Csp and http headers


  1. W3C Content Security Policy and HTTP Headers for Security
      David Epler, Security Architect, depler@aboutweb.com
  2. About Me
      • Application Developer originally
      • Contributor to Learn CF In a Week
      • OWASP Individual Member
      • OWASP Zed Attack Proxy (ZAP) Evangelist
      • Security Certifications: CEH, GWAPT
  3. About the Session
      • What will be covered
        • HTTP Header Basics
        • HTTP Headers for Security
        • X-Content-Type-Options
        • X-XSS-Protection
        • X-Frame-Options
        • Cookies
        • HTTP Strict Transport Security (HSTS)
        • W3C Content Security Policy (CSP)
  4. HTTP Basics
      HTTP Request:
        GET / HTTP/1.1
        Host: www.aboutweb.com
      HTTP Response:
        HTTP/1.1 200 OK
        Date: Tue, 7 Apr 2015 20:21:22 GMT
        Server: Apache
        Content-Type: text/html
  5. HTTP Response Headers
      • Can be set by the web server, the web application, or anything else that interacts with the HTTP response
      Apache (requires mod_headers):
        Header always set X-Mork KO
      ColdFusion:
        <cfheader name="X-Mork" value="nanu-nanu">
      PHP:
        <?php header("X-Mork: shazbot"); ?>
  6. HTTP Response
        HTTP/1.1 200 OK
        Date: Tue, 7 Apr 2015 21:22:23 GMT
        Server: Apache
        X-Mork: nanu-nanu
        Content-Type: text/html

        <html>
          …
        </html>
  7. X-Content-Type-Options
      • Protects against MIME type confusion attacks
      • Internet Explorer 9+, Chrome, and Safari
      Content types covered by nosniff:
        Internet Explorer          Chrome
        text/css                   text/css
        text/ecmascript            text/ecmascript
        text/javascript            text/javascript
        text/jscript               text/jscript
        application/ecmascript     application/ecmascript
        application/javascript     application/javascript
        application/x-javascript   application/x-javascript
        text/vbs                   text/javascript1.1
        text/vbscript              text/javascript1.2
        text/x-javascript          text/javascript1.3
                                   text/livescript
      Header:
        X-Content-Type-Options: nosniff
  8. X-XSS-Protection
      • Configures the user agent's built-in reflective XSS protection
      • Internet Explorer 8+ and Chrome
        Value            Meaning
        0                Disable XSS protection
        1                Enable XSS protection
        1; mode=block    Enable XSS protection and block the page
        1; report=URL    Report potential XSS to URL (Chrome/WebKit only)
      Header:
        X-XSS-Protection: 1; mode=block
  9. X-Frame-Options
      • Indicates whether the browser should be allowed to render the content in a <frame> or <iframe>
      • Defends against clickjacking / UI redress attacks
        Value            Meaning
        DENY             Prevents any domain from framing the content
        SAMEORIGIN       Only allows pages on the same domain to frame the content
        ALLOW-FROM URL   Whitelist of URLs that are allowed to frame the content
  10. X-Frame-Options
      • Browser support varies based on the value
        Browser             DENY/SAMEORIGIN   ALLOW-FROM
        Chrome              4.1               not supported
        Firefox             3.6.9             18.0
        Internet Explorer   8                 9
        Opera               10.50             not supported
        Safari              4                 not supported
      Header:
        X-Frame-Options: SAMEORIGIN
  11. Cookies
      • Important directives on cookies
        • HttpOnly: the cookie is not accessible to JavaScript
        • Secure: the cookie is only sent over HTTPS
      Header:
        Set-Cookie: JSESSIONID=4B4BE61DB23C8858560A7BC35804507F; Path=/; Secure; HttpOnly
  12. DEMO
  13. HTTP Strict Transport Security (HSTS)
      • Instructs the browser to always use the HTTPS protocol instead of HTTP
      • Helps prevent
        • Network attacks
        • Mixed content vulnerabilities
      • HSTS does not allow a user to override the invalid certificate message
  14. Certificate Error w/o HSTS
  15. Certificate Error w/ HSTS
  16. HSTS Directives
      • max-age tells the user agent how long to cache the STS setting, in seconds
      • includeSubDomains tells the user agent to include any subdomains
  17. HSTS Examples
      Require HTTPS for 60 seconds on the domain:
        Strict-Transport-Security: max-age=60
      Require HTTPS for 365 days on the domain and all subdomains:
        Strict-Transport-Security: max-age=31536000; includeSubDomains
      Remove the HSTS policy (including subdomains):
        Strict-Transport-Security: max-age=0
  18. Handling Requests
      • HTTP requests
        • Should respond with HTTP status code 301 and redirect to HTTPS
        • The Strict-Transport-Security header must not be included on HTTP responses
      • HTTPS requests
        • Should always respond with the Strict-Transport-Security header
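As an added example that is not part of the deck, a small Python audit function that applies the recommendations of slides 7 through 18 to one captured response: nosniff, X-XSS-Protection, X-Frame-Options, cookie flags, and the HSTS rules for HTTP versus HTTPS requests. The two sample responses are constructed for the example, not real traffic.

```python
def parse_hsts(value):
    """Split a Strict-Transport-Security value into its directives (RFC 6797)."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip()
    return directives

def audit_response(scheme, status, headers):
    """Findings for one response; `scheme` is the request scheme, `headers` maps name -> [values]."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if h.get("x-content-type-options", [""])[0].lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff is missing")
    xss = h.get("x-xss-protection", [""])[0].replace(" ", "").lower()
    if not xss.startswith("1;mode=block"):
        findings.append("X-XSS-Protection should be '1; mode=block'")
    if h.get("x-frame-options", [""])[0].upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options should be DENY or SAMEORIGIN")
    for cookie in h.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                findings.append(f"cookie {name} lacks {flag}")
    hsts = h.get("strict-transport-security")
    if scheme == "http":
        # Slide 18: plain HTTP gets a 301 to HTTPS and never carries HSTS.
        if status != 301:
            findings.append("HTTP request should be answered with 301 to HTTPS")
        if hsts:
            findings.append("Strict-Transport-Security must not be sent over HTTP")
    elif not hsts or not parse_hsts(hsts[0]).get("max-age", "").isdigit():
        findings.append("HTTPS response lacks Strict-Transport-Security max-age")
    return findings

# Constructed sample responses modelled on the slides (not captured traffic).
GOOD_HTTPS = ("https", 200, {
    "X-Content-Type-Options": ["nosniff"],
    "X-XSS-Protection": ["1; mode=block"],
    "X-Frame-Options": ["SAMEORIGIN"],
    "Set-Cookie": ["JSESSIONID=4B4BE61DB23C8858560A7BC35804507F; Path=/; Secure; HttpOnly"],
    "Strict-Transport-Security": ["max-age=31536000; includeSubDomains"],
})
BAD_HTTP = ("http", 200, {
    "Set-Cookie": ["JSESSIONID=4B4BE61DB23C8858560A7BC35804507F; Path=/"],
    "Strict-Transport-Security": ["max-age=60"],
})
```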
  19. HSTS Preloading
      • Not part of the official specification
      • Chrome maintains a list of sites that always use HTTPS
      • Used by Firefox and Safari as well
      • Need to submit the site to be included in the preload list
      • https://hstspreload.appspot.com/
      Header:
        Strict-Transport-Security: max-age=10886400; includeSubDomains; preload
  20. HSTS Browser Support
      http://caniuse.com/#feat=stricttransportsecurity
  21. DEMO
  22. W3C Content Security Policy (CSP)
      • Provides a whitelist to the browser for loading resources
      • Developed by Mozilla and first implemented in Firefox 4
      • Experimental headers:
        • X-Content-Security-Policy
        • X-WebKit-CSP
      • Content Security Policy 1.0: W3C Candidate Recommendation, November 15, 2012
      • HTTP headers:
        • Content-Security-Policy
        • Content-Security-Policy-Report-Only
  23. CSP 1.0 Directives
        Directive     Meaning
        default-src   default source, used for any directives that are not defined
        script-src    sources for JavaScript
        object-src    sources for <object>, <embed>, and <applet>
        style-src     sources for CSS stylesheets
        img-src       sources for images
        media-src     sources for HTML5 <video>, <audio>, <source>, and <track>
        frame-src     sources for <frame> and <iframe>
        font-src      sources for web fonts
        connect-src   sources for XMLHttpRequest, WebSockets, and EventSource
        report-uri    location to send violation reports
        sandbox       specifies the sandbox policy
  24. CSP Source Expressions
        Value                     Meaning
        *                         wildcard, allows all origins
        'self'                    allow the same origin
        'none'                    deny all access
        www.example.com           allow a specific domain
        *.example.com             allow all subdomains of a domain
        https://www.example.com   specific URL
        https:                    require https
        data:                     allow data: URI schemes (base64)
  25. Special Sources
      • 'unsafe-inline'
        • Allows inline content for script-src and style-src
      • 'unsafe-eval'
        • Allows unsafe dynamic evaluation of code, such as JavaScript eval(), in script-src
  26. CSP Examples
      Allow everything from the same origin:
        Content-Security-Policy: default-src 'self'
      Relatively secure:
        Content-Security-Policy:
          default-src 'self'; object-src 'none';
          script-src 'self' https://cdn.com;
          style-src 'self' https://cdn.com
  27. CSP Examples
      Unsafe:
        Content-Security-Policy:
          default-src *;
          script-src * 'unsafe-inline' 'unsafe-eval';
          style-src * 'unsafe-inline'
  28. CSP Examples
      Twitter:
        Content-Security-Policy:
          default-src https:; connect-src https:; font-src https: data:;
          frame-src https: twitter:; img-src https: data:; media-src https:;
          object-src https:;
          script-src 'unsafe-inline' 'nonce-hz5M+L2F+QfMRn8NOtP4jQ==' 'unsafe-eval' https:;
          style-src 'unsafe-inline' https:;
          report-uri https://twitter.com/i/csp_report?a=NVQWGYLXFVZXO2LGOQ%3D%3D%3D%3D%3D%3D&ro=false;
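As an added example that is not part of the deck, a small Python evaluator for CSP 1.0 source expressions (slides 23 to 25), exercised against the policies of slides 26 to 28. It handles the default-src fallback, 'none', 'self', *, scheme sources such as https: and data:, and host wildcards, and treats quoted keywords ('unsafe-inline', 'unsafe-eval', nonces) as non-URL sources. The page origin and resource URLs are constructed.

```python
from urllib.parse import urlsplit

def parse_csp(policy):
    """Split a Content-Security-Policy value into {directive: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def source_matches(expr, url, page_origin):
    """Does one CSP 1.0 source expression allow `url` for a page served from `page_origin`?"""
    u, origin = urlsplit(url), urlsplit(page_origin)
    if expr == "*":                                # wildcard: any origin
        return True
    if expr == "'self'":                           # same scheme, host and port
        return (u.scheme, u.netloc) == (origin.scheme, origin.netloc)
    if expr.endswith(":"):                         # scheme source: https:, data:
        return u.scheme == expr[:-1].lower()
    scheme, _, host = expr.rpartition("://")       # host source, scheme optional
    # CSP 1.0: a host source without a scheme inherits the page's scheme.
    if u.scheme != (scheme.lower() or origin.scheme):
        return False
    if host.startswith("*."):                      # *.example.com does not match example.com
        return u.hostname is not None and u.hostname.endswith(host[1:].lower())
    return u.hostname == host.lower()

def is_allowed(policy, directive, url, page_origin):
    """Evaluate one fetch; an undefined directive falls back to default-src,
    and a policy with neither allows everything for that directive."""
    d = parse_csp(policy)
    sources = d.get(directive, d.get("default-src", ["*"]))
    if "'none'" in sources:
        return False
    # Quoted keywords other than 'self' ('unsafe-inline', 'nonce-...') are not URL sources.
    return any(source_matches(s, url, page_origin)
               for s in sources if s == "'self'" or not s.startswith("'"))

# The deck's "relatively secure" policy and a constructed page origin.
SECURE_POLICY = ("default-src 'self'; object-src 'none'; "
                 "script-src 'self' https://cdn.com; style-src 'self' https://cdn.com")
PAGE = "https://www.example.com"
```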
  29. CSP 1.0 Browser Support
      http://caniuse.com/#feat=contentsecuritypolicy
  30. DEMO
  31. CSP 1.1 and beyond
      • CSP 1.1 (Level 2): W3C Candidate Recommendation, February 19, 2015
      • Added nonce and hash to script-src and style-src
      • Added new directives: base-uri, child-src, form-action, frame-ancestors, plugin-types
      • Additional fields added to the violation report
      • Limited browser support
  32. Q&A - Thanks
      • Blog: http://www.dcepler.net
      • Email: depler@aboutweb.com
      • Twitter: @dcepler
  33. Resources
      • HTTP Headers
        • MIME-Handling Changes in Internet Explorer
          http://blogs.msdn.com/b/ie/archive/2010/10/26/mime-handling-changes-in-internet-explorer.aspx
        • Controlling the XSS Filter
          http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx
        • OWASP: Clickjacking Defense Cheat Sheet
          https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
        • OWASP: Cookie HttpOnly
          https://www.owasp.org/index.php/HttpOnly
        • OWASP: Cookie Secure
          https://www.owasp.org/index.php/SecureFlag
        • Veracode: Guidelines for Security Headers
          https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers
  34. Resources
      • HTTP Strict Transport Security
        • Specification
          https://tools.ietf.org/html/rfc6797
        • OWASP HTTP Strict Transport Security
          https://www.owasp.org/index.php/HTTP_Strict_Transport_Security
        • Mozilla Developer Network
          https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
        • HSTS Preload
          https://hstspreload.appspot.com/
        • IIS Module
          http://hstsiis.codeplex.com/
  35. Resources
      • Content Security Policy
        • CSP 1.0 Candidate Recommendation
          http://www.w3.org/TR/2012/CR-CSP-20121115/
        • CSP 1.1 Candidate Recommendation
          http://www.w3.org/TR/2015/CR-CSP2-20150219/
        • OWASP Content Security Policy
          https://www.owasp.org/index.php/Content_Security_Policy
        • An Introduction to Content Security Policy
          http://www.html5rocks.com/en/tutorials/security/content-security-policy/
        • Content Security Policy Reference
          http://content-security-policy.com/
        • CSP Playground
          http://www.cspplayground.com/
