ØxOPOSɆC Mɇɇtuᵽ - [0x31] - The Meet

Renato Rodrigues - @SiMpS0N- 01-03-2016

GET / HTTP/1.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,fr;q=0.6
Cache-Control: no-cache
Pragma: no-cache
User-Agent: () { :;}; /bin/bash -c "whoami"


Host: 0xOPOSEC
Security Headers

HTTP/1.1 200 ok
Headers
In Real Life...

HTTP HEADERS

In Short

HTTP message headers are used to precisely describe the resource being fetched or the behavior of the server or the client. Custom proprietary headers can be added using the 'X-' prefix; others are listed in an IANA registry, whose original content was defined in RFC 4229. 

HTTP headers are the core part of HTTP requests and responses, and they carry information about the browser, the requested content, the server and much more.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers

HEADERS

Headers Description from

https://securityheaders.io/

X-Xss-Protection

 Sets the configuration for the cross-site scripting filters built into most browsers. The best configuration is "X-XSS-Protection: 1; mode=block".

X-XSS-Protection 1; mode=block

X-Frame-Options

Tells the browser whether you want to allow your site to be framed or not. By preventing a browser from framing your site you can defend against attacks like clickjacking.

X-Frame-Options SAMEORIGIN

X-Content-Type-Options

Stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. This helps to reduce the danger of drive-by downloads. The only valid value for this header is "X-Content-Type-Options: nosniff".

X-Content-Type-Options nosniff

Strict-Transport-Security

Is an excellent feature to support on your site and strengthens your implementation of TLS by getting the User Agent to enforce the use of HTTPS.

Strict-Transport-Security max-age=31536000; includeSubdomains; preload

Content-Security-PolicY

Is an effective measure to protect your site from several attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets.

Content-Security-Policy default-src 'self'; script-src 'self' ...
https://report-uri.io/home/generate

CSP Builder (Helper): 

Public-Key-Pins

Protects your site from MiTM attacks using rogue X.509 certificates. By whitelisting only the identities that the browser should trust, your users are protected in the event a certificate authority is compromised.

Public-Key-Pins pin-sha256="t/OMbK...JM="; max-age=600; report-uri="..."

In real Life

 

Apache

Header set X-Frame-Options SAMEORIGIN
Header set X-XSS-Protection 1;mode=block
Header set X-Content-Type-Options nosniff
Header set Strict-Transport-Security max-age=31536000; includeSubDomains
Header set Content-Security-Policy default-src 'self'

Edit $(APACHE-DIR)/
sites-enabled/website.conf or /httpd.conf

NGINX

add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "default-src 'self'
#Inside Server SSL Config
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";

Edit $(NGINX-DIR)/nginx.conf

https://gist.github.com/plentz/6737338

?

THANK YOU!

Security Headers

By Renato Rodrigues

Security Headers

Enhance the security of a website by properly setup some HTTP Headers. - 10Min Talk for 0xOPOSEC Meetup

  • 3,088