- The document discusses securing Rails web applications by improving on the framework's default security settings.
- It emphasizes using HTTPS to encrypt traffic, securing certificates with tools like Let's Encrypt, and strengthening configurations using the Mozilla SSL Configuration Generator.
- Content Security Policies provide an added layer of security by restricting what content can be loaded from external sources, reducing vulnerabilities, though they require careful configuration.
- HTTP Public Key Pinning can lock users out if misconfigured, so caution is advised. Overall, the talk provides guidance on tightening security beyond Rails defaults.
18. "Understand that the attacks affecting a large number of website owners … are predominantly automated."¹
— Sucuri
¹ https://blog.sucuri.net/2015/02/why-websites-get-hacked.html
19. "In our analyses, we have found that it takes about 30 – 45 days for a new website, with no content or audience, to be identified and added to a bot crawler."¹
— Sucuri
¹ https://blog.sucuri.net/2015/02/why-websites-get-hacked.html
21. "All websites have something of value for attackers: reputation"²
— Troy Hunt
² https://www.troyhunt.com/all-websites-have-something-of-value-for-attackers-reputation/
28. Rails's sane (security) defaults
• Encrypted session store
• Encourages good development practices
• has_secure_password (bcrypt hashed passwords)
• secrets.yml
• User inputs escaped by default
29. You get all this for "free" when you use Rails
• CSRF protection
• XSS protection
• Injection protection
  • SQL
  • HTML
  • JavaScript
• Default headers
  • X-Frame-Options
  • X-XSS-Protection
  • X-Content-Type-Options
• Encrypted session store
• Encourages good development practices
• has_secure_password (bcrypt hashed passwords)
• secrets.yml
• etc.
32. I firmly believe that as web developers it is our duty to use HTTPS for everything possible
33. HTTPS: why?
Even if your site has "nothing valuable", do you trust:
• every shady wifi hotspot a user might be using?
• all the world's ISPs?
34. "Beyond underhanded, Comcast and other carriers are inserting their own ads and notifications into their customers' data streams"
— InfoWorld³
³ http://www.infoworld.com/article/2925839/net-neutrality/code-injection-new-low-isps.html
35. "Google Investigation: Ad Injection Is Infesting Millions of Devices"
— AdvertisingAge⁴
⁴ http://adage.com/article/digital/google-ad-injection-affecting-millions/305321/
36. HTTPS doesn't just provide privacy and security; it also provides integrity
39. "Eventually, Chrome will show a Not Secure warning for all pages served over HTTP"
— Eric Lawrence⁵
⁵ https://developers.google.com/web/updates/2016/10/avoid-not-secure-warn
40. More technical reasons
• SSL/TLS is essentially mandatory with HTTP 2.0
• Some browser features are only available over HTTPS⁶
  • Geolocation
  • Service workers
  • Fullscreen
  • and others
⁶ https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/2LXKVWYkOus/gT-ZamfwAKsJ
43. HTTPS: certificates
• Let's Encrypt⁷ is your friend
  • Free 90-day certificates
  • Automated verification and renewal
• AWS Certificate Manager⁸ is your friend on AWS
  • Free certificates for AWS services
  • Including wildcard certificates!
• Paid certificates go for as little as $5/year (about 70 rand)⁹
⁷ https://letsencrypt.org/
⁸ https://aws.amazon.com/certificate-manager/
⁹ https://www.ssls.com/
44. HTTPS: force_ssl is your friend
    Rails.application.configure do
      ...
      # Force all access to the app over SSL,
      # use Strict-Transport-Security, and
      # use secure cookies.
      config.force_ssl = true
      ...
    end
52. "This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B."
— SSL Report
53. Mozilla SSL Configuration Generator¹¹
¹¹ https://mozilla.github.io/server-side-tls/ssl-config-generator/
56. Generated nginx configuration (modern profile)
    server {
      listen 443 ssl http2;
      listen [::]:443 ssl http2;

      # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
      ssl_certificate /path/to/signed_cert_plus_intermediates;
      ssl_certificate_key /path/to/private_key;
      ssl_session_timeout 1d;
      ssl_session_cache shared:SSL:50m;
      ssl_session_tickets off;

      # modern configuration. tweak to your needs.
      ssl_protocols TLSv1.2;
      ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:...';
      ssl_prefer_server_ciphers on;

      # HSTS (15768000 seconds = 6 months)
      add_header Strict-Transport-Security max-age=15768000;

      # OCSP Stapling ---
      # fetch OCSP records from URL in ssl_certificate and cache them
      ssl_stapling on;
      ssl_stapling_verify on;

      ## verify chain of trust of OCSP response using Root CA and Intermediate certs
      ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;

      resolver <IP DNS resolver>;
      ....
    }
60. HSTS preload
1. Serve a valid certificate.
2. Redirect from HTTP to HTTPS on the same host.
3. Serve all subdomains over HTTPS.
4. Serve an HSTS header on the base domain for HTTPS requests.
62. "Content Security Policy is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks."
— MDN
63. Content Security Policy: a header which tells the browser where assets (scripts, stylesheets, fonts, and so on) can be loaded from.
— Me
64. Supported by all major browsers, even Internet Explorer (kind of)
66. CSP: Why?
• Reduces the potential surface area for attacks or malicious injection of scripts
• Can help prevent malicious browser extensions and malware from inserting crap into your pages.
  • For example, the CSP on Piranhas.co has stopped some shady browser extensions from injecting ads onto the page.
71. Simple example of a CSP
    Content-Security-Policy: script-src 'self'
Only allow scripts from the same origin as the page
72. Simple example of a CSP
    Content-Security-Policy: script-src 'self' https://apis.google.com
Same origin as the page and apis.google.com
73. Available directives
• default-src: fallback policy
• script-src: which scripts the protected resource can execute
• style-src: which CSS applies to the protected resource
• img-src: where the protected resource can load images
• font-src: where the protected resource can load fonts
• and a lot more, if you have more esoteric needs
74. Reporting
The report-uri directive lets you get JSON reports for violations
    {
      "csp-report": {
        "document-uri": "http://example.com/signup.html",
        "referrer": "",
        "blocked-uri": "http://example.com/css/style.css",
        "violated-directive": "style-src cdn.example.com",
        "original-policy": "style-src cdn.example.com; report-uri /_csp-reports"
      }
    }
85. The CSP which didn't fit in the last slide
    Content-Security-Policy: default-src 'self' https:;
      font-src 'self' https: data:;
      img-src 'self' https: data:;
      object-src 'none';
      script-src https:;
      style-src 'self' https: 'unsafe-inline'
You'll probably want to add report-uri to that
88. CSP pro-tips
• New projects
  • Enforce the CSP from the beginning
  • Report violations from your staging or production environment
• Old projects
  • Add a CSP with all the sources you think you need
  • Deploy it as Report Only, leave it for a week or two to uncover anything you might have forgotten about
  • Deploy the enforced policy once you've accounted for all the violations
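The report-only rollout from slide 88, the policy from slide 85 and the violation report from slide 74 fit together in the small added example below (my code, not from the talk or the SecureHeaders gem): `csp_header` emits the same policy under either header name, and `triage_report` turns a posted report into the directive and origin you would have to allow-list if the load turns out to be legitimate. The `/_csp-reports` endpoint and the helper names are assumptions.

```ruby
require 'json'
require 'uri'

# Hypothetical helper (not the talk's or the SecureHeaders gem's code): the
# slide 85 policy as a hash so the same policy can be served as Report-Only
# first and enforced later, as slide 88 suggests.
POLICY = {
  'default-src' => ["'self'", 'https:'],
  'font-src'    => ["'self'", 'https:', 'data:'],
  'img-src'     => ["'self'", 'https:', 'data:'],
  'object-src'  => ["'none'"],
  'script-src'  => ['https:'],
  'style-src'   => ["'self'", 'https:', "'unsafe-inline'"],
  'report-uri'  => ['/_csp-reports']   # assumed report endpoint
}.freeze

# Returns [header name, header value]; report_only switches the header name
# so browsers report violations without blocking anything.
def csp_header(policy, report_only: false)
  name  = report_only ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy'
  value = policy.map { |directive, sources| "#{directive} #{sources.join(' ')}" }.join('; ')
  [name, value]
end

# Parse a violation report (the JSON body posted to report-uri) and return the
# directive that fired plus the origin that would need allow-listing if the
# load was legitimate. 'violated-directive' may carry the directive's whole
# source list, so only its first token is the directive name.
def triage_report(body)
  report    = JSON.parse(body).fetch('csp-report')
  directive = report.fetch('violated-directive').split(' ').first
  blocked   = report.fetch('blocked-uri')
  origin = if blocked.start_with?('http://', 'https://')
             uri = URI.parse(blocked)
             port = uri.port == uri.default_port ? '' : ":#{uri.port}"
             "#{uri.scheme}://#{uri.host}#{port}"
           else
             blocked # 'inline', 'eval', 'data' and similar come back as keywords
           end
  { directive: directive, origin: origin, document: report['document-uri'] }
end

# Constructed sample input: the report shown on slide 74.
SAMPLE_REPORT = <<~JSON
  { "csp-report": {
      "document-uri": "http://example.com/signup.html",
      "referrer": "",
      "blocked-uri": "http://example.com/css/style.css",
      "violated-directive": "style-src cdn.example.com",
      "original-policy": "style-src cdn.example.com; report-uri /_csp-reports" } }
JSON
```

Running `triage_report(SAMPLE_REPORT)` yields `style-src` and `http://example.com`, i.e. the stylesheet came from the page's own origin and the fix is to add `'self'` to `style-src` rather than to loosen anything else.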
89. HTTP, HTTPS, CSP, SSL, TLS, XSS, CSRF, and so forth
Enough alphabet soup yet?
92. One more security HTTP header
    Public-Key-Pins:
      pin-sha256="cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs=";
      pin-sha256="M8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE=";
      max-age=5184000; includeSubDomains;
      report-uri="https://www.example.org/hpkp-report"
Lets you limit what public keys the browser will trust in the future
99. Some tips if you do go down this road…
1. Start with a very short expiry time (minutes)
2. Include pins for one or two backup keys
3. The backup keys should not touch the server until you need them
  • Keep them in cold storage, preferably secure and offline
4. You can also choose to pin a CA public key
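As an added illustration of tips 1 to 3 (my code, not the talk's), the block below computes a pin-sha256 value the way browsers did, as the base64 SHA-256 of the key's DER-encoded SubjectPublicKeyInfo, and assembles a Public-Key-Pins header with a short max-age and at least one backup pin; the backup pin needs only the public key, so the private half can stay offline. RSA keys and the five-minute default are assumptions. Note that Chrome and Firefox have since removed HPKP support, so this is now mainly of historical and educational interest.

```ruby
require 'openssl'
require 'base64'

# Hypothetical helper, not from the talk: pin-sha256 is base64(SHA-256(SPKI)).
# For an RSA key Ruby's public_key.to_der is exactly the SubjectPublicKeyInfo
# DER, and it works on a public-only key, which is all a backup pin needs.
def pin_sha256(rsa_key)
  spki_der = rsa_key.public_key.to_der
  Base64.strict_encode64(OpenSSL::Digest::SHA256.digest(spki_der))
end

# Build the Public-Key-Pins header for the live key plus backup keys.
# max_age defaults to five minutes (assumed value), following tip 1, so a
# wrong pin stops hurting users almost as soon as the header is corrected.
def hpkp_header(live_key, backup_keys, max_age: 300, report_uri: nil)
  raise ArgumentError, 'at least one backup pin is required' if backup_keys.empty?
  pins  = ([live_key] + backup_keys).map { |k| %(pin-sha256="#{pin_sha256(k)}") }
  parts = pins + ["max-age=#{max_age}"]
  parts << %(report-uri="#{report_uri}") if report_uri
  ['Public-Key-Pins', parts.join('; ')]
end

if __FILE__ == $PROGRAM_NAME
  live   = OpenSSL::PKey::RSA.new(2048)                 # key deployed on the server
  backup = OpenSSL::PKey::RSA.new(2048)                 # generated offline (tip 3)
  backup_public_only = OpenSSL::PKey::RSA.new(backup.public_key.to_pem)
  puts hpkp_header(live, [backup_public_only],
                   report_uri: 'https://www.example.org/hpkp-report').join(': ')
end
```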
101. Summary
• Rails defaults are pretty good, but can (fairly easily) be tightened
• You should use HTTPS
• Test that HTTPS is set up correctly
• The Mozilla SSL Configuration Generator is great
102. Summary
• Use a Content Security Policy, if only to reduce the surface area available for attacks
  • The more strict it is, the fewer chances there are for third parties to mess with your site
• Use the SecureHeaders gem to manage the policy
• It requires more thought than the Rails defaults, but I think it's worth it
• Exception to most of the above: if you're working on your first Rails app, you probably shouldn't add this complexity.
103. Summary
• HTTP Public Key Pinning can be an excellent way to shoot yourself in the foot
• If used correctly, you can effectively prevent a rogue CA from issuing certs for your domain
• I don't consider this a major vulnerability for most sites