Csp and http headers
1. W3C Content Security Policy and HTTP Headers for Security
David Epler
Security Architect
depler@aboutweb.com
2. About Me
• Application Developer originally
• Contributor to Learn CF In a Week
• OWASP Individual Member
• OWASP Zed Attack Proxy (ZAP) Evangelist
• Security Certifications - CEH, GWAPT
3. About the Session
• What will be covered
  • HTTP Header Basics
  • HTTP Headers for Security
    • X-Content-Type-Options
    • X-XSS-Protection
    • X-Frame-Options
    • Cookies
    • HTTP Strict Transport Security (HSTS)
  • W3C Content Security Policy (CSP)
5. HTTP Response Headers
• Can be set by the web server, the web application, or anything else that interacts with the HTTP response

Apache (requires mod_headers):
Header always set X-Mork KO

ColdFusion:
<cfheader name="X-Mork" value="nanu-nanu">

PHP:
<?php header("X-Mork: shazbot") ?>
7. X-Content-Type-Options
• Protects against MIME type confusion attacks
• Internet Explorer 9+, Chrome, & Safari

Internet Explorer           Chrome
text/css                    text/css
text/ecmascript             text/ecmascript
text/javascript             text/javascript
text/jscript                text/jscript
application/ecmascript      application/ecmascript
application/javascript      application/javascript
application/x-javascript    application/x-javascript
text/vbs                    text/javascript1.1
text/vbscript               text/javascript1.2
text/x-javascript           text/javascript1.3
                            text/livescript

X-Content-Type-Options: nosniff
8. X-XSS-Protection
• Configures the user-agent's built-in reflective XSS protection
• Internet Explorer 8+ and Chrome

Value           Meaning
0               Disable XSS protection
1               Enable XSS protection
1; mode=block   Enable XSS protection & block content
1; report=URL   Report potential XSS to URL (Chrome/WebKit only)

X-XSS-Protection: 1; mode=block
9. X-Frame-Options
• Indicates whether the browser should be allowed to render the content in a <frame> or <iframe>
• Mitigates clickjacking / UI redress attacks

Value           Meaning
DENY            Prevents any domain from framing the content
SAMEORIGIN      Only allows sites on the same domain to frame the content
ALLOW-FROM URL  Whitelist of URLs that are allowed to frame the content

10. X-Frame-Options
• Browser support varies based on the value

Browser             DENY/SAMEORIGIN   ALLOW-FROM
Chrome              4.1               not supported
Firefox             3.6.9             18.0
Internet Explorer   8                 9
Opera               10.50
Safari              4                 not supported

X-Frame-Options: SAMEORIGIN
11. Cookies
• Important directives on cookies
  • HttpOnly
    • cookie is not accessible to JavaScript
  • Secure
    • cookie is only sent over HTTPS

Set-Cookie: JSESSIONID=4B4BE61DB23C8858560A7BC35804507F; Path=/; Secure; HttpOnly
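Added example (not from the slides): a small Python audit that checks a response's X-Content-Type-Options, X-XSS-Protection, X-Frame-Options and Set-Cookie values against the recommendations in slides 7 to 11; the response in SAMPLE_RESPONSE is constructed for the demonstration.

```python
# Constructed sample response (not captured from a real site): header name -> list
# of values, since Set-Cookie may legitimately appear more than once.
SAMPLE_RESPONSE = {
    "X-Content-Type-Options": ["nosniff"],
    "X-XSS-Protection": ["1; mode=block"],
    "X-Frame-Options": ["ALLOW-FROM https://partner.example.com"],
    "Set-Cookie": [
        "JSESSIONID=4B4BE61DB23C8858560A7BC35804507F; Path=/; Secure; HttpOnly",
        "prefs=dark; Path=/",
    ],
}

def audit_headers(headers):
    """Return a list of findings (strings) for the given response headers.
    Header names are compared case-insensitively, as HTTP requires."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    cto = h.get("x-content-type-options", [])
    if not any(v.strip().lower() == "nosniff" for v in cto):
        findings.append("X-Content-Type-Options: nosniff missing (MIME sniffing allowed)")

    xss = h.get("x-xss-protection", [])
    if not xss:
        findings.append("X-XSS-Protection missing (browser default filter behaviour)")
    else:
        mode = xss[0].replace(" ", "").lower()
        if mode.startswith("0"):
            findings.append("X-XSS-Protection disables the reflective XSS filter")
        elif "mode=block" not in mode:
            findings.append("X-XSS-Protection enabled without mode=block")

    xfo = h.get("x-frame-options", [])
    if not xfo:
        findings.append("X-Frame-Options missing (page can be framed: clickjacking)")
    else:
        value = xfo[0].strip().upper()
        if value.startswith("ALLOW-FROM"):
            findings.append("X-Frame-Options ALLOW-FROM is not supported by Chrome/Safari")
        elif value not in ("DENY", "SAMEORIGIN"):
            findings.append("X-Frame-Options has an unrecognised value: " + xfo[0])

    # Each cookie: name=value followed by ';'-separated attributes.
    for cookie in h.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure (sent over plain HTTP)")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly (readable by JavaScript)")
    return findings
```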
13. HTTP Strict Transport Security (HSTS)
• Instructs the browser to always use the HTTPS protocol instead of HTTP
• Helps prevent
  • Network attacks
  • Mixed content vulnerabilities
• HSTS does not allow a user to override the invalid certificate message
16. HSTS Directives
• max-age tells the user-agent how long to cache the STS setting, in seconds
• includeSubDomains tells the user-agent to include any subdomains

17. HSTS Examples
Require HTTPS for 60 seconds on the domain:
Strict-Transport-Security: max-age=60

Require HTTPS for 365 days on the domain and all subdomains:
Strict-Transport-Security: max-age=31536000; includeSubDomains

Remove the HSTS policy (including subdomains):
Strict-Transport-Security: max-age=0
18. Handling Requests
• HTTP requests
  • Should respond with HTTP status code 301 and redirect to HTTPS
  • The Strict-Transport-Security header must not be included on HTTP
• HTTPS requests
  • Should always respond with the Strict-Transport-Security header

19. HSTS Preloading
• Not part of the official specification
• Chrome maintains a list of sites that always use HTTPS
• Used by Firefox and Safari as well
• Need to submit the site to be included in the preload list
  • https://hstspreload.appspot.com/

Strict-Transport-Security: max-age=10886400; includeSubDomains; preload
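Added example (not the deck's code): the request-handling rules from slide 18 and the directives from slides 16, 17 and 19 in Python. hsts_response decides the status and headers for an HTTP or HTTPS request URL, and parse_hsts reads a Strict-Transport-Security value back into its directives; the one-year max-age and the requirement that preload come with includeSubDomains are assumptions taken from the slide's examples.

```python
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # seconds; matches the slide's "365 days" example

def hsts_response(url, include_subdomains=True, preload=False):
    """Return (status, headers) for a request to `url` following the HSTS
    handling rules: a plain-HTTP request gets a 301 to the same URL over HTTPS
    and no STS header; an HTTPS request gets Strict-Transport-Security."""
    parts = urlsplit(url)
    if parts.scheme == "http":
        return 301, {"Location": parts._replace(scheme="https").geturl()}
    if parts.scheme != "https":
        raise ValueError("unsupported scheme: " + parts.scheme)
    directives = [f"max-age={ONE_YEAR}"]
    if include_subdomains:
        directives.append("includeSubDomains")
    if preload:
        # Assumption from the preload example: the policy must cover subdomains.
        if not include_subdomains:
            raise ValueError("preload requires includeSubDomains")
        directives.append("preload")
    return 200, {"Strict-Transport-Security": "; ".join(directives)}

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into
    (max_age, include_subdomains, preload). Directive names are
    case-insensitive; max-age=0 tells the browser to drop the policy."""
    max_age, include_subdomains, preload = None, False, False
    for token in value.split(";"):
        name, _, val = token.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            max_age = int(val.strip().strip('"'))
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("max-age is required")
    return max_age, include_subdomains, preload
```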
22. W3C Content Security Policy (CSP)
• Provides a whitelist to the browser for loading resources
• Developed by Mozilla and first implemented in Firefox 4
• Experimental headers
  • X-Content-Security-Policy
  • X-WebKit-CSP
• Content Security Policy 1.0: W3C Candidate Recommendation, November 15, 2012
• HTTP headers:
  Content-Security-Policy
  Content-Security-Policy-Report-Only
23. CSP 1.0 Directives

Directive     Meaning
default-src   default source, used for any directives that are not defined
script-src    sources for JavaScript
object-src    sources for <object>, <embed>, and <applet>
style-src     sources for CSS stylesheets
img-src       sources for images
media-src     sources for HTML5 <video>, <audio>, <source>, and <track>
frame-src     sources for <frame> and <iframe>
font-src      sources for web fonts
connect-src   sources for XMLHttpRequest, WebSockets, and EventSource
report-uri    location to send violation reports
sandbox       specifies the sandbox policy
24. CSP Source Expressions

Value                      Meaning
*                          wildcard, allows all origins
'self'                     allow the same origin
'none'                     deny all access
www.example.com            allow a specific domain
*.example.com              allow all subdomains of a domain
https://www.example.com    specific URL
https:                     require HTTPS
data:                      allow data: URI schemes (base64)

25. Special Sources
• 'unsafe-inline'
  • Allows inline content for script-src and style-src
• 'unsafe-eval'
  • Allows unsafe dynamic evaluation of code, such as JavaScript eval(), in script-src
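Added example (not the deck's code): a CSP 1.0 policy parser in Python that applies the default-src fallback from slide 23 and flags the source expressions from slides 24 and 25 that weaken the whitelist; SAMPLE_POLICY is a constructed policy string.

```python
# CSP 1.0 fetch directives that fall back to default-src when not set.
FETCH_DIRECTIVES = ("script-src", "object-src", "style-src", "img-src",
                    "media-src", "frame-src", "font-src", "connect-src")

# Constructed policy for the demonstration (not from the slides).
SAMPLE_POLICY = ("default-src 'self'; "
                 "script-src 'self' https://cdn.example.com 'unsafe-inline'; "
                 "img-src *; report-uri /csp-report")

def parse_csp(policy):
    """Parse a Content-Security-Policy value into {directive: [sources]}.
    Directives are ';'-separated, sources whitespace-separated; names are
    lower-cased, and a repeated directive keeps its first occurrence."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives

def effective_sources(directives, name):
    """Sources governing `name`, applying the default-src fallback.
    With neither present, CSP 1.0 places no restriction, modelled as ['*']."""
    if name in directives:
        return directives[name]
    return directives.get("default-src", ["*"])

def risky_sources(policy):
    """Flag source expressions that open the whitelist: the * wildcard,
    'unsafe-inline' on script/style, and 'unsafe-eval' on script."""
    d = parse_csp(policy)
    findings = []
    for name in FETCH_DIRECTIVES:
        for src in effective_sources(d, name):
            low = src.lower()
            if low == "*":
                findings.append(f"{name}: wildcard * allows any origin")
            elif low == "'unsafe-inline'" and name in ("script-src", "style-src"):
                findings.append(f"{name}: 'unsafe-inline' allows inline content")
            elif low == "'unsafe-eval'" and name == "script-src":
                findings.append(f"{name}: 'unsafe-eval' allows eval()")
    return findings
```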