Analysis of HTTP Security Headers in Turkey
K. Emre KISA & Dr. Emin İslam TATLI
ISC Turkey, 25-26 October 2016
Outline
 01 Web Browsers & Same-Origin Policy
 02 OWASP Top 10
 03 HTTP Security Headers
    CSP 1.0 – 2.0 & Demo
    X-XSS-Protection
    X-Frame-Options & Demo
    Strict-Transport-Security
    Set-Cookie
    X-Content-Type-Options
    X-Download-Options
    X-Permitted-Cross-Domain-Policies
    Public-Key-Pins
 04 Situation in Turkey – Alexa TR Top 500
 05 Further Information
 06 Questions
HTTP Security Headers I 2
01 Web Browsers & Same-Origin Policy
Hyper Text Transfer Protocol
The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems.
HTTP (cont.)
[Diagram: HTTP Request → HTTP Processing → HTTP Response]
Same-Origin Policy
• Scripts contained in a first web page are allowed to access data in a second web page, but only if both web pages have the same origin.
• Same origin: same protocol + same host + same port
02 OWASP Top 10
OWASP Top 10 (slide image)
03 HTTP Security Headers
Content-Security-Policy 1.0
• Content Security Policy is a declarative policy that lets the authors (or server administrators) of a web application inform the client from where the application expects to load resources.
Content-Security-Policy: W3C recommended header, supported by:
• Chrome version 25+
• Firefox version 23+
• Opera version 19+
• Safari version 7+
• Microsoft Edge 12 build 10240+
X-Content-Security-Policy: supported by Internet Explorer.
• Internet Explorer 10+
• Firefox until version 23
X-WebKit-CSP: old header used by Chrome.
• Chrome version 14-25
• Safari 6+
Content-Security-Policy 1.0 (cont.)
• Supported directives
– default-src: the fallback; any of the directives listed below that is not specified explicitly in the policy uses the default sources.
– script-src: restricts which scripts the protected resource can execute.
– object-src: restricts from where the protected resource can load plugins (<object>, <embed> or <applet>).
– style-src: restricts which CSS styles the user agent applies to the protected resource.
– img-src: restricts from where the protected resource can load images.
– media-src: restricts from where the protected resource can load video and audio (<audio>, <video>).
– frame-src: restricts from where the protected resource can embed frames.
– font-src: restricts from where the protected resource can load fonts.
– connect-src: restricts which URIs the protected resource can load using script interfaces (XHR, WebSocket, EventSource).
– sandbox: specifies an HTML sandbox policy that the user agent applies to the protected resource (enforces the same-origin policy, prevents pop-ups, blocks plugins and scripts).
– plugin-types: defines valid MIME types for plugins invoked via <object> and <embed>.
– report-uri: instructs the browser to POST reports of policy failures to this URI.
Content-Security-Policy 1.0 (cont.)
CSP header sample (the // lines are annotations, not part of the header value; keyword sources such as 'none' and 'self' must be written in single quotes, otherwise the browser treats `self` as a host named "self" and the directive silently matches nothing):
Content-Security-Policy:
// By setting the default source to 'none', we minimise the chance of any misconfiguration-related risk
default-src 'none';
// 'self' allows scripts loaded from our own origin only
// We also allow inline JavaScript, the JavaScript eval() function and Google Analytics
script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com;
// We allow plugins from our origin only
object-src 'self';
// We allow style sheets loaded from our origin only
style-src 'self';
// We allow images to be loaded from our origin only
img-src 'self';
// We allow form actions to be directed only towards our origin
form-action 'self';
// We allow audio and video files from our origin only
media-src 'self';
// We allow Ajax XMLHttpRequests to our origin only
connect-src 'self';
// We allow only PDF and Flash plugins to be loaded
plugin-types application/pdf application/x-shockwave-flash;
Content-Security-Policy 1.0 (cont.)
[Browser support chart. Reference: http://caniuse.com]
Content-Security-Policy 2.0
CSP 1.0 did not allow us to hand-pick individual scripts that are safe to run. Thus we either had to allow a domain completely or not run scripts from that domain at all.
Implementing a CSP 2.0 nonce (where $RANDOM is a fresh, unguessable value generated for each response):
Content-Security-Policy: default-src 'self'; script-src 'self' https://example.com 'nonce-$RANDOM'
Sample:
Content-Security-Policy: default-src 'self'; script-src 'self' https://example.com 'nonce-Nc3n83cnSAd3wc3Sasdfn939hc3'
<script>
alert("Blocked because the policy doesn't have 'unsafe-inline'.")
</script>
<script nonce="EDNnf03nceIOfn39fn3e9h3sdfa">
alert("Still blocked because nonce is wrong.")
</script>
<script nonce="Nc3n83cnSAd3wc3Sasdfn939hc3">
alert("Allowed because nonce is valid.")
</script>
<script src="https://example.com/allowed-because-of-src.js"></script>
<script nonce="EDNnf03nceIOfn39fn3e9h3sdfa"
src="https://elsewhere.com/blocked-because-nonce-is-wrong.js"></script>
<script nonce="Nc3n83cnSAd3wc3Sasdfn939hc3"
src="https://elsewhere.com/allowed-because-nonce-is-valid.js"></script>
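The following is an added example, not code from the talk or from the authors' SecurityHeaderChecker, that serves both the CSP 1.0 sample and the CSP 2.0 nonce sample above. It parses a policy into directives, applies the default-src fallback from the directive list, lints the two weaknesses of the 1.0 sample (unquoted keyword sources, and a script-src that admits 'unsafe-inline' / 'unsafe-eval'), and decides whether a given <script> element would run, reproducing the six cases of the nonce sample. It also carries the CSP 2 rule the slide relies on implicitly: once a policy contains a nonce or hash, 'unsafe-inline' is ignored. Function names, the page URL and the wildcard source in the tests are constructed; path matching of host sources is left out.

```python
# Added example (not from the talk): CSP parser, linter and script-allow decision.
import secrets
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Directives that fall back to default-src when absent (the CSP 1.0 list above).
FALLBACK_TO_DEFAULT = {"script-src", "object-src", "style-src", "img-src",
                       "media-src", "frame-src", "font-src", "connect-src"}
KEYWORDS = {"none", "self", "unsafe-inline", "unsafe-eval"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """{directive: [source expressions]}. Directives are ';'-separated, tokens
    whitespace-separated; a repeated directive is ignored (first one wins), as browsers do."""
    policy: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Sources governing `directive`; None means the policy does not restrict it."""
    if directive in policy:
        return policy[directive]
    if directive in FALLBACK_TO_DEFAULT:
        return policy.get("default-src")
    return None


def lint_csp(header: str) -> List[str]:
    """Flag keyword sources written without single quotes (the browser then treats
    `self` as a host called "self") and a script-src permitting inline scripts or
    eval(), which gives an injected payload a way around the policy."""
    policy = parse_csp(header)
    findings = [f"{name}: {s} must be written '{s}'"
                for name, sources in policy.items() for s in sources if s in KEYWORDS]
    for s in effective_sources(policy, "script-src") or []:
        if s in ("'unsafe-inline'", "'unsafe-eval'"):
            findings.append(f"script-src allows {s}")
    return findings


def _port(parts) -> Optional[int]:
    return parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)


def host_source_matches(expr: str, target: str, page: str) -> bool:
    """Match one host-source (https://example.com, *.example.com, https:) against a script URL."""
    t, p = urlsplit(target), urlsplit(page)
    if expr.endswith(":") and "/" not in expr:            # scheme-source such as https:
        return t.scheme == expr[:-1]
    e = urlsplit(expr if "://" in expr else "//" + expr)
    scheme = e.scheme or p.scheme                           # scheme-less source inherits the page's scheme
    host, t_host = e.hostname or "", t.hostname or ""
    host_ok = host == t_host or (host.startswith("*.") and t_host.endswith(host[1:]))
    e_port = e.port if e.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme == t.scheme and host_ok and e_port == _port(t)


def script_allowed(header: str, page_url: str, src: Optional[str] = None,
                   nonce: Optional[str] = None) -> bool:
    """Would a <script src=... nonce=...> (src=None for an inline script) run on
    `page_url` under `header`?"""
    sources = effective_sources(parse_csp(header), "script-src")
    if sources is None:
        return True
    if nonce is not None and f"'nonce-{nonce}'" in sources:
        return True                     # a valid nonce admits inline and external scripts alike
    if src is None:
        # CSP 2 rule: once the policy carries a nonce or hash, 'unsafe-inline' is ignored.
        uses_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in sources)
        return "'unsafe-inline'" in sources and not uses_nonce_or_hash
    p, t = urlsplit(page_url), urlsplit(src)
    for s in sources:
        if s == "'self'":               # same origin: scheme + host + (default-normalised) port
            if (p.scheme, p.hostname, _port(p)) == (t.scheme, t.hostname, _port(t)):
                return True
        elif not s.startswith("'") and host_source_matches(s, src, page_url):
            return True
    return False


def new_nonce() -> str:
    """The $RANDOM of the slide: 128 bits from the OS CSPRNG, base64url-encoded,
    generated afresh for every response and never reused."""
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    policy = ("default-src 'self'; script-src 'self' https://example.com "
              "'nonce-Nc3n83cnSAd3wc3Sasdfn939hc3'")
    page = "https://shop.example.org/"                      # constructed page URL
    good, bad = "Nc3n83cnSAd3wc3Sasdfn939hc3", "EDNnf03nceIOfn39fn3e9h3sdfa"
    cases = [(None, None), (None, bad), (None, good),
             ("https://example.com/allowed-because-of-src.js", None),
             ("https://elsewhere.com/blocked-because-nonce-is-wrong.js", bad),
             ("https://elsewhere.com/allowed-because-nonce-is-valid.js", good)]
    for src, nonce in cases:
        print(f"src={src!r:60} nonce={nonce!r:32} -> {script_allowed(policy, page, src, nonce)}")
    print(lint_csp("default-src none; script-src self unsafe-inline https://ssl.google-analytics.com"))
```

Running the linter over the unquoted 1.0 sample reports every bare keyword; over the quoted version it reports only the two unsafe source expressions, which is the residual XSS exposure a reviewer should weigh against the convenience of inline scripts.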
Content-Security-Policy 2.0 (cont.)
[Demo and browser support chart. Reference: http://caniuse.com]
X-XSS-Protection
• Enables the web browser's built-in XSS (cross-site scripting) protection mechanism.
• Aims to prevent reflected XSS attacks. The browser uses pattern matching between the request and the response to detect and block XSS payloads.
• X-XSS-Protection: 1; mode=block
Whenever an XSS payload is detected by the browser, the default mode only stops the individual script from running. In block mode, however, every script in the page is stopped.
• Web browser support:
– Internet Explorer 8+ (active by default in the Internet, Trusted and Restricted zones; must be manually activated for web pages in the Local Intranet zone).
– Available by default on Chrome version 4+.
X-Frame-Options
• Provides protection against clickjacking / UI redress attacks.
• Click + Hijacking = Clickjacking
• SAMEORIGIN: the page may be framed only if the iframe and the web page are on the same origin.
• DENY: prevents the web page from being displayed in frames on every domain.
• ALLOW-FROM uri: only the given domain is allowed to display our website in frames.
X-Frame-Options: DENY
[Demo slide]
X-Frame-Options: Web Browser Support
[Browser support chart]
HTTP Strict-Transport-Security (HSTS)
HSTS addresses the following threats:
• A user bookmarks or manually types http://example.com and is subject to a man-in-the-middle attacker
– HSTS automatically redirects HTTP requests to HTTPS for the target domain
• A web application that is intended to be purely HTTPS inadvertently contains HTTP links or serves content over HTTP
– HSTS automatically redirects HTTP requests to HTTPS for the target domain
• A man-in-the-middle attacker attempts to intercept traffic from a victim user using an invalid certificate and hopes the user will accept the bad certificate
– HSTS does not allow a user to override the invalid certificate message
Sample:
Strict-Transport-Security: max-age=3153600
  Simplest use case
Strict-Transport-Security: max-age=3153600; includeSubDomains
  HSTS also applies to sub-domains
Strict-Transport-Security: max-age=3153600; includeSubDomains; preload
  Uses the «Preload» list
HTTP Strict-Transport-Security (cont.)
• The «Preload» list is hardcoded in web browsers. The list is maintained by Chrome (https://hstspreload.appspot.com).
Submission requirements:
1. Have a valid certificate.
2. Redirect all HTTP traffic to HTTPS.
3. Make all sub-domains HTTPS (if present in DNS records, including the www subdomain).
4. Serve the HSTS header:
• The max-age must be at least eighteen weeks (10886400 seconds).
• The includeSubDomains directive must be specified.
• The preload directive must be specified.
• If you are serving an additional redirect from your HTTPS site, that redirect must still have the HSTS header (rather than the page it redirects to).
HTTP Strict-Transport-Security (cont.)
[Web browser support chart]
Set-Cookie
• Set-Cookie: name=$RANDOM
– Mainly used to identify the user.
• Set-Cookie: name=$RANDOM; HttpOnly
– Only allows the cookie value to be accessed through HTTP requests.
– JavaScript, Flash etc. are not allowed to access the cookie value.
– The cookie value becomes harder to steal.
• Set-Cookie: name=$RANDOM; HttpOnly; Secure
– Only allows submission of the cookie value over a secure HTTPS channel.
X-Content-Type-Options
• Used to prevent MIME content-sniffing attacks.
• Content sniffing: in the absence of a MIME type, or in some other cases where a client believes it is incorrectly set, browsers may conduct MIME sniffing, which is guessing the correct MIME type by looking at the resource.
• Can be exploited when you are allowed to upload an image, a document etc. to a server and others can access it.
• Attack scenario:
– An attacker injects HTML code into a GIF file and uploads it to the server, bypassing the upload restrictions.
– The victim's browser, trying to display the GIF, decides to do «content sniffing» because of the mismatch between the MIME type and the file content.
– The web browser concludes that the file is an HTML file, serving malicious HTML content to the victim.
• Sample: X-Content-Type-Options: nosniff
X-Download-Options
• If you download an HTML file from a web page and choose to "Open" it in the browser, it will execute in the context of the web site. That means any scripts in that file will also execute with the origin of the web site.
• «X-Download-Options: noopen» forces the browser to download the file rather than execute its contents.
• HTML files that you «open» instead of «save» can access the web site's cookie value.
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies
Sample:
– X-Permitted-Cross-Domain-Policies: none
Cross-domain access is not allowed.
– X-Permitted-Cross-Domain-Policies: master-only
Only our domain is allowed to read crossdomain.xml.
Public-Key-Pins
• Certificate pinning is a security mechanism which allows HTTPS websites to resist impersonation by attackers using mis-issued or otherwise fraudulent certificates.
• The HTTPS web server serves a list of public key hashes, and on subsequent connections clients expect that server to use one or more of those public keys in its certificate chain.
• Pin value = Base64(sha256(certificate's public key))
• Public-Key-Pins: max-age=3000; pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=";
• Browser support [chart]
04 Situation in Turkey
370 (*) of Alexa Turkey Top 500
(*) 130 popular global websites have been filtered out unless Turkey is one of their top 5 visitor countries according to Alexa (Facebook.com, Google.com etc. are filtered out).
[Result charts]
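A survey like the one above is built from a per-site check of the response headers against the recommendations in section 03. The following is an added example of such a check, written for this page; it is neither the authors' SecurityHeaderChecker nor the tool behind securityheaders.io. It parses one raw HTTP response (the sample below is constructed and deliberately weak) and reports each missing or weak header, including the edge case the talk's own numbers expose: an HSTS header with preload but a max-age below the eighteen-week minimum (10886400 seconds) required for the preload list.

```python
# Added example (not the authors' tool): audit one response's security headers.
from typing import Dict, List

PRELOAD_MIN_AGE = 10886400   # eighteen weeks: the preload-list minimum quoted in the talk

# Constructed sample response (not a real site), weak on purpose in several places.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=3153600; includeSubDomains; preload\r\n"
    "X-Frame-Options: ALLOWALL\r\n"
    "X-XSS-Protection: 1\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "Set-Cookie: lang=tr; Path=/; HttpOnly; Secure\r\n"
    "\r\n"
    "<html>...</html>"
)


def parse_response_headers(raw: str) -> Dict[str, List[str]]:
    """Header names lower-cased; values kept as lists because Set-Cookie repeats."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:                  # [0] is the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def _params(value: str) -> Dict[str, str]:
    """'max-age=3153600; includeSubDomains' -> {'max-age': '3153600', 'includesubdomains': ''}"""
    out: Dict[str, str] = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            out[key.lower()] = val.strip().strip('"')
    return out


def audit(headers: Dict[str, List[str]]) -> List[str]:
    """One finding per missing or weak header; an empty list means every check passed."""
    findings: List[str] = []

    def first(name: str):
        return headers.get(name, [None])[0]

    hsts = first("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        p = _params(hsts)
        age = int(p["max-age"]) if p.get("max-age", "").isdigit() else 0
        if "includesubdomains" not in p:
            findings.append("HSTS: includeSubDomains not set")
        if "preload" in p and age < PRELOAD_MIN_AGE:   # preload submission would be rejected
            findings.append(f"HSTS: preload needs max-age >= {PRELOAD_MIN_AGE}, got {age}")

    if first("content-security-policy") is None:
        findings.append("Content-Security-Policy missing")

    xfo = first("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options missing")
    elif xfo.upper() not in ("DENY", "SAMEORIGIN") and not xfo.upper().startswith("ALLOW-FROM "):
        findings.append(f"X-Frame-Options: unrecognised value {xfo!r}, browsers ignore it")

    if (first("x-content-type-options") or "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff not set")

    xss = first("x-xss-protection")
    if xss is None:
        findings.append("X-XSS-Protection missing")
    elif "mode=block" not in xss.replace(" ", "").lower():
        findings.append("X-XSS-Protection: set without mode=block")

    for cookie in headers.get("set-cookie", []):       # every cookie needs both flags
        name = cookie.split("=", 1)[0].strip()
        attrs = _params(cookie)
        for flag, label in (("httponly", "HttpOnly"), ("secure", "Secure")):
            if flag not in attrs:
                findings.append(f"Set-Cookie {name}: {label} flag missing")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_response_headers(SAMPLE_RESPONSE)):
        print("-", finding)
```

To run it against a live site you would feed `audit()` the headers of an HTTPS response instead of the constructed string (for instance the pairs returned by `http.client.HTTPResponse.getheaders()`, grouped by lower-cased name); the audit logic itself is independent of how the response was obtained.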
05 Further Information
Grade your website: https://securityheaders.io/
SecurityHeaderChecker on GitHub: https://github.com/ttemrekisa/securityheaderchecker
Thank you
Questions?
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxTier1 app
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantAxelRicardoTrocheRiq
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024StefanoLambiase
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmSujith Sukumaran
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEEVICTOR MAESTRE RAMIREZ
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptkotipi9215
 

Recently uploaded (20)

(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort ServiceHot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
 
The Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfThe Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdf
 
What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - Infographic
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service Consultant
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalm
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEE
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.ppt
 

Analysis of HTTP Security Headers in Turkey

  • 1. Analysis of HTTP Security Headers in Turkey. K. Emre KISA & Dr. Emin İslam TATLI, ISC Turkey, 25-26 October 2016
  • 2. Outline (HTTP Security Headers I 2)
    01 Web Browsers & Same-Origin Policy
    02 OWASP Top 10
    03 HTTP Security Headers: CSP 1.0 – 2.0 & Demo, X-XSS-Protection, X-Frame-Options & Demo, Strict-Transport-Security, Set-Cookie, X-Content-Type-Options, X-Download-Options, X-Permitted-Cross-Domain-Policies, Public-Key-Pins
    04 Situation in Turkey – Alexa TR Top 500
    05 Further Information
    06 Questions
  • 4. Hypertext Transfer Protocol. The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems.
  • 5. HTTP (cont.): HTTP request → HTTP processing → HTTP response
  • 6. Same-Origin Policy
    • Scripts contained in one web page are allowed to access data in a second web page only if both pages have the same origin.
    • Same origin: same scheme (protocol) + same host + same port.
  • 7. 02 OWASP Top 10
  • 8. OWASP Top 10 (chart)
  • 9. 03 HTTP Security Headers
  • 10. Content-Security-Policy 1.0
    • Content Security Policy (CSP) is a declarative policy that lets the authors (or server administrators) of a web application tell the client from where the application expects to load resources; anything not covered by the policy is blocked by the browser.
    Header names and browser support:
    • Content-Security-Policy: the W3C recommended header, supported by Chrome 25+, Firefox 23+, Opera 19+, Safari 7+ and Microsoft Edge 12 (build 10240+)
    • X-Content-Security-Policy: experimental header supported by Internet Explorer 10+ (sandbox directive only) and by Firefox up to version 23
    • X-WebKit-CSP: old header used by Chrome 14-25 and Safari 6+
  • 11. Content-Security-Policy 1.0 (cont.). Supported directives:
    – default-src: fallback; a directive below that is not specified explicitly uses the default sources,
    – script-src: restricts which scripts the protected resource can execute,
    – object-src: restricts from where the protected resource can load plugins (<object>, <embed>, <applet>),
    – style-src: restricts from where stylesheets can be loaded and whether inline styles are allowed,
    – img-src: restricts from where the protected resource can load images,
    – media-src: restricts from where the protected resource can load video and audio (<audio>, <video>),
    – frame-src: restricts from where the protected resource can embed frames,
    – font-src: restricts from where the protected resource can load fonts,
    – connect-src: restricts which URIs the protected resource can reach through script interfaces (XMLHttpRequest, WebSocket, EventSource),
    – sandbox: applies an HTML sandbox policy to the protected resource (the content is treated as a unique origin under the same-origin policy; pop-ups, plugins and scripts are blocked),
    – plugin-types: defines the valid MIME types for plugins invoked via <object> and <embed>,
    – report-uri: instructs the browser to POST a JSON report of every policy violation to this URI (combined with the Content-Security-Policy-Report-Only header this lets a policy be tested without enforcing it).
    Note: plugin-types, like form-action on the next slide, was introduced with CSP Level 2; the other directives listed here are CSP 1.0.
  • 12. Content-Security-Policy 1.0 (cont.). CSP header sample. Source keywords must be written in single quotes ('self', 'none', 'unsafe-inline', 'unsafe-eval'); the original slide omitted the quotes, and an unquoted self or none is parsed as a host name, so the policy would not match the site's own origin at all. A header value cannot carry // comments either, so the explanation is given after each directive; on the wire the whole value is a single line.
    Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com; object-src 'self'; style-src 'self'; img-src 'self'; form-action 'self'; media-src 'self'; connect-src 'self'; plugin-types application/pdf application/x-shockwave-flash
    default-src 'none': the fallback for every directive not listed is "nothing", so a forgotten resource type fails closed and mis-configuration risk is minimised.
    script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com: scripts from our own origin and from Google Analytics. 'unsafe-inline' and 'unsafe-eval' additionally permit inline <script> blocks and eval(), which is exactly what an injected XSS payload needs, so they cancel most of the protection CSP offers; slide 14 shows the nonce alternative.
    object-src 'self': plugins from our domain only.
    style-src 'self', img-src 'self', media-src 'self': stylesheets, images, audio and video from our domain only.
    form-action 'self': forms may only be submitted to our domain (CSP Level 2 directive).
    connect-src 'self': XMLHttpRequest, WebSocket and EventSource connections to our domain only.
    plugin-types application/pdf application/x-shockwave-flash: only the PDF and Flash plugins may be loaded (CSP Level 2 directive).
  • 13. Content-Security-Policy 1.0 (cont.): browser support table. Reference: http://caniuse.com
  • 14. Content-Security-Policy 2.0. CSP 1.0 did not let us hand-pick individual scripts that are safe to run: either a whole host was allowed or nothing from it was. CSP Level 2 adds nonces (and hashes, 'sha256-<base64 digest of the script body>') for exactly that.
    Implementing a CSP 2.0 nonce:
    Content-Security-Policy: default-src 'self'; script-src 'self' https://example.com 'nonce-$RANDOM'
    $RANDOM must be generated fresh for every response from a cryptographic random generator and never reused; a static or predictable nonce is as good as 'unsafe-inline', because the attacker can put it on the injected script tag too. Once a nonce or hash is present in script-src, browsers ignore 'unsafe-inline' in that directive.
    Sample:
    Content-Security-Policy: default-src 'self'; script-src 'self' https://example.com 'nonce-Nc3n83cnSAd3wc3Sasdfn939hc3'
    <script> alert("Blocked because the policy doesn't have 'unsafe-inline'.") </script>
    <script nonce="EDNnf03nceIOfn39fn3e9h3sdfa"> alert("Still blocked because the nonce is wrong.") </script>
    <script nonce="Nc3n83cnSAd3wc3Sasdfn939hc3"> alert("Allowed because the nonce is valid.") </script>
    <script src="https://example.com/allowed-because-of-src.js"></script>
    <script nonce="EDNnf03nceIOfn39fn3e9h3sdfa" src="https://elsewhere.com/blocked-because-nonce-is-wrong.js"></script>
    <script nonce="Nc3n83cnSAd3wc3Sasdfn939hc3" src="https://elsewhere.com/allowed-because-nonce-is-valid.js"></script>
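The decisions slides 12 and 14 describe (default-src fallback, quoted keywords, nonces overriding 'unsafe-inline') can be checked mechanically. The following is an added example written for this page, not code from the presentation: a small CSP parser that evaluates whether a given script would run under a policy, plus a linter for the mistakes the slide sample contains. The page origin https://site.example, the script URLs and the sample policies are constructed, and the host matching is simplified (scheme, host, optional port and a leading "*." wildcard; paths are ignored).

```python
"""CSP policy parser, script-source evaluator and linter for the slide's CSP 1.0/2.0
examples. Added example, not code from the original presentation; the page origin
https://site.example and the script URLs used here are constructed."""
import secrets
from urllib.parse import urlsplit

# Fetch directives that fall back to default-src when not listed explicitly (slide 11).
FETCH_DIRECTIVES = {"script-src", "object-src", "style-src", "img-src",
                    "media-src", "frame-src", "font-src", "connect-src"}


def parse_csp(header):
    """Split 'directive src src; directive src' into {directive: [sources]}.
    Directive names are case-insensitive; a repeated directive is ignored."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy, directive):
    """Apply the default-src fallback; None means no restriction applies at all."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES and "default-src" in policy:
        return policy["default-src"]
    return None


def host_matches(source, url, page_origin):
    """Simplified host-source matching: 'self', '*', scheme://host[:port] and a
    leading '*.' wildcard; paths are ignored. Nonces/hashes never match a host."""
    u = urlsplit(url)
    if source.startswith("'"):                      # keyword, nonce or hash
        p = urlsplit(page_origin)
        return source == "'self'" and (u.scheme, u.hostname, u.port) == (p.scheme, p.hostname, p.port)
    if source == "*":
        return True
    if "://" not in source:                         # scheme-less host-source inherits the page scheme
        source = f"{u.scheme}://{source}"
    s = urlsplit(source)
    host = s.hostname or ""
    if host.startswith("*."):
        host_ok = u.hostname is not None and u.hostname.endswith(host[1:])
    else:
        host_ok = u.hostname == host
    return s.scheme == u.scheme and host_ok and (s.port is None or s.port == u.port)


def script_allowed(policy, page_origin, src=None, nonce=None):
    """Would the browser execute this script? src=None means an inline script."""
    sources = effective_sources(policy, "script-src")
    if sources is None:
        return True                                 # no script-src and no default-src
    if sources == ["'none'"]:
        return False
    if nonce is not None and f"'nonce-{nonce}'" in sources:
        return True                                 # CSP 2: a valid nonce wins, inline or external
    if src is None:
        # CSP 2: once a nonce or hash is present, 'unsafe-inline' is ignored.
        uses_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources)
        return "'unsafe-inline'" in sources and not uses_nonce_or_hash
    return any(host_matches(s, src, page_origin) for s in sources)


def lint_csp(policy):
    """Misconfigurations worth flagging in an audit of a deployed policy."""
    findings = []
    if "default-src" not in policy:
        findings.append("no default-src: any fetch directive left out is unrestricted")
    for name, sources in policy.items():
        for s in sources:
            if s in ("self", "none", "unsafe-inline", "unsafe-eval"):
                findings.append(f"{name}: {s} must be quoted; unquoted it is a host named {s}")
        if name in ("default-src", "script-src"):
            if "'unsafe-inline'" in sources and not any(s.startswith(("'nonce-", "'sha")) for s in sources):
                findings.append(f"{name}: 'unsafe-inline' lets injected inline script run")
            if "'unsafe-eval'" in sources:
                findings.append(f"{name}: 'unsafe-eval' allows eval()/new Function()")
            if "*" in sources:
                findings.append(f"{name}: * allows scripts from any host")
    return findings


def make_nonce():
    """A fresh, unguessable nonce; generate one per response and never reuse it."""
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    policy = parse_csp("default-src 'self'; script-src 'self' https://example.com "
                       "'nonce-Nc3n83cnSAd3wc3Sasdfn939hc3'")
    print(script_allowed(policy, "https://site.example"))                                       # inline, no nonce
    print(script_allowed(policy, "https://site.example", nonce="Nc3n83cnSAd3wc3Sasdfn939hc3"))  # valid nonce
    print(lint_csp(parse_csp("default-src none; script-src self unsafe-inline unsafe-eval")))   # slide 12 as written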
  • 16. Content-Security-Policy 2.0: browser support table. Reference: http://caniuse.com
  • 17. X-XSS-Protection
    • Enables the web browser's built-in XSS (cross-site scripting) filter.
    • Aims to prevent reflected XSS: the browser looks for script in the request that is echoed back in the response and neutralises it. It does nothing against stored or DOM-based XSS.
    • X-XSS-Protection: 1; mode=block. With the value 1 the browser only removes the individual script it detected and renders the rest of the page; with mode=block it refuses to render the page at all. The value 0 turns the filter off. (The slide wrote "1 mode=block" without the semicolon; that form is not valid.)
    • Browser support: Internet Explorer 8+ (on by default in the Internet, Trusted and Restricted zones, must be enabled manually for the Local Intranet zone); Chrome 4+ (on by default).
    • Caveat: the filter was later removed from Chrome (version 78) and from Edge, and Firefox never implemented it; today CSP is the control to rely on and this header is at most a legacy extra.
  • 18. X-Frame-Options
    • Provides protection against clickjacking / UI redress attacks (click + hijacking = clickjacking): the attacker frames the target page, invisibly, inside a page under their control and tricks the victim into clicking on it.
    • DENY: the page may not be displayed in a frame on any site, not even its own.
    • SAMEORIGIN: the page may be framed only by pages of the same origin.
    • ALLOW-FROM uri: only the given origin may frame the page. Honoured by Internet Explorer and Firefox only; Chrome and Safari do not recognise the value, ignore the header and apply no framing restriction at all, so the CSP frame-ancestors directive is the safer way to express this case.
  • 19. X-Frame-Options: DENY (demo)
  • 20. X-Frame-Options: web browser support table
  • 21. HTTP Strict-Transport-Security (HSTS). HSTS addresses the following threats:
    • The user bookmarks or manually types http://example.com and is subject to a man-in-the-middle attacker: for an HSTS domain the browser rewrites the HTTP request to HTTPS before it leaves the machine.
    • A web application that is intended to be purely HTTPS inadvertently contains HTTP links or serves content over HTTP: the browser upgrades those requests to HTTPS in the same way.
    • A man-in-the-middle attacker presents an invalid certificate and hopes the user will click through the warning: on an HSTS host the browser does not let the user override the certificate error.
    Samples:
    Strict-Transport-Security: max-age=31536000   (simplest use case; max-age is in seconds, here one year. The slide's value 3153600 is only 36 days and would fail the preload requirement on the next slide, so 31536000 is assumed to be the intended figure.)
    Strict-Transport-Security: max-age=31536000; includeSubDomains   (the policy also covers all sub-domains)
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload   (declares the site eligible for the browsers' preload list)
    Caveats: the browser honours the header only when it arrives over HTTPS, and a user's very first visit (before the header has ever been seen) is unprotected unless the domain is on the preload list.
  • 22. HTTP Strict-Transport-Security (cont.). The preload list is hard-coded into the web browsers; it is maintained by the Chrome team (https://hstspreload.appspot.com, now https://hstspreload.org) and the other vendors take it over.
    Submission requirements (as stated in 2016):
    1. Have a valid certificate.
    2. Redirect all HTTP traffic to HTTPS.
    3. Serve all sub-domains over HTTPS (every name present in DNS, including the www sub-domain).
    4. Serve the HSTS header on the base domain:
       • max-age of at least eighteen weeks (10886400 seconds); the list now requires one year (31536000),
       • the includeSubDomains directive must be specified,
       • the preload directive must be specified,
       • if the HTTPS site issues a further redirect, that redirect itself must still carry the HSTS header (rather than only the page it redirects to).
    Preloading is hard to undo: removal takes browser release cycles to reach users, so every sub-domain must really be HTTPS-ready before submitting.
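A checker for the header syntax of slide 21 and the preload requirements of slide 22, as an added example that is not part of the presentation. The thresholds are the ones the slides state (eighteen weeks for preload, with one year as the commonly recommended max-age) and the sample headers are constructed; the max-age=3153600 case is the typo from slide 21.

```python
"""Parse Strict-Transport-Security and check it against the preload submission
requirements listed on the slide. Added example, not the presentation's code;
thresholds are the slide's, sample headers are constructed."""

ONE_YEAR = 31536000               # the commonly recommended max-age
PRELOAD_MIN_MAX_AGE = 10886400    # eighteen weeks, the requirement quoted on the slide


def parse_hsts(header):
    """'max-age=31536000; includeSubDomains; preload' ->
    {'max-age': '31536000', 'includesubdomains': '', 'preload': ''}.
    Directive names are case-insensitive; a repeated directive is ignored."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            directives.setdefault(name.strip().lower(), value.strip().strip('"'))
    return directives


def check_hsts(header, for_preload=False):
    """Return a list of findings; an empty list means the header is sound."""
    findings = []
    d = parse_hsts(header)
    if not d.get("max-age", "").isdigit():
        return ["max-age missing or not an integer: the header is ignored by browsers"]
    max_age = int(d["max-age"])
    if max_age == 0:
        findings.append("max-age=0 removes the policy from the browser")
    elif max_age < ONE_YEAR:
        findings.append(f"max-age={max_age} is only {max_age // 86400} days; one year is the usual minimum")
    if "includesubdomains" not in d:
        # Without it an http:// sub-domain can still receive cookies scoped to the parent domain.
        findings.append("includeSubDomains missing: sub-domains stay reachable over plain HTTP")
    if for_preload:
        if max_age < PRELOAD_MIN_MAX_AGE:
            findings.append(f"preload: max-age must be at least {PRELOAD_MIN_MAX_AGE}")
        if "preload" not in d:
            findings.append("preload: the preload directive must be present")
    return findings


if __name__ == "__main__":
    for sample in ("max-age=3153600",                                  # slide 21 as printed
                   "max-age=31536000; includeSubDomains; preload"):    # preload-ready
        print(sample, "->", check_hsts(sample, for_preload=True) or "ok")
```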
  • 23. HTTP Strict-Transport-Security (cont.): web browser support table
  • 24. Set-Cookie
    • Set-Cookie: session=$RANDOM – a plain cookie, mainly used to identify the user (session).
    • Set-Cookie: session=$RANDOM; HttpOnly – the cookie is still sent with every HTTP request, but JavaScript (document.cookie), Flash and other client-side code cannot read it, so an XSS payload cannot simply exfiltrate the session identifier; the cookie value becomes much harder to steal.
    • Set-Cookie: session=$RANDOM; HttpOnly; Secure – the cookie is only sent over a secure HTTPS channel, never in clear text.
    Caveat: Secure stops a network attacker from reading the cookie but not from setting one via an http:// response for the same domain (cookie injection); HSTS with includeSubDomains, and the __Host- cookie prefix in newer browsers, close that gap.
  • 25. X-Content-Type-Options
    • Used to prevent MIME content-sniffing attacks.
    • Content sniffing: when the MIME type is absent, or in some other cases where the browser believes it is set incorrectly, the browser may guess the real type by inspecting the bytes of the resource.
    • Exploitable wherever users are allowed to upload an image, a document etc. to a server that other users then fetch it from.
    • Attack scenario:
      – The attacker embeds HTML (with script) in a GIF file and uploads it, bypassing the upload checks, which only see a valid GIF.
      – A victim's browser fetching the "image" notices that the content does not match the declared MIME type and starts sniffing.
      – The browser concludes that the file is HTML and renders it, running the attacker's script in the origin of the web site.
    • Sample: X-Content-Type-Options: nosniff
    • With nosniff the browser trusts the declared Content-Type, so the server must send a correct one; nosniff also makes the browser refuse scripts and stylesheets served with a wrong type.
  • 26. X-Download-Options
    • If a user downloads an HTML file from a web site and chooses "Open" in Internet Explorer's download dialog, the file is rendered in the context of that web site: any script in it runs with the site's origin and can read the site's cookies.
    • X-Download-Options: noopen removes the "Open" option, so the user has to save the file first and open it from disk, outside the site's origin.
    • Internet Explorer only; other browsers ignore the header.
  • 27. X-Permitted-Cross-Domain-Policies. Tells Adobe Flash and Acrobat/Reader clients whether they may use cross-domain policy files (crossdomain.xml) from this host; such a file would let a SWF or PDF loaded from another site read data from our domain.
    – X-Permitted-Cross-Domain-Policies: none – no policy file is permitted; cross-domain access is not allowed at all.
    – X-Permitted-Cross-Domain-Policies: master-only – only the master policy file, /crossdomain.xml at the root of our domain, is honoured.
  • 28. Public-Key-Pins
    • Certificate (public-key) pinning is a security mechanism that allows HTTPS web sites to resist impersonation by attackers using mis-issued or otherwise fraudulent certificates.
    • The HTTPS web server sends a list of public-key hashes; on subsequent connections the client expects at least one of those keys to appear in the server's certificate chain.
    • pin-sha256 = Base64(SHA-256(SubjectPublicKeyInfo)): the hash is taken over the DER-encoded public key (SPKI) of a certificate in the chain, not over the whole certificate, so a pin survives certificate renewal as long as the key pair is kept.
    • Public-Key-Pins: max-age=3000; pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM="; – browsers only enforce the header when it carries at least two pins, one of them a backup key that is not in the current chain, and when it arrives over a validly authenticated connection; a single pin as in this sample is ignored.
    • Browser support (table on the slide): Chrome, Firefox and Opera at the time. HPKP was later deprecated and removed (Chrome 72), because a wrong pin locks every user out of the site for max-age seconds; Certificate Transparency took over its role.
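The headers of slides 17 to 27 are simple enough to audit with a few string checks, which is the kind of per-site scoring a survey like section 04 needs. The following is an added example written for this page, not the presentation's own tooling: it takes one response's headers and reports, per check, whether the header is present and sound. SAMPLE_RESPONSE is a constructed set of headers (it deliberately contains the slide's "1 mode=block" spelling and a session cookie without flags), not a capture from any real site; HSTS is only checked for presence here.

```python
"""Audit the response headers discussed on slides 17-27. Added example, not the
presentation's tooling; SAMPLE_RESPONSE is constructed, not captured from a site."""
import re

# Constructed response of the kind the Alexa TR survey would have seen.
SAMPLE_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1 mode=block",            # missing ';' as on slide 17: invalid
    "Set-Cookie": ["PHPSESSID=abc123; Path=/",      # session cookie without HttpOnly/Secure
                   "lang=tr; Path=/; HttpOnly; Secure"],
}


def cookie_flags(set_cookie):
    """'name=value; Path=/; HttpOnly; Secure' -> ('name', {'path', 'httponly', 'secure'})"""
    pair, *attrs = set_cookie.split(";")
    name = pair.split("=", 1)[0].strip()
    return name, {a.strip().split("=", 1)[0].lower() for a in attrs if a.strip()}


def audit_headers(headers):
    """Return {check: (passed, note)}; 'Set-Cookie' may be a single value or a list."""
    h = {k.lower(): v for k, v in headers.items()}
    result = {}

    xfo = h.get("x-frame-options")
    if xfo is None:
        result["x-frame-options"] = (False, "missing: page can be framed (clickjacking)")
    elif xfo.strip().upper() in ("DENY", "SAMEORIGIN"):
        result["x-frame-options"] = (True, xfo.strip().upper())
    elif xfo.strip().upper().startswith("ALLOW-FROM "):
        result["x-frame-options"] = (True, "ALLOW-FROM: honoured by IE and Firefox only")
    else:   # e.g. ALLOWALL: browsers ignore an unknown value, so no protection
        result["x-frame-options"] = (False, f"unrecognised value {xfo!r}: browsers ignore it")

    xcto = h.get("x-content-type-options", "")
    result["x-content-type-options"] = (xcto.strip().lower() == "nosniff",
                                        xcto or "missing: MIME sniffing possible")

    xxp = h.get("x-xss-protection", "")
    ok = re.fullmatch(r"1\s*;\s*mode=block", xxp.strip().lower()) is not None
    result["x-xss-protection"] = (ok, xxp or "missing")

    hsts = h.get("strict-transport-security")
    result["strict-transport-security"] = (hsts is not None, hsts or "missing")

    xdo = h.get("x-download-options", "")
    result["x-download-options"] = (xdo.strip().lower() == "noopen", xdo or "missing (IE only)")

    xpcdp = h.get("x-permitted-cross-domain-policies", "")
    result["x-permitted-cross-domain-policies"] = (xpcdp.strip().lower() in ("none", "master-only"),
                                                   xpcdp or "missing")

    cookies = h.get("set-cookie", [])
    for raw in ([cookies] if isinstance(cookies, str) else cookies):
        name, flags = cookie_flags(raw)
        missing = [f for f in ("HttpOnly", "Secure") if f.lower() not in flags]
        result[f"set-cookie:{name}"] = (not missing, "ok" if not missing else "missing " + ", ".join(missing))
    return result


def score(result):
    """(passed, total): the per-site figure a survey would tabulate."""
    return sum(1 for ok, _ in result.values() if ok), len(result)


if __name__ == "__main__":
    report = audit_headers(SAMPLE_RESPONSE)
    for check, (passed, note) in report.items():
        print(f"{'PASS' if passed else 'FAIL'} {check}: {note}")
    print("score:", score(report))
```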
  • 29. 04 Situation in Turkey
  • 30. 370 (*) of the Alexa Turkey Top 500 sites were analysed. (*) 130 popular global web sites (Facebook.com, Google.com etc.) were filtered out unless Turkey is among their top 5 visitor countries according to Alexa.
  • 31. (results chart)
  • 32. (results chart)
  • 36. Thank you. Questions?