One important concept in web application security is defense in depth. You protect your server, your network, your database and your application, but what about the user's browser? Can it be protected too?
Yes! Several new technologies and protocols that assist security have been added to browsers. Most of them must be added, activated and configured from your web server or web page. In this presentation we will explore these technologies and learn how to use them. You'll learn about the Robots meta tags (for crawler indexing), browser compatibility, XSS and clickjacking protection, SSL/TLS control, and the new Feature Policy.
2. About me
HI I’M PHILIPPE
I'm a Senior Application Security Analyst at
Lightspeed. Long-time internet developer, author,
screencaster, podcaster and speaker. I specialize
in PHP, Symfony, security, code quality, performance,
real time and geolocation.
Sécurité PHP 5 et MySQL 5
OWASP Montreal
PHP Quebec
Table Top Game Developer
Pen & Paper RPG Writer
3. Purpose of the Presentation
Improve the code of your website
Protect your site against certain attacks
Protect your users from certain attacks
Protect your development sites
4. Protect Your Dev Sites
Avoid Leaks
Dev/test/qa/regression servers
If they are available via the web
Robots.txt is not enough
forget
File compliance
15. Meta/Header: X-UA-Compatible
Normally for IE8+
Asks IE to use its latest rendering engine, or a particular version
chrome=1 asks IE6 and IE7 to render with the Google Chrome Frame plugin
Does not validate as HTML
Slows down display of the site if the browser has to switch rendering mode
Does not work inside a conditional comment ( <!--[if lt IE 7]> )
17. Header: X-UA-Compatible
#apache
<IfModule mod_headers.c>
Header set X-UA-Compatible "IE=Edge,chrome=1"
# mod_headers cannot match on the Content-Type, so the header is
# removed again by file extension: it is only useful on HTML pages
<FilesMatch "\.(js|css|gif|png|jpe?g|pdf|xml|oga|ogg|m4a|ogv|mp4|m4v|webm|svg|svgz|eot|ttf|otf|woff|ico|webp|appcache|manifest|htc|crx|oex|xpi|safariextz|vcf)$">
Header unset X-UA-Compatible
</FilesMatch>
</IfModule>
22. Header: X-Content-Type-Options
Only one value: nosniff

Value     Android  Chrome  Edge  Firefox  Internet Explorer  Opera  Safari
nosniff   3+       1.0+*   11+   50+**    8+                 13+    N/A

* during download
** or with NoScript
24. Meta/Header: XSS Protection
Automatic protection against reflected XSS
mode=block
report=<reporting-URI>

Header            Android  Chrome    Edge  Firefox  Internet Explorer  Opera  Safari
X-XSS-Protection  (Yes)    4+        11+   N/A*     8+                 Yes    4+
report            No       Chromium  No    No       No                 No     No

* yes with NoScript
35. HTTP Strict Transport Security
Requires the browser to use the site over SSL/TLS only (and the browser remembers this)

Header                     Android  Chrome  Edge  Firefox  Internet Explorer  Opera  Safari
Strict-Transport-Security  4.4+     4+      12+   4+       11+                12+    7+
37. Apache Example
#apache
<VirtualHost *:80>
ServerAlias *
RewriteEngine On
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [redirect=301]
</VirtualHost>
<VirtualHost *:443>
ServerAlias *
...
<IfModule mod_headers.c>
Header set Strict-Transport-Security "max-age=16070400; preload"
</IfModule>
</VirtualHost>
38. PHP Example
<?php
// IIS defines the HTTPS variable as "off" for non-SSL requests
if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off') {
    // Served over HTTPS: tell the browser to stay on HTTPS
    header('Strict-Transport-Security: max-age=16070400');
} else {
    // Plain HTTP: permanent redirect to the same URL over HTTPS
    header('Location: https://' . $_SERVER['HTTP_HOST'] .
        $_SERVER['REQUEST_URI'], true, 301);
    exit;
}
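To check that the three headers from the previous slides (X-Content-Type-Options, X-XSS-Protection and Strict-Transport-Security) actually reach the browser in a usable form, the following audit script is added here as an example; it is not part of the presentation or of Lightspeed's code. It parses a raw response header block and reports on each header. The HSTS preload requirements it checks (max-age of at least one year, plus includeSubDomains) are those published by hstspreload.org; the two sample responses are constructed for the example, and the second one deliberately mirrors the Apache example's "max-age=16070400; preload" value, which would not be accepted for preloading as written.

```python
"""Audit the defensive response headers discussed above.

Added example, not code from the presentation.  Parses a raw HTTP response
header block and reports, for X-Content-Type-Options, X-XSS-Protection and
Strict-Transport-Security, whether the value is present and well formed.
"""

# hstspreload.org requires max-age >= 1 year, includeSubDomains and preload
PRELOAD_MIN_MAX_AGE = 31536000

# Constructed sample responses (not captured from any real site)
GOOD_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
"""

DECK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=16070400; preload
"""


def parse_headers(raw: str) -> dict:
    """Turn a raw header block into {lowercase-name: [values...]}.
    Header names are case-insensitive; repeated headers are kept in order."""
    headers = {}
    for line in raw.splitlines():
        if not line.strip() or line.upper().startswith("HTTP/"):
            continue  # status line or blank separator
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def parse_hsts(value: str) -> dict:
    """Parse 'max-age=N; includeSubDomains; preload' into a dict of
    lowercase directive -> value.  Returns {} when max-age is missing,
    because browsers ignore an HSTS header without a numeric max-age."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip().strip('"')
    if not directives.get("max-age", "").isdigit():
        return {}
    return directives


def audit(raw: str) -> dict:
    """Return {check-name: (ok, explanation)} for one response."""
    h = parse_headers(raw)
    result = {}

    # X-Content-Type-Options accepts exactly one value: nosniff
    xcto = [v.lower() for v in h.get("x-content-type-options", [])]
    ok = "nosniff" in xcto
    result["nosniff"] = (ok, "X-Content-Type-Options: nosniff present" if ok
                         else "X-Content-Type-Options: nosniff missing (MIME sniffing allowed)")

    # X-XSS-Protection: the deck recommends '1; mode=block' (optionally with report=)
    tokens = [t.strip().lower() for t in h.get("x-xss-protection", [""])[-1].split(";")]
    ok = tokens[0] == "1" and "mode=block" in tokens
    result["xss_filter"] = (ok, "X-XSS-Protection missing" if tokens == [""]
                            else "X-XSS-Protection: " + "; ".join(tokens))

    # HSTS: max-age is mandatory; preload needs includeSubDomains and >= 1 year
    hsts = parse_hsts(h.get("strict-transport-security", [""])[-1])
    if not hsts:
        result["hsts"] = (False, "Strict-Transport-Security missing or malformed")
    else:
        max_age = int(hsts["max-age"])
        problems = []
        if "preload" in hsts:
            if "includesubdomains" not in hsts:
                problems.append("preload requires includeSubDomains")
            if max_age < PRELOAD_MIN_MAX_AGE:
                problems.append(f"preload requires max-age >= {PRELOAD_MIN_MAX_AGE}")
        result["hsts"] = (not problems, "; ".join(problems) or f"HSTS max-age={max_age}")
    return result


if __name__ == "__main__":
    for label, raw in (("good", GOOD_RESPONSE), ("deck", DECK_RESPONSE)):
        for check, (ok, why) in audit(raw).items():
            print(f"{label:5} {check:11} {'OK ' if ok else 'BAD'} {why}")
```

The audit reads the last occurrence of each header, which is what browsers do for HSTS; if your server sends the header twice with different values, that is itself worth fixing.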
39. Header: Referrer-Policy
Lets you control when, and with how much of the current URL, the browser sends a Referer header
Referer is actually a misspelling of the word "referrer".
The Referrer-Policy header does not share this misspelling.
40. Header: Referrer-Policy
Policy                      Document                       Navigation to                   Referrer
no-referrer                 https://example.com/page.html  any domain or path              no referrer
no-referrer-when-downgrade  https://example.com/page.html  https://example.com/page2.html  https://example.com/page.html
no-referrer-when-downgrade  https://example.com/page.html  https://lightspeed.com          https://example.com/page.html
no-referrer-when-downgrade  https://example.com/page.html  http://example.com              no referrer
origin                      https://example.com/page.html  any domain or path              https://example.com
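The table shows three policies by example; the decision rule behind them is short enough to write out. The script below is an added example, not code from the presentation, and it implements the full set of eight policies named by the Referrer Policy specification (the three from the table plus same-origin, strict-origin, origin-when-cross-origin, strict-origin-when-cross-origin and unsafe-url). It also parses a Referrer-Policy header value, where the last recognised token wins and unknown tokens are ignored. One detail beyond the table: for the "origin" policies the browser serialises the origin with a trailing slash, so the last row's value is sent as https://example.com/. A downgrade is treated here simply as https or wss to any other scheme.

```python
"""Referrer-Policy decision logic for the table above.

Added example, not code from the presentation.  Given the policy in force,
the document URL and the navigation target, return the Referer value the
browser will send, or None for no referrer.
"""
from urllib.parse import urlsplit, urlunsplit

POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "origin",
    "origin-when-cross-origin", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}
SECURE_SCHEMES = {"https", "wss"}  # leaving these for anything else is a downgrade


def parse_policy(header: str, fallback: str = "no-referrer-when-downgrade") -> str:
    """Referrer-Policy may carry a comma-separated list (for older browsers):
    the last token the browser recognises wins, unknown tokens are ignored.
    `fallback` is the browser default assumed when nothing valid is found."""
    chosen = fallback
    for token in header.split(","):
        token = token.strip().lower()
        if token in POLICIES:
            chosen = token
    return chosen


def _host_port(p) -> str:
    host = p.hostname or ""  # hostname drops userinfo and lowercases
    return f"{host}:{p.port}" if p.port else host


def _strip(url: str) -> str:
    """Full referrer form: credentials and fragment removed."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, _host_port(p), p.path or "/", p.query, ""))


def _origin(url: str) -> str:
    """Origin-only form, serialised with a trailing slash as browsers send it."""
    p = urlsplit(url)
    return f"{p.scheme}://{_host_port(p)}/"


def referrer(policy: str, document: str, target: str):
    """Referer value sent when `document` navigates to `target` under `policy`."""
    src, dst = urlsplit(document), urlsplit(target)
    same_origin = (src.scheme, src.hostname, src.port) == (dst.scheme, dst.hostname, dst.port)
    downgrade = src.scheme in SECURE_SCHEMES and dst.scheme not in SECURE_SCHEMES

    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return _strip(document)
    if policy == "origin":
        return _origin(document)
    if policy == "same-origin":
        return _strip(document) if same_origin else None
    if policy == "origin-when-cross-origin":
        return _strip(document) if same_origin else _origin(document)
    if downgrade:  # every remaining policy withholds the referrer on https -> http
        return None
    if policy == "no-referrer-when-downgrade":
        return _strip(document)
    if policy == "strict-origin":
        return _origin(document)
    if policy == "strict-origin-when-cross-origin":
        return _strip(document) if same_origin else _origin(document)
    raise ValueError(f"unknown policy {policy!r}")


if __name__ == "__main__":
    # Re-derive the rows of the table above
    doc = "https://example.com/page.html"
    for policy, target in (
        ("no-referrer", "https://anything.example/path"),
        ("no-referrer-when-downgrade", "https://example.com/page2.html"),
        ("no-referrer-when-downgrade", "https://lightspeed.com"),
        ("no-referrer-when-downgrade", "http://example.com"),
        ("origin", "https://anything.example/path"),
    ):
        print(f"{policy:28} -> {target:32} {referrer(policy, doc, target) or 'no referrer'}")
```

Port handling is deliberately literal: https://example.com and https://example.com:443 are treated as different origins by this script, which is good enough to reason about the policies but stricter than a browser.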
45. Feature-Policy
The HTTP Feature-Policy header provides a mechanism to explicitly declare what functionality is allowed on a website.

Header          Android  Chrome  Edge  Firefox  Internet Explorer  Opera  Safari
Feature-Policy  60+      60+     N/A   N/A      N/A                48+    N/A