SlideShare a Scribd company logo

HTTP basics in relation to Applicaiton Security - OWASP

โ€ขDownload as PPTX, PDFโ€ข
โ€ข
Eoin Keary
Eoin Keary

Slides covering HTTP from an application security standpoint. Presented by @manicode and @eoinkeary For more see bccriskadvisory.com & manicode.net

Internet
1 of 14
The OWASP Foundation http://www.owasp.org Web Application Security Host Apps Firewall Host Apps Database Host Web server App server DB server Securing the application Input validation Session mgmt Authentication Authorization Config mgmt Error handling Secure storage Auditing/logging Securing the network Router Firewall Switch Securing the host Patches/updates Accounts Ports Services Files/directories Registry Protocols Shares Auditing/logging Firewall
The OWASP Foundation http://www.owasp.org ๏€ผHTTP is stateless and hence requests and responses to communicate between browser and server have no memory. ๏€ผMost typical HTTP requests utilise either GET or POST methods ๏€ผScripting can occur on: ๏€ดServer-Side (e.g. perl, asp, jsp) ๏€ดClient-Side (javascript, flash, applets) ๏€ผWeb server file mappings allow the web server to handle certain file types using specific handlers (ASP, ASP.NET, Java, JSP,CFM etc) ๏€ผData is posted to the application through HTTP methods, this data is processed by the relevant script and result returned to the userโ€™s browser Web Application Behaviour 2
The OWASP Foundation http://www.owasp.org HTTP POST HTTP GET โ€œGETโ€ exposes sensitive authentication information in the URL ๏€ผIn Web Server and Proxy Server logs ๏€ผIn the http referer header ๏€ผIn Bookmarks/Favorites often emailed to others โ€œPOSTโ€ places information in the body of the request and not the URL Enforce HTTPS POST For Sensitive Data Transport 3
The OWASP Foundation http://www.owasp.org GET vs POST HTTP Request GET /search.jsp?name=blah&type=1 HTTP/1.0 User-Agent: Mozilla/4.0 Host: www.mywebsite.com Cookie: SESSIONID=2KDSU72H9GSA289 <CRLF> GET request POST request POST /search.jsp HTTP/1.0 User-Agent: Mozilla/4.0 Host: www.mywebsite.com Content-Length: 16 Cookie: SESSIONID=2KDSU72H9GSA289 <CRLF> name=blah&type=1 <CRLF>
The OWASP Foundation http://www.owasp.org What are HTTP Headers? HTTP headers are components of the message header of HTTP Requests and Responses HTTP headers define different aspects of an HTTP transaction HTTP headers are colon-separated name-value pairs in clear-text string format, terminated by a carriage return (CR) and line feed (LF) character sequence. http://en.wikipedia.org/wiki/List_of_HTTP_header_fields
The OWASP Foundation http://www.owasp.org Security HTTP Response Headers X-Frame-Options X-Xss-Protection X-Content-Type-Options Content Security Policy Access-Control-Allow-Origin HTTPS Strict Transport Security Cache-Control / Pragma
The OWASP Foundation http://www.owasp.org Security HTTP Response headers X-Frame-Options 'SAMEORIGIN' - allow framing on same domain. Set it to 'DENY' to deny framing at all or 'ALLOWALL' if you want to allow framing for all website. X-XSS-Protection '1; mode=block' - use XSS Auditor and block page if XSS attack is detected. Set it to '0;' if you want to switch XSS Auditor off(useful if response contents scripts from request parameters) X-Content-Type-Options 'nosniffโ€™ - stops the browser from guessing the MIME type of a file. X-Content-Security-Policy - A powerful mechanism for controlling which sites certain content types can be loaded from Access-Control-Allow-Origin - used to control which sites are allowed to bypass same origin policies and send cross-origin requests. Strict-Transport-Security - used to control if the browser is allowed to only access a site over a secure connection Cache-Control - used to control mandatory content caching rules
The OWASP Foundation http://www.owasp.org X-Frame-Options Protects you from most classes of Clickjacking X-Frame-Options: DENY X-Frame-Options: SAMEORIGIN X-Frame-Options: ALLOW FROM
The OWASP Foundation http://www.owasp.org X-XSS-Protection Use the browserโ€™s built in XSS Auditor X-XSS-Protection: [0-1](; mode=block)? X-XSS-Protection: 1; mode=block
The OWASP Foundation http://www.owasp.org X-ContentType-Options Fixes mime sniffing attacks Only applies to IE, because only IE would do something like this X-Content-Type-Options = โ€˜nosniffโ€™
The OWASP Foundation http://www.owasp.org Content Security Policy โ€ข Anti-XSS W3C standard http://www.w3.org/TR/CSP/ โ€ข Move all inline script and style into external files โ€ข Add the X-Content-Security-Policy response header to instruct the browser that CSP is in use โ€ข Define a policy for the site regarding loading of content โ€ข Chrome version 25 and later (50%) โ€ข Firefox version 23 and later (30%) โ€ข Internet Explorer version 10 and later (10%)
The OWASP Foundation http://www.owasp.org Strict Transport Security Strict-transport-security: max-age=10000000 Do all of your subdomains support SSL? Strict-transport-security: max-age=10000000; includeSubdomains
The OWASP Foundation http://www.owasp.org Disabling the Browser Cache Add the following as part of your HTTP Response Cache-Control: no-store, no-cache, must-revalidate Expires: -1
The OWASP Foundation http://www.owasp.org HTTP Security Headers Tool Secure headers! Open source https://github.com/twitter/secureheaders

Recommended

Session1-Introduce Http-HTTP Security headers
Session1-Introduce Http-HTTP Security headers Session1-Introduce Http-HTTP Security headers
Session1-Introduce Http-HTTP Security headers zakieh alizadeh
ย 
Cross Site Scripting (XSS)
Cross Site Scripting (XSS)Cross Site Scripting (XSS)
Cross Site Scripting (XSS)OWASP Khartoum
ย 
Blind xss
Blind xssBlind xss
Blind xssRonan Dunne, CEH, SSCP
ย 
15 owasp top 10 - a3-xss
15 owasp top 10 - a3-xss15 owasp top 10 - a3-xss
15 owasp top 10 - a3-xssappsec
ย 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Securityn|u - The Open Security Community
ย 
SSL
SSLSSL
SSLHiep Luong
ย 
XSS
XSSXSS
XSSHrishikesh Mishra
ย 
Cross site scripting XSS
Cross site scripting XSSCross site scripting XSS
Cross site scripting XSSRonan Dunne, CEH, SSCP
ย 

Recommended

Session1-Introduce Http-HTTP Security headers
Session1-Introduce Http-HTTP Security headers Session1-Introduce Http-HTTP Security headers
Session1-Introduce Http-HTTP Security headers zakieh alizadeh
ย 
Cross Site Scripting (XSS)
Cross Site Scripting (XSS)Cross Site Scripting (XSS)
Cross Site Scripting (XSS)OWASP Khartoum
ย 
Blind xss
Blind xssBlind xss
Blind xssRonan Dunne, CEH, SSCP
ย 
15 owasp top 10 - a3-xss
15 owasp top 10 - a3-xss15 owasp top 10 - a3-xss
15 owasp top 10 - a3-xssappsec
ย 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Securityn|u - The Open Security Community
ย 
SSL
SSLSSL
SSLHiep Luong
ย 
XSS
XSSXSS
XSSHrishikesh Mishra
ย 
Cross site scripting XSS
Cross site scripting XSSCross site scripting XSS
Cross site scripting XSSRonan Dunne, CEH, SSCP
ย 
Xss talk, attack and defense
Xss talk, attack and defenseXss talk, attack and defense
Xss talk, attack and defensePrakashchand Suthar
ย 
File uploads
File uploadsFile uploads
File uploadspenetration Tester
ย 
Cross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning CenterCross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning CenterMichael Coates
ย 
Secure Code Warrior - Local storage
Secure Code Warrior - Local storageSecure Code Warrior - Local storage
Secure Code Warrior - Local storageSecure Code Warrior
ย 
Drupal Security Hardening
Drupal Security HardeningDrupal Security Hardening
Drupal Security HardeningGerald Villorente
ย 
Cross Site Scripting Going Beyond the Alert Box
Cross Site Scripting Going Beyond the Alert BoxCross Site Scripting Going Beyond the Alert Box
Cross Site Scripting Going Beyond the Alert BoxAaron Weaver
ย 
Information Security Systems
Information Security SystemsInformation Security Systems
Information Security SystemsEyad Mhanna
ย 
List of useful security related http headers
List of useful security related http headersList of useful security related http headers
List of useful security related http headersํ•œ์ต ์ฃผ
ย 
Using Proxies To Secure Applications And More
Using Proxies To Secure Applications And MoreUsing Proxies To Secure Applications And More
Using Proxies To Secure Applications And MoreJosh Sokol
ย 
Browser security
Browser securityBrowser security
Browser securityUday Anand
ย 
Secure Mashups
Secure MashupsSecure Mashups
Secure Mashupskriszyp
ย 
HTTP Security Headers Every Java Developer Must Know
HTTP Security Headers Every Java Developer Must KnowHTTP Security Headers Every Java Developer Must Know
HTTP Security Headers Every Java Developer Must KnowAyoma Wijethunga
ย 
Pentesting web applications
Pentesting web applicationsPentesting web applications
Pentesting web applicationsSatish b
ย 
[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security Headers[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security HeadersOWASP
ย 
Browser Security
Browser SecurityBrowser Security
Browser SecurityRoberto Suggi Liverani
ย 
OWASP ESAPI and Microsoft Web Libraries in Cross-Site Scripting
OWASP ESAPI and Microsoft Web Libraries in Cross-Site ScriptingOWASP ESAPI and Microsoft Web Libraries in Cross-Site Scripting
OWASP ESAPI and Microsoft Web Libraries in Cross-Site ScriptingDenim Group
ย 
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Jeremiah Grossman
ย 
Web Browser Basics, Tips & Tricks Draft 17
Web Browser Basics, Tips & Tricks Draft 17Web Browser Basics, Tips & Tricks Draft 17
Web Browser Basics, Tips & Tricks Draft 17msz
ย 
Secure java script-for-developers
Secure java script-for-developersSecure java script-for-developers
Secure java script-for-developersn|u - The Open Security Community
ย 
Web Browser Basics, Tips & Tricks - Draft 20 (Revised 5/18/17)
Web Browser Basics, Tips & Tricks - Draft 20 (Revised 5/18/17)Web Browser Basics, Tips & Tricks - Draft 20 (Revised 5/18/17)
Web Browser Basics, Tips & Tricks - Draft 20 (Revised 5/18/17)msz
ย 
Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)Krzysztof Kotowicz
ย 
10 things Iโ€™ve learnt about web application security
10 things Iโ€™ve learnt about web application security10 things Iโ€™ve learnt about web application security
10 things Iโ€™ve learnt about web application securityJames Crowley
ย 

More Related Content

What's hot

Xss talk, attack and defense
Xss talk, attack and defenseXss talk, attack and defense
Xss talk, attack and defensePrakashchand Suthar
ย 
Cross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning CenterCross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning CenterMichael Coates
ย 
Secure Code Warrior - Local storage
Secure Code Warrior - Local storageSecure Code Warrior - Local storage
Secure Code Warrior - Local storageSecure Code Warrior
ย 
Drupal Security Hardening
Drupal Security HardeningDrupal Security Hardening
Drupal Security HardeningGerald Villorente
ย 
Cross Site Scripting Going Beyond the Alert Box
Cross Site Scripting Going Beyond the Alert BoxCross Site Scripting Going Beyond the Alert Box
Cross Site Scripting Going Beyond the Alert BoxAaron Weaver
ย 
Information Security Systems
Information Security SystemsInformation Security Systems
Information Security SystemsEyad Mhanna
ย 

What's hot (7)

Xss talk, attack and defense
Xss talk, attack and defenseXss talk, attack and defense
Xss talk, attack and defense
ย 
File uploads
File uploadsFile uploads
File uploads
ย 
Cross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning CenterCross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning Center
ย 
Secure Code Warrior - Local storage
Secure Code Warrior - Local storageSecure Code Warrior - Local storage
Secure Code Warrior - Local storage
ย 
Drupal Security Hardening
Drupal Security HardeningDrupal Security Hardening
Drupal Security Hardening
ย 
Cross Site Scripting Going Beyond the Alert Box
Cross Site Scripting Going Beyond the Alert BoxCross Site Scripting Going Beyond the Alert Box
Cross Site Scripting Going Beyond the Alert Box
ย 
Information Security Systems
Information Security SystemsInformation Security Systems
Information Security Systems
ย 

Similar to HTTP basics in relation to Applicaiton Security - OWASP

List of useful security related http headers
List of useful security related http headersList of useful security related http headers
List of useful security related http headersํ•œ์ต ์ฃผ
ย 
Using Proxies To Secure Applications And More
Using Proxies To Secure Applications And MoreUsing Proxies To Secure Applications And More
Using Proxies To Secure Applications And MoreJosh Sokol
ย 
Browser security
Browser securityBrowser security
Browser securityUday Anand
ย 
Secure Mashups
Secure MashupsSecure Mashups
Secure Mashupskriszyp
ย 
HTTP Security Headers Every Java Developer Must Know
HTTP Security Headers Every Java Developer Must KnowHTTP Security Headers Every Java Developer Must Know
HTTP Security Headers Every Java Developer Must KnowAyoma Wijethunga
ย 
Pentesting web applications
Pentesting web applicationsPentesting web applications
Pentesting web applicationsSatish b
ย 
[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security Headers[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security HeadersOWASP
ย 
OWASP ESAPI and Microsoft Web Libraries in Cross-Site Scripting
OWASP ESAPI and Microsoft Web Libraries in Cross-Site ScriptingOWASP ESAPI and Microsoft Web Libraries in Cross-Site Scripting
OWASP ESAPI and Microsoft Web Libraries in Cross-Site ScriptingDenim Group
ย 
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Jeremiah Grossman
ย 
Web Browser Basics, Tips & Tricks Draft 17
Web Browser Basics, Tips & Tricks Draft 17Web Browser Basics, Tips & Tricks Draft 17
Web Browser Basics, Tips & Tricks Draft 17msz
ย 
Web Browser Basics, Tips & Tricks - Draft 20 (Revised 5/18/17)
Web Browser Basics, Tips & Tricks - Draft 20 (Revised 5/18/17)Web Browser Basics, Tips & Tricks - Draft 20 (Revised 5/18/17)
Web Browser Basics, Tips & Tricks - Draft 20 (Revised 5/18/17)msz
ย 
Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)Krzysztof Kotowicz
ย 
10 things Iโ€™ve learnt about web application security
10 things Iโ€™ve learnt about web application security10 things Iโ€™ve learnt about web application security
10 things Iโ€™ve learnt about web application securityJames Crowley
ย 
DVWA BruCON Workshop
DVWA BruCON WorkshopDVWA BruCON Workshop
DVWA BruCON Workshoptestuser1223
ย 
White paper screen
White paper screenWhite paper screen
White paper screeneltincho89
ย 
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScriptWarning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScriptCyber Security Alliance
ย 

Similar to HTTP basics in relation to Applicaiton Security - OWASP (20)

List of useful security related http headers
List of useful security related http headersList of useful security related http headers
List of useful security related http headers
ย 
Using Proxies To Secure Applications And More
Using Proxies To Secure Applications And MoreUsing Proxies To Secure Applications And More
Using Proxies To Secure Applications And More
ย 
Browser security
Browser securityBrowser security
Browser security
ย 
Secure Mashups
Secure MashupsSecure Mashups
Secure Mashups
ย 
HTTP Security Headers Every Java Developer Must Know
HTTP Security Headers Every Java Developer Must KnowHTTP Security Headers Every Java Developer Must Know
HTTP Security Headers Every Java Developer Must Know
ย 
Pentesting web applications
Pentesting web applicationsPentesting web applications
Pentesting web applications
ย 
[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security Headers[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security Headers
ย 
Browser Security
Browser SecurityBrowser Security
Browser Security
ย 
OWASP ESAPI and Microsoft Web Libraries in Cross-Site Scripting
OWASP ESAPI and Microsoft Web Libraries in Cross-Site ScriptingOWASP ESAPI and Microsoft Web Libraries in Cross-Site Scripting
OWASP ESAPI and Microsoft Web Libraries in Cross-Site Scripting
ย 
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
ย 
Web Browser Basics, Tips & Tricks Draft 17
Web Browser Basics, Tips & Tricks Draft 17Web Browser Basics, Tips & Tricks Draft 17
Web Browser Basics, Tips & Tricks Draft 17
ย 
Secure java script-for-developers
Secure java script-for-developersSecure java script-for-developers
Secure java script-for-developers
ย 
Web Browser Basics, Tips & Tricks - Draft 20 (Revised 5/18/17)
Web Browser Basics, Tips & Tricks - Draft 20 (Revised 5/18/17)Web Browser Basics, Tips & Tricks - Draft 20 (Revised 5/18/17)
Web Browser Basics, Tips & Tricks - Draft 20 (Revised 5/18/17)
ย 
Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)
ย 
10 things Iโ€™ve learnt about web application security
10 things Iโ€™ve learnt about web application security10 things Iโ€™ve learnt about web application security
10 things Iโ€™ve learnt about web application security
ย 
DVWA BruCON Workshop
DVWA BruCON WorkshopDVWA BruCON Workshop
DVWA BruCON Workshop
ย 
Romulus OWASP
Romulus OWASPRomulus OWASP
Romulus OWASP
ย 
Analysis of HTTP Security Headers in Turkey
Analysis of HTTP Security Headers in TurkeyAnalysis of HTTP Security Headers in Turkey
Analysis of HTTP Security Headers in Turkey
ย 
White paper screen
White paper screenWhite paper screen
White paper screen
ย 
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScriptWarning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
ย 

More from Eoin Keary

IISF-March2023.pptx
IISF-March2023.pptxIISF-March2023.pptx
IISF-March2023.pptxEoin Keary
ย 
Validation of vulnerabilities.pdf
Validation of vulnerabilities.pdfValidation of vulnerabilities.pdf
Validation of vulnerabilities.pdfEoin Keary
ย 
Does a Hybrid model for vulnerability Management Make Sense.pdf
Does a Hybrid model for vulnerability Management Make Sense.pdfDoes a Hybrid model for vulnerability Management Make Sense.pdf
Does a Hybrid model for vulnerability Management Make Sense.pdfEoin Keary
ย 
Edgescan 2022 Vulnerability Statistics Report
Edgescan 2022 Vulnerability Statistics ReportEdgescan 2022 Vulnerability Statistics Report
Edgescan 2022 Vulnerability Statistics ReportEoin Keary
ย 
Edgescan 2021 Vulnerability Stats Report
Edgescan 2021 Vulnerability Stats ReportEdgescan 2021 Vulnerability Stats Report
Edgescan 2021 Vulnerability Stats ReportEoin Keary
ย 
One login enemy at the gates
One login enemy at the gatesOne login enemy at the gates
One login enemy at the gatesEoin Keary
ย 
Edgescan vulnerability stats report 2020
Edgescan vulnerability stats report 2020Edgescan vulnerability stats report 2020
Edgescan vulnerability stats report 2020Eoin Keary
ย 
edgescan vulnerability stats report (2018)
edgescan vulnerability stats report (2018) edgescan vulnerability stats report (2018)
edgescan vulnerability stats report (2018) Eoin Keary
ย 
edgescan vulnerability stats report (2019)
edgescan vulnerability stats report (2019) edgescan vulnerability stats report (2019)
edgescan vulnerability stats report (2019) Eoin Keary
ย 
Full stack vulnerability management at scale
Full stack vulnerability management at scaleFull stack vulnerability management at scale
Full stack vulnerability management at scaleEoin Keary
ย 
Vulnerability Intelligence - Standing Still in a world full of change
Vulnerability Intelligence - Standing Still in a world full of changeVulnerability Intelligence - Standing Still in a world full of change
Vulnerability Intelligence - Standing Still in a world full of changeEoin Keary
ย 
Edgescan vulnerability stats report 2019 - h-isac-2-2-2019
Edgescan vulnerability stats report 2019 - h-isac-2-2-2019Edgescan vulnerability stats report 2019 - h-isac-2-2-2019
Edgescan vulnerability stats report 2019 - h-isac-2-2-2019Eoin Keary
ย 
Hide and seek - Attack Surface Management and continuous assessment.
Hide and seek - Attack Surface Management and continuous assessment.Hide and seek - Attack Surface Management and continuous assessment.
Hide and seek - Attack Surface Management and continuous assessment.Eoin Keary
ย 
Online Gaming Cyber security and Threat Model
Online Gaming Cyber security and Threat ModelOnline Gaming Cyber security and Threat Model
Online Gaming Cyber security and Threat ModelEoin Keary
ย 
Keeping the wolf from 1000 doors.
Keeping the wolf from 1000 doors.Keeping the wolf from 1000 doors.
Keeping the wolf from 1000 doors.Eoin Keary
ย 
Security by the numbers
Security by the numbersSecurity by the numbers
Security by the numbersEoin Keary
ย 
Web security โ€“ everything we know is wrong cloud version
Web security โ€“ everything we know is wrong cloud versionWeb security โ€“ everything we know is wrong cloud version
Web security โ€“ everything we know is wrong cloud versionEoin Keary
ย 
Cybersecurity by the numbers
Cybersecurity by the numbersCybersecurity by the numbers
Cybersecurity by the numbersEoin Keary
ย 
Ebu class edgescan-2017
Ebu class edgescan-2017Ebu class edgescan-2017
Ebu class edgescan-2017Eoin Keary
ย 
Vulnerability management and threat detection by the numbers
Vulnerability management and threat detection by the numbersVulnerability management and threat detection by the numbers
Vulnerability management and threat detection by the numbersEoin Keary
ย 

More from Eoin Keary (20)

IISF-March2023.pptx
IISF-March2023.pptxIISF-March2023.pptx
IISF-March2023.pptx
ย 
Validation of vulnerabilities.pdf
Validation of vulnerabilities.pdfValidation of vulnerabilities.pdf
Validation of vulnerabilities.pdf
ย 
Does a Hybrid model for vulnerability Management Make Sense.pdf
Does a Hybrid model for vulnerability Management Make Sense.pdfDoes a Hybrid model for vulnerability Management Make Sense.pdf
Does a Hybrid model for vulnerability Management Make Sense.pdf
ย 
Edgescan 2022 Vulnerability Statistics Report
Edgescan 2022 Vulnerability Statistics ReportEdgescan 2022 Vulnerability Statistics Report
Edgescan 2022 Vulnerability Statistics Report
ย 
Edgescan 2021 Vulnerability Stats Report
Edgescan 2021 Vulnerability Stats ReportEdgescan 2021 Vulnerability Stats Report
Edgescan 2021 Vulnerability Stats Report
ย 
One login enemy at the gates
One login enemy at the gatesOne login enemy at the gates
One login enemy at the gates
ย 
Edgescan vulnerability stats report 2020
Edgescan vulnerability stats report 2020Edgescan vulnerability stats report 2020
Edgescan vulnerability stats report 2020
ย 
edgescan vulnerability stats report (2018)
edgescan vulnerability stats report (2018) edgescan vulnerability stats report (2018)
edgescan vulnerability stats report (2018)
ย 
edgescan vulnerability stats report (2019)
edgescan vulnerability stats report (2019) edgescan vulnerability stats report (2019)
edgescan vulnerability stats report (2019)
ย 
Full stack vulnerability management at scale
Full stack vulnerability management at scaleFull stack vulnerability management at scale
Full stack vulnerability management at scale
ย 
Vulnerability Intelligence - Standing Still in a world full of change
Vulnerability Intelligence - Standing Still in a world full of changeVulnerability Intelligence - Standing Still in a world full of change
Vulnerability Intelligence - Standing Still in a world full of change
ย 
Edgescan vulnerability stats report 2019 - h-isac-2-2-2019
Edgescan vulnerability stats report 2019 - h-isac-2-2-2019Edgescan vulnerability stats report 2019 - h-isac-2-2-2019
Edgescan vulnerability stats report 2019 - h-isac-2-2-2019
ย 
Hide and seek - Attack Surface Management and continuous assessment.
Hide and seek - Attack Surface Management and continuous assessment.Hide and seek - Attack Surface Management and continuous assessment.
Hide and seek - Attack Surface Management and continuous assessment.
ย 
Online Gaming Cyber security and Threat Model
Online Gaming Cyber security and Threat ModelOnline Gaming Cyber security and Threat Model
Online Gaming Cyber security and Threat Model
ย 
Keeping the wolf from 1000 doors.
Keeping the wolf from 1000 doors.Keeping the wolf from 1000 doors.
Keeping the wolf from 1000 doors.
ย 
Security by the numbers
Security by the numbersSecurity by the numbers
Security by the numbers
ย 
Web security โ€“ everything we know is wrong cloud version
Web security โ€“ everything we know is wrong cloud versionWeb security โ€“ everything we know is wrong cloud version
Web security โ€“ everything we know is wrong cloud version
ย 
Cybersecurity by the numbers
Cybersecurity by the numbersCybersecurity by the numbers
Cybersecurity by the numbers
ย 
Ebu class edgescan-2017
Ebu class edgescan-2017Ebu class edgescan-2017
Ebu class edgescan-2017
ย 
Vulnerability management and threat detection by the numbers
Vulnerability management and threat detection by the numbersVulnerability management and threat detection by the numbers
Vulnerability management and threat detection by the numbers
ย 

Recently uploaded

Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Servicegwenoracqe6
ย 
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...SUHANI PANDEY
ย 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...tanu pandey
ย 
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Bookingdharasingh5698
ย 
Call Girls in Prashant Vihar, Delhi ๐Ÿ’ฏ Call Us ๐Ÿ”9953056974 ๐Ÿ” Escort Service
Call Girls in Prashant Vihar, Delhi ๐Ÿ’ฏ Call Us ๐Ÿ”9953056974 ๐Ÿ” Escort ServiceCall Girls in Prashant Vihar, Delhi ๐Ÿ’ฏ Call Us ๐Ÿ”9953056974 ๐Ÿ” Escort Service
Call Girls in Prashant Vihar, Delhi ๐Ÿ’ฏ Call Us ๐Ÿ”9953056974 ๐Ÿ” Escort Service9953056974 Low Rate Call Girls In Saket, Delhi NCR
ย 
Hireโ† Young Call Girls in Tilak nagar (Delhi) โ˜Ž๏ธ 9205541914 โ˜Ž๏ธ Independent Esc...
Hireโ† Young Call Girls in Tilak nagar (Delhi) โ˜Ž๏ธ 9205541914 โ˜Ž๏ธ Independent Esc...Hireโ† Young Call Girls in Tilak nagar (Delhi) โ˜Ž๏ธ 9205541914 โ˜Ž๏ธ Independent Esc...
Hireโ† Young Call Girls in Tilak nagar (Delhi) โ˜Ž๏ธ 9205541914 โ˜Ž๏ธ Independent Esc...Delhi Call girls
ย 
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableCall Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableSeo
ย 
Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...
Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...
Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...SUHANI PANDEY
ย 
Top Rated Pune Call Girls Daund โŸŸ 6297143586 โŸŸ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund โŸŸ 6297143586 โŸŸ Call Me For Genuine Sex Servi...Top Rated Pune Call Girls Daund โŸŸ 6297143586 โŸŸ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund โŸŸ 6297143586 โŸŸ Call Me For Genuine Sex Servi...Call Girls in Nagpur High Profile
ย 
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...SUHANI PANDEY
ย 
Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...
Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...
Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...tanu pandey
ย 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtrahman018755
ย 
Dubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls Dubai
Dubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls DubaiDubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls Dubai
Dubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls Dubaikojalkojal131
ย 
VVVIP Call Girls In Connaught Place โžก๏ธ Delhi โžก๏ธ 9999965857 ๐Ÿš€ No Advance 24HRS...
VVVIP Call Girls In Connaught Place โžก๏ธ Delhi โžก๏ธ 9999965857 ๐Ÿš€ No Advance 24HRS...VVVIP Call Girls In Connaught Place โžก๏ธ Delhi โžก๏ธ 9999965857 ๐Ÿš€ No Advance 24HRS...
VVVIP Call Girls In Connaught Place โžก๏ธ Delhi โžก๏ธ 9999965857 ๐Ÿš€ No Advance 24HRS...Call Girls In Delhi Whatsup 9873940964 Enjoy Unlimited Pleasure
ย 
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...tanu pandey
ย 
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...Escorts Call Girls
ย 
Al Barsha Night Partner +0567686026 Call Girls Dubai
Al Barsha Night Partner +0567686026 Call Girls DubaiAl Barsha Night Partner +0567686026 Call Girls Dubai
Al Barsha Night Partner +0567686026 Call Girls DubaiEscorts Call Girls
ย 
Call Now โ˜Ž 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now โ˜Ž 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.Call Now โ˜Ž 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now โ˜Ž 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.soniya singh
ย 

Recently uploaded (20)

Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
ย 
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
ย 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
ย 
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Booking
ย 
Call Girls in Prashant Vihar, Delhi ๐Ÿ’ฏ Call Us ๐Ÿ”9953056974 ๐Ÿ” Escort Service
Call Girls in Prashant Vihar, Delhi ๐Ÿ’ฏ Call Us ๐Ÿ”9953056974 ๐Ÿ” Escort ServiceCall Girls in Prashant Vihar, Delhi ๐Ÿ’ฏ Call Us ๐Ÿ”9953056974 ๐Ÿ” Escort Service
Call Girls in Prashant Vihar, Delhi ๐Ÿ’ฏ Call Us ๐Ÿ”9953056974 ๐Ÿ” Escort Service
ย 
Low Sexy Call Girls In Mohali 9053900678 ๐ŸฅตHave Save And Good Place ๐Ÿฅต
Low Sexy Call Girls In Mohali 9053900678 ๐ŸฅตHave Save And Good Place ๐ŸฅตLow Sexy Call Girls In Mohali 9053900678 ๐ŸฅตHave Save And Good Place ๐Ÿฅต
Low Sexy Call Girls In Mohali 9053900678 ๐ŸฅตHave Save And Good Place ๐Ÿฅต
ย 
Hireโ† Young Call Girls in Tilak nagar (Delhi) โ˜Ž๏ธ 9205541914 โ˜Ž๏ธ Independent Esc...
Hireโ† Young Call Girls in Tilak nagar (Delhi) โ˜Ž๏ธ 9205541914 โ˜Ž๏ธ Independent Esc...Hireโ† Young Call Girls in Tilak nagar (Delhi) โ˜Ž๏ธ 9205541914 โ˜Ž๏ธ Independent Esc...
Hireโ† Young Call Girls in Tilak nagar (Delhi) โ˜Ž๏ธ 9205541914 โ˜Ž๏ธ Independent Esc...
ย 
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableCall Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
ย 
Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...
Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...
Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...
ย 
Top Rated Pune Call Girls Daund โŸŸ 6297143586 โŸŸ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund โŸŸ 6297143586 โŸŸ Call Me For Genuine Sex Servi...Top Rated Pune Call Girls Daund โŸŸ 6297143586 โŸŸ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund โŸŸ 6297143586 โŸŸ Call Me For Genuine Sex Servi...
ย 
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
ย 
Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...
Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...
Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...
ย 
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
ย 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirt
ย 
Dubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls Dubai
Dubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls DubaiDubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls Dubai
Dubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls Dubai
ย 
VVVIP Call Girls In Connaught Place โžก๏ธ Delhi โžก๏ธ 9999965857 ๐Ÿš€ No Advance 24HRS...
VVVIP Call Girls In Connaught Place โžก๏ธ Delhi โžก๏ธ 9999965857 ๐Ÿš€ No Advance 24HRS...VVVIP Call Girls In Connaught Place โžก๏ธ Delhi โžก๏ธ 9999965857 ๐Ÿš€ No Advance 24HRS...
VVVIP Call Girls In Connaught Place โžก๏ธ Delhi โžก๏ธ 9999965857 ๐Ÿš€ No Advance 24HRS...
ย 
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
ย 
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
ย 
Al Barsha Night Partner +0567686026 Call Girls Dubai
Al Barsha Night Partner +0567686026 Call Girls DubaiAl Barsha Night Partner +0567686026 Call Girls Dubai
Al Barsha Night Partner +0567686026 Call Girls Dubai
ย 
Call Now โ˜Ž 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now โ˜Ž 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.Call Now โ˜Ž 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now โ˜Ž 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
ย 

HTTP basics in relation to Applicaiton Security - OWASP

  • 1. The OWASP Foundation http://www.owasp.org Web Application Security Host Apps Firewall Host Apps Database Host Web server App server DB server Securing the application Input validation Session mgmt Authentication Authorization Config mgmt Error handling Secure storage Auditing/logging Securing the network Router Firewall Switch Securing the host Patches/updates Accounts Ports Services Files/directories Registry Protocols Shares Auditing/logging Firewall
  • 2. The OWASP Foundation http://www.owasp.org ๏€ผHTTP is stateless and hence requests and responses to communicate between browser and server have no memory. ๏€ผMost typical HTTP requests utilise either GET or POST methods ๏€ผScripting can occur on: ๏€ดServer-Side (e.g. perl, asp, jsp) ๏€ดClient-Side (javascript, flash, applets) ๏€ผWeb server file mappings allow the web server to handle certain file types using specific handlers (ASP, ASP.NET, Java, JSP,CFM etc) ๏€ผData is posted to the application through HTTP methods, this data is processed by the relevant script and result returned to the userโ€™s browser Web Application Behaviour 2
  • 3. The OWASP Foundation http://www.owasp.org HTTP POST HTTP GET โ€œGETโ€ exposes sensitive authentication information in the URL ๏€ผIn Web Server and Proxy Server logs ๏€ผIn the http referer header ๏€ผIn Bookmarks/Favorites often emailed to others โ€œPOSTโ€ places information in the body of the request and not the URL Enforce HTTPS POST For Sensitive Data Transport 3
  • 4. The OWASP Foundation http://www.owasp.org GET vs POST HTTP Request GET /search.jsp?name=blah&type=1 HTTP/1.0 User-Agent: Mozilla/4.0 Host: www.mywebsite.com Cookie: SESSIONID=2KDSU72H9GSA289 <CRLF> GET request POST request POST /search.jsp HTTP/1.0 User-Agent: Mozilla/4.0 Host: www.mywebsite.com Content-Length: 16 Cookie: SESSIONID=2KDSU72H9GSA289 <CRLF> name=blah&type=1 <CRLF>
  • 5. The OWASP Foundation http://www.owasp.org What are HTTP Headers? HTTP headers are components of the message header of HTTP Requests and Responses HTTP headers define different aspects of an HTTP transaction HTTP headers are colon-separated name-value pairs in clear-text string format, terminated by a carriage return (CR) and line feed (LF) character sequence. http://en.wikipedia.org/wiki/List_of_HTTP_header_fields
  • 6. The OWASP Foundation http://www.owasp.org Security HTTP Response Headers X-Frame-Options X-Xss-Protection X-Content-Type-Options Content Security Policy Access-Control-Allow-Origin HTTPS Strict Transport Security Cache-Control / Pragma
  • 7. The OWASP Foundation http://www.owasp.org Security HTTP Response headers X-Frame-Options 'SAMEORIGIN' - allow framing on same domain. Set it to 'DENY' to deny framing at all or 'ALLOWALL' if you want to allow framing for all website. X-XSS-Protection '1; mode=block' - use XSS Auditor and block page if XSS attack is detected. Set it to '0;' if you want to switch XSS Auditor off(useful if response contents scripts from request parameters) X-Content-Type-Options 'nosniffโ€™ - stops the browser from guessing the MIME type of a file. X-Content-Security-Policy - A powerful mechanism for controlling which sites certain content types can be loaded from Access-Control-Allow-Origin - used to control which sites are allowed to bypass same origin policies and send cross-origin requests. Strict-Transport-Security - used to control if the browser is allowed to only access a site over a secure connection Cache-Control - used to control mandatory content caching rules
  • 8. The OWASP Foundation http://www.owasp.org X-Frame-Options Protects you from most classes of Clickjacking X-Frame-Options: DENY X-Frame-Options: SAMEORIGIN X-Frame-Options: ALLOW FROM
  • 9. The OWASP Foundation http://www.owasp.org X-XSS-Protection Use the browserโ€™s built in XSS Auditor X-XSS-Protection: [0-1](; mode=block)? X-XSS-Protection: 1; mode=block
  • 10. The OWASP Foundation http://www.owasp.org X-ContentType-Options Fixes mime sniffing attacks Only applies to IE, because only IE would do something like this X-Content-Type-Options = โ€˜nosniffโ€™
  • 11. The OWASP Foundation http://www.owasp.org Content Security Policy โ€ข Anti-XSS W3C standard http://www.w3.org/TR/CSP/ โ€ข Move all inline script and style into external files โ€ข Add the X-Content-Security-Policy response header to instruct the browser that CSP is in use โ€ข Define a policy for the site regarding loading of content โ€ข Chrome version 25 and later (50%) โ€ข Firefox version 23 and later (30%) โ€ข Internet Explorer version 10 and later (10%)
  • 12. The OWASP Foundation http://www.owasp.org Strict Transport Security Strict-transport-security: max-age=10000000 Do all of your subdomains support SSL? Strict-transport-security: max-age=10000000; includeSubdomains
  • 13. The OWASP Foundation http://www.owasp.org Disabling the Browser Cache Add the following as part of your HTTP Response Cache-Control: no-store, no-cache, must-revalidate Expires: -1
  • 14. The OWASP Foundation http://www.owasp.org HTTP Security Headers Tool Secure headers! Open source https://github.com/twitter/secureheaders

Editor's Notes

  1. Note that security is often begun in the network and host boxes, but application security requires work at the top box (application layer)
  2. // HTTP 1.1 response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate"); // HTTP 1.0 response.setHeader("Pragma","no-cache"); response.setDateHeader("Expires", -1);
  3. save resources since nothing is framed