HTTP Security Headers
Ismael Gonçalves
Mar/2017
https://sharingsec.blogspot.com
Agenda
• About me
• HTTP security headers
• HTTP Strict Transport Security (HSTS)
• HTTP Public Key Pins (HPKP)
• X-Frame-Options
• X-XSS-Protection
• Content Security Policy (CSP)
• Set-Cookie options
• X-Content-Type-Options
• Referrer-Policy
• Conclusion
• References
About me
• Senior Security Consultant
• 10 years of application security work (coding, defense, attack)
• OWASP contributor (Brasília chapter, Top Ten Cheatsheet, OWASP Testing Guide)
• Practitioner of responsible vulnerability disclosure
• ISC2 volunteer for CISSP exam questions
• Independent researcher
HTTP security headers
• Evolution of the security model
• Protection of the communication channel
• Client-side security
• Enforcement of security policies in the browser
Typical HTTP request
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.110 Mobile Safari/537.36
Host: www.exemplo.com
Accept: */*

HTTP/1.1 200 OK
Date: Fri, 17 Mar 2017 07:45:30 GMT
Server: Apache/2.2.8 (Ubuntu) DAV/2
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 891
Content-Type: text/html
Typical HTTP request (same exchange, with security headers in the response)
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.110 Mobile Safari/537.36
Host: www.exemplo.com
Accept: */*

HTTP/1.1 200 OK
Date: Fri, 17 Mar 2017 07:45:30 GMT
Server: Apache/2.2.8 (Ubuntu) DAV/2
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 891
Content-Type: text/html
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
HTTP Strict Transport Security (HSTS)
Strict-Transport-Security: max-age=<expire-time>
Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
Strict-Transport-Security: max-age=<expire-time>; preload
Typical traffic for a site served over HTTP/HTTPS
http://www.exemplo.com
GET / HTTP/1.0
Host: www.exemplo.com

301 Moved Permanently
Content-Length: 0
Location: https://www.exemplo.com

https://www.exemplo.com
GET / HTTP/1.0
Host: www.exemplo.com
SSLStrip (diagram)
Client -> attacker in the middle: GET http://www.exemplo.com
Attacker -> server: GET https://www.exemplo.com
Server -> attacker: HTML response
Attacker -> client: modified HTML response, in cleartext
HSTS support
http://caniuse.com/#feat=stricttransportsecurity
HSTS - under the hood
HSTS - Considerations
- Applicable to sites that serve all of their content over HTTPS
- Deployment difficulty with L7 routing
- The preload list ALWAYS includes subdomains
- Removal can take months, since it ships with browser updates
- Mitigates SSLStrip attacks and, potentially, SSLStrip2 with preload + includeSubDomains
- Protection against MITM attacks that present invalid certificates
HTTP Public Key Pins (HPKP)
Public-Key-Pins: pin-sha256=<base64==>; max-age=<expireTime>;
Public-Key-Pins: pin-sha256=<base64==>; max-age=<expireTime>; includeSubDomains
Public-Key-Pins: pin-sha256=<base64==>; max-age=<expireTime>; report-uri=<reportURI>
Valid response with HPKP headers
HTTP/1.1 200 OK
Server: GitHub.com
Status: 200 OK
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
Public-Key-Pins: max-age=5184000;
  pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18=";
  pin-sha256="RRM1dGqnDFsCJXBTHky16vi1obOlCgFFn/yOhI/y+ho=";
  pin-sha256="k2v657xBsOVe1PQRwOsHsw3bsGT2VzIqz5K+59sNQws=";
  pin-sha256="K87oWBWM9UZfyddvDfoxL+8lpNyoUB2ptGtn0fv6G2Q=";
  pin-sha256="IQBnNBEiFuhj+8x6X8XLgh01V9Ic5/V3IRQLNFFc7v4=";
  pin-sha256="iie1VXtL7HzAMF+/PVPR9xzT80kQxdZeJ+zduCB3uj0=";
  pin-sha256="LvRiGEjRqfzurezaWuj8Wie2gyHMrW5Q06LspMnox7A=";
  includeSubDomains
Vary: Accept-Encoding
X-Served-By: d41662224d8c44f09604b862e979767a
X-GitHub-Request-Id: B36F2320:987D:E88A2AC:5741D913
Public Key Pins support
http://caniuse.com/#feat=publickeypinning
HTTP Public Key Pins - Considerations
- Requires maturity
- Report-only mode (Public-Key-Pins-Report-Only)?
- Mitigates MITM?
- Internal CA?
- Chrome/Firefox support (so far)
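Added example (not from the original slides): the acceptance checks a browser runs on a Public-Key-Pins header before storing it (RFC 7469), which is where the "requires maturity" caveat bites. A pin set with fewer than two pins, with no pin matching the served chain, or with no backup pin (one that is NOT in the served chain) is silently ignored, and a later connection is only allowed if at least one stored pin matches an SPKI in its chain. The SPKI byte strings are constructed stand-ins, not real keys.

```python
"""HPKP header acceptance and connection validation, modelled on RFC 7469.
Added example, not code from the slides; SPKI blobs below are constructed."""
import base64
import hashlib
import re

PIN_RE = re.compile(r'pin-sha256="([^"]+)"')


def spki_pin(spki_der):
    """pin-sha256 value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def parse_hpkp(header):
    """Return (pins, max_age, include_subdomains, report_uri) from a header value."""
    pins = PIN_RE.findall(header)
    max_age = None
    include_sub = False
    report_uri = None
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "report-uri":
            report_uri = value
    return pins, max_age, include_sub, report_uri


def hpkp_header_accepted(header, chain_spkis):
    """True if a browser would store this pin set for the host that served it."""
    pins, max_age, _, _ = parse_hpkp(header)
    if max_age is None or len(pins) < 2:
        return False
    chain_pins = {spki_pin(s) for s in chain_spkis}
    matches_chain = any(p in chain_pins for p in pins)      # pins the key actually in use
    has_backup = any(p not in chain_pins for p in pins)     # backup pin, not in the chain
    return matches_chain and has_backup


def connection_allowed(stored_pins, chain_spkis):
    """Once pinned, a later chain must contain at least one pinned SPKI."""
    chain_pins = {spki_pin(s) for s in chain_spkis}
    return any(p in chain_pins for p in stored_pins)


# Constructed stand-ins for DER-encoded SPKIs (real ones come from the certificate chain).
LEAF_SPKI = b"constructed-leaf-spki"
INTERMEDIATE_SPKI = b"constructed-intermediate-spki"
BACKUP_SPKI = b"constructed-backup-key-spki"      # key kept offline, not in any served cert yet
ROGUE_SPKI = b"constructed-mitm-spki"             # key a MITM would present


def demo_header(*spkis):
    """Build a Public-Key-Pins value pinning the given SPKIs."""
    pins = "; ".join(f'pin-sha256="{spki_pin(s)}"' for s in spkis)
    return f"max-age=5184000; {pins}; includeSubDomains"
```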
Trivia (HSTS, HPKP, static pinning)
- Static pins (Chromium.org)
- https://cs.chromium.org/chromium/src/net/http/transport_security_state_static.json
- Google, Facebook, Twitter, Dropbox, Yahoo, Tor
- 23k+ domains using HSTS preload
- 180 .br domains
X-Frame-Options
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
X-Frame-Options: ALLOW-FROM https://example.com/
Clickjacking Attack
https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)
X-Frame-Options support
http://caniuse.com/#feat=x-frame-options
X-Frame-Options - Considerations
- Does your site need to be opened by another site inside a frame?
- Does not support more than one domain in ALLOW-FROM
- CSP 2 frame-ancestors
- Mitigates clickjacking
X-XSS-Protection
X-XSS-Protection: 0
X-XSS-Protection: 1
X-XSS-Protection: 1; mode=block
Cross-Site Scripting (XSS) Attack
X-XSS-Protection support
https://developer.mozilla.org/pt-BR/docs/Web/HTTP/Headers/X-XSS-Protection
X-XSS-Protection - Considerations
- Protection against reflected XSS only
- Not supported by Firefox
- Known problems with the XSS filter
Content Security Policy (CSP)
Content-Security-Policy: <policy>; <policy>
Content Security Policy (CSP)
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
CSP example
Response from https://twitter.com/
Content-Security-Policy: script-src 'nonce-7tS2MKRWrGdmy1/R72jiDQ==' https://connect.facebook.net https://cm.g.doubleclick.net https://ssl.google-analytics.com https://graph.facebook.com https://twitter.com 'unsafe-eval' https://*.twimg.com https://api.twitter.com https://analytics.twitter.com https://publish.twitter.com https://ton.twitter.com https://syndication.twitter.com https://www.google.com https://t.tellapart.com https://platform.twitter.com https://www.google-analytics.com 'self';
  frame-ancestors 'self';
  font-src https://twitter.com https://*.twimg.com data: https://ton.twitter.com https://fonts.gstatic.com https://maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self';
  media-src https://twitter.com https://*.twimg.com https://ton.twitter.com blob: 'self';
  connect-src https://graph.facebook.com https://*.giphy.com https://*.twimg.com https://api.twitter.com https://pay.twitter.com https://analytics.twitter.com https://*.twprobe.net https://media.riffsy.com https://embed.periscope.tv https://upload.twitter.com 'self';
  style-src https://fonts.googleapis.com https://twitter.com https://*.twimg.com https://translate.googleapis.com https://ton.twitter.com 'unsafe-inline' https://platform.twitter.com https://maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self';
  object-src https://twitter.com https://pbs.twimg.com;
  default-src 'self';
  frame-src https://staticxx.facebook.com https://twitter.com https://*.twimg.com https://5415703.fls.doubleclick.net https://player.vimeo.com https://pay.twitter.com https://www.facebook.com https://ton.twitter.com https://syndication.twitter.com https://vine.co twitter: https://www.youtube.com https://platform.twitter.com https://upload.twitter.com https://s-static.ak.facebook.com https://4337974.fls.doubleclick.net 'self' https://donate.twitter.com;
  img-src https://graph.facebook.com https://*.giphy.com https://twitter.com https://*.twimg.com https://ad.doubleclick.net data: https://lumiere-a.akamaihd.net https://fbcdn-profile-a.akamaihd.net https://www.facebook.com https://ton.twitter.com https://*.fbcdn.net https://syndication.twitter.com https://media.riffsy.com https://www.google.com https://stats.g.doubleclick.net https://api.mapbox.com https://www.google-analytics.com blob: 'self';
  report-uri https://twitter.com/i/csp_report?a=NVQWGYLXFVZXO2LGOQ%3D%3D%3D%3D%3D%3D&ro=false;
Set-Cookie: fm=0; Expires=Tue, 28 Mar 2017 11:35:01 UTC; Path=/; Domain=.twitter.com; Secure; HTTPOnly
Strict-Transport-Security: max-age=631138519
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content Security Policy (CSP) support
http://caniuse.com/#feat=contentsecuritypolicy2
Content Security Policy (CSP) - Considerations
- Implementation difficulty: inline scripts have to be removed
<html>
<head>
<script>var msg = 'javascript inline'; alert(msg);</script>
</head>
<body>Ola!</body></html>
- 'unsafe-inline' and 'unsafe-eval' can undermine the whole effort
- Protection against XSS (reflected/stored), but is it definitive?
- Protection against clickjacking
- Not supported by all browsers
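Added example (not from the original slides): a small evaluator for the script-src part of a policy, applied to the inline script above. It shows the script blocked under default-src 'self', allowed again once 'unsafe-inline' is added, and allowed selectively when the tag carries a per-response nonce (at which point CSP2 browsers ignore 'unsafe-inline'). Page URL, policies and nonce values are constructed for the demo; path and port matching in source expressions is deliberately left out.

```python
"""Simplified CSP script-src evaluation. Added example, not code from the slides;
the page URL, policies and nonce values are constructed."""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit


def parse_csp(header):
    """'script-src a b; default-src c' -> {'script-src': ['a', 'b'], 'default-src': ['c']}"""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def origin_of(url):
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}".lower()


def source_matches(source, url, page_origin):
    """Match one source expression ('self', scheme:, [scheme://]host-with-wildcards)
    against a script URL. Paths and ports are ignored in this simplified model."""
    if source == "'self'":
        return origin_of(url) == page_origin
    if source.endswith(":"):                      # scheme-source such as data: or blob:
        return url.split(":", 1)[0].lower() == source[:-1].lower()
    scheme, _, host = source.rpartition("://")
    u = urlsplit(url)
    if scheme and scheme.lower() != u.scheme:     # https://*.twimg.com does not match http://
        return False
    return fnmatchcase((u.hostname or "").lower(), host.lower())


def script_allowed(header, page_url, src=None, nonce=None, is_eval=False):
    """Decide whether a script is permitted by the policy.
    src=None means an inline <script>; nonce is the tag's nonce attribute."""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src"))   # default-src fallback
    if sources is None:
        return True                               # policy does not restrict scripts at all
    if "'none'" in sources:
        return False
    if is_eval:
        return "'unsafe-eval'" in sources
    if src is None:
        if nonce is not None and f"'nonce-{nonce}'" in sources:
            return True
        # CSP2 rule: once a nonce (or hash) is listed, 'unsafe-inline' is ignored
        has_nonce = any(s.startswith("'nonce-") for s in sources)
        return "'unsafe-inline'" in sources and not has_nonce
    page_origin = origin_of(page_url)
    return any(source_matches(s, src, page_origin)
               for s in sources if s == "'self'" or not s.startswith("'"))


# The slide's inline alert(msg) under three constructed policies:
STRICT = "default-src 'self'"                                          # inline blocked
WEAK = "default-src 'self'; script-src 'self' 'unsafe-inline'"         # inline allowed again
NONCED = "default-src 'self'; script-src 'self' 'nonce-d2VsY29tZQ=='"  # only the nonced tag
```

A real deployment generates a fresh random nonce per response and puts the same value in the header and in each allowed `<script nonce="...">` tag.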
Set-Cookie (cookie options)
Set-Cookie: <key>=<value>; Expires=<expiryDate>; Secure; HttpOnly; SameSite=<strict/lax>
Set-Cookie (cookie options)
HttpOnly - the cookie is not accessible from JavaScript
Secure - prevents the cookie from being sent over an unencrypted channel
SameSite - prevents the cookie from being sent on cross-site requests
CSRF
Set-Cookie (cookie options) - Considerations
- Secure and HttpOnly
- Protection against capture of cookies in cleartext
- Possible reduction of XSS impact (session theft)
- SameSite - supported only by Chrome
- Still a draft
- Provides good protection against CSRF/XSSI
- Lax - applies only to "safe" HTTP methods
- Could it hurt navigation?
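Added example (not from the original slides): a model of the decision a browser makes before attaching a cookie, driven by the Secure, HttpOnly and SameSite attributes from the slide, so that the Lax versus Strict behaviour on cross-site POSTs (the CSRF case) and on cross-site link clicks can be checked. Sites and URLs are constructed, and the "site" computation is a two-label simplification of the Public Suffix List.

```python
"""Cookie attachment model for Secure / HttpOnly / SameSite. Added example,
not code from the slides; sites, URLs and cookie values are constructed."""
from dataclasses import dataclass
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}   # RFC 7231 "safe" methods


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False
    http_only: bool = False
    same_site: str = "none"     # 'strict', 'lax' or 'none' (absent meant 'none' in 2017)


def parse_set_cookie(header):
    """Parse a Set-Cookie value such as the slide's
    'fm=0; Expires=...; Path=/; Domain=.twitter.com; Secure; HTTPOnly'."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name.strip(), value.strip())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.http_only = True
        elif key == "samesite":
            cookie.same_site = val.strip().lower() or "none"
    return cookie


def site_of(url):
    """Registrable-domain approximation: last two host labels.
    Real browsers consult the Public Suffix List; this is a demo simplification."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def cookie_sent(cookie, request_url, initiator_url, method="GET",
                top_level_navigation=False):
    """Return True if the browser attaches `cookie` to this request.
    initiator_url is the page that caused the request (form, <img>, link, fetch)."""
    if cookie.secure and urlsplit(request_url).scheme != "https":
        return False                                # Secure: HTTPS only
    cross_site = site_of(request_url) != site_of(initiator_url)
    if not cross_site:
        return True
    if cookie.same_site == "strict":
        return False                                # never on a cross-site request
    if cookie.same_site == "lax":
        # Lax: only top-level navigations (link clicks) using a safe method
        return top_level_navigation and method.upper() in SAFE_METHODS
    return True                                     # SameSite=None: no restriction


def readable_by_script(cookie):
    """HttpOnly cookies are invisible to document.cookie."""
    return not cookie.http_only
```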
X-Content-Type-Options
X-Content-Type-Options: nosniff
X-Content-Type-Options - Considerations
- Supported by all popular browsers except Safari
- Mitigates MIME confusion attacks
- The web server must return correct MIME types for the header to be useful
Referrer-Policy
Referrer-Policy: <directive>
Referrer-Policy: no-referrer
Referrer-Policy: no-referrer-when-downgrade
Referrer-Policy: origin
Referrer-Policy: origin-when-cross-origin
Referrer-Policy: same-origin
Referrer-Policy: strict-origin
Referrer-Policy: strict-origin-when-cross-origin
Referrer-Policy: unsafe-url
Referrer-Policy
Policy | Document | Navigation to | Referrer
no-referrer | https://example.com/page.html | any domain or path | no referrer
no-referrer-when-downgrade | https://example.com/page.html | https://example.com/otherpage.html | https://example.com/page.html
no-referrer-when-downgrade | https://example.com/page.html | https://mozilla.org | https://example.com/page.html
no-referrer-when-downgrade | https://example.com/page.html | http://example.org | no referrer
origin | https://example.com/page.html | any domain or path | https://example.com/
origin-when-cross-origin | https://example.com/page.html | https://example.com/otherpage.html | https://example.com/page.html
origin-when-cross-origin | https://example.com/page.html | https://mozilla.org | https://example.com/
origin-when-cross-origin | https://example.com/page.html | http://example.com/page.html | https://example.com/
same-origin | https://example.com/page.html | https://example.com/otherpage.html | https://example.com/page.html
same-origin | https://example.com/page.html | https://mozilla.org | no referrer
strict-origin | https://example.com/page.html | https://mozilla.org | https://example.com/
strict-origin | https://example.com/page.html | http://example.org | no referrer
strict-origin | http://example.com/page.html | any domain or path | http://example.com/
strict-origin-when-cross-origin | https://example.com/page.html | https://example.com/otherpage.html | https://example.com/page.html
strict-origin-when-cross-origin | https://example.com/page.html | https://mozilla.org | https://example.com/
strict-origin-when-cross-origin | https://example.com/page.html | http://example.org | no referrer
unsafe-url | https://example.com/page.html | any domain or path | https://example.com/page.html
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
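Added example (not from the original slides): the Referer computation behind the table, written as one function over the eight policies and checked against every row of the table; it goes slightly beyond the table by also stripping credentials and the fragment from the full-URL case, as browsers do. URLs are the table's own; the "any domain or path" rows are instantiated with https://mozilla.org.

```python
"""Referrer-Policy evaluation, checked against the slide's table.
Added example, not code from the slides."""
from urllib.parse import urlsplit, urlunsplit


def origin_of(url):
    """Origin in the table's form: scheme://host[:port]/"""
    u = urlsplit(url)
    port = f":{u.port}" if u.port else ""
    return f"{u.scheme}://{u.hostname}{port}/"


def stripped(url):
    """Full referrer as sent: credentials and fragment removed, query kept."""
    u = urlsplit(url)
    host = (u.hostname or "") + (f":{u.port}" if u.port else "")
    return urlunsplit((u.scheme, host, u.path, u.query, ""))


def is_downgrade(document_url, target_url):
    """TLS-protected document navigating to a non-TLS target."""
    return urlsplit(document_url).scheme == "https" and urlsplit(target_url).scheme != "https"


def same_origin(a, b):
    return origin_of(a) == origin_of(b)


def compute_referrer(policy, document_url, target_url):
    """Return the Referer value the browser sends, or None for no referrer."""
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return stripped(document_url)
    if policy == "origin":
        return origin_of(document_url)
    if policy == "same-origin":
        return stripped(document_url) if same_origin(document_url, target_url) else None
    if policy == "no-referrer-when-downgrade":
        return None if is_downgrade(document_url, target_url) else stripped(document_url)
    if policy == "strict-origin":
        return None if is_downgrade(document_url, target_url) else origin_of(document_url)
    if policy == "origin-when-cross-origin":
        return stripped(document_url) if same_origin(document_url, target_url) else origin_of(document_url)
    if policy == "strict-origin-when-cross-origin":
        if same_origin(document_url, target_url):
            return stripped(document_url)
        return None if is_downgrade(document_url, target_url) else origin_of(document_url)
    raise ValueError(f"unknown policy: {policy}")


# Rows of the slide's table: (policy, document, navigation target, expected Referer).
DOC = "https://example.com/page.html"
TABLE_ROWS = [
    ("no-referrer", DOC, "https://mozilla.org", None),
    ("no-referrer-when-downgrade", DOC, "https://example.com/otherpage.html", DOC),
    ("no-referrer-when-downgrade", DOC, "https://mozilla.org", DOC),
    ("no-referrer-when-downgrade", DOC, "http://example.org", None),
    ("origin", DOC, "https://mozilla.org", "https://example.com/"),
    ("origin-when-cross-origin", DOC, "https://example.com/otherpage.html", DOC),
    ("origin-when-cross-origin", DOC, "https://mozilla.org", "https://example.com/"),
    ("origin-when-cross-origin", DOC, "http://example.com/page.html", "https://example.com/"),
    ("same-origin", DOC, "https://example.com/otherpage.html", DOC),
    ("same-origin", DOC, "https://mozilla.org", None),
    ("strict-origin", DOC, "https://mozilla.org", "https://example.com/"),
    ("strict-origin", DOC, "http://example.org", None),
    ("strict-origin", "http://example.com/page.html", "https://mozilla.org", "http://example.com/"),
    ("strict-origin-when-cross-origin", DOC, "https://example.com/otherpage.html", DOC),
    ("strict-origin-when-cross-origin", DOC, "https://mozilla.org", "https://example.com/"),
    ("strict-origin-when-cross-origin", DOC, "http://example.org", None),
    ("unsafe-url", DOC, "https://mozilla.org", DOC),
]


def table_mismatches():
    """Rows where compute_referrer disagrees with the slide's table (expected: none)."""
    return [row for row in TABLE_ROWS if compute_referrer(*row[:3]) != row[3]]
```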
Referrer-Policy support
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
Referrer-Policy - Considerations
- Still under development
- Support still limited (Firefox, and some Chrome features)
- Addresses privacy concerns
Referer: https://github.com/irgoncalves/jwtbf
Tools for testing the headers
https://observatory.mozilla.org/
https://securityheaders.io
https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Technical_Resources
Conclusions
- Security headers can improve the security and privacy of your users
- They are part of a defense-in-depth strategy
- Some have pitfalls and require maturity
- They require additional controls
- Support levels differ between browsers
References
- https://tools.ietf.org/html/rfc6797
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers
- https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
- https://www.owasp.org/index.php/Clickjacking
- https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
- https://scotthelme.co.uk/
- https://www.wired.com/2016/03/https-adoption-google-report/
- http://www.html5rocks.com/en/tutorials/security/content-security-policy/
- https://www.bettercap.org/blog/sslstripping-and-hsts-bypass/
- https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/45542.pdf
- https://technet.microsoft.com/library/security/2524375
- https://csp.withgoogle.com/docs/index.html
- The Tangled Web: A Guide to Securing Modern Web Applications, Michal Zalewski

More Related Content

Similar to Cabeçalhos de Segurança HTTP

セキュアアプリケーションのためのHTTP設定
セキュアアプリケーションのためのHTTP設定セキュアアプリケーションのためのHTTP設定
セキュアアプリケーションのためのHTTP設定ryusukekumita1
 
Rails security: above and beyond the defaults
Rails security: above and beyond the defaultsRails security: above and beyond the defaults
Rails security: above and beyond the defaultsMatias Korhonen
 
Mitigate Maliciousness -- jQuery Europe 2013
Mitigate Maliciousness -- jQuery Europe 2013Mitigate Maliciousness -- jQuery Europe 2013
Mitigate Maliciousness -- jQuery Europe 2013Mike West
 
HTTP_Header_Security.pdf
HTTP_Header_Security.pdfHTTP_Header_Security.pdf
HTTP_Header_Security.pdfksudhakarreddy5
 
Let's go HTTPS-only! - More Than Buying a Certificate
Let's go HTTPS-only! - More Than Buying a CertificateLet's go HTTPS-only! - More Than Buying a Certificate
Let's go HTTPS-only! - More Than Buying a CertificateSteffen Gebert
 
Csp and http headers
Csp and http headersCsp and http headers
Csp and http headersdevObjective
 
Content-Security-Policy 2018.0
Content-Security-Policy 2018.0Content-Security-Policy 2018.0
Content-Security-Policy 2018.0Philippe Gamache
 
Configuring SSL on NGNINX and less tricky servers
Configuring SSL on NGNINX and less tricky serversConfiguring SSL on NGNINX and less tricky servers
Configuring SSL on NGNINX and less tricky serversAxilis
 
Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)Francois Marier
 
Modern Web Application Defense
Modern Web Application DefenseModern Web Application Defense
Modern Web Application DefenseFrank Kim
 
Honing headers for highly hardened highspeed hypertext
Honing headers for highly hardened highspeed hypertextHoning headers for highly hardened highspeed hypertext
Honing headers for highly hardened highspeed hypertextFastly
 
Creating Secure Web Apps: What Every Developer Needs to Know About HTTPS Today
Creating Secure Web Apps: What Every Developer Needs to Know About HTTPS TodayCreating Secure Web Apps: What Every Developer Needs to Know About HTTPS Today
Creating Secure Web Apps: What Every Developer Needs to Know About HTTPS TodayHeroku
 
JS Fest 2019. Andrew Betts. Headers for hackers
JS Fest 2019. Andrew Betts. Headers for hackersJS Fest 2019. Andrew Betts. Headers for hackers
JS Fest 2019. Andrew Betts. Headers for hackersJSFestUA
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptFrancois Marier
 
Protecting Web App users in today’s hostile environment
Protecting Web App users in today’s hostile environmentProtecting Web App users in today’s hostile environment
Protecting Web App users in today’s hostile environmentajitdhumale
 
Content Security Policies: A whole new way of securing your website that no o...
Content Security Policies: A whole new way of securing your website that no o...Content Security Policies: A whole new way of securing your website that no o...
Content Security Policies: A whole new way of securing your website that no o...Miriam Schwab
 
Content Security Policies: A whole new way of securing your website that no o...
Content Security Policies: A whole new way of securing your website that no o...Content Security Policies: A whole new way of securing your website that no o...
Content Security Policies: A whole new way of securing your website that no o...Miriam Schwab
 

Similar to Cabeçalhos de Segurança HTTP (20)

HTTP Security Headers
HTTP Security HeadersHTTP Security Headers
HTTP Security Headers
 
セキュアアプリケーションのためのHTTP設定
セキュアアプリケーションのためのHTTP設定セキュアアプリケーションのためのHTTP設定
セキュアアプリケーションのためのHTTP設定
 
Rails security: above and beyond the defaults
Rails security: above and beyond the defaultsRails security: above and beyond the defaults
Rails security: above and beyond the defaults
 
Mitigate Maliciousness -- jQuery Europe 2013
Mitigate Maliciousness -- jQuery Europe 2013Mitigate Maliciousness -- jQuery Europe 2013
Mitigate Maliciousness -- jQuery Europe 2013
 
HTTP_Header_Security.pdf
HTTP_Header_Security.pdfHTTP_Header_Security.pdf
HTTP_Header_Security.pdf
 
Let's go HTTPS-only! - More Than Buying a Certificate
Let's go HTTPS-only! - More Than Buying a CertificateLet's go HTTPS-only! - More Than Buying a Certificate
Let's go HTTPS-only! - More Than Buying a Certificate
 
Csp and http headers
Csp and http headersCsp and http headers
Csp and http headers
 
Csp and http headers
Csp and http headersCsp and http headers
Csp and http headers
 
Content-Security-Policy 2018.0
Content-Security-Policy 2018.0Content-Security-Policy 2018.0
Content-Security-Policy 2018.0
 
Web Security - CSP & Web Cryptography
Web Security - CSP & Web CryptographyWeb Security - CSP & Web Cryptography
Web Security - CSP & Web Cryptography
 
Configuring SSL on NGNINX and less tricky servers
Configuring SSL on NGNINX and less tricky serversConfiguring SSL on NGNINX and less tricky servers
Configuring SSL on NGNINX and less tricky servers
 
Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)
 
Modern Web Application Defense
Modern Web Application DefenseModern Web Application Defense
Modern Web Application Defense
 
Honing headers for highly hardened highspeed hypertext
Honing headers for highly hardened highspeed hypertextHoning headers for highly hardened highspeed hypertext
Honing headers for highly hardened highspeed hypertext
 
Creating Secure Web Apps: What Every Developer Needs to Know About HTTPS Today
Creating Secure Web Apps: What Every Developer Needs to Know About HTTPS TodayCreating Secure Web Apps: What Every Developer Needs to Know About HTTPS Today
Creating Secure Web Apps: What Every Developer Needs to Know About HTTPS Today
 
JS Fest 2019. Andrew Betts. Headers for hackers
JS Fest 2019. Andrew Betts. Headers for hackersJS Fest 2019. Andrew Betts. Headers for hackers
JS Fest 2019. Andrew Betts. Headers for hackers
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScript
 
Protecting Web App users in today’s hostile environment
Protecting Web App users in today’s hostile environmentProtecting Web App users in today’s hostile environment
Protecting Web App users in today’s hostile environment
 
Content Security Policies: A whole new way of securing your website that no o...
Content Security Policies: A whole new way of securing your website that no o...Content Security Policies: A whole new way of securing your website that no o...
Content Security Policies: A whole new way of securing your website that no o...
 
Content Security Policies: A whole new way of securing your website that no o...
Content Security Policies: A whole new way of securing your website that no o...Content Security Policies: A whole new way of securing your website that no o...
Content Security Policies: A whole new way of securing your website that no o...
 

Recently uploaded

software engineering Chapter 5 System modeling.pptx
software engineering Chapter 5 System modeling.pptxsoftware engineering Chapter 5 System modeling.pptx
software engineering Chapter 5 System modeling.pptxnada99848
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024StefanoLambiase
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsAhmed Mohamed
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideChristina Lin
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityNeo4j
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfAlina Yurenko
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmSujith Sukumaran
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - InfographicHr365.us smith
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEEVICTOR MAESTRE RAMIREZ
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxTier1 app
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio, Inc.
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based projectAnoyGreter
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWave PLM
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaHanief Utama
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptkotipi9215
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackVICTOR MAESTRE RAMIREZ
 
The Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfThe Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfPower Karaoke
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesPhilip Schwarz
 

Recently uploaded (20)

software engineering Chapter 5 System modeling.pptx
software engineering Chapter 5 System modeling.pptxsoftware engineering Chapter 5 System modeling.pptx
software engineering Chapter 5 System modeling.pptx
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML Diagrams
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalm
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - Infographic
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEE
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based project
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need It
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief Utama
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.ppt
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStack
 
The Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfThe Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdf
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a series
 

Cabeçalhos de Segurança HTTP

  • 1. Cabeçalhos de Segurança HTTP Ismael Gonçalves Mar/2017 https://sharingsec.blogspot.com
  • 2. Agenda • Quem sou eu • Cabeçalhos de Segurança HTTP • HTTP Strict Transport Security (HSTS) • HTTP Public Key Pins (HPKP) • X-Frame-Options • X-XSS-Protection • Content Security Policy (CSP) • Set-Cookie Options • X-Content-Type-Options • Referrer-Policy • Conclusão • Referências
  • 3. Quem sou eu • Consultor Sênior de Segurança • 10 anos de trabalhos voltados à segurança de aplicações (codificação, defesa, ataque) • Contribuidor OWASP (Capítulo Brasília, Top Ten Cheatsheet, OWASP Testing Guide) • Praticante da revelação de vulnerabilidades de forma responsável • Voluntário ISC2 para questões do CISSP • Pesquisador independente
  • 4. Cabeçalhos de Segurança HTTP • Evolução modelo de segurança • Proteção do canal de comunicação • Segurança do lado do cliente • Aplicação de políticas de segurança no navegador
  • 5. Requisição típica HTTP GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.110 Mobile Safari/537.36 Host: www.exemplo.com Accept: */* HTTP/1.1 200 OK Date: Fri, 17 Mar 2017 07:45:30 GMT Server: Apache/2.2.8 (Ubuntu) DAV/2 X-Powered-By: PHP/5.2.4-2ubuntu5.10 Content-Length: 891 Content-Type: text/html
  • 6. Requisição típica HTTP GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.110 Mobile Safari/537.36 Host: www.exemplo.com Accept: */* HTTP/1.1 200 OK Date: Fri, 17 Mar 2017 07:45:30 GMT Server: Apache/2.2.8 (Ubuntu) DAV/2 X-Powered-By: PHP/5.2.4-2ubuntu5.10 Content-Length: 891 Content-Type: text/html X-Frame-Options: DENY Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
  • 7. HTTP Strict Transport Security (HSTS) Strict-Transport-Security: max-age=<expire-time> Strict-Transport-Security: max-age=<expire-time>; includeSubDomains Strict-Transport-Security: max-age=<expire-time>; preload
  • 8. Tráfego típico sítio com HTTP/HTTPS http://www.exemplo.com GET / HTTP/1.0 Host: www.exemplo.com 301 Moved Permantenly Content-Length: 0 Location: https://www.exemplo.com https://www.exemplo.com GET / HTTP/1.0 Host: www.exemplo.com
  • 9. SSLStrip GET https://www.exemplo.comGET http://www.exemplo.com Resposta HTMLResposta HTML modificada e em texto claro
  • 11. HSTS – debaixo dos panos
  • 12. HSTS - Considerações - Aplicável para sites que suportam todo seu conteúdo via HTTPS - Dificuldade de implantação L7 routing - Lista preload SEMPRE inclui subdomínios - Remoção pode demorar meses, via atualização do browser - Mitiga ataques SSLStrip e potencialmente, SSLStrip2 com preload + subdomains - Proteção contra ataques MITM com Certificados inválidos
• 13. HTTP Public Key Pins (HPKP)
Public-Key-Pins: pin-sha256=<base64==>; max-age=<expireTime>;
Public-Key-Pins: pin-sha256=<base64==>; max-age=<expireTime>; includeSubDomains
Public-Key-Pins: pin-sha256=<base64==>; max-age=<expireTime>; report-uri=<reportURI>
• 14. Valid response with HPKP headers
HTTP/1.1 200 OK
Server: GitHub.com
Status: 200 OK
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
Public-Key-Pins: max-age=5184000; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="RRM1dGqnDFsCJXBTHky16vi1obOlCgFFn/yOhI/y+ho="; pin-sha256="k2v657xBsOVe1PQRwOsHsw3bsGT2VzIqz5K+59sNQws="; pin-sha256="K87oWBWM9UZfyddvDfoxL+8lpNyoUB2ptGtn0fv6G2Q="; pin-sha256="IQBnNBEiFuhj+8x6X8XLgh01V9Ic5/V3IRQLNFFc7v4="; pin-sha256="iie1VXtL7HzAMF+/PVPR9xzT80kQxdZeJ+zduCB3uj0="; pin-sha256="LvRiGEjRqfzurezaWuj8Wie2gyHMrW5Q06LspMnox7A="; includeSubDomains
Vary: Accept-Encoding
X-Served-By: d41662224d8c44f09604b862e979767a
X-GitHub-Request-Id: B36F2320:987D:E88A2AC:5741D913
• 15. Public Key Pins support
http://caniuse.com/#feat=publickeypinning
• 16. HTTP Public Key Pins - Considerations
- Requires maturity
- Report-only mode (Public-Key-Pins-Report-Only)?
- Mitigates MITM?
- Internal CA?
- Supported by Chrome/Firefox (at the time of writing)
• 17. Trivia (HSTS, HPKP, static pinning)
- Static pins (Chromium.org)
- https://cs.chromium.org/chromium/src/net/http/transport_security_state_static.json
- Google, Facebook, Twitter, Dropbox, Yahoo, Tor
- 23k+ domains using HSTS preload
- 180 .br domains
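"Requires maturity" on slide 16 is concrete: a Public-Key-Pins header with the wrong pin set locks every returning client out for max-age seconds, and RFC 7469 makes browsers discard a header that has no backup pin or no pin matching the served chain. The following is an added example (not from the deck or GitHub) of the pre-deployment check a team would run: it computes pin-sha256 values the way the RFC defines them, parses the header, and reports the conditions that would make the header either ignored or dangerous. The SPKI byte strings in the test are constructed stand-ins; a real check would feed in the DER-encoded SubjectPublicKeyInfo of each certificate in the chain.

```python
import base64
import hashlib


def spki_pin(spki_der):
    """pin-sha256 value as RFC 7469 defines it: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_hpkp(header):
    """Split a Public-Key-Pins value into its pins and directives."""
    policy = {"pins": [], "max_age": None, "include_subdomains": False, "report_uri": None}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "pin-sha256":
            policy["pins"].append(value)
        elif name == "max-age" and value.isdigit():
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "report-uri":
            policy["report_uri"] = value
    return policy


def check_hpkp(header, chain_spkis):
    """Return the problems found in a Public-Key-Pins header.

    chain_spkis: DER SPKI bytes of every certificate in the chain the server
    actually sends. An empty list means none of the checks fired.
    """
    policy = parse_hpkp(header)
    chain_pins = {spki_pin(s) for s in chain_spkis}
    pins = set(policy["pins"])
    problems = []
    for pin in sorted(pins):
        try:
            well_formed = len(base64.b64decode(pin, validate=True)) == 32
        except ValueError:          # binascii.Error is a ValueError subclass
            well_formed = False
        if not well_formed:
            problems.append("malformed pin (not base64 of 32 bytes): " + pin)
    if policy["max_age"] is None:
        problems.append("max-age missing: the browser discards the header")
    if len(pins) < 2:
        problems.append("fewer than two pins: RFC 7469 requires at least one backup pin")
    if not pins & chain_pins:
        problems.append("no pin matches the served chain: the browser discards the header")
    if not pins - chain_pins:
        problems.append("no backup pin outside the served chain: "
                        "a key change would lock clients out for max-age seconds")
    return problems
```

The same parser applied to the GitHub response on slide 14 yields seven pins with max-age=5184000 and includeSubDomains, which is the shape the RFC expects; the backup-pin check is what a report-only rollout (Public-Key-Pins-Report-Only) lets you validate before clients start enforcing.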
• 21. X-Frame-Options - Considerations
- Does your site need to be opened by another site inside a frame?
- Does not support more than one domain in allow-from
- CSP 2 frame-ancestors
- Mitigates clickjacking
• 25. X-XSS-Protection - Considerations
- Protection against reflected XSS only
- Not supported by Firefox
- Problems with the XSS filter
  • 26. Content Security Policy (CSP) Content-Security-Policy: <policy>; <policy>
  • 27. Content Security Policy (CSP) https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
• 28. CSP example: response from https://twitter.com/
Content-Security-Policy: script-src 'nonce-7tS2MKRWrGdmy1/R72jiDQ==' https://connect.facebook.net https://cm.g.doubleclick.net https://ssl.google-analytics.com https://graph.facebook.com https://twitter.com 'unsafe-eval' https://*.twimg.com https://api.twitter.com https://analytics.twitter.com https://publish.twitter.com https://ton.twitter.com https://syndication.twitter.com https://www.google.com https://t.tellapart.com https://platform.twitter.com https://www.google-analytics.com 'self'; frame-ancestors 'self'; font-src https://twitter.com https://*.twimg.com data: https://ton.twitter.com https://fonts.gstatic.com https://maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self'; media-src https://twitter.com https://*.twimg.com https://ton.twitter.com blob: 'self'; connect-src https://graph.facebook.com https://*.giphy.com https://*.twimg.com https://api.twitter.com https://pay.twitter.com https://analytics.twitter.com https://*.twprobe.net https://media.riffsy.com https://embed.periscope.tv https://upload.twitter.com 'self'; style-src https://fonts.googleapis.com https://twitter.com https://*.twimg.com https://translate.googleapis.com https://ton.twitter.com 'unsafe-inline' https://platform.twitter.com https://maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self'; object-src https://twitter.com https://pbs.twimg.com; default-src 'self'; frame-src https://staticxx.facebook.com https://twitter.com https://*.twimg.com https://5415703.fls.doubleclick.net https://player.vimeo.com https://pay.twitter.com https://www.facebook.com https://ton.twitter.com https://syndication.twitter.com https://vine.co twitter: https://www.youtube.com https://platform.twitter.com https://upload.twitter.com https://s-static.ak.facebook.com https://4337974.fls.doubleclick.net 'self' https://donate.twitter.com; img-src https://graph.facebook.com https://*.giphy.com https://twitter.com https://*.twimg.com https://ad.doubleclick.net data: https://lumiere-a.akamaihd.net https://fbcdn-profile-a.akamaihd.net https://www.facebook.com https://ton.twitter.com https://*.fbcdn.net https://syndication.twitter.com https://media.riffsy.com https://www.google.com https://stats.g.doubleclick.net https://api.mapbox.com https://www.google-analytics.com blob: 'self'; report-uri https://twitter.com/i/csp_report?a=NVQWGYLXFVZXO2LGOQ%3D%3D%3D%3D%3D%3D&ro=false;
Set-Cookie: fm=0; Expires=Tue, 28 Mar 2017 11:35:01 UTC; Path=/; Domain=.twitter.com; Secure; HTTPOnly
Strict-Transport-Security: max-age=631138519
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
• 29. Content Security Policy (CSP) support
http://caniuse.com/#feat=contentsecuritypolicy2
• 30. Content Security Policy (CSP) - Considerations
- Implementation difficulty: inline scripts must be removed
<html>
<head>
<script>var msg = 'javascript inline'; alert(msg);</script>
</head>
<body>Ola!</body>
</html>
- 'unsafe-inline' and 'unsafe-eval' can undermine the effort
- Protection against XSS (reflected/stored), but is it definitive?
- Protection against clickjacking
- Not supported by all browsers
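Slide 30 warns that 'unsafe-inline' and 'unsafe-eval' can undo the value of a policy, and slide 28 shows a real policy in which both the nonce and 'unsafe-eval' appear. The following is an added example (not code from the deck) of a small CSP parser plus the review checks a security engineer applies to a policy before approving it: effective script-src (with the default-src fallback), 'unsafe-inline' that is not neutralised by a nonce or hash, 'unsafe-eval', wildcard or plaintext script sources, and the directives whose absence leaves a gap (object-src, base-uri, frame-ancestors). The policies in the test are constructed; the first one mirrors the shape of the Twitter policy above.

```python
BROAD_SOURCES = {"*", "http:", "https:", "data:"}


def parse_csp(header):
    """Return {directive-name: [source expressions]} from a Content-Security-Policy value.

    A directive repeated later in the same policy is ignored, as browsers do.
    """
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def lint_csp(header):
    """Return review findings for a policy; [] means none of these checks fired."""
    policy = parse_csp(header)
    findings = []

    # script-src falls back to default-src when absent (fetch-directive fallback rule)
    script = policy.get("script-src", policy.get("default-src", []))

    # With a nonce or hash present, CSP2+ browsers ignore 'unsafe-inline' in that directive,
    # so it only counts as a weakness when nothing overrides it.
    has_nonce_or_hash = any(s.startswith("'nonce-") or s.startswith("'sha") for s in script)
    if "'unsafe-inline'" in script and not has_nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline' with no nonce/hash: injected inline scripts run")
    if "'unsafe-eval'" in script:
        findings.append("script-src allows 'unsafe-eval': eval()/new Function() payloads run")
    for src in script:
        if src in BROAD_SOURCES or src.startswith("http://"):
            findings.append("script-src permits a broad or plaintext source: " + src)

    default = policy.get("default-src", [])
    if "object-src" not in policy and "'none'" not in default:
        findings.append("object-src not restricted: plugin content can still be loaded")
    if "base-uri" not in policy:
        findings.append("base-uri missing: an injected <base> tag can redirect relative script URLs")
    if "frame-ancestors" not in policy:
        findings.append("frame-ancestors missing: clickjacking protection depends on X-Frame-Options alone")
    return findings
```

Run against the Twitter-style policy the checks report only the 'unsafe-eval' and the missing base-uri, which matches the reading of slide 28: a nonce makes inline scripts safe, but the remaining allowances are where the effort leaks.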
  • 31. Set-Cookie (cookie options) Set-Cookie: <key>=<value>; Expires=<expiryDate>; Secure; HttpOnly; SameSite=<strict/lax>
• 32. Set-Cookie (cookie options)
HttpOnly - the cookie is not accessible from JavaScript
Secure - prevents the cookie from being sent over an unencrypted channel
SameSite - prevents the cookie from being sent on cross-site requests
  • 33. CSRF
• 34. Set-Cookie (cookie options) - Considerations
- Secure and HttpOnly
  - Protection against cookie capture in clear text
  - Possible reduction of XSS impact (session theft)
- SameSite - supported only by Chrome
  - Still a draft
  - Provides good protection against CSRF/XSSI
  - Lax: used with "safe" HTTP methods
  - Could it break navigation?
• 36. X-Content-Type-Options - Considerations
- Supported by all popular browsers except Safari
- Mitigates MIME confusion attacks
- The web server must return correct MIME types for the header to be useful
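Slides 32 to 34 list what Secure, HttpOnly and SameSite do but not how a browser decides, request by request, whether a stored cookie is attached. The following is an added example (not code from the deck) that parses a Set-Cookie header and applies those rules: Secure cookies never travel over http://, Strict cookies are withheld from any cross-site request, and Lax cookies are sent cross-site only on top-level navigations with a "safe" method, which is what stops a cross-site form POST (the classic CSRF case) while keeping ordinary links working. The registrable-domain helper is a deliberate simplification (last two labels, no public-suffix list) and is marked as such; cookie and URL values in the test are constructed.

```python
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def parse_set_cookie(header):
    """Parse a Set-Cookie value into the attributes the send decision depends on."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(), "secure": False,
              "httponly": False, "samesite": None, "domain": None}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
        elif key == "samesite":
            cookie["samesite"] = val.strip().lower()
        elif key == "domain":
            cookie["domain"] = val.strip().lstrip(".").lower()
    return cookie


def registrable_domain(host):
    """Assumption: the site is the last two labels. Real browsers use the public-suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def accessible_to_script(cookie):
    """HttpOnly keeps document.cookie from exposing the value to an XSS payload."""
    return not cookie["httponly"]


def cookie_is_sent(cookie, request_url, initiator_url, method, top_level_navigation):
    """Decide whether a stored cookie accompanies a request.

    initiator_url: the page that caused the request (None for a typed/bookmarked URL).
    top_level_navigation: True for a link/form that changes the top-level page,
    False for subresource fetches, XHR/fetch and frames.
    """
    target = urlsplit(request_url)
    host = (target.hostname or "").lower()
    if cookie["secure"] and target.scheme != "https":
        return False                         # Secure: never on a plaintext channel
    if cookie["domain"] and not (host == cookie["domain"] or host.endswith("." + cookie["domain"])):
        return False                         # Domain attribute does not match the target
    same_site = (initiator_url is None or
                 registrable_domain(urlsplit(initiator_url).hostname or "") == registrable_domain(host))
    mode = cookie["samesite"]
    if mode == "strict":
        return same_site
    if mode == "lax":
        return same_site or (top_level_navigation and method.upper() in SAFE_METHODS)
    return True                              # no SameSite: sent on cross-site requests, hence CSRF exposure
```

The last branch is the state of the art the slide describes for browsers without SameSite support: the cookie rides along with every cross-site request, so CSRF tokens remain the primary control.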
• 37. Referrer-Policy
Referrer-Policy: <directive>
Referrer-Policy: no-referrer
Referrer-Policy: no-referrer-when-downgrade
Referrer-Policy: origin
Referrer-Policy: origin-when-cross-origin
Referrer-Policy: same-origin
Referrer-Policy: strict-origin
Referrer-Policy: strict-origin-when-cross-origin
Referrer-Policy: unsafe-url
• 38. Referrer-Policy
Policy                          | Document                      | Navigation to                      | Referrer
no-referrer                     | https://example.com/page.html | any domain or path                 | no referrer
no-referrer-when-downgrade      | https://example.com/page.html | https://example.com/otherpage.html | https://example.com/page.html
no-referrer-when-downgrade      | https://example.com/page.html | https://mozilla.org                | https://example.com/page.html
no-referrer-when-downgrade      | https://example.com/page.html | http://example.org                 | no referrer
origin                          | https://example.com/page.html | any domain or path                 | https://example.com/
origin-when-cross-origin        | https://example.com/page.html | https://example.com/otherpage.html | https://example.com/page.html
origin-when-cross-origin        | https://example.com/page.html | https://mozilla.org                | https://example.com/
origin-when-cross-origin        | https://example.com/page.html | http://example.com/page.html       | https://example.com/
same-origin                     | https://example.com/page.html | https://example.com/otherpage.html | https://example.com/page.html
same-origin                     | https://example.com/page.html | https://mozilla.org                | no referrer
strict-origin                   | https://example.com/page.html | https://mozilla.org                | https://example.com/
strict-origin                   | https://example.com/page.html | http://example.org                 | no referrer
strict-origin                   | http://example.com/page.html  | any domain or path                 | http://example.com/
strict-origin-when-cross-origin | https://example.com/page.html | https://example.com/otherpage.html | https://example.com/page.html
strict-origin-when-cross-origin | https://example.com/page.html | https://mozilla.org                | https://example.com/
strict-origin-when-cross-origin | https://example.com/page.html | http://example.org                 | no referrer
unsafe-url                      | https://example.com/page.html | any domain or path                 | https://example.com/page.html
Source: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
• 40. Referrer-Policy - Considerations
- Still under development
- Support still limited (Firefox and some Chrome features)
- Addresses privacy concerns
Referer: https://github.com/irgoncalves/jwtbf
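The table on slide 38 enumerates outcomes; the rules behind it reduce to two questions (is the target same-origin? is the navigation an HTTPS-to-HTTP downgrade?) plus three possible answers (full URL, origin only, nothing). The following is an added example (not code from the deck or MDN) that implements those rules for every directive on slide 37 and replays the table rows against them, so the privacy consequence of each choice, in particular which ones leak the path of the referring page to a third party, can be checked mechanically. "Any domain or path" rows use a constructed cross-origin target.

```python
from urllib.parse import urlsplit, urlunsplit


def _host_without_userinfo(parts):
    return parts.netloc.rsplit("@", 1)[-1]


def origin_of(url):
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port)


def origin_string(url):
    """The 'origin only' form: scheme://host[:port]/ with no path."""
    p = urlsplit(url)
    return "%s://%s/" % (p.scheme, _host_without_userinfo(p))


def full_referrer(url):
    """The full form: the document URL stripped of fragment and credentials."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, _host_without_userinfo(p), p.path, p.query, ""))


def referrer_for(policy, document_url, target_url):
    """Return the Referer value a browser sends for a navigation, or None for no referrer."""
    same_origin = origin_of(document_url) == origin_of(target_url)
    downgrade = urlsplit(document_url).scheme == "https" and urlsplit(target_url).scheme != "https"
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full_referrer(document_url)
    if policy == "origin":
        return origin_string(document_url)
    if policy == "origin-when-cross-origin":
        return full_referrer(document_url) if same_origin else origin_string(document_url)
    if policy == "same-origin":
        return full_referrer(document_url) if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else origin_string(document_url)
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full_referrer(document_url)
        return None if downgrade else origin_string(document_url)
    if policy == "unsafe-url":
        return full_referrer(document_url)
    raise ValueError("unknown Referrer-Policy directive: " + policy)


DOC = "https://example.com/page.html"
FULL = "https://example.com/page.html"
ORIGIN = "https://example.com/"
ANY = "https://other.example/some/path"     # constructed stand-in for "any domain or path"

# Rows of the table on slide 38: (policy, document, navigation target, expected Referer)
TABLE = [
    ("no-referrer", DOC, ANY, None),
    ("no-referrer-when-downgrade", DOC, "https://example.com/otherpage.html", FULL),
    ("no-referrer-when-downgrade", DOC, "https://mozilla.org", FULL),
    ("no-referrer-when-downgrade", DOC, "http://example.org", None),
    ("origin", DOC, ANY, ORIGIN),
    ("origin-when-cross-origin", DOC, "https://example.com/otherpage.html", FULL),
    ("origin-when-cross-origin", DOC, "https://mozilla.org", ORIGIN),
    ("origin-when-cross-origin", DOC, "http://example.com/page.html", ORIGIN),
    ("same-origin", DOC, "https://example.com/otherpage.html", FULL),
    ("same-origin", DOC, "https://mozilla.org", None),
    ("strict-origin", DOC, "https://mozilla.org", ORIGIN),
    ("strict-origin", DOC, "http://example.org", None),
    ("strict-origin", "http://example.com/page.html", ANY, "http://example.com/"),
    ("strict-origin-when-cross-origin", DOC, "https://example.com/otherpage.html", FULL),
    ("strict-origin-when-cross-origin", DOC, "https://mozilla.org", ORIGIN),
    ("strict-origin-when-cross-origin", DOC, "http://example.org", None),
    ("unsafe-url", DOC, ANY, FULL),
]


def check_table():
    """Return the rows whose computed Referer differs from the table; [] means all agree."""
    return [row for row in TABLE if referrer_for(row[0], row[1], row[2]) != row[3]]
```

The row for origin-when-cross-origin navigating to http://example.com/page.html is the one worth noticing: a scheme change alone makes the target cross-origin, so the path is withheld even though the host is the same.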
• 41. Tools for testing the headers
https://observatory.mozilla.org/
https://securityheaders.io
https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Technical_Resources
• 42. Conclusions
- Security headers can improve the security and privacy of your users
- They are part of a defence-in-depth strategy
- Some have pitfalls and require maturity
- They require additional controls
- Levels of support differ between browsers
• 43. References
- https://tools.ietf.org/html/rfc6797
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers
- https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
- https://www.owasp.org/index.php/Clickjacking
- https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
- https://scotthelme.co.uk/
- https://www.wired.com/2016/03/https-adoption-google-report/
- http://www.html5rocks.com/en/tutorials/security/content-security-policy/
- https://www.bettercap.org/blog/sslstripping-and-hsts-bypass/
- https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/45542.pdf
- https://technet.microsoft.com/library/security/2524375
- https://csp.withgoogle.com/docs/index.html
- The Tangled Web: A Guide to Securing Modern Web Applications, Michal Zalewski