セキュアアプリケーションのためのHTTP設定

T P
PHP
WEB SEO
NLP blockchain
H T P
@reus_k95

SSL
HTTPS SEO 2014
HTTPS P Google H H
https://webmaster-ja.googleblog.com/2014/08/https-as-ranking-signal.html
HTTPS UX 2018
HTTP T

Today’s Topics
1. XSS
Content Security Policy /
2. SSL
HTTP Public Key Pinning / Certificate
Transparency / HTTP Strict Transport
Security
3.
ReportURI

CSP
https://csp.com
script.comimage.com csp.com
unknown.com
…
script.com OK
image.com OK
…
CSP

CSP
• C
• C
• C
• P Script T
• Content-Security-Policy-Report-Only T
H S

CSP H
• HTML
• WEB conf C
• C
C

CSP nc?HTML if g h
• if j
<meta http-equiv="Content-Security-Policy" content=”...”>
• lmC H
:: - - - / / - =- . - : - :
- : a C H
TP S b ed?

CSP WEB
• Nginx Apache
add_header Content-Security-Policy “...”;
•
C H
C

CSP C
• PHP header
header(“Content-Security-Policy: ...”);
•
C

CSP
default-src 'self’; upgrade-insecure-requests; report-uri endpoint;
•
• Fetch
• Reporting H
• etc…
C

Fetch
default-src ‘self’; script-src ‘A.com’; style-src ‘B.com’; frame-src ’none’;
• S H
• A.com T B.com C
‘self’ frame
•
• S H
P

FetchH
• default-src T
• script-src JavaScript
• style-src
• img-src
• connect-src JavaScript URL
• font-src @font-face
• frame-src <frame> <iframe>
• manifest-src P
• media-src <audio> <video> <track> H
• object-src <object> <embed> <applet>
• prefetch-src fetch T
• webrtc-src WebRTC S
• child-src web workers <frame>/<iframe>
• worker-src Worker, SharedWorker, ServiceWorker T
C T S

Reporting H
• S
• report-to report-uri H
• report-uri T CSP Level3 deprecated
• report-to
• H report-to
C P S

report-to
Report-To: {“group”: “csp-report”, ”include-subdomains”: false, “max-
age”: 86400, endpoints: {“url”: “...”}}
Content-Security-Policy: ...; report-to csp-report;
• Report-To
•
• P report-uri
C H

report-uri
Content-Security-Policy: ...; report-uri: endpoint;
• JSON C
{
"csp-report": {
"document-uri": "https://myblog.jp/entries/12",
"blocked-uri": "ms-browser-extension",
"violated-directive": "default-src 'self' https://asset.myblog.jp ...",
"original-policy": "default-src 'self' https://asset.myblog.jp ...",
"effective-directive": "img-src",
"status-code": 0
}
}

report-uri
• blocked-uri URI
• document-uri URI
• violated-directive C

H
• Mixed Content H
• HTTPS S HTTP T
• upgrade-insecure-requests
http https C
• block-all-mixed-content
http T
C P

CSP GitHub
Content-Security-Policy: default-src 'none'; base-uri
'self'; block-all-mixed-content; connect-src 'self'
uploads.github.com githubstatus.com
collector.githubapp.com api.github.com www.google-
analytics.com github-cloud.s3.amazonaws.com github-
production-repository-file-5c1aeb.s3.amazonaws.com
github-production-upload-manifest-file-
7fdce7.s3.amazonaws.com github-production-user-asset-
6210df.s3.amazonaws.com wss://live.github.com; font-src
github.githubassets.com; form-action 'self' github.com
gist.github.com; frame-ancestors 'none'; frame-src
render.githubusercontent.com; img-src 'self' data:
github.githubassets.com identicons.github.com
collector.githubapp.com github-cloud.s3.amazonaws.com
*.githubusercontent.com; manifest-src 'self'; media-src
'none'; script-src github.githubassets.com; style-src
'unsafe-inline' github.githubassets.com

CSP Twitter
content-security-policy: script-src https://ssl.google-analytics.com 'nonce-oTPLYVAFzPwnlPVafnQbGQ==' https://twitter.com 'unsafe-eval'
https://*.twimg.com https://api.twitter.com https://analytics.twitter.com https://publish.twitter.com https://ton.twitter.com
https://syndication.twitter.com https://www.google.com https://platform.twitter.com https://www.google-analytics.com blob: 'self';
frame-ancestors 'self'; font-src https://twitter.com https://*.twimg.com data: https://ton.twitter.com 'self'; media-src
https://rmpdhdsnappytv-vh.akamaihd.net https://prod-video-eu-central-1.pscp.tv https://prod-video-ap-south-1.pscp.tv
https://v.cdn.vine.co https://dwo3ckksxlb0v.cloudfront.net https://twitter.com https://prod-video-us-east-2.pscp.tv https://prod-video-
cn-north-1.pscp.tv https://amp.twimg.com https://smmdhdsnappytv-vh.akamaihd.net https://*.twimg.com https://prod-video-eu-west-
1.pscp.tv https://*.video.pscp.tv https://rmmdhdsnappytv-vh.akamaihd.net https://clips-media-assets.twitch.tv https://prod-video-ap-
northeast-2.pscp.tv https://prod-video-us-west-2.pscp.tv https://prod-video-us-west-1.pscp.tv https://prod-video-ap-northeast-1.pscp.tv
https://smdhdsnappytv-vh.akamaihd.net https://ton.twitter.com https://prod-video-eu-west-3.pscp.tv https://rmdhdsnappytv-
vh.akamaihd.net https://mmdhdsnappytv-vh.akamaihd.net https://prod-video-ca-central-1.pscp.tv https://smpdhdsnappytv-vh.akamaihd.net
https://prod-video-sa-east-1.pscp.tv https://mdhdsnappytv-vh.akamaihd.net https://prod-video-ap-southeast-2.pscp.tv
https://mtc.cdn.vine.co https://prod-video-cn-northwest-1.pscp.tv https://prod-video-eu-west-2.pscp.tv https://canary-video-us-east-
1.pscp.tv https://dev-video-us-west-2.pscp.tv https://prod-video-us-east-1.pscp.tv blob: 'self' https://prod-video-ap-northeast-
3.pscp.tv https://prod-video-ap-southeast-1.pscp.tv https://mpdhdsnappytv-vh.akamaihd.net https://dev-video-eu-west-1.pscp.tv; connect-
src https://rmpdhdsnappytv-vh.akamaihd.net https://prod-video-eu-central-1.pscp.tv https://prod-video-ap-south-1.pscp.tv
https://*.giphy.com https://dwo3ckksxlb0v.cloudfront.net https://prod-video-us-east-2.pscp.tv https://prod-video-cn-north-1.pscp.tv
https://vmaprel.snappytv.com https://smmdhdsnappytv-vh.akamaihd.net https://*.twimg.com https://embed.pscp.tv https://api.twitter.com
https://prod-video-eu-west-1.pscp.tv https://*.video.pscp.tv https://rmmdhdsnappytv-vh.akamaihd.net https://clips-media-
assets.twitch.tv https://prod-video-ap-northeast-2.pscp.tv https://prod-video-us-west-2.pscp.tv https://pay.twitter.com https://prod-
video-us-west-1.pscp.tv https://analytics.twitter.com https://vmap.snappytv.com https://*.twprobe.net https://prod-video-ap-northeast-
1.pscp.tv https://smdhdsnappytv-vh.akamaihd.net https://prod-video-eu-west-3.pscp.tv https://syndication.twitter.com https://sentry.io
https://rmdhdsnappytv-vh.akamaihd.net https://media.riffsy.com https://mmdhdsnappytv-vh.akamaihd.net https://prod-video-ca-central-
1.pscp.tv https://embed.periscope.tv https://smpdhdsnappytv-vh.akamaihd.net https://prod-video-sa-east-1.pscp.tv
https://vmapstage.snappytv.com https://upload.twitter.com https://proxsee.pscp.tv https://mdhdsnappytv-vh.akamaihd.net https://prod-
video-ap-southeast-2.pscp.tv https://prod-video-cn-northwest-1.pscp.tv https://prod-video-eu-west-2.pscp.tv https://canary-video-us-
east-1.pscp.tv https://dev-video-us-west-2.pscp.tv https://prod-video-us-east-1.pscp.tv blob: 'self' https://prod-video-ap-northeast-
3.pscp.tv https://vmap.grabyo.com https://prod-video-ap-southeast-1.pscp.tv https://mpdhdsnappytv-vh.akamaihd.net https://dev-video-eu-
west-1.pscp.tv; style-src https://fonts.googleapis.com https://twitter.com https://*.twimg.com https://translate.googleapis.com
https://ton.twitter.com 'unsafe-inline' https://platform.twitter.com 'self'; object-src https://twitter.com https://pbs.twimg.com;
default-src 'self' blob:; frame-src https://twitter.com https://*.twimg.com https://player.vimeo.com https://pay.twitter.com
https://ton.twitter.com https://syndication.twitter.com https://vine.co twitter: https://www.youtube.com https://platform.twitter.com
https://upload.twitter.com 'self'; img-src https://*.giphy.com https://*.pscp.tv https://twitter.com https://*.twimg.com data:
https://clips-media-assets.twitch.tv https://lumiere-a.akamaihd.net https://ton.twitter.com https://syndication.twitter.com
https://media.riffsy.com https://www.google.com https://platform.twitter.com https://api.mapbox.com https://www.google-analytics.com
blob: https://*.periscope.tv 'self'; report-uri https://twitter.com/i/csp_report?a=NVQWGYLXFVZXO2LGOQ%3D%3D%3D%3D%3D%3D&ro=false;

CSP
• CSP nonce / strict-dynamic
P
• H Level3
•
• script
C

script-src
• CSP
URL
• script TS
script TS
• P C H
unsafe-inline CSP
• nonce / strict-dynamic

nonce
• S T nonce
• script nonce
• script nonce
S nonce script
nonce H
CCP

nonce
• HTTP
script-src: 'nonce-43f23r98’
•
<script src="..." nonce="43f23r98"></script>

nonce PTS
• script nonce
• H script
• strict-dynamic
C

nonce + strict-dynamic
• PS nonce T
• scriptDOM P
• HTTPC
script-src: 'nonce-43f23r98' 'strict-dynamic’
•
<script nonce="43f23r98">...</script>
H

nonce + strict-dynamic
• strictCSP
https://csp.withgoogle.com/docs/strict-csp.html
• script
• T T C
• S
• T
H PT

CSP
• Report-Only S
• H
• T
C 20 CSP
• T C
P

X-XSS-Protection
X-XSS-Protection: 0 or 1; [mode=block;] [report=...;]
• XSS H
• mode=block
• report

X-Content-Type-Options
X-XSS-Protection: nosniff
•
• IE
H

HPKP
hpkp.com
https://hpkp.com
hpkp.com

HPKP T
• HTTP Public Key Pinning
• WEB
• 2 P
• T H
• PHP header
K

HPKP
Public-Key-Pins: pin-sha256=”base64=="; max-age=5184000;
[includeSubDomains;] [report-uri=”...”;]
• Base64 P
• max-age T
• includeSubDomains
• report-uri H
KH

HPKP
hpkp.com
K H
P
https://hpkp.com
hpkp.com
KK
HPKP H
max-age

HPKP H K
hpkp.com
H
https://hpkp.com
hpkp.com
HH

HPKP P T
• max-age ≦ T H
• K T
HPKP
K T
max-age

HPKP
•
• T
•
• Chrome 67 P
• CT
H K

CT
https://ct.com
ct.comC
CT
…
ct.com
…
C

CT
• Certificate Transparency T
• C SCT Signed
Certificate Timestamp
• SCT
• Let’s Encrypt Amazon Certificate Manager
• Expect-CT
H P

Expect-CT H
Expect-CT: max-age=86400, [enforce,] [report-uri=”...”]
• max-age
• enforce C report-only
• report-uri

CT
• HPKP
• HPKP CT
• T
C H P

HTTP Strict Transport Security

HSTS
hsts.com
HTTPS
http://hpkp.com
hsts.com
https://hpkp.com

HSTS S
• HTTP Strict Transport Security
• HTTPS H
• HTTPS H
• PHP header P

HSTS
Strict-Transport-Security: max-age=31536000; [includeSubDomains;]
[preload;]
• max-age
• includeSubDomains
• preload

• S HTTPS P
https://hstspreload.org/
• T
H

• HTTP report
•
H
• ReportURIT
P

ReportURI
•
• 10,000 report / month $100 1000,000 report /month
• H H CSP Except-CT
H P
•
• T
H

セキュアアプリケーションのためのHTTP設定

Recommended

Recommended

More Related Content

Similar to セキュアアプリケーションのためのHTTP設定

Similar to セキュアアプリケーションのためのHTTP設定 (20)

Recently uploaded

Recently uploaded (20)

セキュアアプリケーションのためのHTTP設定