SECURITY HEADERS

Pete Freitag, Foundeo Inc.





ABOUT ME


  • 16 Years Web Development
  • Owner Foundeo Inc. Consulting & Products company.
  • Blog: petefreitag.com
  • Twitter: @pfreitag

Agenda

    • The Basics - What is a HTTP Header
    • HTTP Strict Transport Security (HSTS)
    • X-Frame-Options
    • Content-Security-Policy
    • Cookies

HTTP Basics

HTTP Request
GET / HTTP/1.1
Host: foundeo.com
User-Agent: My Browser
Cookie: oreo=yum;

HTTP Response
HTTP/1.1 200 OK
Date: Tue, 1 Apr 2014 19:58:49 GMT
Server: Apache
Content-Type: text/plain
Hello World.

HTTP Response Headers in CFML

     CFML:
 <cfheader name="X-Cow" value="moo">

     Yields a HTTP Response such as:
HTTP/1.1 200 OK
Date: Tue, 1 Apr 2014 19:58:49 GMT
X-Cow: moo
Server: Apache
Content-Type: text/plain
Hello World.




HTTP Strict Transport Security

(HSTS)


Strict-Transport-Security HTTP Response Header

Instructs the browser to always request a domain using the HTTPS protocol instead of HTTP.


Why Use HSTS?


  • Passive Network Attacks - man in the middle attacks, HTTPS stripping attacks. 

  • Active Network Attacks - compromised DNS, evil twin domains, etc.
  • Mixed Content Vulnerabilities - loading of an insecure resource over a secure request (eg swf)
  • Performance - removes unnecessary redirects to HTTPS from http.
  • Because no one types https:// in the address bar.

    Why HSTS?

    HSTS Directives


      • max-age - number of seconds policy should be kept for.
      • includeSubDomains  - apply this policy to all subdomains of the requested host. Omit to apply policy only to current domain.

    HSTS Examples


    Require HTTPS for 60 seconds on current domain:
     Strict-Transport-Security: max-age=60

    Require HTTPS for 365 days on all subdomains:
     Strict-Transport-Security: max-age=31536000; includeSubDomains

    Remove HSTS Policy (including subdomains):
     Strict-Transport-Security: max-age=0

    How to handle HTTP Requests


    • Requests Over HTTP (Non Secure)

      • Should respond with a 301 redirect to the secure url.
      • Must NOT respond with Strict-Transport-Security header on non-secure HTTP requests.

    • Requests Over HTTPS

      • Should always respond with a Strict-Transport-Security header.

    HSTS Browser Support



    See: caniuse.com/stricttransportsecurity for more info.

    HSTS Preloading


    Chrome has a pre-loaded list of domains that have opted in to always use HTTPS, for examples include PayPal, Twitter, etc.

    You can request to be pre-loaded.

    HSTS Resources


    X-Frame-Options


    Allows the server to specify if the response content should be part of a frame, and if so from what origin.

    Clickjacking


      • AKA UI Redressing
      • Attacker tricks the user into clicking on something that performs an unintended action.

    Clickjacking Demo

    X-Frame-Options Directives


      • DENY - Specifies that the requested resource should never be embedded in a frame.
      • SAMEORIGIN - Only pages on the same domain may frame the requested resource.
      • ALLOW-FROM origin - Allow a whitelisted origin to frame the requested content.

    X-Frame-Options Browser Support


      • IE: 8+ (ALLOW-FROM 9+)
      • FF: 3.6.9 (ALLOW-FROM 18+)
      • Chrome: 4.1 (ALLOW-FROM not supported)
      • Safari: 4+ (ALLOW-FROM not supported)

    X-Frame-Options Resources

    Content-Security-Policy (CSP)



    HTTP Response header, allows server to control how resources are loaded. 

    Why Content-Security-Policy?


    • Greatly reduces success of Cross Site Scripting (XSS) attacks.
      • Report / log xss attack attempts

      CSP Demo

      CSP Directives

      default-src 
        script-src 
      style-src
      img-src 
      connect-src
      font-src
      object-src
      media-src
      frame-src
      sandbox
      report-uri

      CSP Source Expressions

      Source Value Meaning
      * Wildcard, allows all origins.
      'self' Allow same origin.
      'none' Don't allow any resources of this type to load.
      domain.example.com Allow a domain
      *.example.com Allow all subdomains on a domain.
      https://example.com Scheme specific.
      https: Require https.
      data: Allow data uri schemes.

      unsafe-inline


      • When script-src or style-src
         are enabled inline style
         or script
         tags are disabled.  
          • You can add 'unsafe-inline' to allow it, but defeats much of CSP's purpose.

      unsafe-eval


      • CSP also disables unsafe dynamic code evaluation, such as the JavaScript eval() function.
        • You can add 'unsafe-eval' to a script-src directive to disable this.

      CSP Reports


      • Specify a report-uri to receive JSON violation reports
      • Report only: Content-Security-Policy-Report-Only

      CSP 1.1


        • Updated version of the CSP spec is now in Editors Draft
        • Adds nonce and hash
        • Adds referrer directive

      CSP Browser Support


      • Chrome: 25+
      • FireFox: 23+
      • Safari: 7+
      • IE: Not Supported Yet
          • IE 10 supports the sandbox directive only via X-Content-Security-Policy
      • Vendor prefixes, such as X-Content-Security-Policy and X-Webkit-CSP

      CSP Resources


      X-XSS-Protection


        • X-XSS-Protection: 0 (ignore)
        • X-XSS-Protection: 1 (fliter)
        • X-XSS-Protection: 1; mode=block (block)
        • CSP 1.1 Adds a directive reflected-xss to control this.

      Cookies


      Two important cookie directives:

        • HTTPOnly
        • Secure


      Cross Origin Resource Sharing (CORS)


      CORS allows you to make XMLHttpRequests cross-domain

      CORS


      • Browser makes the cross origin request if method is GET, HEAD or POST and sends an Origin  request header.
      • Request responds with a Access-Control-Allow-Origin  HTTP response header.

      CORS Preflight Request


      • If you need to make a cross origin request that is not GET, HEAD or POST, sends credentials, custom headers or a request body.
          • The browser will send a preflight request, using the OPTIONS HTTP request method.

      CORS Request Headers


      • Origin - the origin of the preflight request
      • Access-Control-Request-Method - The HTTP request method that the request would send.
      • Access-Control-Request-Headers - A comma separated list of header names that the request will use.

      CORS Preflight Response Headers

      • Access-Control-Allow-Origin - An Origin, "*", or "none"
      • Access-Control-Allow-Credentials - When true the request can include credentials.
      • Access-Control-Allow-Headers - tells which request headers can be sent.
      • Access-Control-Allow-Methods  - tells which HTTP methods can be used for the request.
      • Access-Control-Expose-Headers - tells which response headers are available to JavaScript.
      • Access-Control-Max-Age - max seconds to cache preflight response 

      Security Headers

      By Pete Freitag

      Security Headers

      • 8,603