Securing your web application and protecting your users are two of the most important things for a developer nowadays. We all know about the dangers of cross-site scripting and SQL injection, but did you know that you can also make the browser do its share? In this presentation we'll dive into the world of the HTTP security headers, which make the browser help protect your users.
38. CONTENT SECURITY POLICY
CSP header limits what can run on your page
default-src img-src style-src font-src
script-src media-src connect-src frame-src
worker-src child-src manifest-src object-src
40. CONTENT SECURITY POLICY
Also supports a report-uri directive
Blocked resources fail silently! Violations are only visible in the dev console.
Has a “Report-Only” variant:
Content-Security-Policy-Report-Only
41. CSP TAKEAWAYS
Good to have, hard to master
Run it in “Report-Only” mode for a while
Keep monitoring the reports
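The slides above describe the two halves of a CSP rollout: sending the policy (first as Report-Only, later enforced) and reading the reports the browser posts to the report-uri endpoint. The following Python is an added example, not code from the presentation; the directive map, hostnames and the sample report are constructed for illustration. It shows how the same directive map serialises to either header name, and how the JSON report body a browser sends is reduced to the fields worth monitoring, so a policy tuned in Report-Only mode can be checked against real violations before it is enforced.

```python
import json
from collections import Counter

# Directive -> allowed sources. Hostnames are constructed for this example.
POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://static.example.com"],
    "img-src": ["'self'", "data:"],
    "style-src": ["'self'"],
    "object-src": ["'none'"],
    "report-uri": ["https://csp-reports.example.com/collect"],
}


def build_csp_header(policy, report_only=False):
    """Serialise a directive map into the (header name, header value) a server sends.

    report_only=True selects Content-Security-Policy-Report-Only: the browser
    posts reports but blocks nothing, which is how to run a new policy at first.
    """
    value = "; ".join(
        f"{directive} {' '.join(sources)}" for directive, sources in policy.items()
    )
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return name, value


def summarise_csp_report(body):
    """Reduce one browser-sent violation report to the fields worth looking at.

    Browsers POST a JSON document with a single top-level "csp-report" object.
    effective-directive names the directive that was actually applied; older
    browsers only send violated-directive, so fall back to that.
    """
    report = json.loads(body)["csp-report"]
    return {
        "page": report.get("document-uri"),
        "directive": report.get("effective-directive") or report.get("violated-directive"),
        "blocked": report.get("blocked-uri"),
    }


def tally_reports(bodies):
    """Count (directive, blocked-uri) pairs over many reports.

    The most frequent pairs are what you either add to the policy (legitimate
    resource) or investigate (unexpected source) before switching to enforce.
    """
    counts = Counter()
    for body in bodies:
        summary = summarise_csp_report(body)
        counts[(summary["directive"], summary["blocked"])] += 1
    return counts


# Constructed report, shaped like what a browser sends when an inline script
# is blocked; with the header in place this surfaces here instead of failing silently.
SAMPLE_REPORT = json.dumps({
    "csp-report": {
        "document-uri": "https://www.example.com/checkout",
        "violated-directive": "script-src 'self' https://static.example.com",
        "effective-directive": "script-src",
        "original-policy": "default-src 'self'; script-src 'self' https://static.example.com",
        "blocked-uri": "inline",
        "status-code": 200,
    }
})

if __name__ == "__main__":
    print(build_csp_header(POLICY, report_only=True))
    print(summarise_csp_report(SAMPLE_REPORT))
    print(tally_reports([SAMPLE_REPORT, SAMPLE_REPORT]).most_common(1))
```

Switching `report_only` to `False` is the only change needed once the tally shows nothing but expected noise; the policy value itself stays identical between the two phases.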
HTTP no longer considered secure
HTTPS is cheap (Let's Encrypt) and faster (HTTP/2)
Enables HSTS for 1 year
Refreshed every time the browser sees it
Should be fine for most use cases (exception e.g. taxonweb)
Include subdomains for HTTPS
Careful though -> covering all subdomains might break internal stuff (e.g. an old printer with an HTTP-only management interface on printer.example.com)
Allow preloading
Preloading is an end goal. Removal from the list is a manual process, which will take time.
Site is eligible when
It has a valid certificate
Redirects to https
Serves all subdomains on HTTPS
HSTS max-age at least 1 year
HSTS preload active
HSTS includeSubDomains active
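Three of the six preload conditions listed above are properties of the Strict-Transport-Security header value itself: a max-age of at least one year, includeSubDomains and preload. The Python below is an added example, not code from the presentation; it parses a header value as a browser would (directive names are case-insensitive, max-age is an integer number of seconds) and returns the header-level conditions a value fails. The remaining conditions (valid certificate, redirect to HTTPS, every subdomain served over HTTPS) are server behaviour and are deliberately out of scope here.

```python
ONE_YEAR = 31536000  # seconds; the minimum max-age the preload list requires


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into a dict.

    Directives are separated by ';'. max-age carries an integer value, the
    others (includeSubDomains, preload) are flags; names are case-insensitive,
    so keys are lower-cased.
    """
    parsed = {}
    for token in header_value.split(";"):
        token = token.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            parsed["max-age"] = int(value.strip().strip('"'))
        else:
            parsed[name] = True
    return parsed


def preload_header_problems(header_value):
    """Return the header-level preload requirements this value fails.

    An empty list means the header satisfies the three header conditions;
    the certificate and redirect conditions must be checked against the
    live site separately.
    """
    hsts = parse_hsts(header_value)
    problems = []
    if hsts.get("max-age", 0) < ONE_YEAR:
        problems.append("max-age must be at least one year (31536000 seconds)")
    if not hsts.get("includesubdomains"):
        problems.append("includeSubDomains missing")
    if not hsts.get("preload"):
        problems.append("preload missing")
    return problems


if __name__ == "__main__":
    # Constructed header values: one eligible, one that only sets a short max-age.
    for value in ("max-age=31536000; includeSubDomains; preload", "max-age=86400"):
        print(repr(value), "->", preload_header_problems(value) or "header OK for preload")
```

Remember that a passing result here is the point of no easy return from the slides: once the site is on the preload list, the includeSubDomains requirement applies to every host under the domain, including the HTTP-only printer, and removal from the list is slow.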
Browser validates the certificate.
169 roots configured, your browser trusts all of them.
CAs have to publish certificate info in logs
Site admin should monitor those logs
Careful, these logs are public!
Enforce -> actually enforce the header.
Report-uri -> sends a report of non-compliance to an endpoint of your choice, e.g. report-uri.io
Without enforce -> only reporting.
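The enforce and report-uri directives above belong to the Expect-CT header, whose slide heading did not survive in this transcript (note that browsers have since dropped Expect-CT support, Chrome removing it in 2022). The Python below is an added example, not code from the presentation; the header values are constructed. It parses the comma-separated Expect-CT value and classifies what the browser will actually do with it, which makes the slide's three cases explicit: enforce, report-only, or a header that carries neither directive and therefore does nothing.

```python
def parse_expect_ct(header_value):
    """Parse an Expect-CT value into a dict.

    Unlike HSTS, directives are separated by ','. max-age is an integer,
    report-uri is a quoted URI, enforce is a flag.
    """
    parsed = {}
    for token in header_value.split(","):
        token = token.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            parsed["max-age"] = int(value)
        elif name == "report-uri":
            parsed["report-uri"] = value
        else:
            parsed[name] = True
    return parsed


def expect_ct_mode(header_value):
    """Say what the header makes the browser do.

    enforce      -> connections without valid CT information are refused
                    (and reported too, if report-uri is present)
    report-only  -> violations are posted to report-uri, connection still allowed
    no-op        -> neither enforce nor report-uri: the header achieves nothing
    """
    ct = parse_expect_ct(header_value)
    if ct.get("enforce"):
        return "enforce"
    if ct.get("report-uri"):
        return "report-only"
    return "no-op"


if __name__ == "__main__":
    # Constructed values covering the three cases.
    for value in (
        'max-age=86400, enforce, report-uri="https://ct-reports.example.com/r"',
        'max-age=86400, report-uri="https://ct-reports.example.com/r"',
        "max-age=86400",
    ):
        print(repr(value), "->", expect_ct_mode(value))
```

As with CSP, the report-only form is the one to deploy first: a misconfigured enforce directive blocks your own site for every browser that has cached it until max-age expires.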