
Security Headers, why should we care


Artur Hil

April 20, 2021


Transcript

  1. Why to use the Security headers
     • It's a good place to start when you want to secure your web app
     • Easy to implement and only requires a slight web server configuration change
     • Provides yet another layer of security by helping to mitigate attacks and security vulnerabilities
     • Assures your clients that you are keeping up with best practices
     • Discourages most hackers from playing with your app
  2. Today we will focus on:
     • HTTP Strict Transport Security
     • X-Frame-Options
     • X-Content-Type-Options
     • Referrer-Policy
     • Content-Security-Policy
  3. Today we will not focus on:
     Rarely used:
     • X-Permitted-Cross-Domain-Policies
     • Clear-Site-Data
     • Cross-Origin-Embedder-Policy
     • Cross-Origin-Opener-Policy
     • Cross-Origin-Resource-Policy
     Almost deprecated:
     • Feature-Policy
     • Expect-CT
     Deprecated:
     • Public-Key-Pins
     • X-XSS-Protection
  4. HTTP Strict Transport Security (HSTS)
     Deck sections: HTTP Strict Transport Security, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Content-Security-Policy
  5. HTTP Strict Transport Security (HSTS)
     Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
       e.g. Strict-Transport-Security: max-age=31536000; includeSubDomains
     Strict-Transport-Security: max-age=<expire-time>; includeSubDomains; preload
       e.g. Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
     Strict-Transport-Security: max-age=<expire-time>
       e.g. Strict-Transport-Security: max-age=300
     The best
  6. X-Frame-Options
     Syntax:
     Do:
     • X-Frame-Options: DENY (no one will be able to frame your application)
     Don't:
     • X-Frame-Options: SAMEORIGIN
     • X-Frame-Options: ALLOW-FROM https://example.com/
     Small protection against clickjacking, but better than none
  7. MIME sniffing
     text/plain is not a valid JavaScript MIME type
  8. X-Content-Type-Options
     • Always make sure that all resources served by a web application have a correct Content-Type header in the response
     • X-Content-Type-Options: nosniff should be deployed for all application responses
  9. Information leakage via the Referer header
     Private information: https://news.example/search?q=covid-19&sort=newest
     Private and sensitive: https://healthcare.example/patient/history/injuries/arm
     Private and identity information: https://mybook.example.com/profile/[email protected]
     Critical information: https://mail.example/password_reset?token=b08476ff4b8c961375c89e6671b56111
  10. Referrer-Policy
     Referrer-Policy: no-referrer
       No Referer information in any case
     Referrer-Policy: no-referrer-when-downgrade
       Origin, path and query in Referer for HTTP→HTTP, HTTP→HTTPS and HTTPS→HTTPS
       No Referer information for HTTPS→HTTP and HTTPS→file
     Referrer-Policy: origin
       Only the origin: https://example.com/page.html >> https://example.com/
     Referrer-Policy: origin-when-cross-origin
       Origin, path and query in Referer for same-origin requests to the same protocol
       Only the origin for cross-origin requests and for requests to less secure destinations
  11. Referrer-Policy
     Referrer-Policy: same-origin
       Origin, path and query in Referer for same-origin requests
       No Referer information for cross-origin requests
     Referrer-Policy: strict-origin
       Only the origin when the protocol security level stays the same (HTTPS→HTTPS)
       No Referer information for less secure destinations (HTTPS→HTTP)
     Referrer-Policy: strict-origin-when-cross-origin
       Default if no policy is specified
       Origin, path and query in Referer for same-origin requests
       Only the origin when the protocol security level stays the same (HTTPS→HTTPS)
       No Referer information for less secure destinations (HTTPS→HTTP)
     Referrer-Policy: unsafe-url
       Origin, path and query in Referer in any case
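The tables on slides 10 and 11 are easier to reason about when you can compute the outcome for a concrete pair of URLs. The following is an added example, not part of the deck: it implements the eight Referrer-Policy values as a function that returns the Referer value a browser would send (or None) for a given source page and destination, treating HTTPS to HTTP or file: as a downgrade. The URLs in the demo are constructed (one reuses the password-reset pattern from slide 9); an unrecognised policy token is treated like the browser default, strict-origin-when-cross-origin.

```python
from urllib.parse import urlsplit, urlunsplit

# Added example (not part of the deck): what ends up in Referer under each Referrer-Policy value.

POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin",
    "same-origin", "strict-origin", "strict-origin-when-cross-origin", "unsafe-url",
}
DEFAULT_POLICY = "strict-origin-when-cross-origin"   # browser default when no policy is set
SECURE_SCHEMES = {"https", "wss"}
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def _origin_tuple(url):
    """(scheme, host, port) with the default port filled in, so two origins compare correctly."""
    p = urlsplit(url)
    return (p.scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(p.scheme))


def _origin(url):
    """Origin as it appears in Referer: scheme://host[:port]/ (slide 10's 'origin' example)."""
    scheme, host, port = _origin_tuple(url)
    hostport = host if port == DEFAULT_PORTS.get(scheme) else f"{host}:{port}"
    return f"{scheme}://{hostport}/"


def _stripped(url):
    """Origin, path and query only: credentials and the fragment are never sent in Referer."""
    p = urlsplit(url)
    host = p.hostname or ""
    if p.port and p.port != DEFAULT_PORTS.get(p.scheme):
        host = f"{host}:{p.port}"
    return urlunsplit((p.scheme, host, p.path or "/", p.query, ""))


def _is_downgrade(src, dst):
    """HTTPS (or WSS) to a non-TLS destination such as http: or file: is a downgrade; HTTP to anything is not."""
    return urlsplit(src).scheme in SECURE_SCHEMES and urlsplit(dst).scheme not in SECURE_SCHEMES


def referer_for(policy, src, dst):
    """Referer value sent for a request from page src to dst under policy, or None when nothing is sent.
    Browsers ignore an unknown policy token, so it behaves like the default."""
    policy = policy.strip().lower()
    if policy not in POLICIES:
        policy = DEFAULT_POLICY
    same_origin = _origin_tuple(src) == _origin_tuple(dst)
    downgrade = _is_downgrade(src, dst)
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return _stripped(src)
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else _stripped(src)
    if policy == "origin":
        return _origin(src)
    if policy == "strict-origin":
        return None if downgrade else _origin(src)
    if policy == "same-origin":
        return _stripped(src) if same_origin else None
    if policy == "origin-when-cross-origin":
        return _stripped(src) if same_origin else _origin(src)
    # strict-origin-when-cross-origin: full URL same-origin, origin only cross-origin, nothing on downgrade
    if same_origin:
        return _stripped(src)
    return None if downgrade else _origin(src)


def leak_table(src, dst):
    """What each policy discloses about src to dst; useful for reviewing URLs like those on slide 9."""
    return {policy: referer_for(policy, src, dst) for policy in sorted(POLICIES)}


if __name__ == "__main__":
    # Constructed inputs: the password-reset URL pattern from slide 9, loading a third-party image over plain HTTP.
    page = "https://mail.example/password_reset?token=b08476ff4b8c961375c89e6671b56111"
    for policy, referer in leak_table(page, "http://tracker.example/pixel.gif").items():
        print(f"{policy:32} {referer}")
```

Running the demo shows that only no-referrer, same-origin, strict-origin and strict-origin-when-cross-origin keep the reset token away from the HTTP tracker, while no-referrer-when-downgrade protects it only because the destination is a downgrade; the same page loading an HTTPS tracker would leak the full URL under that policy.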
  12. The most secure approach for security headers
     X-Frame-Options: deny
     Referrer-Policy: no-referrer
     X-Content-Type-Options: nosniff
     Strict-Transport-Security: max-age=31536000; includeSubDomains
  13. The most secure approach for security headers
     X-Frame-Options: deny
     Referrer-Policy: strict-origin-when-cross-origin
     X-Content-Type-Options: nosniff
     Strict-Transport-Security: max-age=31536000; includeSubDomains
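A quick way to check a deployment against the header set on slides 12 and 13, and the HSTS variants on slide 5, is to audit a captured response. This is an added example, not from the deck: it parses Strict-Transport-Security (rejecting a missing or non-numeric max-age and repeated directives, as RFC 6797 requires), flags values weaker than the deck's max-age=31536000; includeSubDomains form, and compares the other three headers with the accepted values from the two slides. The preload check uses the published hstspreload.org submission requirements (max-age of at least one year plus includeSubDomains); the sample response headers are constructed.

```python
import re

# Added example (not part of the deck): audit a response's security headers against slides 5, 12 and 13.

ONE_YEAR = 31536000  # seconds; the max-age value the deck uses

# Accepted values per header, from slides 12 and 13 (compared case-insensitively).
RECOMMENDED = {
    "x-frame-options": {"deny"},
    "x-content-type-options": {"nosniff"},
    "referrer-policy": {"no-referrer", "strict-origin-when-cross-origin"},
}


def parse_hsts(value):
    """Return {'max-age': int, 'includesubdomains': True, 'preload': True, ...}, or None when the header
    is invalid: no max-age, a non-numeric max-age, or a directive given twice (RFC 6797 section 6.1)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name in directives:
            return None
        if name == "max-age":
            if not re.fullmatch(r"\d+", val):
                return None
            directives[name] = int(val)
        else:
            directives[name] = True
    return directives if "max-age" in directives else None


def hsts_findings(value):
    """Findings for one HSTS value; an empty list means it is at least the deck's recommended form."""
    d = parse_hsts(value)
    if d is None:
        return ["Strict-Transport-Security is malformed or lacks max-age; browsers ignore it"]
    findings = []
    if d["max-age"] == 0:
        findings.append("max-age=0 tells browsers to forget the HSTS entry instead of enforcing HTTPS")
    elif d["max-age"] < ONE_YEAR:
        findings.append(f"max-age={d['max-age']} is shorter than one year ({ONE_YEAR})")
    if not d.get("includesubdomains"):
        findings.append("includeSubDomains is missing, so subdomains can still be reached over plain HTTP")
    if d.get("preload") and (d["max-age"] < ONE_YEAR or not d.get("includesubdomains")):
        findings.append("preload is set, but the preload list requires max-age >= 31536000 and includeSubDomains")
    return findings


def audit_headers(headers):
    """headers: {name: value} of one response (names compared case-insensitively). Returns a list of findings."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, accepted in RECOMMENDED.items():
        if name not in h:
            findings.append(f"{name} is missing")
        elif h[name].strip().lower() not in accepted:
            findings.append(f"{name}: '{h[name]}' is not one of {sorted(accepted)}")
    if "strict-transport-security" not in h:
        findings.append("strict-transport-security is missing")
    else:
        findings.extend(hsts_findings(h["strict-transport-security"]))
    return findings


if __name__ == "__main__":
    # Constructed response: the max-age=300 example from slide 5 and the "Don't" X-Frame-Options value from slide 6.
    sample = {
        "X-Frame-Options": "SAMEORIGIN",
        "X-Content-Type-Options": "nosniff",
        "Strict-Transport-Security": "max-age=300",
    }
    for finding in audit_headers(sample):
        print("-", finding)
```

The header names are matched case-insensitively because HTTP header names are, and a malformed HSTS value is reported rather than silently accepted: a browser that cannot parse max-age discards the whole header, so such a deployment gets no protection at all.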
  14. Alexa top 1 million security headers analysis
  15. Why so hard to implement?
     • More than 30 directives
     • More than half of them are experimental
     • Some of the directives interfere with each other
     • Sometimes you need to rebuild your entire app to use CSP properly
     • Improper implementation of CSP could help hackers break into your app
  16. So you have decided to implement CSP
     Do not start with Content-Security-Policy
     Start with Content-Security-Policy-Report-Only
  17. Strictest policy:
     Content-Security-Policy-Report-Only: default-src 'none'; form-action 'none'; frame-ancestors 'none';
  18. Possible errors that will appear
     [Report Only] Refused to load the stylesheet 'https://example.com/style.css' because it violates the following Content Security Policy directive: "default-src 'none'". Note that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.
     To be fixed with:
     Content-Security-Policy-Report-Only: default-src 'none'; form-action 'none'; frame-ancestors 'none'; style-src 'self'; image-src 'self'; script-src 'self';
     (The image directive is spelled img-src, as on slide 20; browsers ignore the unknown name image-src, so images would still fall back to default-src 'none'.)
  19. Possible errors that will appear
     [Report Only] Refused to load the stylesheet 'https://example.com/style.css' because it violates the following Content Security Policy directive: "default-src 'none'". Note that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.
     To be fixed with:
     Content-Security-Policy-Report-Only: default-src 'self'; form-action 'none'; frame-ancestors 'none';
  20. Inline scripts
     Content-Security-Policy-Report-Only: default-src 'none'; form-action 'none'; frame-ancestors 'none'; style-src 'self'; script-src 'unsafe-inline'; img-src 'self';
     Content-Security-Policy-Report-Only: default-src 'none'; form-action 'none'; frame-ancestors 'none'; style-src 'self'; script-src 'self' cdnjs.com sha256-c2u0cNUv1GcIb92+ybgJ4yMPatX/k+xxHHbugKVGUU8=; img-src 'self';
     Content-Security-Policy-Report-Only: default-src 'none'; form-action 'none'; frame-ancestors 'none'; style-src 'self'; script-src 'nonce-2726c7f26c'; img-src 'self';
     (A hash source must be single-quoted, 'sha256-…', like the nonce on the last line; written without quotes it is parsed as a host name and never matches the inline script.)
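The error message on slide 18 and the three script-src variants on slide 20 all come down to how a browser resolves a policy: which source list governs a load (the directive itself, else default-src for fetch directives), and whether an inline block is admitted by 'unsafe-inline', a hash or a nonce. The following is an added example, not code from the deck: a small CSP evaluator that implements that resolution, computes the 'sha256-…' token for an inline body, and generates a per-response nonce. Host matching ignores port and path parts for brevity; the page and resource URLs in the demo are constructed.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlsplit

# Added example (not part of the deck): resolve the default-src fallback from slide 18 and the
# inline-script options from slide 20 ('unsafe-inline', hash, nonce).

# Fetch directives that fall back to default-src when absent (frame-ancestors and form-action do not).
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "font-src", "connect-src",
                    "media-src", "object-src", "frame-src", "child-src"}


def parse_csp(header):
    """{directive: [source expressions]}; when a directive is repeated, browsers keep the first occurrence."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy, directive):
    """The list that actually governs `directive`: its own, else default-src for fetch directives, else None."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES and "default-src" in policy:
        return policy["default-src"]
    return None


def csp_hash(inline_body):
    """The quoted 'sha256-…' source expression for an inline script or style body: base64 of its SHA-256."""
    digest = hashlib.sha256(inline_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def new_nonce():
    """A fresh, unpredictable nonce; generate one per response and never reuse it."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def _host_matches(source, url, page):
    """Host-source matching (port and path parts ignored for brevity). A scheme-less host such as
    cdnjs.com matches only over the page's scheme or https, so an http:// load on an https page is refused."""
    scheme, rest = source.split("://", 1) if "://" in source else ("", source)
    host = rest.split("/", 1)[0].split(":", 1)[0].lower()
    u = urlsplit(url)
    if scheme and u.scheme != scheme:
        return False
    if not scheme and u.scheme not in (urlsplit(page).scheme, "https"):
        return False
    uhost = (u.hostname or "").lower()
    return uhost.endswith(host[1:]) if host.startswith("*.") else uhost == host


def allows(policy, directive, page, url=None, inline=None, nonce=None):
    """True when the load is permitted. page: the document URL; url: an external resource;
    inline: the body of an inline block; nonce: the value of the element's nonce attribute."""
    sources = effective_sources(policy, directive)
    if sources is None:
        return True
    if sources == ["'none'"]:
        return False
    if inline is not None:
        has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in sources)
        if "'unsafe-inline'" in sources and not has_nonce_or_hash:
            return True   # a nonce or hash in the list makes browsers ignore 'unsafe-inline'
        if nonce and f"'nonce-{nonce}'" in sources:
            return True
        return csp_hash(inline) in sources
    p, u = urlsplit(page), urlsplit(url)
    for s in sources:
        if s == "'self'":
            if (u.scheme, u.hostname, u.port) == (p.scheme, p.hostname, p.port):
                return True
        elif s.startswith("'"):
            continue          # other keywords, nonces and hashes never match a URL
        elif s.endswith(":") and "/" not in s:
            if u.scheme == s[:-1]:
                return True   # scheme source such as https:
        elif _host_matches(s, url, page):
            return True
    return False


if __name__ == "__main__":
    # Constructed page and resource URLs that reproduce the slide 18 error and the slide 20 options.
    page = "https://example.com/index.html"
    strict = parse_csp("default-src 'none'; form-action 'none'; frame-ancestors 'none'")
    print("stylesheet under the strictest policy:", allows(strict, "style-src", page, url="https://example.com/style.css"))
    body = "console.log('hello')"
    hashed = parse_csp("default-src 'none'; script-src 'self' cdnjs.com " + csp_hash(body))
    print("inline script with matching hash:", allows(hashed, "script-src", page, inline=body))
    print("script from cdnjs.com:", allows(hashed, "script-src", page, url="https://cdnjs.com/lib.js"))
    nonce = new_nonce()
    nonced = parse_csp(f"default-src 'none'; script-src 'nonce-{nonce}'")
    print("inline script carrying the response nonce:", allows(nonced, "script-src", page, inline=body, nonce=nonce))
```

Two behaviours worth noticing: the hash changes when a single byte of the inline body changes, which is why hashes suit static snippets and nonces suit templated ones; and once a hash or nonce is present, 'unsafe-inline' in the same list stops having any effect, so leaving it in as a "fallback" buys nothing.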
  21. Where to locate CSP errors
     Content-Security-Policy-Report-Only: default-src 'none'; form-action 'none'; frame-ancestors 'none'; report-uri /csp-violation-report-endpoint/
     Content-Security-Policy-Report-Only: default-src 'none'; form-action 'none'; frame-ancestors 'none'; report-uri https://provider.report-uri.com/r/d/csp/reportOnly
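Whether the report-uri points at your own endpoint or a hosted service, what arrives is a JSON body per violation, and the useful output is a per-directive list of the sources the policy still lacks. The following is an added example, not from the deck: it parses reports in the report-uri "csp-report" shape, drops the noise that browser extensions produce, folds the document's own origin into 'self', and separates host sources from inline/eval violations (which call for a hash or nonce rather than 'unsafe-inline'). The reports and the CDN path are constructed; the policy string inside them is the one from slide 21.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Added example (not part of the deck): aggregate CSP violation reports posted to the report-uri
# endpoint from slide 21 into the sources a Report-Only policy still needs before it is enforced.

_POLICY = "default-src 'none'; form-action 'none'; frame-ancestors 'none'; report-uri /csp-violation-report-endpoint/"


def _report(**fields):
    """Build one constructed report body in the report-uri JSON shape."""
    base = {"document-uri": "https://example.com/index.html", "original-policy": _POLICY, "status-code": 200}
    base.update(fields)
    return json.dumps({"csp-report": base})


SAMPLE_REPORTS = [
    # the stylesheet refusal shown on slide 18
    _report(**{"violated-directive": "default-src 'none'", "effective-directive": "style-src",
               "blocked-uri": "https://example.com/style.css"}),
    # a script from cdnjs.com (constructed path)
    _report(**{"violated-directive": "default-src 'none'", "effective-directive": "script-src",
               "blocked-uri": "https://cdnjs.com/ajax/libs/example/1.0/example.min.js"}),
    # an inline script: browsers report the literal token "inline" instead of a URL
    _report(**{"violated-directive": "default-src 'none'", "effective-directive": "script-src",
               "blocked-uri": "inline"}),
]
# Browser extensions injecting scripts also trip the policy; such reports are noise, not sources to allow.
NOISE_REPORT = _report(**{"violated-directive": "default-src 'none'", "effective-directive": "script-src",
                          "blocked-uri": "chrome-extension"})


def parse_report(body):
    """Return (document origin, effective directive, blocked source) or None for non-CSP or noise bodies."""
    try:
        r = json.loads(body)["csp-report"]
    except (ValueError, KeyError, TypeError):
        return None
    directive = r.get("effective-directive") or (r.get("violated-directive") or "unknown").split()[0]
    blocked = r.get("blocked-uri", "")
    if blocked in ("inline", "eval", "data"):
        source = blocked
    else:
        u = urlsplit(blocked)
        if u.scheme not in ("http", "https"):
            return None                      # extension schemes, about:, empty values
        source = f"{u.scheme}://{u.netloc}"  # policies allow-list hosts, not full paths
    doc = urlsplit(r.get("document-uri", ""))
    return (f"{doc.scheme}://{doc.netloc}", directive, source)


def summarize(bodies):
    """{directive: {source: count}}; a blocked host equal to the document origin is reported as 'self'."""
    summary = defaultdict(lambda: defaultdict(int))
    for body in bodies:
        parsed = parse_report(body)
        if parsed is None:
            continue
        doc_origin, directive, source = parsed
        if source == doc_origin:
            source = "'self'"
        summary[directive][source] += 1
    return {d: dict(s) for d, s in summary.items()}


def suggested_sources(bodies):
    """Per directive: host sources to add, plus a flag when inline/eval violations mean a nonce or hash
    is needed instead of 'unsafe-inline'."""
    out = {}
    for directive, sources in summarize(bodies).items():
        hosts = sorted(s for s in sources if s not in ("inline", "eval", "data"))
        out[directive] = {"hosts": hosts, "needs_nonce_or_hash": len(hosts) < len(sources)}
    return out


if __name__ == "__main__":
    for directive, info in suggested_sources(SAMPLE_REPORTS + [NOISE_REPORT]).items():
        line = f"{directive} {' '.join(info['hosts'])};"
        print(line + ("  # inline/eval seen: add a nonce or hash" if info["needs_nonce_or_hash"] else ""))
```

Counting per host rather than per full URL keeps the output actionable: one line per directive that can be pasted into the Report-Only header, re-deployed, and checked again until the report stream is quiet enough to switch to the enforcing Content-Security-Policy header.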
  22. Having a CSP with a few unsafe rules is still better than not having a CSP at all.
  23. The most secure approach for CSP
     default-src 'self'; object-src 'none'; child-src 'self'; frame-ancestors 'none'; upgrade-insecure-requests;
  24. Q&A