QA Fest 2016. Per Thorsheim. Website security 101
I use a lot of online services for personal and business purposes. However, I usually never sign up for anything without checking their security first.
Using a small number of free online tools, I will show you how I check the security and privacy of websites before signing up. This will be a quick introduction to basic website security, which every organisation, website and service should have in place.

Published in: Education

  1. Website Security 101. Per Thorsheim. Twitter: @thorsheim
  2. Quick basic tests
  3. DNS – DNSSEC • The .UA root was signed on April 13, 2012 • https://en.wikipedia.org/wiki/.ua
  4. Testing HTTPS configuration
  5. Testing email security (STARTTLS)
  6. Testing Website Security Headers
  7. X-Content-Type-Options. Reduces the risk of a client browser downloading malware from your server. Configuration: X-Content-Type-Options: nosniff
  8. X-Xss-Protection. Tells visiting web browsers how to handle weaknesses in how web pages handle input. This reduces the risk of phishing and session hijacking. Best configuration: X-XSS-Protection: 1; mode=block
  9. X-Frame-Options. Tells browsers that your website CAN NOT be displayed inside another «frame» on a web page, effectively reducing the risk of phishing attacks. Example configuration: add_header X-Frame-Options "SAMEORIGIN" always;
  10. HSTS (Strict Transport Security) – RFC 6797. HSTS tells visiting web browsers to always use HTTPS when connecting to the website, for N period of time. This only works for websites that offer HTTPS.
  11. HPKP (Public Key Pinning) – RFC 7469. HPKP goes one step further than HSTS by adding your website to a preloaded list in web browsers, telling them to use HTTPS even the first time they connect to a website. Additionally, HPKP tells browsers which certificates to expect at all sites using HPKP. This will very effectively block most MitM attacks, but it requires good technical knowledge to implement and maintain.
  12. CSP – Content Security Policy. A CSP is a set of rules that a website sends to a visiting client browser, telling the browser which external sites are allowed to serve content for the web page. A lot of companies do MitM of plaintext HTTP traffic in order to inject or replace ads and other information for the end user. CSP will prevent this from happening. However, HTTPS should be used to protect the CSP itself from MitM attacks.
  13. Without Content Security Policy (diagram: Online newspaper, Adserver, Evil server)
  14. With Content Security Policy (diagram: Online newspaper, Adserver, CSP, Evil server)
  15. Real-world applicability: Newspapers in Ukraine
  16. Speed (usability)
  17. http://www.http2demo.io/
  18. per@thorsheim.net, +47 90 99 92 59 (Signal, Whatsapp), @thorsheim. QUESTIONS?
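As an added example (not from the talk), the checks behind slides 7 through 12 can be written as a small audit over a site's response headers: it flags each recommended header that is missing or set to a weak value. The sample headers and the HSTS max-age threshold are constructed assumptions; HPKP is left out because browsers have since removed support for it.

```python
# Added example: audit HTTP response headers against the recommendations on
# slides 7-12 (nosniff, XSS filter, frame options, HSTS, CSP). Not the talk's code.
import re

# Constructed sample: headers as a misconfigured reverse proxy might return them.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "ALLOWALL",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self' https://ads.example.net",
}

# Assumed threshold (180 days); the slides only say "N period of time".
HSTS_MIN_AGE = 15552000


def audit_headers(headers):
    """Return a list of findings (strings); an empty list means every check passed."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    findings = []

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: missing or not 'nosniff'")

    xss = h.get("x-xss-protection", "").replace(" ", "").lower()
    if xss != "1;mode=block":
        findings.append("X-XSS-Protection: expected '1; mode=block'")

    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options: missing or permissive (use DENY or SAMEORIGIN)")

    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
    if not m:
        findings.append("Strict-Transport-Security: missing or no max-age")
    elif int(m.group(1)) < HSTS_MIN_AGE:
        findings.append(f"Strict-Transport-Security: max-age {m.group(1)} is short")

    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("Content-Security-Policy: missing")
    elif "'unsafe-inline'" in csp or re.search(r"default-src[^;]*\*", csp):
        findings.append("Content-Security-Policy: allows 'unsafe-inline' or a wildcard source")

    return findings


if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS):
        print("WARN", finding)
```

Run against a live site by feeding it the header dict from any HTTP client; the sample above yields three warnings (XSS filter, frame options, short HSTS max-age).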