0xOPOSEC Meetup - [0x31] - The Meet
Renato Rodrigues - @SiMpS0N - 01-03-2016
GET / HTTP/1.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,fr;q=0.6
Cache-Control: no-cache
Pragma: no-cache
User-Agent: () { :;}; /bin/bash -c "whoami"
Host: 0xOPOSEC
Security Headers
HTTP/1.1 200 OK
Headers
In Real Life...
HTTP HEADERS
In Short
HTTP message headers are used to precisely describe the resource being fetched or the behavior of the server or the client. Custom proprietary headers can be added using the 'X-' prefix; others are listed in an IANA registry, whose original content was defined in RFC 4229.
HTTP headers are the core part of HTTP requests and responses, and they carry information about the browser, the requested content, the server and much more.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers
HEADERS
Header descriptions from https://securityheaders.io/
X-Xss-Protection
Sets the configuration for the cross-site scripting filters built into most browsers. The best configuration is "X-XSS-Protection: 1; mode=block".
X-XSS-Protection 1; mode=block
X-Frame-Options
Tells the browser whether you want to allow your site to be framed or not. By preventing a browser from framing your site you can defend against attacks like clickjacking.
X-Frame-Options SAMEORIGIN
X-Content-Type-Options
Stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. This helps to reduce the danger of drive-by downloads. The only valid value for this header is "X-Content-Type-Options: nosniff".
X-Content-Type-Options nosniff
Strict-Transport-Security
Is an excellent feature to support on your site and strengthens your implementation of TLS by getting the User Agent to enforce the use of HTTPS.
Strict-Transport-Security max-age=31536000; includeSubdomains; preload
Content-Security-Policy
Is an effective measure to protect your site from several attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets.
Content-Security-Policy default-src 'self'; script-src 'self' ...
CSP Builder (Helper): https://report-uri.io/home/generate
Public-Key-Pins
Protects your site from MiTM attacks using rogue X.509 certificates. By whitelisting only the identities that the browser should trust, your users are protected in the event a certificate authority is compromised.
Public-Key-Pins pin-sha256="t/OMbK...JM="; max-age=600; report-uri="..."
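As an added example (not code from the talk), a small Python checker that parses a raw HTTP response and grades its headers against the recommendations above, much as securityheaders.io does; the sample response is constructed.

```python
import re

ONE_YEAR = 31536000  # HSTS max-age recommended on the slides


def parse_response_headers(raw):
    """Parse the header block of a raw HTTP/1.1 response into a dict.
    Header names are case-insensitive, so they are lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0].replace("\r\n", "\n")
    headers = {}
    for line in head.split("\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_security_headers(headers):
    """Return {header: finding}; an empty finding means the header is OK."""
    h = {k.lower(): v for k, v in headers.items()}
    f = {}
    xfo = h.get("x-frame-options", "").upper()
    f["X-Frame-Options"] = "" if xfo in ("DENY", "SAMEORIGIN") else "missing or not DENY/SAMEORIGIN"
    xcto = h.get("x-content-type-options", "").lower()
    f["X-Content-Type-Options"] = "" if xcto == "nosniff" else "missing or not nosniff"
    xss = h.get("x-xss-protection", "").replace(" ", "").lower()
    f["X-XSS-Protection"] = "" if xss == "1;mode=block" else "missing or not '1; mode=block'"
    hsts = h.get("strict-transport-security", "").lower()
    m = re.search(r"max-age=(\d+)", hsts)
    if not hsts:
        f["Strict-Transport-Security"] = "missing"
    elif not m or int(m.group(1)) < ONE_YEAR:
        f["Strict-Transport-Security"] = "max-age shorter than one year"
    elif "includesubdomains" not in hsts:
        f["Strict-Transport-Security"] = "includeSubDomains not set"
    else:
        f["Strict-Transport-Security"] = ""
    csp = h.get("content-security-policy", "")
    if not csp:
        f["Content-Security-Policy"] = "missing"
    elif "default-src" not in csp:
        f["Content-Security-Policy"] = "no default-src fallback"
    elif "'unsafe-inline'" in csp:  # inline scripts defeat the whitelist
        f["Content-Security-Policy"] = "'unsafe-inline' weakens script-src"
    else:
        f["Content-Security-Policy"] = ""
    return f


SAMPLE_RESPONSE = (  # constructed sample, not a real server's output
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "X-Frame-Options: SAMEORIGIN\r\nX-Content-Type-Options: nosniff\r\n"
    "Strict-Transport-Security: max-age=600\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'\r\n"
    "\r\n<html>...</html>"
)

if __name__ == "__main__":
    for name, finding in audit_security_headers(parse_response_headers(SAMPLE_RESPONSE)).items():
        print(f"{name}: {finding or 'OK'}")
```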
In Real Life
Apache
Header set X-Frame-Options SAMEORIGIN
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options nosniff
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header set Content-Security-Policy "default-src 'self'"
Edit $(APACHE-DIR)/sites-enabled/website.conf or /httpd.conf
NGINX
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "default-src 'self'";
# Inside the server block that holds the SSL config
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
Edit $(NGINX-DIR)/nginx.conf
https://gist.github.com/plentz/6737338
?
THANK YOU!
Security Headers
By Renato Rodrigues
Enhance the security of a website by properly setting up some HTTP headers. 10-minute talk for the 0xOPOSEC Meetup.