Frontend security

Craig Loftus

OWASP

  1. Injection
  2. Broken Authentication
  3. Sensitive Data Exposure
  4. XML External Entities
  5. Broken Access Control
  6. Security Misconfiguration
  7. Cross-Site Scripting
  8. Insecure Deserialization
  9. Using Components with Known Vulnerabilities
  10. Insufficient Logging & Monitoring

Server

Django

TLS

Security headers

TLS

ssllabs.com/ssltest/

ssl-config.mozilla.org

HSTS & Preloading

hstspreload.org

CAA

Certification Authority Authorization

example.org. CAA 128 issue "letsencrypt.org"

Not a hard technical control

CT

Certificate Transparency

developers.facebook.com/tools/ct/

OCSP Stapling

Tries to fix certificate revocation...

Enforce with Must-Staple

Django

By default

securityheaders.com

Batteries included

$ ./manage.py check --deploy
X_FRAME_OPTIONS = 'DENY'
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
SECURE_SSL_REDIRECT = True
SECURE_BROWSER_XSS_FILTER = True
SECURE_CONTENT_TYPE_NOSNIFF = True
CSP_DEFAULT_SRC = ("'self'",)
CSP_SCRIPT_SRC = ("'self'", "static.example.com")
CSP_IMG_SRC = ("*",)

Content-Security-Policy

$ pip install django-csp
csp.middleware.CSPMiddleware

Mitigate cross site scripting attacks by blocking resources

CSP Wizard

CSP_DEFAULT_SRC = ("'none'",)
CSP_REPORT_ONLY = True
CSP_REPORT_URI = "{wizard url}"

Migrating existing be daunting

report-uri.com

CSP extra

CSP_UPGRADE_INSECURE_REQUESTS = True
CSP_BLOCK_ALL_MIXED_CONTENT = True

CSP don'ts

'unsafe-inline'

'unsafe-eval'

Don't be Mozilla

Referrer-Policy

REFERRER_POLICY = "same-origin"
$ pip install django-referrer-policy
django_referrer_policy.middleware.ReferrerPolicyMiddleware

How and when to send the Referer header

Feature-Policy

FEATURE_POLICY = {
    'geolocation': 'none',
    'usb': 'none',
}
$ pip install django-feature-policy
django_feature_policy.FeaturePolicyMiddleware

Lets you turn off browser features

All good now?

Any questions?

slides.com/craigloftus/security/

Made with Slides.com