Secure HTTP Headers    Akash Mahajan     c0c0n 2011
Agenda• Programmers should know about the new  HTTP response headers• Web security testers should be testing for  these re...
Overview of the Talk• Cover all some of the new HTTP response  headers• Cover which attacks are mitigated by using  these ...
HTTP Response Headers•   X-Frame-Options•   X-XSS-Protection•   X-Content-Type-Options•   X-Content-Security-Policy•   Set...
X-Frame-Options• Used to prevent Clickjacking• Doesn’t allow page to be rendered in a frame• DENY : Don’t render at all if...
X-XSS-Protection• Used to prevent reflected XSS• Doesn’t allow the page to be rendered if a  reflected XSS attack is detec...
X-Content-Type-Options• Used to prevent mime based attacks.• Browser will not try to figure out content type  if not sent ...
X-Content-Security-Policy: policy• Used to define a whitelist of domains and  actions which are allowed.• Example usage  –...
Set-Cookie with Secure and HTTPOnly• With Secure keyword  – Only allow cookie to travel with a secure    connection  – An ...
Compatibility with browsers                             MS Internet          Google        MozillaHeaders / Browsers      ...
A logical argument for upgrading IE• A ten year old browser ( IE6 ) just can’t keep  up with the advanced web application ...
Revisiting the attacks and headers• X-Frame-Options  – Especially useful against clickjacking• X-XSS-Protection  – Refelec...
Revisiting the attacks and headers• Set-Cookie  – Secure     • No sniffing of user session cookie  – HttpOnly     • Not al...
My info while I answer your questions       Akash Mahajan           That Web Application Security Guy – Web Application Se...
Upcoming SlideShare
Loading in …5
×

Secure HTTP Headers c0c0n 2011 Akash Mahajan

2,216 views
2,107 views

Published on

Web site users are facing new and improved threats nowadays. These range from clickjacking, json injection to likejacking among others. Companies like Google, Mozilla, Microsoft etc. have started implementing new HTTP response headers to counter some of the advanced attacks against their website users. Some of the new attacks aren't well understood by the application developers and hence they aren’t using the new secure headers supported by the new browsers. This is either due to ignorance or in order to keep supporting older insecure browsers versions of Internet Explorer.

This talk we will walkthrough what these attacks are, how this various security headers protect the web application users and what is the status of compatibility currently.

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
2,216
On SlideShare
0
From Embeds
0
Number of Embeds
53
Actions
Shares
0
Downloads
43
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide
  • The onus of sending the correct content type is on the web app developer to ensure their css, script, generated image is rendered correctly
  • Secure HTTP Headers c0c0n 2011 Akash Mahajan

    1. 1. Secure HTTP Headers Akash Mahajan c0c0n 2011
    2. 2. Agenda• Programmers should know about the new HTTP response headers• Web security testers should be testing for these response headers as defenses• All you Facebook/Google+ users should be aware of these as well
    3. 3. Overview of the Talk• Cover all some of the new HTTP response headers• Cover which attacks are mitigated by using these headers• Build an case for upgrading to IE8/9, Firefox 5+ or Chrome if that is your type
    4. 4. HTTP Response Headers• X-Frame-Options• X-XSS-Protection• X-Content-Type-Options• X-Content-Security-Policy• Set-Cookie – Secure – HttpOnly
    5. 5. X-Frame-Options• Used to prevent Clickjacking• Doesn’t allow page to be rendered in a frame• DENY : Don’t render at all if inside a frame, SAMEORIGIN : Only if being served from the origin• IE8+, FF4+, Chrome5+
    6. 6. X-XSS-Protection• Used to prevent reflected XSS• Doesn’t allow the page to be rendered if a reflected XSS attack is detected• 0 is off, 1 is on, Additional mode = block• IE8+, Chrome, No FF ( use noscript )
    7. 7. X-Content-Type-Options• Used to prevent mime based attacks.• Browser will not try to figure out content type if not sent to it in the response header – An image uploading site with script code is bad• X-Content-Type-Options: nosniff• IE8+
    8. 8. X-Content-Security-Policy: policy• Used to define a whitelist of domains and actions which are allowed.• Example usage – X-Content-Security-Policy: allow self; img-src *; object-src media1.com media2.com; script-src userscripts.example.com; allow https://payments.example.com• FF4+
    9. 9. Set-Cookie with Secure and HTTPOnly• With Secure keyword – Only allow cookie to travel with a secure connection – An attack where HTTP and HTTPs is mixed• With HTTPOnly keyword – Scripts can’t read the cookie – Any attack where session cookie is stolen• IE7+, Chrome12+, FF3+
    10. 10. Compatibility with browsers MS Internet Google MozillaHeaders / Browsers Explorer Chrome FirefoxX-Frame-Options YES YES YESX-XSS-Protection YES YES NOX-Content-Type-Options YES NO NOX-Content-Security-Policy NO NO YESSet-Cookie Secure HttpOnly YES YES YES This slide needs a lot more work. Specific versions, more browsers.
    11. 11. A logical argument for upgrading IE• A ten year old browser ( IE6 ) just can’t keep up with the advanced web application attacks against users. The new crop of browsers are proactively adding support to stop the attacks at the browser level itself.• Microsoft runs a http://ie6countdown.com with a mission of moving the world off Internet Explorer 6
    12. 12. Revisiting the attacks and headers• X-Frame-Options – Especially useful against clickjacking• X-XSS-Protection – Refelected XSS• X-Content-Type-Options – Mime attacks for executing malicious scripts
    13. 13. Revisiting the attacks and headers• Set-Cookie – Secure • No sniffing of user session cookie – HttpOnly • Not allowing javascript to read the session cookie• X-Content-Security-Policy – Whitelisting of content domains for including in the page
    14. 14. My info while I answer your questions Akash Mahajan That Web Application Security Guy – Web Application Security Consultant – null Co-Founder, Bangalore Chapter Lead – Certified Ethical Hacker @makash | http://akashm.com | akashmahajan@gmail.com | 9980527182

    ×