Security HTTP Headers
June 7th 2016
X-Frame-Options: protection against clickjacking by specifying which websites may include your app in an iframe. Possible values:
* SAMEORIGIN (default value in Rails)
* DENY
* ALLOW-FROM https://example.com/
X-XSS-Protection: this turns on the Reflective XSS protection built into browsers.
Reflective XSS occurs when a string containing HTML/JavaScript that the user entered on one page is echoed unescaped on the next page, for example after submitting a form.
HTTP Strict Transport Security (HSTS) ensures the browser never visits the HTTP version of a website.
Strict-Transport-Security: max-age=31536000
This mitigates man-in-the-middle attacks in which TLS is stripped, i.e. the attacker downgrades the connection to plain HTTP.
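The three headers above (X-Frame-Options, X-XSS-Protection and Strict-Transport-Security) are easy to set and just as easy to forget on one endpoint, which is what sites like securityheaders.io check for. The following is an added example, not code from the talk or the secureheaders gem: a plain-Ruby audit of a response header hash that reports which of the three protections is missing or weakened. The header hashes are constructed inline. One caveat that postdates the talk: Chrome and Edge have since removed the filter that X-XSS-Protection controls, so CSP is the protection to rely on; the check is kept because the talk covers the header.

```ruby
# Added example (not code from the talk): audit the headers of one HTTP response
# for the three protections discussed above. Header hashes are constructed here;
# nothing is fetched from the network.

HSTS_ONE_YEAR = 31_536_000                  # seconds; the max-age used in the talk's example
FRAME_OPTIONS_OK = %w[DENY SAMEORIGIN].freeze

# Takes a Hash of response headers (any name case) and returns an Array of findings.
# An empty Array means X-Frame-Options, X-XSS-Protection and HSTS are all set sensibly.
def audit_security_headers(headers)
  # HTTP header names are case-insensitive, so index them in lowercase.
  h = headers.each_with_object({}) { |(name, value), acc| acc[name.to_s.downcase] = value.to_s.strip }
  findings = []

  # X-Frame-Options: who may put this page in an <iframe>.
  xfo = h['x-frame-options']
  if xfo.nil?
    findings << 'X-Frame-Options missing: any site can frame this page (clickjacking)'
  elsif xfo.upcase.start_with?('ALLOW-FROM')
    # ALLOW-FROM was never implemented by every browser; CSP frame-ancestors is the portable replacement.
    findings << "X-Frame-Options '#{xfo}': ALLOW-FROM is not honoured by every browser, use CSP frame-ancestors instead"
  elsif !FRAME_OPTIONS_OK.include?(xfo.upcase)
    findings << "X-Frame-Options has unrecognised value '#{xfo}'"
  end

  # X-XSS-Protection: the browser's reflected-XSS filter.
  xss = h['x-xss-protection']
  if xss.nil?
    findings << 'X-XSS-Protection missing'
  elsif xss.start_with?('0')
    findings << 'X-XSS-Protection is explicitly disabled (0)'
  elsif !xss.downcase.include?('mode=block')
    findings << 'X-XSS-Protection without mode=block: the browser sanitises instead of blocking the page'
  end

  # Strict-Transport-Security: never fall back to plain HTTP.
  hsts = h['strict-transport-security']
  if hsts.nil?
    findings << 'Strict-Transport-Security missing: the browser will follow plain-HTTP links (TLS stripping)'
  elsif (m = hsts.match(/max-age=(\d+)/i)).nil?
    findings << 'Strict-Transport-Security has no max-age directive'
  elsif m[1].to_i < HSTS_ONE_YEAR
    findings << "Strict-Transport-Security max-age=#{m[1]} is shorter than one year (#{HSTS_ONE_YEAR})"
  end

  findings
end

# Constructed sample responses: one with weak settings, one hardened.
WEAK_HEADERS = { 'Content-Type' => 'text/html', 'X-XSS-Protection' => '0' }.freeze
HARDENED_HEADERS = {
  'X-Frame-Options' => 'SAMEORIGIN',
  'X-XSS-Protection' => '1; mode=block',
  'Strict-Transport-Security' => 'max-age=31536000'
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts 'weak:'
  audit_security_headers(WEAK_HEADERS).each { |f| puts "  - #{f}" }
  puts "hardened: #{audit_security_headers(HARDENED_HEADERS).inspect}"   # => []
end
```

In a Rails app the hardened values are normally set once for every response through `config.action_dispatch.default_headers` (or by the secureheaders gem listed below) rather than per controller, so an audit like this is most useful run against the live responses of a few representative URLs, including error pages and redirects, which are the ones that most often slip through.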
Primarily, Content Security Policy (CSP) is a set of rules telling the browser which asset sources are allowed (a whitelist).
This reduces the number of Cross-Site Scripting (XSS) vectors by, for example, allowing only scripts from your domain or disallowing inline scripts.
More about that in the next talk, Security Tip #2.
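To make the whitelist idea concrete, here is an added example (not code from the talk): a small parser for a Content-Security-Policy header value plus a check that reports exactly the two weaknesses mentioned above, inline scripts being allowed and scripts being allowed from origins other than your own. The policies and the origin `https://app.example.com` are constructed for the example.

```ruby
# Added example (not code from the talk): parse a Content-Security-Policy header
# and flag the script-source settings that leave XSS vectors open. All policies
# below are constructed.

# "default-src 'self'; script-src 'self' https://cdn.example.com"
#   => { "default-src" => ["'self'"], "script-src" => ["'self'", "https://cdn.example.com"] }
def parse_csp(policy)
  policy.split(';').each_with_object({}) do |directive, acc|
    tokens = directive.strip.split(/\s+/)
    next if tokens.empty?
    acc[tokens.shift.downcase] = tokens   # directive names are case-insensitive
  end
end

# Fetch directives that are not listed fall back to default-src; with no default-src
# either, the browser applies no restriction at all for that directive.
def effective_sources(csp, directive)
  csp.fetch(directive) { csp.fetch('default-src', []) }
end

# Returns an Array of findings for the script sources allowed by +policy+.
# +own_origin+ is the origin the application is served from, e.g. "https://app.example.com".
def audit_csp(policy, own_origin)
  csp = parse_csp(policy)
  findings = []
  findings << 'no default-src: every directive not listed is unrestricted' unless csp.key?('default-src')

  effective_sources(csp, 'script-src').each do |src|
    case src.downcase
    when "'unsafe-inline'" then findings << "script-src allows 'unsafe-inline': injected inline scripts run"
    when "'unsafe-eval'"   then findings << "script-src allows 'unsafe-eval'"
    when /\A'/             then next              # other keywords: 'self', 'none', nonces, hashes
    when '*', /\A[a-z]+:\z/, /\*/                 # any host, any host of a scheme, or a wildcard host
      findings << "script-src allows the broad source #{src}"
    when own_origin.downcase then next            # your own domain, spelled out
    else
      findings << "script-src allows third-party host #{src}: confirm it is trusted"
    end
  end
  findings
end

# Constructed policies: one weak, one that allows a CDN, one restricted to the app itself.
OWN_ORIGIN = 'https://app.example.com'
WEAK_CSP   = "default-src 'self'; script-src 'self' 'unsafe-inline' https:"
CDN_CSP    = "default-src 'self'; script-src 'self' https://cdn.example.com; object-src 'none'"
STRICT_CSP = "default-src 'self'; object-src 'none'"

if __FILE__ == $PROGRAM_NAME
  [WEAK_CSP, CDN_CSP, STRICT_CSP].each do |policy|
    puts policy
    audit_csp(policy, OWN_ORIGIN).each { |f| puts "  - #{f}" }
  end
end
```

The fallback in `effective_sources` is the part that trips people up: a policy with `default-src 'self'` and no `script-src` already restricts scripts to your domain, whereas a policy that lists only `script-src` leaves images, frames and everything else unrestricted, which is why the check reports a missing `default-src` first.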
* securityheaders.io - check your security headers
* twitter/secureheaders gem
* rorsecurity.info - website dedicated to RoR security
talk at #parisrb by @DorianLupu
slides available online: slides.com/kundigo