Security Tip #1

Security HTTP Headers

lightning talk at #parisrb by @DorianLupu


slides available online: slides.com/kundigo

June 7th 2016

X-Frame-Options

Protection against clickjacking by specifying which websites may include your app in an iframe.

* SAMEORIGIN (default value in Rails)

* DENY

* ALLOW-FROM https://example.com/

X-XSS-Protection

This turns on the reflective XSS protection built into browsers.

 

Reflective XSS is a string containing HTML/JavaScript that the user entered on one page and is repeated on the next page, for example after submitting a form.

  • 0 - Disable
  • 1 - Enable (sanitize)
  • 1; mode=block - Enable (block) (default value in Rails)
  • 1; report=http://site.com/report - Enable and report

X-Content-Type-Options

  • nosniff - prevents browsers from MIME-sniffing a response away from the declared content-type (default value in Rails)

Strict-Transport-Security

HTTP Strict Transport Security (HSTS) ensures the browser never visits the HTTP version of a website.

   Strict-Transport-Security: max-age=31536000

This mitigates man-in-the-middle attacks where TLS could otherwise be stripped out.

Content-Security-Policy

Primarily, CSP is a set of rules that tells the browser which asset sources are allowed (a whitelist).

This reduces the number of Cross-Site Scripting (XSS) vectors by, for example, allowing only scripts from your own domain or disallowing inline scripts.

 

More about that in the next talk, Security Tip #2.
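As an added example (not code from the talk or from the secureheaders gem), here is a minimal Rack middleware that sets the headers discussed above with the values the slides call the Rails defaults, plus an audit helper in the spirit of securityheaders.io. It needs no Rails; the CSP value is a constructed placeholder policy, not one the talk recommends.

```ruby
# Values the slides describe; the CSP line is a constructed example policy.
DEFAULT_SECURITY_HEADERS = {
  'X-Frame-Options'           => 'SAMEORIGIN',        # clickjacking protection
  'X-XSS-Protection'          => '1; mode=block',     # reflective XSS filter, block mode
  'X-Content-Type-Options'    => 'nosniff',           # no MIME sniffing
  'Strict-Transport-Security' => 'max-age=31536000',  # HTTPS only, for one year
  'Content-Security-Policy'   => "default-src 'self'" # constructed example policy
}.freeze

class SecurityHeaders
  # Rack middleware: wraps any app whose call(env) returns [status, headers, body].
  def initialize(app, headers = DEFAULT_SECURITY_HEADERS)
    @app = app
    @headers = headers
  end

  def call(env)
    status, headers, body = @app.call(env)
    # Headers the app set itself win, so a controller can still override a default.
    [status, @headers.merge(headers), body]
  end
end

# Audit a response header hash against the recommendations above.
# Returns a list of findings; an empty list means every check passed.
def audit_security_headers(headers)
  h = headers.each_with_object({}) { |(k, v), acc| acc[k.downcase] = v.to_s.strip }
  findings = []

  xfo = h['x-frame-options']
  findings << 'X-Frame-Options missing' if xfo.nil?
  if xfo && !xfo.match?(/\A(DENY|SAMEORIGIN|ALLOW-FROM\s+\S+)\z/i)
    findings << "X-Frame-Options has unexpected value #{xfo}"
  end

  findings << 'X-XSS-Protection missing or disabled' unless h['x-xss-protection'].to_s.start_with?('1')
  findings << 'X-Content-Type-Options should be nosniff' unless h['x-content-type-options'].to_s.casecmp?('nosniff')

  max_age = h['strict-transport-security'].to_s[/max-age=(\d+)/i, 1]
  if max_age.nil?
    findings << 'Strict-Transport-Security missing'
  elsif max_age.to_i < 31_536_000
    findings << "HSTS max-age #{max_age} is shorter than one year"
  end

  findings << 'Content-Security-Policy missing' unless h.key?('content-security-policy')
  findings
end
```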

Useful links & tools

* securityheaders.io - check your security headers

* twitter/secureheaders gem

* rorsecurity.info - website dedicated to RoR security

Questions?

Thank you

Security Tip #1 - Security Headers

By Dorian Lupu
