QA Fest 2016. Per Thorsheim. Website security 101

Q
QAFest
Website Security 101 Per Thorsheim Twitter: @thorsheim
QA Fest 2016. Per Thorsheim. Website security 101
Quick basic tests
QA Fest 2016. Per Thorsheim. Website security 101
QA Fest 2016. Per Thorsheim. Website security 101
QA Fest 2016. Per Thorsheim. Website security 101
DNS – DNSSEC • .UA root was signed on April 13, 2012 • https://en.wikipedia.org/wiki/.ua
Testing HTTPS configuration
QA Fest 2016. Per Thorsheim. Website security 101
Testing email security (STARTTLS)
QA Fest 2016. Per Thorsheim. Website security 101
Testing Website Security Headers
QA Fest 2016. Per Thorsheim. Website security 101
X-Content-Type-Options Reduce risk of clientbrowser downloading malware from your server. Configuration: X-Content-Type-Options: nosniff
X-Xss-Protection Tells visiting web browsers how to handle input weaknesses in how webpages handles input. This reduces the risk of phishing and session hijacking. Best configuration: X-XSS-Protection: 1; mode=block
X-Frame-Options Tell browsers that your website CAN NOT be displayed inside another «frame» on a webpage, effectively reducing the risk of phishing attacks. Example configuration: add_header X-Frame-Options "SAMEORIGIN" always;
HSTS (Strict Transport Security) – RFC 6797 HSTS tells visiting web browsers to always use HTTPS when connecting to the website, for N period of time. This only works for websites that offers HTTPS.
HPKP (Public Key Pinning) – RFC 7469 HPKP goes one step further compared to HSTS, by adding your website to a preloaded list in web browsers, telling them to use HTTPS even the first time they connect to a website. Additionally HPKP tells browsers which certificates to expect at all sites using HPKP. This will very effectively block most MitM attacks, but requires good technical knowledge to implement and maintain.
CSP – Content Security Policy A CSP is a set of rules that a website sends to a visiting client browser, telling the browser which external sites that are allowed to serve content for the web page. A lot of companies does MitM of plaintext HTTP traffic, in order to inject or replace ads and other information for the end user. CSP will prevent this from happening. However HTTPS should be used to protect the CSP itself from MitM attacks.
Without Content Security Policy Online newspaper Adserver Evil server
With Content Security Policy Online newspaper Adserver CSP Evil server
Real-world applicability Newspapers in Ukraine
QA Fest 2016. Per Thorsheim. Website security 101
Speed (usability)
http://www.http2demo.io/
QA Fest 2016. Per Thorsheim. Website security 101
QA Fest 2016. Per Thorsheim. Website security 101
QA Fest 2016. Per Thorsheim. Website security 101
QA Fest 2016. Per Thorsheim. Website security 101
per@thorsheim.net +47 90 99 92 59 (Signal, Whatsapp) @thorsheim QUESTIONS?
1 of 30

QA Fest 2016. Per Thorsheim. Website security 101

Education

I use a lot of online services for personal and business purposes. However I usually never sign up for anything without checking their security first. Using a small number of free & online tools, I will show you how I check the security & privacy of websites before signing up. This will be quick introduction to basic website security which every organisation, website & service should have in place.

Q
QAFest

Recommended

http security response headers for web security by
http security response headers for web securityhttp security response headers for web security
http security response headers for web securityOlatunji Adetunji
117 views6 slides
Secure HTTP Headers c0c0n 2011 Akash Mahajan by
Secure HTTP Headers c0c0n 2011 Akash MahajanSecure HTTP Headers c0c0n 2011 Akash Mahajan
Secure HTTP Headers c0c0n 2011 Akash MahajanAkash Mahajan
1.6K views14 slides
Protecting Web App users in today’s hostile environment by
Protecting Web App users in today’s hostile environmentProtecting Web App users in today’s hostile environment
Protecting Web App users in today’s hostile environmentajitdhumale
236 views23 slides
Hosting by
HostingHosting
Hostinghostingzilla.in
66 views1 slide
Browser Wars 2019 - Implementing a Content Security Policy by
Browser Wars 2019 - Implementing a Content Security PolicyBrowser Wars 2019 - Implementing a Content Security Policy
Browser Wars 2019 - Implementing a Content Security PolicyGeorge Boobyer
423 views63 slides
Secure wordpress by
Secure wordpressSecure wordpress
Secure wordpressPrabesh Thapa
180 views25 slides

More Related Content

Similar to QA Fest 2016. Per Thorsheim. Website security 101

List of useful security related http headers by
List of useful security related http headersList of useful security related http headers
List of useful security related http headers한익 주
1.3K views22 slides
Tsc summit #2 - HTTP Header Security by
Tsc summit #2 - HTTP Header SecurityTsc summit #2 - HTTP Header Security
Tsc summit #2 - HTTP Header SecurityMikal Villa
938 views11 slides
Analysis of HTTP Security Headers in Turkey by
Analysis of HTTP Security Headers in TurkeyAnalysis of HTTP Security Headers in Turkey
Analysis of HTTP Security Headers in TurkeyDr. Emin İslam Tatlı
852 views36 slides
Web security by
Web securityWeb security
Web securitytruong nguyen
161 views6 slides
W3 conf hill-html5-security-realities by
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesBrad Hill
840 views60 slides
White paper screen by
White paper screenWhite paper screen
White paper screeneltincho89
261 views14 slides

Similar to QA Fest 2016. Per Thorsheim. Website security 101(20)

List of useful security related http headers by 한익 주
List of useful security related http headersList of useful security related http headers
List of useful security related http headers
한익 주1.3K views
Tsc summit #2 - HTTP Header Security by Mikal Villa
Tsc summit #2 - HTTP Header SecurityTsc summit #2 - HTTP Header Security
Tsc summit #2 - HTTP Header Security
Mikal Villa938 views
Analysis of HTTP Security Headers in Turkey by Dr. Emin İslam Tatlı
Analysis of HTTP Security Headers in TurkeyAnalysis of HTTP Security Headers in Turkey
Analysis of HTTP Security Headers in Turkey
Dr. Emin İslam Tatlı852 views
Web security by truong nguyen
Web securityWeb security
Web security
truong nguyen161 views
W3 conf hill-html5-security-realities by Brad Hill
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
Brad Hill840 views
White paper screen by eltincho89
White paper screenWhite paper screen
White paper screen
eltincho89261 views
Http security response headers by mohammadhosseinrouha
Http security response headers Http security response headers
Http security response headers
mohammadhosseinrouha105 views
Website hacking and prevention (All Tools,Topics & Technique ) by Jay Nagar
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )
Jay Nagar669 views
OMB M 15-13, Policy to Require Secure Connections across Federal Websites and... by DigitalGov from General Services Administration
OMB M 15-13, Policy to Require Secure Connections across Federal Websites and...OMB M 15-13, Policy to Require Secure Connections across Federal Websites and...
OMB M 15-13, Policy to Require Secure Connections across Federal Websites and...
DigitalGov from General Services Administration1.4K views
Lec 2.pptx by ssuserbab2f4
Lec 2.pptxLec 2.pptx
Lec 2.pptx
ssuserbab2f46 views
Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe by Philippe De Ryck
Why Traditional Web Security Technologies no Longer Suffice to Keep You SafeWhy Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Philippe De Ryck355 views
HTTP basics in relation to Applicaiton Security - OWASP by Eoin Keary
HTTP basics in relation to Applicaiton Security - OWASPHTTP basics in relation to Applicaiton Security - OWASP
HTTP basics in relation to Applicaiton Security - OWASP
Eoin Keary1.7K views
XST - Cross Site Tracing by Magno Logan
XST - Cross Site TracingXST - Cross Site Tracing
XST - Cross Site Tracing
Magno Logan2.2K views
Top 10 Web Hacks 2012 by Matt Johansen
Top 10 Web Hacks 2012Top 10 Web Hacks 2012
Top 10 Web Hacks 2012
Matt Johansen29.5K views
Content security policy by Ronan Dunne, CEH, SSCP
Content security policyContent security policy
Content security policy
Ronan Dunne, CEH, SSCP2.4K views
Top Ten Web Hacking Techniques of 2012 by Jeremiah Grossman
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012
Jeremiah Grossman3.9K views
Browser Security ppt.pptx by AjaySahre
Browser Security ppt.pptxBrowser Security ppt.pptx
Browser Security ppt.pptx
AjaySahre51 views
Crypto workshop part 1 - Web and Crypto by hannob
Crypto workshop part 1 - Web and CryptoCrypto workshop part 1 - Web and Crypto
Crypto workshop part 1 - Web and Crypto
hannob1.2K views
Cloud Computing Assignment 3 by Gurpreet singh
Cloud Computing Assignment 3Cloud Computing Assignment 3
Cloud Computing Assignment 3
Gurpreet singh2.3K views
A Practical Guide to Securing Modern Web Applications by Manish Shekhawat
A Practical Guide to Securing Modern Web ApplicationsA Practical Guide to Securing Modern Web Applications
A Practical Guide to Securing Modern Web Applications
Manish Shekhawat196 views

More from QAFest

QA Fest 2019. Сергій Короленко. Топ веб вразливостей за 40 хвилин by
QA Fest 2019. Сергій Короленко. Топ веб вразливостей за 40 хвилинQA Fest 2019. Сергій Короленко. Топ веб вразливостей за 40 хвилин
QA Fest 2019. Сергій Короленко. Топ веб вразливостей за 40 хвилинQAFest
979 views44 slides
QA Fest 2019. Анна Чернышова. Self-healing test automation 2.0. The Future by
QA Fest 2019. Анна Чернышова. Self-healing test automation 2.0. The FutureQA Fest 2019. Анна Чернышова. Self-healing test automation 2.0. The Future
QA Fest 2019. Анна Чернышова. Self-healing test automation 2.0. The FutureQAFest
931 views44 slides
QA Fest 2019. Doug Sillars. It's just too Slow: Testing Mobile application pe... by
QA Fest 2019. Doug Sillars. It's just too Slow: Testing Mobile application pe...QA Fest 2019. Doug Sillars. It's just too Slow: Testing Mobile application pe...
QA Fest 2019. Doug Sillars. It's just too Slow: Testing Mobile application pe...QAFest
322 views131 slides
QA Fest 2019. Катерина Спринсян. Параллельное покрытие автотестами и другие и... by
QA Fest 2019. Катерина Спринсян. Параллельное покрытие автотестами и другие и...QA Fest 2019. Катерина Спринсян. Параллельное покрытие автотестами и другие и...
QA Fest 2019. Катерина Спринсян. Параллельное покрытие автотестами и другие и...QAFest
336 views92 slides
QA Fest 2019. Никита Галкин. Как зарабатывать больше by
QA Fest 2019. Никита Галкин. Как зарабатывать большеQA Fest 2019. Никита Галкин. Как зарабатывать больше
QA Fest 2019. Никита Галкин. Как зарабатывать большеQAFest
389 views40 slides
QA Fest 2019. Сергей Пирогов. Why everything is spoiled by
QA Fest 2019. Сергей Пирогов. Why everything is spoiledQA Fest 2019. Сергей Пирогов. Why everything is spoiled
QA Fest 2019. Сергей Пирогов. Why everything is spoiledQAFest
342 views33 slides

More from QAFest(20)

QA Fest 2019. Сергій Короленко. Топ веб вразливостей за 40 хвилин by QAFest
QA Fest 2019. Сергій Короленко. Топ веб вразливостей за 40 хвилинQA Fest 2019. Сергій Короленко. Топ веб вразливостей за 40 хвилин
QA Fest 2019. Сергій Короленко. Топ веб вразливостей за 40 хвилин
QAFest979 views
QA Fest 2019. Анна Чернышова. Self-healing test automation 2.0. The Future by QAFest
QA Fest 2019. Анна Чернышова. Self-healing test automation 2.0. The FutureQA Fest 2019. Анна Чернышова. Self-healing test automation 2.0. The Future
QA Fest 2019. Анна Чернышова. Self-healing test automation 2.0. The Future
QAFest931 views
QA Fest 2019. Doug Sillars. It's just too Slow: Testing Mobile application pe... by QAFest
QA Fest 2019. Doug Sillars. It's just too Slow: Testing Mobile application pe...QA Fest 2019. Doug Sillars. It's just too Slow: Testing Mobile application pe...
QA Fest 2019. Doug Sillars. It's just too Slow: Testing Mobile application pe...
QAFest322 views
QA Fest 2019. Катерина Спринсян. Параллельное покрытие автотестами и другие и... by QAFest
QA Fest 2019. Катерина Спринсян. Параллельное покрытие автотестами и другие и...QA Fest 2019. Катерина Спринсян. Параллельное покрытие автотестами и другие и...
QA Fest 2019. Катерина Спринсян. Параллельное покрытие автотестами и другие и...
QAFest336 views
QA Fest 2019. Никита Галкин. Как зарабатывать больше by QAFest
QA Fest 2019. Никита Галкин. Как зарабатывать большеQA Fest 2019. Никита Галкин. Как зарабатывать больше
QA Fest 2019. Никита Галкин. Как зарабатывать больше
QAFest389 views
QA Fest 2019. Сергей Пирогов. Why everything is spoiled by QAFest
QA Fest 2019. Сергей Пирогов. Why everything is spoiledQA Fest 2019. Сергей Пирогов. Why everything is spoiled
QA Fest 2019. Сергей Пирогов. Why everything is spoiled
QAFest342 views
QA Fest 2019. Сергей Новик. Между мотивацией и выгоранием by QAFest
QA Fest 2019. Сергей Новик. Между мотивацией и выгораниемQA Fest 2019. Сергей Новик. Между мотивацией и выгоранием
QA Fest 2019. Сергей Новик. Между мотивацией и выгоранием
QAFest249 views
QA Fest 2019. Владимир Никонов. Код Шредингера или зачем и как мы тестируем н... by QAFest
QA Fest 2019. Владимир Никонов. Код Шредингера или зачем и как мы тестируем н...QA Fest 2019. Владимир Никонов. Код Шредингера или зачем и как мы тестируем н...
QA Fest 2019. Владимир Никонов. Код Шредингера или зачем и как мы тестируем н...
QAFest338 views
QA Fest 2019. Владимир Трандафилов. GUI automation of WEB application with SV... by QAFest
QA Fest 2019. Владимир Трандафилов. GUI automation of WEB application with SV...QA Fest 2019. Владимир Трандафилов. GUI automation of WEB application with SV...
QA Fest 2019. Владимир Трандафилов. GUI automation of WEB application with SV...
QAFest227 views
QA Fest 2019. Иван Крутов. Bulletproof Selenium Cluster by QAFest
QA Fest 2019. Иван Крутов. Bulletproof Selenium ClusterQA Fest 2019. Иван Крутов. Bulletproof Selenium Cluster
QA Fest 2019. Иван Крутов. Bulletproof Selenium Cluster
QAFest282 views
QA Fest 2019. Николай Мижигурский. Миссия /*не*/выполнима: гуманитарий собесе... by QAFest
QA Fest 2019. Николай Мижигурский. Миссия /*не*/выполнима: гуманитарий собесе...QA Fest 2019. Николай Мижигурский. Миссия /*не*/выполнима: гуманитарий собесе...
QA Fest 2019. Николай Мижигурский. Миссия /*не*/выполнима: гуманитарий собесе...
QAFest251 views
QA Fest 2019. Володимир Стиран. Чим раніше – тим вигідніше, але ніколи не піз... by QAFest
QA Fest 2019. Володимир Стиран. Чим раніше – тим вигідніше, але ніколи не піз...QA Fest 2019. Володимир Стиран. Чим раніше – тим вигідніше, але ніколи не піз...
QA Fest 2019. Володимир Стиран. Чим раніше – тим вигідніше, але ніколи не піз...
QAFest301 views
QA Fest 2019. Дмитрий Прокопук. Mocks and network tricks in UI automation by QAFest
QA Fest 2019. Дмитрий Прокопук. Mocks and network tricks in UI automationQA Fest 2019. Дмитрий Прокопук. Mocks and network tricks in UI automation
QA Fest 2019. Дмитрий Прокопук. Mocks and network tricks in UI automation
QAFest225 views
QA Fest 2019. Екатерина Дядечко. Тестирование медицинского софта — вызовы и в... by QAFest
QA Fest 2019. Екатерина Дядечко. Тестирование медицинского софта — вызовы и в...QA Fest 2019. Екатерина Дядечко. Тестирование медицинского софта — вызовы и в...
QA Fest 2019. Екатерина Дядечко. Тестирование медицинского софта — вызовы и в...
QAFest243 views
QA Fest 2019. Катерина Черникова. Tune your P’s: the pop-art of keeping testa... by QAFest
QA Fest 2019. Катерина Черникова. Tune your P’s: the pop-art of keeping testa...QA Fest 2019. Катерина Черникова. Tune your P’s: the pop-art of keeping testa...
QA Fest 2019. Катерина Черникова. Tune your P’s: the pop-art of keeping testa...
QAFest376 views
QA Fest 2019. Алиса Бойко. Какнезапутаться в коммуникативных сетях IT by QAFest
QA Fest 2019. Алиса Бойко. Какнезапутаться в коммуникативных сетях ITQA Fest 2019. Алиса Бойко. Какнезапутаться в коммуникативных сетях IT
QA Fest 2019. Алиса Бойко. Какнезапутаться в коммуникативных сетях IT
QAFest209 views
QA Fest 2019. Святослав Логин. Как найти уязвимости в мобильном приложении by QAFest
QA Fest 2019. Святослав Логин. Как найти уязвимости в мобильном приложенииQA Fest 2019. Святослав Логин. Как найти уязвимости в мобильном приложении
QA Fest 2019. Святослав Логин. Как найти уязвимости в мобильном приложении
QAFest607 views
QA Fest 2019. Катерина Шепелєва та Інна Оснач. Що українцям потрібно знати пр... by QAFest
QA Fest 2019. Катерина Шепелєва та Інна Оснач. Що українцям потрібно знати пр...QA Fest 2019. Катерина Шепелєва та Інна Оснач. Що українцям потрібно знати пр...
QA Fest 2019. Катерина Шепелєва та Інна Оснач. Що українцям потрібно знати пр...
QAFest321 views
QA Fest 2019. Антон Серпутько. Нагрузочное тестирование распределенных асинхр... by QAFest
QA Fest 2019. Антон Серпутько. Нагрузочное тестирование распределенных асинхр...QA Fest 2019. Антон Серпутько. Нагрузочное тестирование распределенных асинхр...
QA Fest 2019. Антон Серпутько. Нагрузочное тестирование распределенных асинхр...
QAFest296 views
QA Fest 2019. Петр Тарасенко. QA Hackathon - The Cookbook 22 by QAFest
QA Fest 2019. Петр Тарасенко. QA Hackathon - The Cookbook 22QA Fest 2019. Петр Тарасенко. QA Hackathon - The Cookbook 22
QA Fest 2019. Петр Тарасенко. QA Hackathon - The Cookbook 22
QAFest164 views

Recently uploaded

REPRESENTATION - GAUNTLET.pptx by
REPRESENTATION - GAUNTLET.pptxREPRESENTATION - GAUNTLET.pptx
REPRESENTATION - GAUNTLET.pptxiammrhaywood
83 views26 slides
11.30.23 Poverty and Inequality in America.pptx by
11.30.23 Poverty and Inequality in America.pptx11.30.23 Poverty and Inequality in America.pptx
11.30.23 Poverty and Inequality in America.pptxmary850239
144 views33 slides
Scope of Biochemistry.pptx by
Scope of Biochemistry.pptxScope of Biochemistry.pptx
Scope of Biochemistry.pptxshoba shoba
124 views55 slides
Drama KS5 Breakdown by
Drama KS5 BreakdownDrama KS5 Breakdown
Drama KS5 BreakdownWestHatch
71 views2 slides
Class 10 English lesson plans by
Class 10 English lesson plansClass 10 English lesson plans
Class 10 English lesson plansTARIQ KHAN
257 views53 slides
American Psychological Association 7th Edition.pptx by
American Psychological Association 7th Edition.pptxAmerican Psychological Association 7th Edition.pptx
American Psychological Association 7th Edition.pptxSamiullahAfridi4
82 views8 slides

Recently uploaded(20)

REPRESENTATION - GAUNTLET.pptx by iammrhaywood
REPRESENTATION - GAUNTLET.pptxREPRESENTATION - GAUNTLET.pptx
REPRESENTATION - GAUNTLET.pptx
iammrhaywood83 views
11.30.23 Poverty and Inequality in America.pptx by mary850239
11.30.23 Poverty and Inequality in America.pptx11.30.23 Poverty and Inequality in America.pptx
11.30.23 Poverty and Inequality in America.pptx
mary850239144 views
Scope of Biochemistry.pptx by shoba shoba
Scope of Biochemistry.pptxScope of Biochemistry.pptx
Scope of Biochemistry.pptx
shoba shoba124 views
Drama KS5 Breakdown by WestHatch
Drama KS5 BreakdownDrama KS5 Breakdown
Drama KS5 Breakdown
WestHatch71 views
Class 10 English lesson plans by TARIQ KHAN
Class 10 English lesson plansClass 10 English lesson plans
Class 10 English lesson plans
TARIQ KHAN257 views
American Psychological Association 7th Edition.pptx by SamiullahAfridi4
American Psychological Association 7th Edition.pptxAmerican Psychological Association 7th Edition.pptx
American Psychological Association 7th Edition.pptx
SamiullahAfridi482 views
Google solution challenge..pptx by ChitreshGyanani1
Google solution challenge..pptxGoogle solution challenge..pptx
Google solution challenge..pptx
ChitreshGyanani198 views
The Accursed House by Émile Gaboriau by DivyaSheta
The Accursed House by Émile GaboriauThe Accursed House by Émile Gaboriau
The Accursed House by Émile Gaboriau
DivyaSheta158 views
ACTIVITY BOOK key water sports.pptx by Mar Caston Palacio
ACTIVITY BOOK key water sports.pptxACTIVITY BOOK key water sports.pptx
ACTIVITY BOOK key water sports.pptx
Mar Caston Palacio430 views
The Open Access Community Framework (OACF) 2023 (1).pptx by Jisc
The Open Access Community Framework (OACF) 2023 (1).pptxThe Open Access Community Framework (OACF) 2023 (1).pptx
The Open Access Community Framework (OACF) 2023 (1).pptx
Jisc85 views
Narration lesson plan.docx by TARIQ KHAN
Narration lesson plan.docxNarration lesson plan.docx
Narration lesson plan.docx
TARIQ KHAN104 views
Education and Diversity.pptx by DrHafizKosar
Education and Diversity.pptxEducation and Diversity.pptx
Education and Diversity.pptx
DrHafizKosar118 views
GSoC 2024 by DeveloperStudentClub10
GSoC 2024GSoC 2024
GSoC 2024
DeveloperStudentClub1068 views
Sociology KS5 by WestHatch
Sociology KS5Sociology KS5
Sociology KS5
WestHatch64 views
Recap of our Class by Corinne Weisgerber
Recap of our ClassRecap of our Class
Recap of our Class
Corinne Weisgerber73 views
AUDIENCE - BANDURA.pptx by iammrhaywood
AUDIENCE - BANDURA.pptxAUDIENCE - BANDURA.pptx
AUDIENCE - BANDURA.pptx
iammrhaywood69 views
AI Tools for Business and Startups by Svetlin Nakov
AI Tools for Business and StartupsAI Tools for Business and Startups
AI Tools for Business and Startups
Svetlin Nakov101 views
Use of Probiotics in Aquaculture.pptx by AKSHAY MANDAL
Use of Probiotics in Aquaculture.pptxUse of Probiotics in Aquaculture.pptx
Use of Probiotics in Aquaculture.pptx
AKSHAY MANDAL89 views
Are we onboard yet University of Sussex.pptx by Jisc
Are we onboard yet University of Sussex.pptxAre we onboard yet University of Sussex.pptx
Are we onboard yet University of Sussex.pptx
Jisc77 views
UWP OA Week Presentation (1).pptx by Jisc
UWP OA Week Presentation (1).pptxUWP OA Week Presentation (1).pptx
UWP OA Week Presentation (1).pptx
Jisc74 views

QA Fest 2016. Per Thorsheim. Website security 101