash.org/

26. https://goo.gl/yxEJiO https://goo.gl/IrPX7b

27. Set-Cookie: user_session=...; path=/; secure; HttpOnly; SameSite=Lax

28. ✘ Set-Cookie: __Host-SID=12345; Secure; Path=/ ✘ Set-Cookie: __Host-SID=12345 ✘ Set-Cookie:

    __Host-SID=12345; Secure ✘ Set-Cookie: __Host-SID=12345; Secure; Path=/subdirectory/ ✘ Set-Cookie: __Host-SID=12345; Domain=example.com ✘ Set-Cookie: __Host-SID=12345; Domain=example.com; Path=/ ✘ Set-Cookie: __Host-SID=12345; Secure; Domain=example.com; Path=/ ✘ Set-Cookie: __Secure-SID=12345; Secure; ✘ Set-Cookie: __Secure-SID=12345

29. https://goo.gl/FHAeAm

30. Credential Management API @ I/O: https://goo.gl/FbrO5x navigator.credentials.get({ "password": true, "unmediated":

    true }) .then(c => { if (!c) return; // Hooray, we have a credential! signInToYourApplication(c); });

31. Credential Management API @ I/O: https://goo.gl/FbrO5x function signInToYourApplication(c) { fetch("/signin",

    { "method": "POST", "credentials": c }) .then(r => { if (r.status == 200) { renderSignedInExperience(r); // or: window.location = "/signedin"; } else { renderUsefulErrorMessage(); } }); }

32. https://goo.gl/M5yVrc

33. https://goo.gl/eZ9SKg

34. scheme://host:port

35. scheme://host:port scheme://sub1_host:port scheme://sub2_host:port

36. None

37. Thank you! https://goo.gl/YyrmXp @mikewest [email protected]