SECURITY HEADERS
Pete Freitag, Foundeo Inc.
ABOUT ME
- 16 Years Web Development
- Owner Foundeo Inc. Consulting & Products company.
- Blog: petefreitag.com
- Twitter: @pfreitag
Agenda
- The Basics - What is a HTTP Header
- HTTP Strict Transport Security (HSTS)
- X-Frame-Options
- Content-Security-Policy
- Cookies
HTTP Basics
HTTP Request
GET / HTTP/1.1
Host: foundeo.com
User-Agent: My Browser
Cookie: oreo=yum;
HTTP Response
HTTP/1.1 200 OK Date: Tue, 1 Apr 2014 19:58:49 GMT Server: Apache Content-Type: text/plain
Hello World.
HTTP Response Headers in CFML
CFML:
<cfheader name="X-Cow" value="moo">
Yields a HTTP Response such as:
HTTP/1.1 200 OK Date: Tue, 1 Apr 2014 19:58:49 GMT X-Cow: moo Server: Apache Content-Type: text/plain
Hello World.
HTTP Strict Transport Security
(HSTS)
Strict-Transport-Security HTTP Response Header
Instructs the browser to always request a domain using the HTTPS protocol instead of HTTP.
Why Use HSTS?
-
Passive Network Attacks - man in the middle attacks, HTTPS stripping attacks.
-
Active Network Attacks - compromised DNS, evil twin domains, etc.
-
Mixed Content Vulnerabilities - loading of an insecure resource over a secure request (eg swf)
-
Performance - removes unnecessary redirects to HTTPS from http.
- Because no one types https:// in the address bar.
Why HSTS?
HSTS Directives
- max-age - number of seconds policy should be kept for.
-
includeSubDomains - apply this policy to all subdomains of the requested host. Omit to apply policy only to current domain.
HSTS Examples
Require HTTPS for 60 seconds on current domain:
Strict-Transport-Security: max-age=60
Require HTTPS for 365 days on all subdomains:
Strict-Transport-Security: max-age=31536000; includeSubDomains
Remove HSTS Policy (including subdomains):
Strict-Transport-Security: max-age=0
How to handle HTTP Requests
- Requests Over HTTP (Non Secure)
- Should respond with a 301 redirect to the secure url.
-
Must NOT respond with Strict-Transport-Security header on non-secure HTTP requests.
- Requests Over HTTPS
- Should always respond with a Strict-Transport-Security header.
HSTS Browser Support
- Chrome: 4+
- Firefox: 4+
- Safari: 7+
- IE: In Development
See: caniuse.com/stricttransportsecurity for more info.
HSTS Preloading
Chrome has a pre-loaded list of domains that have opted in to always use HTTPS, for examples include PayPal, Twitter, etc.
You can request to be pre-loaded.
HSTS Resources
- HSTS Specification: https://tools.ietf.org/html/rfc6797
- OWASP: https://www.owasp.org/index.php/HTTP_Strict_Transport_Security
- IIS Module: http://hstsiis.codeplex.com/
X-Frame-Options
Allows the server to specify if the response content should be part of a frame, and if so from what origin.
Clickjacking
- AKA UI Redressing
- Attacker tricks the user into clicking on something that performs an unintended action.
Clickjacking Demo
X-Frame-Options Directives
- DENY - Specifies that the requested resource should never be embedded in a frame.
- SAMEORIGIN - Only pages on the same domain may frame the requested resource.
- ALLOW-FROM origin - Allow a whitelisted origin to frame the requested content.
X-Frame-Options Browser Support
- IE: 8+ (ALLOW-FROM 9+)
- FF: 3.6.9 (ALLOW-FROM 18+)
- Chrome: 4.1 (ALLOW-FROM not supported)
- Safari: 4+ (ALLOW-FROM not supported)
X-Frame-Options Resources
Content-Security-Policy (CSP)
HTTP Response header, allows server to control how resources are loaded.
Why Content-Security-Policy?
- Greatly reduces success of Cross Site Scripting (XSS) attacks.
- Report / log xss attack attempts
CSP Demo
CSP Directives
default-src
script-src
style-src
img-src
connect-src
font-src
object-src
media-src
frame-src
sandbox
report-uri
CSP Source Expressions
Source Value | Meaning |
---|---|
*
|
Wildcard, allows all origins. |
'self'
|
Allow same origin. |
'none'
|
Don't allow any resources of this type to load. |
domain.example.com
|
Allow a domain |
*.example.com
|
Allow all subdomains on a domain. |
https://example.com
|
Scheme specific. |
https:
|
Require https. |
data:
|
Allow data uri schemes. |
unsafe-inline
- When script-src or style-src
are enabled inline style
or script
tags are disabled. - You can add 'unsafe-inline' to allow it, but defeats much of CSP's purpose.
unsafe-eval
- CSP also disables unsafe dynamic code evaluation, such as the JavaScript eval() function.
- You can add 'unsafe-eval' to a script-src directive to disable this.
CSP Reports
- Specify a report-uri to receive JSON violation reports
- Report only: Content-Security-Policy-Report-Only
CSP 1.1
- Updated version of the CSP spec is now in Editors Draft
- Adds nonce and hash
- Adds referrer directive
CSP Browser Support
-
Chrome: 25+
- FireFox: 23+
- Safari: 7+
- IE: Not Supported Yet
- IE 10 supports the sandbox directive only via X-Content-Security-Policy
- Vendor prefixes, such as X-Content-Security-Policy and X-Webkit-CSP
CSP Resources
- content-security-policy.com - quick reference
-
www.w3.org/TR/CSP/ - CSP 1.0 Spec W3C Candidate Recommendation
-
www.w3.org/TR/CSP11/ - CSP 1.1 Working Draft
-
www.w3.org/2011/webappsec/ - W3C WebAppSec Working Group
X-XSS-Protection
- X-XSS-Protection: 0 (ignore)
- X-XSS-Protection: 1 (fliter)
- X-XSS-Protection: 1; mode=block (block)
- CSP 1.1 Adds a directive reflected-xss to control this.
Cookies
Two important cookie directives:
- HTTPOnly
- Secure
Cross Origin Resource Sharing (CORS)
CORS allows you to make XMLHttpRequests cross-domain
CORS
- Browser makes the cross origin request if method is GET, HEAD or POST and sends an Origin request header.
- Request responds with a Access-Control-Allow-Origin HTTP response header.
CORS Preflight Request
- If you need to make a cross origin request that is not GET, HEAD or POST, sends credentials, custom headers or a request body.
- The browser will send a preflight request, using the OPTIONS HTTP request method.
CORS Request Headers
- Origin - the origin of the preflight request
- Access-Control-Request-Method - The HTTP request method that the request would send.
- Access-Control-Request-Headers - A comma separated list of header names that the request will use.
CORS Preflight Response Headers
- Access-Control-Allow-Origin - An Origin, "*", or "none"
-
Access-Control-Allow-Credentials - When true the request can include credentials.
- Access-Control-Allow-Headers - tells which request headers can be sent.
- Access-Control-Allow-Methods - tells which HTTP methods can be used for the request.
- Access-Control-Expose-Headers - tells which response headers are available to JavaScript.
- Access-Control-Max-Age - max seconds to cache preflight response
Security Headers
By Pete Freitag
Security Headers
- 8,603