QA Fest 2016. Per Thorsheim. Website security 101
I use a lot of online services for personal and business purposes. However, I usually never sign up for anything without checking their security first.
Using a small number of free online tools, I will show you how I check the security and privacy of websites before signing up. This will be a quick introduction to basic website security which every organisation, website and service should have in place.

  1. Website Security 101. Per Thorsheim. Twitter: @thorsheim
  2. Quick basic tests
  3. DNS – DNSSEC
     • .UA root was signed on April 13, 2012
     • https://en.wikipedia.org/wiki/.ua
  4. Testing HTTPS configuration
  5. Testing email security (STARTTLS)
  6. Testing website security headers
  7. X-Content-Type-Options. Reduces the risk of a client browser downloading malware from your server. Configuration: X-Content-Type-Options: nosniff
  8. X-XSS-Protection. Tells visiting web browsers how to handle weaknesses in how web pages handle input. This reduces the risk of phishing and session hijacking. Best configuration: X-XSS-Protection: 1; mode=block
  9. X-Frame-Options. Tells browsers that your website CANNOT be displayed inside another «frame» on a web page, effectively reducing the risk of phishing attacks. Example configuration: add_header X-Frame-Options "SAMEORIGIN" always;
  10. HSTS (Strict Transport Security) – RFC 6797. HSTS tells visiting web browsers to always use HTTPS when connecting to the website, for a period of time N. This only works for websites that offer HTTPS.
  11. HPKP (Public Key Pinning) – RFC 7469. HPKP goes one step further than HSTS by adding your website to a preloaded list in web browsers, telling them to use HTTPS even the first time they connect to the website. Additionally, HPKP tells browsers which certificates to expect at all sites using HPKP. This very effectively blocks most MitM attacks, but requires good technical knowledge to implement and maintain.
  12. CSP – Content Security Policy. A CSP is a set of rules that a website sends to a visiting client browser, telling the browser which external sites are allowed to serve content for the web page. A lot of companies do MitM of plaintext HTTP traffic in order to inject or replace ads and other information for the end user. CSP prevents this from happening. However, HTTPS should be used to protect the CSP itself from MitM attacks.
  13. Without Content Security Policy (diagram: online newspaper, ad server, evil server)
  14. With Content Security Policy (diagram: online newspaper, ad server, CSP, evil server)
  15. Real-world applicability: newspapers in Ukraine
  16. Speed (usability)
  17. http://www.http2demo.io/
  18. QUESTIONS? per@thorsheim.net, +47 90 99 92 59 (Signal, WhatsApp), @thorsheim
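Slides 6 to 12 describe checking a site's security headers by hand. The script below is an added example (not part of the talk or its slides) that applies the same checks to a captured set of response headers: it parses the HSTS value into its directives and reports, for each of the five headers the slides recommend, whether the value matches the configuration the slides give. The two header sets at the top are constructed samples, not responses from any real site; the one-year HSTS threshold is an assumption chosen as a commonly recommended value, not a figure from the slides. Feed it the headers you get back from any HTTP client to reproduce the check offline.

```python
"""Check HTTP response headers against the recommendations on slides 6 to 12."""
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample responses (not captured from any real website).
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://ads.example",
}
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=0",   # max-age=0 disables HSTS
    "X-Frame-Options": "ALLOWALL",              # not a valid value; framing allowed
    "X-XSS-Protection": "0",                    # filter explicitly switched off
}

ONE_YEAR = 31536000  # seconds; assumed threshold for a "long enough" HSTS max-age


class Finding(NamedTuple):
    header: str
    ok: bool
    detail: str


def _normalize(headers: Dict[str, str]) -> Dict[str, str]:
    """Header names are case-insensitive, so compare on lower-cased keys."""
    return {k.lower(): v.strip() for k, v in headers.items()}


def parse_hsts(value: str) -> dict:
    """Split an HSTS value into max-age (int or None) and its boolean directives."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        directive = directive.strip().lower()
        if directive.startswith("max-age="):
            try:
                result["max_age"] = int(directive.split("=", 1)[1].strip('"'))
            except ValueError:
                pass  # malformed max-age is reported as None (treated as failing)
        elif directive == "includesubdomains":
            result["include_subdomains"] = True
        elif directive == "preload":
            result["preload"] = True
    return result


def check_headers(headers: Dict[str, str]) -> List[Finding]:
    """Return one Finding per recommended header, in the order of the slides."""
    h = _normalize(headers)
    findings: List[Finding] = []

    v: Optional[str] = h.get("x-content-type-options")
    findings.append(Finding("X-Content-Type-Options",
                            v is not None and v.lower() == "nosniff", v or "missing"))

    v = h.get("x-xss-protection")
    ok = v is not None and v.startswith("1") and "mode=block" in v.lower()
    findings.append(Finding("X-XSS-Protection", ok, v or "missing"))

    v = h.get("x-frame-options")
    ok = v is not None and v.upper() in ("DENY", "SAMEORIGIN")
    findings.append(Finding("X-Frame-Options", ok, v or "missing"))

    v = h.get("strict-transport-security")
    if v is None:
        findings.append(Finding("Strict-Transport-Security", False, "missing"))
    else:
        p = parse_hsts(v)
        ok = p["max_age"] is not None and p["max_age"] >= ONE_YEAR
        detail = (f"max-age={p['max_age']}, includeSubDomains={p['include_subdomains']}, "
                  f"preload={p['preload']}")
        findings.append(Finding("Strict-Transport-Security", ok, detail))

    v = h.get("content-security-policy")
    if v:
        directives = [d.strip().split(" ", 1)[0] for d in v.split(";") if d.strip()]
        findings.append(Finding("Content-Security-Policy", True,
                                "directives: " + ", ".join(directives)))
    else:
        findings.append(Finding("Content-Security-Policy", False, "missing"))
    return findings


def summarize(headers: Dict[str, str]) -> Tuple[int, int]:
    """(number of passing headers, number of headers checked)."""
    findings = check_headers(headers)
    return sum(1 for f in findings if f.ok), len(findings)


if __name__ == "__main__":
    for label, sample in (("good sample", GOOD_HEADERS), ("weak sample", WEAK_HEADERS)):
        print(f"== {label}: {summarize(sample)[0]}/{summarize(sample)[1]} pass")
        for f in check_headers(sample):
            print(f"  [{'OK ' if f.ok else 'BAD'}] {f.header}: {f.detail}")
```

A missing header and a present-but-weak header are both reported as failing, which matches how the slides treat them: X-XSS-Protection: 0 or max-age=0 is no better than leaving the header out. The CSP check only confirms that a policy is delivered and lists its directives; judging whether the allowed sources are tight enough still needs a human reading the policy.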
