W3C Content Security Policy

and HTTP Headers for Security
David Epler
Security Architect
depler@aboutweb.com
About Me
• Application Developer originally
• Contributor to Learn CF In a Week
• OWASP Individual Member
• OWASP Zed Attack Proxy (ZAP) Evangelist
• Security Certifications - CEH, GWAPT
About the Session
• What will be covered
• HTTP Header Basics
• HTTP Headers for Security
• X-Content-Type-Options
• X-XSS-Protection
• X-Frame-Options
• Cookies
• HTTP Strict Transport Security (HSTS)
• W3C Content Security Policy (CSP)
HTTP Basics
HTTP Request
GET / HTTP/1.1
Host: www.aboutweb.com

HTTP Response
HTTP/1.1 200 OK
Date: Tue, 7 Apr 2015 20:21:22 GMT
Server: Apache
Content-Type: text/html
HTTP Response Headers
• Can be set by the web server, the web application, or anything else that touches the HTTP response (a proxy or load balancer, for example)

Apache (requires mod_headers):
Header always set X-Mork KO

ColdFusion:
<cfheader name="X-Mork" value="nanu-nanu">

PHP:
<?php header("X-Mork: shazbot"); ?>

HTTP Response
HTTP/1.1 200 OK
Date: Tue, 7 Apr 2015 21:22:23 GMT
Server: Apache
X-Mork: nanu-nanu
Content-Type: text/html

<html>
  …
</html>
X-Content-Type-Options
• Protects against MIME type confusion (content sniffing) attacks: the browser must not guess a different type than the one in Content-Type and, for example, execute an uploaded "image" as script
• Internet Explorer 8+, Chrome, and Safari
• With nosniff set, a <script> is only executed when served with one of these content types (and a stylesheet only as text/css):

Internet Explorer          Chrome
text/css                   text/css
text/ecmascript            text/ecmascript
text/javascript            text/javascript
text/jscript               text/jscript
application/ecmascript     application/ecmascript
application/javascript     application/javascript
application/x-javascript   application/x-javascript
text/vbs                   text/javascript1.1
text/vbscript              text/javascript1.2
text/x-javascript          text/javascript1.3
text/livescript

X-Content-Type-Options: nosniff
X-XSS-Protection
• Configures the user agent's built-in reflected XSS filter
• Internet Explorer 8+ and Chrome
• A value of 1 alone makes the filter rewrite (sanitize) the page; mode=block stops rendering entirely and is the setting to use

Value                Meaning
0                    Disable XSS protection
1                    Enable XSS protection
1; mode=block        Enable XSS protection and block the page instead of sanitizing it
1; report=URL        Report potential XSS to URL (Chrome/WebKit only)

X-XSS-Protection: 1; mode=block
X-Frame-Options
• Indicates whether the browser may render the content inside a <frame> or <iframe>
• Defends against clickjacking / UI redress attacks

Value                Meaning
DENY                 Prevents any domain from framing the content
SAMEORIGIN           Only allows pages on the same origin to frame the content
ALLOW-FROM URL       Allows exactly one origin to frame the content (the header takes a single URI, not a list)

X-Frame-Options
• Browser support varies based on the value

Browser              DENY/SAMEORIGIN    ALLOW-FROM
Chrome               4.1                not supported
Firefox              3.6.9              18.0
Internet Explorer    8                  9
Opera                10.50
Safari               4                  not supported

X-Frame-Options: SAMEORIGIN
Cookies
• Important attributes on cookies
• HttpOnly
• the cookie is not accessible to JavaScript (document.cookie), so a script injected via XSS cannot read it
• Secure
• the cookie is only sent over HTTPS, never on a plain HTTP request

Set-Cookie: JSESSIONID=4B4BE61DB23C8858560A7BC35804507F; Path=/; Secure; HttpOnly
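As an added example (not part of the deck), the following script audits a captured response for the headers covered so far: X-Content-Type-Options, X-XSS-Protection, X-Frame-Options and the cookie flags. The two responses are constructed for the example; the checks encode the values the slides recommend. One caveat for current readers: the X-XSS-Protection filter has since been removed from Chrome and was never implemented in Firefox, so that check matters only for the Internet Explorer population.

```python
# Added example (not from the slide deck): audit the headers covered above
# in a captured response. The two responses below are constructed for the
# example; the checks encode the slide's recommended values.
from email.message import Message
from typing import List

# Constructed sample responses (header section only).
WEAK = """HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Set-Cookie: JSESSIONID=4B4BE61DB23C8858560A7BC35804507F; Path=/
"""

HARDENED = """HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Set-Cookie: JSESSIONID=4B4BE61DB23C8858560A7BC35804507F; Path=/; Secure; HttpOnly
"""


def parse_raw_response(raw: str) -> Message:
    """Parse the header block into a case-insensitive mapping that keeps
    repeated headers (several Set-Cookie lines are normal)."""
    msg = Message()
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, _, value = line.partition(":")
        msg[name.strip()] = value.strip()      # __setitem__ appends, never replaces
    return msg


def audit_headers(msg: Message) -> List[str]:
    """One finding per weak or missing setting; an empty list means clean."""
    findings = []

    if (msg.get("X-Content-Type-Options") or "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing (MIME sniffing allowed)")

    xss = (msg.get("X-XSS-Protection") or "").replace(" ", "").lower()
    if not xss.startswith("1"):
        findings.append("X-XSS-Protection: filter disabled or unset")
    elif "mode=block" not in xss:
        findings.append("X-XSS-Protection: 1 without mode=block only rewrites the page")

    xfo = (msg.get("X-Frame-Options") or "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        pass
    elif xfo.startswith("ALLOW-FROM "):
        findings.append("X-Frame-Options: ALLOW-FROM is not honoured by Chrome or Safari")
    else:
        findings.append("X-Frame-Options: missing, page can be framed (clickjacking)")

    # Cookie attributes follow the first ';' and are case-insensitive.
    for cookie in msg.get_all("Set-Cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {part.strip().lower() for part in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {name}: no Secure flag, also sent over plain HTTP")
        if "httponly" not in attrs:
            findings.append(f"cookie {name}: no HttpOnly flag, readable via document.cookie")
    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_headers(parse_raw_response(raw)) or ["no findings"])
```

Feed it the header block from `curl -sI https://host/` and every deviation from the slide's recommended values comes back as a finding; the hardened response produces none.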
DEMO
HTTP Strict Transport Security (HSTS)
• Instructs the browser to always use HTTPS instead of HTTP for the host, for as long as the policy is cached
• Helps prevent
• Network attacks (SSL stripping of the first plain-HTTP request)
• Mixed content vulnerabilities
• HSTS does not allow the user to click through an invalid certificate warning; the connection is simply refused
Certificate Error w/o HSTS
Certificate Error w/ HSTS
HSTS Directives
• max-age tells the user agent how long to cache the STS setting, in seconds
• includeSubDomains tells the user agent to apply the policy to all subdomains as well
HSTS Examples
Require HTTPS for 60 seconds on the domain
Strict-Transport-Security: max-age=60

Require HTTPS for 365 days on the domain and all subdomains
Strict-Transport-Security: max-age=31536000; includeSubDomains

Remove the HSTS policy (including subdomains)
Strict-Transport-Security: max-age=0
Handling Requests
• HTTP requests
• Should respond with HTTP status code 301 and redirect to the HTTPS URL
• The Strict-Transport-Security header must not be included on plain HTTP responses (browsers ignore it there)
• HTTPS requests
• Should always respond with the Strict-Transport-Security header
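As an added example (not part of the deck), here are the two request-handling rules above implemented as a minimal WSGI application, together with a parser for the header it emits. The hostname, max-age and page body are assumptions for illustration; the app reads the scheme from the WSGI environment, so behind a TLS-terminating proxy you would populate it from X-Forwarded-Proto instead.

```python
# Added example (not from the slide deck): a minimal WSGI app that applies the
# HSTS request-handling rules, plus a parser for the header it emits.
# CANONICAL_HOST and HSTS_MAX_AGE are assumptions for illustration.
from typing import Dict, Tuple
from urllib.parse import quote

HSTS_MAX_AGE = 31536000          # one year, as in the slide example
CANONICAL_HOST = "www.example.com"  # assumed hostname


def hsts_app(environ, start_response):
    """HTTP -> 301 to HTTPS without an STS header; HTTPS -> page plus STS header."""
    path = quote(environ.get("PATH_INFO", "/"))
    query = environ.get("QUERY_STRING", "")
    target = f"https://{CANONICAL_HOST}{path}" + (f"?{query}" if query else "")
    # wsgi.url_scheme is set by the server; behind a TLS-terminating proxy
    # derive it from X-Forwarded-Proto instead.
    if environ.get("wsgi.url_scheme") != "https":
        # RFC 6797: the STS header must not be sent over plain HTTP, so the
        # redirect carries only Location.
        start_response("301 Moved Permanently", [("Location", target)])
        return [b""]
    headers = [
        ("Content-Type", "text/html"),
        ("Strict-Transport-Security", f"max-age={HSTS_MAX_AGE}; includeSubDomains"),
    ]
    start_response("200 OK", headers)
    return [b"<html>...</html>"]


def call(app, scheme: str, path: str = "/", query: str = "") -> Tuple[str, Dict[str, str]]:
    """Invoke a WSGI app directly (no socket) and capture status and headers."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    environ = {"wsgi.url_scheme": scheme, "PATH_INFO": path,
               "QUERY_STRING": query, "REQUEST_METHOD": "GET"}
    list(app(environ, start_response))   # drain the body iterator
    return captured["status"], captured["headers"]


def parse_hsts(value: str) -> Dict[str, object]:
    """Parse a Strict-Transport-Security value into its three directives."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            policy["max_age"] = int(val.strip().strip('"'))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


if __name__ == "__main__":
    print(call(hsts_app, "http", "/login", "next=%2Faccount"))
    status, hdrs = call(hsts_app, "https", "/login")
    print(status, parse_hsts(hdrs["Strict-Transport-Security"]))
```

The plain-HTTP branch preserves path and query string in the redirect so the browser lands on the same page over HTTPS; a max-age of 0 parsed by parse_hsts is the "remove policy" case from the examples above.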
HSTS Preloading
• Not part of the official specification (RFC 6797)
• Chrome maintains a list of sites that always use HTTPS, compiled into the browser, so even the very first request is protected
• Used by Firefox and Safari as well
• Need to submit the site to be included in the preload list
• https://hstspreload.appspot.com/

Strict-Transport-Security: max-age=10886400; includeSubDomains; preload
HSTS Browser Support
http://caniuse.com/#feat=stricttransportsecurity
DEMO
W3C Content Security
Policy (CSP)
• Provides the browser with a whitelist of where resources may be loaded from
• Developed by Mozilla and first implemented in Firefox 4
• Experimental headers:
• X-Content-Security-Policy
• X-WebKit-CSP
• Content Security Policy 1.0: W3C Candidate Recommendation, November 15, 2012
• HTTP headers:
• Content-Security-Policy
• Content-Security-Policy-Report-Only
CSP 1.0 Directives
Directive       Meaning
default-src     default source, used for any directive that is not defined
script-src      sources for JavaScript
object-src      sources for <object>, <embed>, and <applet>
style-src       sources for CSS stylesheets
img-src         sources for images
media-src       sources for HTML5 <video>, <audio>, <source>, and <track>
frame-src       sources for <frame> and <iframe>
font-src        sources for web fonts
connect-src     sources for XMLHttpRequest, WebSockets, and EventSource
report-uri      location to send violation reports to
sandbox         applies a sandbox policy, as for the <iframe> sandbox attribute
CSP Source Expressions
Value                       Meaning
*                           wildcard, allows any origin
'self'                      allow the same origin (same scheme, host, and port)
'none'                      allow nothing
www.example.com             allow a specific host
*.example.com               allow any subdomain of example.com (not example.com itself)
https://www.example.com     a specific origin (scheme and host)
https:                      any host, as long as it is loaded over HTTPS
data:                       allow data: URIs (e.g. base64-encoded inline images)
Special Sources
• 'unsafe-inline'
• Allows inline content (inline <script> blocks, event handler attributes, inline styles) for script-src and style-src
• 'unsafe-eval'
• Allows dynamic evaluation of code such as JavaScript eval() in script-src
CSP Examples
Allow everything from the same origin
Content-Security-Policy: default-src 'self'

Relatively secure
Content-Security-Policy: default-src 'self'; object-src 'none'; script-src 'self' https://cdn.com; style-src 'self' https://cdn.com
CSP Examples
Unsafe
Content-Security-Policy: default-src *; script-src * 'unsafe-inline' 'unsafe-eval'; style-src * 'unsafe-inline'
CSP Examples
Twitter
Content-Security-Policy:
default-src https:;
connect-src https:;
font-src https: data:;
frame-src https: twitter:;
img-src https: data:;
media-src https:;
object-src https:;
script-src 'unsafe-inline' 'nonce-hz5M+L2F+QfMRn8NOtP4jQ==' 'unsafe-eval' https:;
style-src 'unsafe-inline' https:;
report-uri https://twitter.com/i/csp_report?a=NVQWGYLXFVZXO2LGOQ%3D%3D%3D%3D%3D%3D&ro=false;
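As an added example (not part of the deck), the script below parses a Content-Security-Policy value and flags the weaknesses the four examples above illustrate: wildcard or scheme-only sources, 'unsafe-inline', 'unsafe-eval', a missing default-src and a missing report-uri. The four policies are the slide's own; the findings logic and its wording are mine. It also captures the detail behind the Twitter policy: a CSP Level 2 browser ignores 'unsafe-inline' as soon as a nonce or hash source is present in the same directive, so that policy is strict in new browsers and permissive in CSP 1.0 browsers.

```python
# Added example (not from the slide deck): parse a Content-Security-Policy
# value and flag the weaknesses the slide examples illustrate. The four
# policies are the slide examples; the checks are mine.
from typing import Dict, List

SELF_ONLY = "default-src 'self'"
RELATIVELY_SECURE = ("default-src 'self'; object-src 'none'; "
                     "script-src 'self' https://cdn.com; style-src 'self' https://cdn.com")
UNSAFE = ("default-src *; script-src * 'unsafe-inline' 'unsafe-eval'; "
          "style-src * 'unsafe-inline'")
TWITTER = ("default-src https:; connect-src https:; font-src https: data:; "
           "frame-src https: twitter:; img-src https: data:; media-src https:; "
           "object-src https:; script-src 'unsafe-inline' "
           "'nonce-hz5M+L2F+QfMRn8NOtP4jQ==' 'unsafe-eval' https:; "
           "style-src 'unsafe-inline' https:; report-uri "
           "https://twitter.com/i/csp_report?a=NVQWGYLXFVZXO2LGOQ%3D%3D%3D%3D%3D%3D&ro=false;")


def parse_csp(value: str) -> Dict[str, List[str]]:
    """'name src src; name src' -> {name: [sources]}; a repeated directive is ignored."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """Fetch directives inherit default-src; with neither set, anything goes."""
    return policy.get(directive, policy.get("default-src", ["*"]))


def lint_csp(value: str) -> List[str]:
    """Return one finding per weakness; an empty list means nothing to report."""
    policy = parse_csp(value)
    findings: List[str] = []
    if "default-src" not in policy:
        findings.append("no default-src: every directive not listed is unrestricted")
    for directive in ("script-src", "object-src", "style-src"):
        srcs = [s.lower() for s in effective_sources(policy, directive)]
        if "*" in srcs or "http:" in srcs or "https:" in srcs:
            findings.append(f"{directive}: any host allowed ({' '.join(srcs)})")
        if directive != "object-src" and "'unsafe-inline'" in srcs:
            if any(s.startswith(("'nonce-", "'sha")) for s in srcs):
                findings.append(f"{directive}: 'unsafe-inline' is ignored by CSP Level 2 "
                                "browsers because a nonce/hash is present; CSP 1.0 "
                                "browsers still allow inline content")
            else:
                findings.append(f"{directive}: 'unsafe-inline' disables the XSS protection")
        if directive == "script-src" and "'unsafe-eval'" in srcs:
            findings.append("script-src: 'unsafe-eval' allows eval()/new Function()")
    if "report-uri" not in policy:
        findings.append("no report-uri: violations are not reported")
    return findings


if __name__ == "__main__":
    for label, policy in (("self only", SELF_ONLY), ("relatively secure", RELATIVELY_SECURE),
                          ("unsafe", UNSAFE), ("twitter", TWITTER)):
        print(f"== {label}")
        for finding in lint_csp(policy) or ["no findings"]:
            print("  ", finding)
```

The object-src check is why the "relatively secure" policy sets it to 'none' explicitly: plugins loaded through <object> can run script outside the script-src rules, so leaving object-src to inherit a permissive default-src undoes the rest of the policy.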
CSP 1.0 Browser Support
http://caniuse.com/#feat=contentsecuritypolicy
DEMO
CSP 1.1 and beyond
• CSP 1.1 (Level 2): W3C Candidate Recommendation, February 19, 2015
• added nonce and hash sources to script-src and style-src
• added new directives: base-uri, child-src, form-action, frame-ancestors, plugin-types
• additional fields added to the violation report
• limited browser support
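As an added example (not part of the deck), this is how the nonce and hash sources that Level 2 adds are produced on the server: a fresh random nonce per response, and a SHA-256 digest of the exact inline script body for scripts that never change. The inline script, the policy layout and the /csp-report path are assumptions for illustration.

```python
# Added example (not from the slide deck): generate the CSP Level 2 nonce and
# hash sources and a policy that uses them. INLINE_SCRIPT, the policy layout
# and the report path are assumptions for illustration.
import base64
import hashlib
import secrets
from typing import Iterable

INLINE_SCRIPT = "document.getElementById('year').textContent = '2015';"  # constructed


def hash_source(script_body: str, algo: str = "sha256") -> str:
    """'sha256-<base64 digest>' of the exact bytes between <script> and </script>.
    Any change, even whitespace, changes the digest and the script is blocked."""
    digest = hashlib.new(algo, script_body.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def new_nonce(nbytes: int = 16) -> str:
    """Unpredictable per-response nonce (128 bits, base64); never reuse one,
    otherwise an attacker who learns it can inject a script that carries it."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def build_policy(nonce: str, inline_scripts: Iterable[str] = ()) -> str:
    """Locked-down policy: own origin, the nonce, and the hashed inline scripts.
    No 'unsafe-inline' is needed, so injected inline script is still blocked."""
    sources = ["'self'", f"'nonce-{nonce}'"] + [hash_source(s) for s in inline_scripts]
    return ("default-src 'self'; object-src 'none'; "
            f"script-src {' '.join(sources)}; report-uri /csp-report")


def render_page(nonce: str, hashed_script: str) -> str:
    """The nonced script carries the nonce attribute; the hashed one needs nothing."""
    return ('<html><body>\n'
            f'<script nonce="{nonce}">init();</script>\n'
            f'<script>{hashed_script}</script>\n'
            '</body></html>')


if __name__ == "__main__":
    nonce = new_nonce()
    print("Content-Security-Policy:", build_policy(nonce, [INLINE_SCRIPT]))
    print(render_page(nonce, INLINE_SCRIPT))
```

The hash is taken over the script body only, not the <script> tags, and is whitespace-sensitive, so it suits template-static snippets; anything rendered per request should use the nonce, which the template engine must emit on every inline <script> it wants to allow.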
• Blog: http://www.dcepler.net
• Email: depler@aboutweb.com
• Twitter: @dcepler
Q&A - Thanks
Resources
• HTTP Headers
• MIME-Handling Changes in Internet Explorer
• http://blogs.msdn.com/b/ie/archive/2010/10/26/mime-handling-changes-in-internet-explorer.aspx
• Controlling the XSS Filter
• http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx
• OWASP: Clickjacking Defense Cheat Sheet
• https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
• OWASP: Cookie HTTPOnly
• https://www.owasp.org/index.php/HttpOnly
• OWASP: Cookie Secure
• https://www.owasp.org/index.php/SecureFlag
• Veracode: Guidelines for Security Headers
• https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers
Resources
• HTTP Strict Transport Security
• Specification
• https://tools.ietf.org/html/rfc6797
• OWASP HTTP Strict Transport Security
• https://www.owasp.org/index.php/HTTP_Strict_Transport_Security
• Mozilla Developer Network
• https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
• HSTS Preload
• https://hstspreload.appspot.com/
• IIS Module
• http://hstsiis.codeplex.com/

Resources
• Content Security Policy
• CSP 1.0 Candidate Recommendation
• http://www.w3.org/TR/2012/CR-CSP-20121115/
• CSP 1.1 Candidate Recommendation
• http://www.w3.org/TR/2015/CR-CSP2-20150219/
• OWASP Content Security Policy
• https://www.owasp.org/index.php/Content_Security_Policy
• An Introduction to Content Security Policy
• http://www.html5rocks.com/en/tutorials/security/content-security-policy/
• Content Security Policy Reference
• http://content-security-policy.com/
• CSP Playground
• http://www.cspplayground.com/

DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 

Kürzlich hochgeladen (20)

DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 

Csp and http headers

  • 1. W3C Content Security Policy and HTTP Headers for Security
    David Epler, Security Architect
    depler@aboutweb.com
  • 2. About Me
    • Application Developer originally
    • Contributor to Learn CF In a Week
    • OWASP Individual Member
    • OWASP Zed Attack Proxy (ZAP) Evangelist
    • Security Certifications: CEH, GWAPT
  • 3. About the Session
    • What will be covered
      • HTTP Header Basics
      • HTTP Headers for Security
        • X-Content-Type-Options
        • X-XSS-Protection
        • X-Frame-Options
        • Cookies
        • HTTP Strict Transport Security (HSTS)
      • W3C Content Security Policy (CSP)
  • 4. HTTP Basics
    HTTP Request:
    GET / HTTP/1.1
    Host: www.aboutweb.com

    HTTP Response:
    HTTP/1.1 200 OK
    Date: Tue, 7 Apr 2015 20:21:22 GMT
    Server: Apache
    Content-Type: text/html
  • 5. HTTP Response Headers
    • Can be set by the web server, the web application, or anything else that interacts with the HTTP response
    Apache (requires mod_headers):
    Header always set X-Mork KO
    ColdFusion:
    <cfheader name="X-Mork" value="nanu-nanu">
    PHP:
    <?php header("X-Mork: shazbot"); ?>
  • 6. HTTP Response
    HTTP/1.1 200 OK
    Date: Tue, 7 Apr 2015 21:22:23 GMT
    Server: Apache
    X-Mork: nanu-nanu
    Content-Type: text/html

    <html>
     …
    </html>
  • 7. X-Content-Type-Options
    • Protects against MIME type confusion attacks
    • Internet Explorer 9+, Chrome, & Safari
    Internet Explorer         Chrome
    text/css                  text/css
    text/ecmascript           text/ecmascript
    text/javascript           text/javascript
    text/jscript              text/jscript
    application/ecmascript    application/ecmascript
    application/javascript    application/javascript
    application/x-javascript  application/x-javascript
    text/vbs                  text/javascript1.1
    text/vbscript             text/javascript1.2
    text/x-javascript         text/javascript1.3
    text/livescript
    X-Content-Type-Options: nosniff
  • 8. X-XSS-Protection
    • Configures the user-agent's built-in reflective XSS protection
    • Internet Explorer 8+ and Chrome
    Value            Meaning
    0                Disable XSS protection
    1                Enable XSS protection
    1; mode=block    Enable XSS protection & block content
    1; report=URL    Report potential XSS to URL (Chrome/WebKit only)
    X-XSS-Protection: 1; mode=block
  • 9. X-Frame-Options
    • Indicates whether the browser should be allowed to render the content in a <frame> or <iframe>
    • Defends against clickjacking / UI redress attacks
    Value           Meaning
    DENY            Prevents any domain from framing the content
    SAMEORIGIN      Only allows pages on the same domain to frame the content
    ALLOW-FROM URL  Whitelist of URLs that are allowed to frame the content
  • 10. X-Frame-Options
    • Browser support varies based on value
    Browser            DENY/SAMEORIGIN  ALLOW-FROM
    Chrome             4.1              not supported
    Firefox            3.6.9            18.0
    Internet Explorer  8                9
    Opera              10.50
    Safari             4                not supported
    X-Frame-Options: SAMEORIGIN
  • 11. Cookies
    • Important directives on cookies
      • HttpOnly: cookie is not accessible to JavaScript
      • Secure: cookie is only sent over HTTPS
    Set-Cookie: JSESSIONID=4B4BE61DB23C8858560A7BC35804507F; Path=/; Secure; HttpOnly
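The checks from slides 7 to 11 are easy to automate against a captured response. The following audit function is an added example, not code from the deck: it parses a raw HTTP response and reports every header that is missing or weaker than the slides recommend (nosniff, 1; mode=block, DENY/SAMEORIGIN/ALLOW-FROM, and Secure plus HttpOnly on every Set-Cookie). The sample response is constructed for illustration and deliberately omits X-Frame-Options and the HttpOnly flag so that the audit has something to report.

```python
"""Audit the browser-facing security headers from slides 7 to 11.

Added example, not from the original deck. The raw response below is
constructed; the checks encode the header values the slides recommend.
"""
from typing import Dict, List, Tuple

# Constructed sample response: Set-Cookie lacks HttpOnly and X-Frame-Options
# is absent, so the audit should report exactly those two findings.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 7 Apr 2015 21:22:23 GMT\r\n"
    "Server: Apache\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Set-Cookie: JSESSIONID=4B4BE61DB23C8858560A7BC35804507F; Path=/; Secure\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)


def parse_headers(raw: str) -> Tuple[str, Dict[str, List[str]]]:
    """Split a raw HTTP response into its status line and a name -> values map.

    Header names are case-insensitive, so they are lower-cased. Set-Cookie may
    legitimately repeat, hence a list of values per name.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = lines[0]
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # skip malformed header lines rather than crash
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def audit_security_headers(raw: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    _status, headers = parse_headers(raw)
    findings: List[str] = []

    # Slide 7: only the literal value 'nosniff' is meaningful.
    nosniff = headers.get("x-content-type-options", [""])[0].lower()
    if nosniff != "nosniff":
        findings.append("X-Content-Type-Options: expected 'nosniff'")

    # Slide 8: '1' alone filters but does not block; the deck recommends mode=block.
    xss = headers.get("x-xss-protection", [""])[0].replace(" ", "").lower()
    if not xss.startswith("1;mode=block"):
        findings.append("X-XSS-Protection: expected '1; mode=block'")

    # Slides 9 and 10: DENY, SAMEORIGIN or ALLOW-FROM <url>.
    xfo = headers.get("x-frame-options", [""])[0].upper()
    if xfo not in ("DENY", "SAMEORIGIN") and not xfo.startswith("ALLOW-FROM "):
        findings.append("X-Frame-Options: missing or not DENY/SAMEORIGIN/ALLOW-FROM")

    # Slide 11: every cookie should carry both Secure and HttpOnly.
    for cookie in headers.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                findings.append(f"Set-Cookie {name}: missing {flag}")
    return findings


if __name__ == "__main__":
    for finding in audit_security_headers(SAMPLE_RESPONSE):
        print("FINDING:", finding)
```

Point the function at the output of a real capture (for example the response text saved from a proxy such as ZAP) to review a whole site quickly; a clean response returns an empty list.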
  • 12. DEMO
  • 13. HTTP Strict Transport Security (HSTS)
    • Instructs the browser to always use the HTTPS protocol instead of HTTP
    • Helps prevent
      • Network attacks
      • Mixed content vulnerabilities
    • HSTS does not allow a user to override the invalid certificate message
  • 16. HSTS Directives
    • max-age tells the user-agent how long, in seconds, to cache the STS setting
    • includeSubDomains tells the user-agent to apply the policy to all subdomains as well
  • 17. HSTS Examples
    Require HTTPS for 60 seconds on the domain:
    Strict-Transport-Security: max-age=60
    Require HTTPS for 365 days on the domain and all subdomains:
    Strict-Transport-Security: max-age=31536000; includeSubDomains
    Remove the HSTS policy (including subdomains):
    Strict-Transport-Security: max-age=0
  • 18. Handling Requests
    • HTTP requests
      • Should respond with HTTP status code 301 and redirect to HTTPS
      • The Strict-Transport-Security header must not be included on HTTP responses
    • HTTPS requests
      • Should always respond with the Strict-Transport-Security header
  • 19. HSTS Preloading
    • Not part of the official specification
    • Chrome maintains a list of sites that always use HTTPS
    • Used by Firefox and Safari as well
    • Need to submit the site to be included in the preload list
    • https://hstspreload.appspot.com/
    Strict-Transport-Security: max-age=10886400; includeSubDomains; preload
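Slides 16 to 19 describe the directives and the request-handling rules; the following added example (not part of the deck) turns them into a checker. parse_hsts() splits a Strict-Transport-Security value into its max-age, includeSubDomains and preload parts and rejects values without a numeric max-age, and check_hsts() applies the "Handling Requests" rules: an HTTP response must answer 301 without the header, an HTTPS response must carry it, and max-age=0 is flagged because it removes the policy. The three response tuples are constructed samples.

```python
"""Parse and validate Strict-Transport-Security, per slides 16 to 19.

Added example, not from the original deck. The response samples below are
constructed for illustration.
"""
from typing import Dict, List, Optional

REMOVAL_FINDING = "max-age=0 removes the HSTS policy; only intended for rollback"


def parse_hsts(value: str) -> Optional[Dict[str, object]]:
    """Return {'max_age', 'include_subdomains', 'preload'} or None if malformed.

    max-age is the only required directive; it must be a non-negative integer.
    Directive names are case-insensitive and may appear in any order.
    """
    max_age: Optional[int] = None
    include_subdomains = False
    preload = False
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            val = val.strip().strip('"')  # RFC 6797 permits a quoted-string value
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_subdomains, "preload": preload}


def check_hsts(scheme: str, status: int, headers: Dict[str, str]) -> List[str]:
    """Findings for one response, given the scheme it was served on ('http'/'https')."""
    findings: List[str] = []
    lookup = {k.lower(): v for k, v in headers.items()}
    sts = lookup.get("strict-transport-security")

    if scheme == "http":
        # Slide 18: plain HTTP must redirect permanently and never carry the header.
        if status != 301:
            findings.append("HTTP request should answer 301 to the HTTPS URL")
        if sts is not None:
            findings.append("Strict-Transport-Security must not be sent over HTTP")
        return findings

    if sts is None:
        findings.append("HTTPS response lacks Strict-Transport-Security")
        return findings
    parsed = parse_hsts(sts)
    if parsed is None:
        findings.append("Strict-Transport-Security value is malformed")
    elif parsed["max_age"] == 0:
        findings.append(REMOVAL_FINDING)
    return findings


# Constructed sample responses: (scheme, status code, headers)
HTTP_REDIRECT = ("http", 301, {"Location": "https://www.example.com/"})
HTTP_LEAKY = ("http", 200, {"Strict-Transport-Security": "max-age=60"})
HTTPS_OK = ("https", 200,
            {"Strict-Transport-Security": "max-age=10886400; includeSubDomains; preload"})

if __name__ == "__main__":
    for sample in (HTTP_REDIRECT, HTTP_LEAKY, HTTPS_OK):
        print(sample[0], sample[1], check_hsts(*sample) or "OK")
```

HTTP_LEAKY shows the two mistakes the deck warns about at once: it serves content over plain HTTP instead of redirecting, and it sends the header where browsers are required to ignore it.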
  • 21. DEMO
  • 22. W3C Content Security Policy (CSP)
    • Provides a whitelist to the browser for loading resources
    • Developed by Mozilla and first implemented in Firefox 4
    • Experimental headers
      • X-Content-Security-Policy
      • X-WebKit-CSP
    • Content Security Policy 1.0: W3C Candidate Recommendation, November 15, 2012
    • HTTP headers:
      Content-Security-Policy
      Content-Security-Policy-Report-Only
  • 23. CSP 1.0 Directives
    Directive    Meaning
    default-src  default source, used for any directives that are not defined
    script-src   sources for JavaScript
    object-src   sources for <object>, <embed>, and <applet>
    style-src    sources for CSS stylesheets
    img-src      sources for images
    media-src    sources for HTML5 <video>, <audio>, <source>, and <track>
    frame-src    sources for <frame> and <iframe>
    font-src     sources for web fonts
    connect-src  sources for XMLHttpRequest, WebSockets, and EventSource
    report-uri   location to send violation reports
    sandbox      specifies the sandbox policy
  • 24. CSP Source Expressions
    Value                    Meaning
    *                        wildcard, allows all origins
    'self'                   allow same origin
    'none'                   deny all access
    www.example.com          allow a specific domain
    *.example.com            allow all subdomains of a domain
    https://www.example.com  specific URL
    https:                   require https
    data:                    allow data: URI schemes (base64)
  • 25. Special Sources
    • 'unsafe-inline'
      • Allows inline content for script-src and style-src
    • 'unsafe-eval'
      • Allows unsafe dynamic evaluation of code, such as JavaScript eval(), in script-src
  • 26. CSP Examples
    Allow everything from the same origin:
    Content-Security-Policy: default-src 'self'
    Relatively secure:
    Content-Security-Policy:
      default-src 'self'; object-src 'none';
      script-src 'self' https://cdn.com;
      style-src 'self' https://cdn.com
  • 27. CSP Examples
    Unsafe:
    Content-Security-Policy:
      default-src *;
      script-src * 'unsafe-inline' 'unsafe-eval';
      style-src * 'unsafe-inline'
  • 28. CSP Examples
    Twitter:
    Content-Security-Policy:
      default-src https:; connect-src https:; font-src https: data:;
      frame-src https: twitter:; img-src https: data:; media-src https:;
      object-src https:;
      script-src 'unsafe-inline' 'nonce-hz5M+L2F+QfMRn8NOtP4jQ==' 'unsafe-eval' https:;
      style-src 'unsafe-inline' https:;
      report-uri https://twitter.com/i/csp_report?a=NVQWGYLXFVZXO2LGOQ%3D%3D%3D%3D%3D%3D&ro=false;
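To see why the deck labels one policy "relatively secure" and another "unsafe", it helps to resolve each fetch directive to its effective source list (falling back to default-src as slide 23 describes) and then look at what script-src and object-src actually permit. The following reviewer is an added example, not code from the deck or from Twitter; the review rules it applies (no wildcard or bare scheme in script-src, no 'unsafe-inline' or 'unsafe-eval', object-src locked to 'none') are conventional policy-review heuristics, and the four policies it runs over are the deck's own examples from slides 26 to 28.

```python
"""Parse a Content-Security-Policy value and flag weak directives (slides 23 to 28).

Added example, not from the original deck. Policies below are the deck's own
examples; the review rules are common CSP review heuristics.
"""
from typing import Dict, List

SAME_ORIGIN = "default-src 'self'"
RELATIVELY_SECURE = ("default-src 'self'; object-src 'none'; "
                     "script-src 'self' https://cdn.com; style-src 'self' https://cdn.com")
UNSAFE = "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'; style-src * 'unsafe-inline'"
TWITTER = ("default-src https:; connect-src https:; font-src https: data:; "
           "frame-src https: twitter:; img-src https: data:; media-src https:; "
           "object-src https:; script-src 'unsafe-inline' 'nonce-hz5M+L2F+QfMRn8NOtP4jQ==' "
           "'unsafe-eval' https:; style-src 'unsafe-inline' https:; "
           "report-uri https://twitter.com/i/csp_report?a=NVQWGYLXFVZXO2LGOQ%3D%3D%3D%3D%3D%3D&ro=false;")


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split 'name src src; name src' into a directive -> source-list map.

    Directive names are case-insensitive. When a directive is repeated, CSP 1.0
    keeps the first occurrence and ignores the rest, which is mirrored here.
    """
    directives: Dict[str, List[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in directives:
            directives[name] = tokens[1:]
    return directives


def effective_sources(directives: Dict[str, List[str]], name: str) -> List[str]:
    """Resolve the fallback to default-src that applies to fetch directives.

    With neither the directive nor default-src present, nothing is restricted;
    that is approximated here as the wildcard source list ['*'].
    """
    if name in directives:
        return directives[name]
    return directives.get("default-src", ["*"])


def review_csp(policy: str) -> List[str]:
    """Return the findings a reviewer would raise first against a policy."""
    d = parse_csp(policy)
    findings: List[str] = []
    script = [s.lower() for s in effective_sources(d, "script-src")]

    if "*" in script:
        findings.append("script-src allows scripts from any origin (*)")
    # A bare scheme such as https: admits every host on that scheme (slide 24).
    schemes = [s for s in script if s.endswith(":") and not s.startswith("'")]
    if schemes:
        findings.append(f"script-src allows any host on scheme(s) {', '.join(schemes)}")
    if "'unsafe-inline'" in script:
        # Under CSP Level 2 a nonce or hash in the same list makes 'unsafe-inline'
        # a no-op in supporting browsers, but CSP 1.0 browsers still honour it.
        findings.append("script-src allows 'unsafe-inline' (injected inline script runs)")
    if "'unsafe-eval'" in script:
        findings.append("script-src allows 'unsafe-eval' (string-to-code evaluation)")
    if effective_sources(d, "object-src") != ["'none'"]:
        findings.append("object-src is not 'none' (plugin content is allowed)")
    return findings


if __name__ == "__main__":
    for label, policy in (("same origin", SAME_ORIGIN), ("relatively secure", RELATIVELY_SECURE),
                          ("unsafe", UNSAFE), ("twitter", TWITTER)):
        print(f"{label}: {review_csp(policy) or 'no findings'}")
```

The "relatively secure" policy comes back clean, the plain default-src 'self' policy is flagged only for leaving object-src open, and the "unsafe" policy collects every finding, which matches the labels the deck gives them. The Twitter policy illustrates the CSP Level 2 caveat in the comment: its nonce neutralises 'unsafe-inline' in newer browsers, but the bare https: source still permits script from any HTTPS host.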
  • 29. CSP 1.0 Browser Support
    http://caniuse.com/#feat=contentsecuritypolicy
  • 30. DEMO
  • 31. CSP 1.1 and beyond
    • CSP 1.1 (Level 2): W3C Candidate Recommendation, February 19, 2015
    • Added nonce and hash sources to script-src and style-src
    • Added new directives: base-uri, child-src, form-action, frame-ancestors, plugin-types
    • Additional fields added to the violation report
    • Limited browser support
  • 32. Q&A - Thanks
    • Blog: http://www.dcepler.net
    • Email: depler@aboutweb.com
    • Twitter: @dcepler
  • 33. Resources: HTTP Headers
    • MIME-Handling Changes in Internet Explorer
      http://blogs.msdn.com/b/ie/archive/2010/10/26/mime-handling-changes-in-internet-explorer.aspx
    • Controlling the XSS Filter
      http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx
    • OWASP: Clickjacking Defense Cheat Sheet
      https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
    • OWASP: Cookie HttpOnly
      https://www.owasp.org/index.php/HttpOnly
    • OWASP: Cookie Secure
      https://www.owasp.org/index.php/SecureFlag
    • Veracode: Guidelines for Security Headers
      https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers
  • 34. Resources: HTTP Strict Transport Security
    • Specification
      https://tools.ietf.org/html/rfc6797
    • OWASP HTTP Strict Transport Security
      https://www.owasp.org/index.php/HTTP_Strict_Transport_Security
    • Mozilla Developer Network
      https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
    • HSTS Preload
      https://hstspreload.appspot.com/
    • IIS Module
      http://hstsiis.codeplex.com/
  • 35. Resources: Content Security Policy
    • CSP 1.0 Candidate Recommendation
      http://www.w3.org/TR/2012/CR-CSP-20121115/
    • CSP 1.1 Candidate Recommendation
      http://www.w3.org/TR/2015/CR-CSP2-20150219/
    • OWASP Content Security Policy
      https://www.owasp.org/index.php/Content_Security_Policy
    • An Introduction to Content Security Policy
      http://www.html5rocks.com/en/tutorials/security/content-security-policy/
    • Content Security Policy Reference
      http://content-security-policy.com/
    • CSP Playground
      http://www.cspplayground.com/