SlideShare ist ein Scribd-Unternehmen logo

Browser Serving Your Web Application Security - NorthEast PHP 2017

Philippe Gamache
Philippe Gamache

One important concept in web application security is defense in depth. You protect your server, your network, your database and your application, but what about the user browser? Can it be done? Yes! Several new technologies and protocols to assist security has been added to the browsers. Several should be added, activated and configure from your web server or web page. In this presentation we will explore these technologies and learn how to use them. You’ll learn about the Robots meta tags (for crawlers indexing), Browsing Compatibility, XSS and Clickjaking Protection, SSL/TLS Control, and Content Security Policy.

Technologie
1 von 62
Downloaden Sie, um offline zu lesen
BROWSER SERVING YOUR WEB APPLICATION SECURITY ALL YOU NEED TO KNOW
ABOUT ME HI I’M PHILIPPE I’m a Developer Evangelist for kuzzle.io. Long-time internet developer, author, screen caster, podcaster and speaker. I’m specializes in PHP, Symfony, Kuzzle, security, code quality, performance, real time and geolocation. • Sécurité PHP 5 et MySQL 5 • OWASP Montreal • PHP Quebec • Table Top Game Developer • Pen & Paper RPG Writer
PURPOSE OF THE PRESENTATION • Improve the code of your website • Protect your site against certain attacks • Protect your users from certain attacks • Protect your development sites WHY WE ARE TALKING ABOUT THIS?
PROTECT YOUR DEV SITES • Dev/test/qa/regression servers • If they are available via the web • Robots.txt is not enough • forget • File compliance AVOID LEEKS
META NAME=ROBOTS CODE <meta name="robots” content="noindex” />
PROTECT YOUR SITES • name • robots for all robots • specific: • Googlebot: Googlebot-News, Googlebot-Image, Googlebot-Video, Googlebot- Mobile, Mediapartners-Google, Mediapartners, AdsBot-Google, AdsBot- Google-Mobile-Apps • slurp • msnbot, bingbot • teoma META NAME=ROBOTS
PROTECT YOUR SITES • content • all • index • follow META NAME=ROBOTS
PROTECT YOUR SITES • content • none • noindex • noarchive • nocache • nofollow META NAME=ROBOTS
PROTECT YOUR SITES • content • nosnippet • noodp • noydir • notranslate • noimageindex • unavailable_after: [RFC-850 date/time] META NAME=ROBOTS
HEADER : X-ROBOTS-TAG APACHE EXAMPLE #apache <IfModule mod_headers.c> Header set X-Robots-Tag “noindex, nofollow, noarchive" <FilesMatch “.(doc|pdf|png|jpe?g|gif)$”> Header set X-Robots-Tag “noindex, noarchive, nosnippet" </FilesMatch> <IfModule>
HEADER : X-ROBOTS-TAG PHP EXAMPLE <?php header(“X-Robots-Tag : noindex”, true);
HEADER : X-ROBOTS-TAG EXAMPLES X-Robots-Tag: noarchive X-Robots-Tag: unavailable_after: 25 Jun 2010 15:00:00 PST X-Robots-Tag: googlebot: nofollow X-Robots-Tag: otherbot: noindex, nofollow
IMPROVE YOUR CODE • Normally, for IE8 + • Requests IE to use the latest render engines or a particular version. • Should use the ChromeFrame renderer (for IE6 and IE7) • Does not validate • Reduce the display speed of the site if it needs to change mode • Does not work in a conditional comment ( <!--[if lt IE 7]> ) META/HEADER : X-UA-COMPATIBLE
META: X-UA-COMPATIBLE CODE <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"> <meta http-equiv="X-UA-Compatible” content="IE=9">
HEADER: X-UA-COMPATIBLE CODE PHP <?php header (“X-UA-Compatible : IE=Edge,chrome=1”, true);
HEADER: X-UA-COMPATIBLE APACHE EXAMPLE #apache <IfModule mod_headers.c> Header set X-UA-Compatible “IE=Edge,chrome=1” # Mod_headers Does not use the content type, # but we do not want to send this header <FilesMatch “.(js|css|gif|png|jpe?g|pdf|xml|oga|ogg|m4a|ogv|mp4| m4v|webm|svg|svgz|eot|ttf|otf|woff|ico|webp|appcache|manifest|htc| crx|oex|xpi|safariextz|vcf)$” > Header unset X-UA-Compatible </FilesMatch> </IfModule>
CLICKJACKING PROTECTION • “Clickjacking” protection • <frame> • <iframe> • <object> • Value • DENY • SAMEORIGIN • ALLOW-FROM uri META/HEADER : X-FRAME-OPTIONS
META/HEADER : X-FRAME-OPTIONS BROWSER SUPPORT Android Chrome Edge Firefox Internet Explorer Opera Safari X-Frame-Option 4+ 4+ 12+ 4+ 8+ 10.5+ 4.0+ Allow-from N/A N/A* N/A* 18+ 9+ N/A N/A* *Use CSP frame-ancestors directive instead
HEADER : X-FRAME-OPTIONS APACHE EXAMPLE #apache <IfModule mod_headers.c> Header set X-Frame-Options “deny” </IfModule>
HEADER : X-FRAME-OPTIONS PHP CODE <?php header(“X-Frame-Options: deny”, true);
META : X-FRAME-OPTIONS CODE <meta http-equiv="X-Frame-Options” content="deny">
PROTECT AGAINS DRIVE-BY ATTAQUE • Only one value: nosniff HEADER : X-CONTENT-TYPE-OPTIONS Android Chrome Edge Firefox Internet Explorer Opera Safari nosniff 3+ 1.0+* 11+ 50+** 8+ 13+ N/A * during download ** or with NoScript
HEADER : X-CONTENT-TYPE-OPTIONS APACHE EXAMPLE #apache <IfModule mod_headers.c> Header set X-Content-Type-Options “nosniff” </IfModule>
HEADER : X-CONTENT-TYPE-OPTIONS PHP CODE <?php header(“X-Content-Type-Options: nosniff”, true);
XSS PROTECTION • Automatic protection against XSS • mode=block • report=<reporting-URI> META/HEADER : X-XSS-PROTECTION Android Chrome Edge Firefox Internet Explorer Opera Safari X-XSS-Protection (Yes) 4+ 11+ N/A* 8+ Yes 4+ report No Chromium No No No No No * yes with NoScript
HEADER : X-XSS-PROTECTION APACHE EXAMPLE #apache <IfModule mod_headers.c> Header set X-XSS-Protection “1; mode=block” </IfModule>
HEADER : X-XSS-PROTECTION PHP CODE <?php header(“X-XSS-Protection: 0”, true);
META : X-XSS-PROTECTION EXAMPLE <meta http-equiv="X-XSS-Protection" content="1"> <meta http-equiv="X-XSS-Protection" content="1; mode=block"> <meta http-equiv="X-XSS-Protection” content="0"> <!-- Chromium only --> <meta http-equiv="X-XSS-Protection” content="1; report=<url>">
SUPER PROTECTION • 3 level of specification • Specification 1.0 Recommendation • http://w3c.org/TR/CSP1 • Specification 2.0 Recommendation • http://w3c.org/TR/CSP2 • Specification 3.0 Working Draft • http://w3c.org/TR/CSP3 META/HEADER : CONTENT-SECURITY-POLICY
SUPER PROTECTION META/HEADER : CONTENT-SECURITY-POLICY Android Chrome Edge Firefox Internet Explorer Opera Safari Recommendation 1 4.4+ 25+ 12+ 23+ 11+ 7+ X-Content-Security-Policy 12+* 4+ 10+ X-WebKit-CSP 14+ 5.1+ Recommendation 2 53+ 40+ 15+ 31+** 27+ 10+ Working Draft 3 * Limited ** Partial
META/HEADER : CONTENT-SECURITY-POLICY • default-src (csp 1, 2, 3) • child-src (csp 2, 3) • connect-src (csp 1, 2, 3) • font-src (csp 1, 2, 3) • frame-src (csp 1, 3) • img-src (csp 1, 2, 3) • manifest-src (csp 3) • media-src (csp 1, 2) • object-src (csp 1, 2) • script-src (csp 1, 2) • style-src (csp 1, 2) • worker-src (csp 3) FETCH DIRECTIVES
META/HEADER : CONTENT-SECURITY-POLICY • * (csp 1, 2, 3) • 'self' (csp 1, 2, 3) • 'none' (csp 1, 2, 3) • uri (csp 1, 2, 3) • media1.example.com • *.cdn.example.com • protocol • https: (csp 1, 2, 3) • http: (csp 1, 2, 3) • data: (csp 1, 2, 3) • mediastream: (csp 2, 3) • blob: (csp 2, 3) • filesystem: (csp 2, 3) • unsafe-inline (csp 1, 2, 3) • unsafe-eval (csp 1, 2, 3) • 'nonce-<base64-value>' (csp 2, 3) • <hash-source> (csp 2, 3) • 'strict-dynamic' (csp 2, 3) FETCH DIRECTIVES VALUES
META/HEADER : CONTENT-SECURITY-POLICY • Document Directives • base-uri (csp 2, 3) • disown-opener (csp 3) • plugin-types (csp 2, 3) • sandbox (csp 1, 2, 3) • Navigation Directives • form-action (csp 2, 3) • frame-ancestors (csp 2, 3) • Directives Defined in Other Documents • block-all-mixed-content (csp 3) • require-sri-for (csp 3) • upgrade-insecure-requests (csp 3) DIRECTIVES
META/HEADER: CONTENT-SECURITY-POLICY • allow-forms • allow-modals • allow-orientation-lock • allow-pointer-lock • allow-popups • allow-popups-to-escape-sandbox • allow-presentation • allow-same-origin • allow-scripts • allow-top-navigation SANDBOX VALUE
HEADER: CONTENT-SECURITY-POLICY APACHE EXAMPLE #apache <IfModule mod_headers.c> Header set Content-Security-Policy “default-src ‘self’;” </IfModule>
HEADER: CONTENT-SECURITY-POLICY PHP CODE <?php header(“Content-Security-Policy: default-src ‘self’;”, true);
META: CONTENT-SECURITY-POLICY CODE <meta http-equiv="Content-Security-Policy" content="default-src https:">
META/HEADER: CONTENT-SECURITY-POLICY EXAMPLES default-src 'self'; script-src 'self'; script-src 'self' www.google-analytics.com ajax.googleapis.com; default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; default-src 'self'; img-src *; object-src media1.example.com media2.example.com *.cdn.example.com; script-src trustedscripts.example.com default-src https: 'unsafe-inline' 'unsafe-eval' default-src *; script-src https://example.com/js/;” default-src *; sandbox allow-scripts
META/HEADER: CONTENT-SECURITY-POLICY EXAMPLES default-src 'self'; frame-ancestors 'none' base-uri 'self' object-src 'none' plugin-types application/x-shockwave-flash plugin-types application/x-java-applet form-action 'none' default-src 'self'; require-sri-for script style block-all-mixed-content upgrade-insecure-requests; default-src https:
META/HEADER : CONTENT-SECURITY-POLICY • Reporting Directives • report-uri (CSP 1, 2, 3) • report-to (CSP 3) • Meta/Header • Content-Security-Policy-Report-Only REPORT
HEADER : CONTENT-SECURITY-POLICY APACHE EXAMPLE REPORT Content-Security-Policy “default-src ‘self’; report-uri http://example.org/csp-report.php” http://evil.example.com/image.png
META/HEADER : CONTENT-SECURITY-POLICY RESPONSE { “csp-report”: { “document-uri”: “http://example.org/page.html", “referrer”: “http://evil.example.com/haxor.html", “blocked-uri”: “http://evil.example.com/image.png", “violated-directive”: “default-src ‘self’”, “original-policy”: “default-src ‘self’; report-uri http://example.org/csp-report.cgi” } }
CROSS-ORIGIN RESOURCE SHARING • Access-Control-Allow-Credentials • Access-Control-Allow-Headers • Access-Control-Allow-Methods • Access-Control-Allow-Origin • Access-Control-Expose-Headers • Access-Control-Max-Age • Access-Control-Request-Headers • Access-Control-Request-Method META/HEADER: ACCESS-CONTROL-*
CROSS-ORIGIN RESOURCE SHARING META/HEADER: ACCESS-CONTROL-* Android Chrome Edge Firefox Internet Explorer Opera Safari Access-Control-* 2.1+ 4+ 12+ 3.5+ 10+ 12+ 4+
META: ACCESS-CONTROL-* CODE <meta http-equiv="Access-Control-Allow-Origin” content="*"> <meta http-equiv="Access-Control-Allow-Origin” content="http://kuzzle.io"> <meta http-equiv="Access-Control-Allow-Credentials” content="true"> <meta http-equiv="Access-Control-Allow-Headers” content="Content-Length, X-Powered-By"> <meta http-equiv="Access-Control-Allow-Methods” content="POST, GET, OPTIONS"> <meta http-equiv="Access-Control-Expose-Headers” content="Content-Length, X-Powered-By"> <meta http-equiv="Access-Control-Max-Age” content="600"> <meta http-equiv="Access-Control-Request-Headers” content="Content-Length, X-Powered-By"> <meta http-equiv="Access-Control-Request-Methods” content="POST">
HEADER: ACCESS-CONTROL-* APACHE EXAMPLE #apache <IfModule mod_headers.c> Header set Access-Control-Allow-Origin “http://kuzzle.io” Header set Access-Control-Allow-Credentials “true” Header set Access-Control-Allow-Headers “Content-Length, X-Powered-By” Header set Access-Control-Allow-Methods “POST, GET, OPTIONS” Header set Access-Control-Expose-Headers “Content-Length, X-Powered-By” Header set Access-Control-Max-Age “60” Header set Access-Control-Request-Headers “Content-Length, X-Powered-By” Header set Access-Control-Request-Methods “POST” </IfModule>
HEADER: ACCESS-CONTROL-* PHP CODE <?php header(“Access-Control-Allow-Origin: http://kuzzle.io”, true); header(“Access-Control-Allow-Credentials: true”, true); header(“Access-Control-Allow-Headers: Content-Length, X-Powered-By”, true); header(“Access-Control-Allow-Methods: POST, GET, OPTIONS”, true); header(“Access-Control-Expose-Headers: Content-Length, X-Powered-By”, true); header(“Access-Control-Max-Age: 60”, true); header(“Access-Control-Request-Headers: Content-Length, X-Powered-By”, true); header(“Access-Control-Request-Methods: POST”, true);
PROTECT YOUR SESSIONS • Stealing session (session cookie) is quite simple. • Use HTTPS on your server if you use sessions. • But it is not enough... PHP CONFIGURATION
PROTECT YOUR SESSIONS PHP CONFIGURATION session.use_cookies “1” session.use_only_cookies “1” session.cookie_secure “1” session.cookie_httponly “1”
PROTECT YOUR COOKIES • Secure • HttpOnly • SameSite SETCOOKIE Android Chrome Edge Firefox Internet Explorer Opera Safari Secure 1+ 1+ 10+ 3+ 9+ 11+ 5+ HttpOnly 1+ 1+ 10+ 3+ 9+ 11+ 5+ SameSite 51+ 51+ N/A N/A N/A 39+ N/A
PROTECT YOUR COOKIES PHP CODE bool setcookie ( string $name [, string $value = "" [, int $expire = 0 [, string $path = "" [, string $domain = "" [, bool $secure = false [, bool $httponly = false ]]]]]] )
PROTECT IN TRANSIT DATA • Require the browser to use a site in SSL (and retains the information) HTTP STRICT TRANSPORT SECURITY Android Chrome Edge Firefox Internet Explorer Opera Safari Strict-Transport- Security 4.4+ 4+ 12+ 4+ 11+ 12+ 7+
HTTP STRICT TRANSPORT SECURITY EXAMPLES Strict-Transport-Security: max-age=<expire-time> Strict-Transport-Security: max-age=<expire-time>; includeSubDomains Strict-Transport-Security: max-age=<expire-time>; preload Strict-Transport-Security: max-age=<expire-time>; includeSubDomains; preload
HTTP STRICT TRANSPORT SECURITY APACHE EXAMPLE #apache <VirtualHost *:80> ServerAlias * RewriteEngine On RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [redirect=301] </VirtualHost> <VirtualHost *:443> ServerAlias * ... <IfModule mod_headers.c> Header set Strict-Transport-Security “max-age=16070400; preload" </IfModule> </VirtualHost>
HTTP STRICT TRANSPORT SECURITY PHP EXAMPLE <?php // IIS defines the HTTPS protocol to be “off” for non-SSL requests if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off') { header(’Strict-Transport-Security: max-age=16070400’); } else { header('Location: https://’.$_SERVER[’HTTP_HOST'] . $_SERVER['REQUEST_URI'], true, 301); exit; }
PROTECT IN TRANSIT DATA • Tells a Web client to associate a specific public cryptographic public key to a Web server to reduce the risk of MITM attacks with falsified certificates. HTTP PUBLIC KEY PINNING (HPKP) Android Chrome Edge Firefox Internet Explorer Opera Safari Public-Key-Pins 38+ 38+ N/A 35+ N/A 25+ N/A Report-uri 46+ 46+ N/A N/A N/A 33+ N/A
HTTP PUBLIC KEY PINNING (HPKP) EXAMPLES Public-Key-Pins: pin-sha256=<base64==>; max-age=<expireTime>; Public-Key-Pins: pin-sha256=<base64==>; max-age=<expireTime>; includeSubDomains Public-Key-Pins: pin-sha256=<base64==>; max-age=<expireTime>; report-uri=<reportURI> Public-Key-Pins-Report-Only: pin-sha256=<base64==>; max-age=<expireTime>; report- uri=<reportURI>
PROTECT IMPORTED FILES INTEGRITIES • Verify extracted files are delivered without unexpected manipulation. • Uses a cryptographic hash. • <script>, <link> • Base64 of • sha256 • sha384 • sha512 SUBRESOURCE INTEGRITY
SUBRESOURCE INTEGRITY EXAMPLES <script src="https://example.com/example-framework.js" integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC" crossorigin="anonymous"></script> <link rel="stylesheet” href="https://site53.example.net/style.css" integrity="sha384-+/M6kredJcxdsqkczBUjMLvqyHb1K/JThDXWsBVxMEeZHEaMKEOEct339VItX1zB" crossorigin="anonymous"> cat example-framework.js | openssl dgst -sha384 -binary | openssl enc -base64 -A
PROTECT YOUR • Allows you to specify when the browser will define a Referer header.no- referrer • no-referrer • no-referrer-when-downgrade • origin • origin-when-cross-origin • same-origin • strict-origin • strict-origin-when-cross-origin • unsafe-url HEADER: REFERRER-POLICY
HEADER: REFERRER-POLICY COMPATIBILITY Android Chrome Edge Firefox Internet Explorer Opera Safari Referrer-Policy 56+ 56+ N/A 50+ N/A 43+ N/A same-origin N/A N/A N/A 52+ N/A N/A N/A strict-origin N/A N/A N/A 52+ N/A N/A N/A strict-origin- when-cross- origin N/A N/A N/A 52+ N/A N/A N/A
ANY QUESTIONS? THANK YOU! If you want to talk more, feel free to contact me. http://kuzzle.io This presentation was created using Keynote. The text is set in Oswald and Ubuntu. The source code is set in Ubuntu Mono. The iconography is provided by Keynote, kuzzle.io and Font Awesome. Unless otherwise noted, all photographs are used by permission under a Creative Commons license. Please refer to the Photo Credits slide for more information. Copyright © This work is licensed under Creative Commons Attribution-ShareAlike 4.0 International. For uses not covered under this license, please contact the author. hello@kuzzle.io @kuzzleio Kuzzle kuzzleio http://kuzzle.io Browser Serving Your Web Application Security 2014-2017 Philippe Gamache GAMACHE, Philippe. “Browser Serving Your Web Application Security” NorthEast PHP Conference. August 10, 2017. Conference presentation. pgamache@kuzzle.io @philoupedia philippegamache joind.in/talk/c5998 Please visit us at:

Empfohlen

OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017 OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017 Philippe Gamache
 
Drupal Security Hardening
Drupal Security HardeningDrupal Security Hardening
Drupal Security HardeningGerald Villorente
 
Securing Drupal 7: Do not get Hacked or Spammed to death!
Securing Drupal 7: Do not get Hacked or Spammed to death!Securing Drupal 7: Do not get Hacked or Spammed to death!
Securing Drupal 7: Do not get Hacked or Spammed to death!Adelle Frank
 
Hack Proof Your Drupal Site
Hack Proof Your Drupal SiteHack Proof Your Drupal Site
Hack Proof Your Drupal SiteNaveen Valecha
 
Drupal and Security: What You Need to Know
Drupal and Security: What You Need to KnowDrupal and Security: What You Need to Know
Drupal and Security: What You Need to KnowAcquia
 
Drupal Security Intro
Drupal Security IntroDrupal Security Intro
Drupal Security IntroCash Williams
 
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)nyccamp
 
Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12Jim Manico
 

Empfohlen

OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017 OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017 Philippe Gamache
 
Drupal Security Hardening
Drupal Security HardeningDrupal Security Hardening
Drupal Security HardeningGerald Villorente
 
Securing Drupal 7: Do not get Hacked or Spammed to death!
Securing Drupal 7: Do not get Hacked or Spammed to death!Securing Drupal 7: Do not get Hacked or Spammed to death!
Securing Drupal 7: Do not get Hacked or Spammed to death!Adelle Frank
 
Hack Proof Your Drupal Site
Hack Proof Your Drupal SiteHack Proof Your Drupal Site
Hack Proof Your Drupal SiteNaveen Valecha
 
Drupal and Security: What You Need to Know
Drupal and Security: What You Need to KnowDrupal and Security: What You Need to Know
Drupal and Security: What You Need to KnowAcquia
 
Drupal Security Intro
Drupal Security IntroDrupal Security Intro
Drupal Security IntroCash Williams
 
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)nyccamp
 
Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12Jim Manico
 
Attacking Drupal
Attacking DrupalAttacking Drupal
Attacking DrupalGreg Foss
 
Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Jim Manico
 
Development Security Framework based on Owasp Esapi for JSF2.0
Development Security Framework based on Owasp Esapi for JSF2.0Development Security Framework based on Owasp Esapi for JSF2.0
Development Security Framework based on Owasp Esapi for JSF2.0Rakesh Kachhadiya
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Jim Manico
 
OWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersOWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersLewis Ardern
 
Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaJim Manico
 
So you thought you were safe using AngularJS.. Think again!
So you thought you were safe using AngularJS.. Think again!So you thought you were safe using AngularJS.. Think again!
So you thought you were safe using AngularJS.. Think again!Lewis Ardern
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesMikhail Egorov
 
OWASP London - So you thought you were safe using AngularJS.. Think again!
OWASP London - So you thought you were safe using AngularJS.. Think again!OWASP London - So you thought you were safe using AngularJS.. Think again!
OWASP London - So you thought you were safe using AngularJS.. Think again!Lewis Ardern
 
DefCamp 2013 - Http header analysis
DefCamp 2013 - Http header analysisDefCamp 2013 - Http header analysis
DefCamp 2013 - Http header analysisDefCamp
 
DVWA BruCON Workshop
DVWA BruCON WorkshopDVWA BruCON Workshop
DVWA BruCON Workshoptestuser1223
 
DVWA(Damn Vulnerabilities Web Application)
DVWA(Damn Vulnerabilities Web Application)DVWA(Damn Vulnerabilities Web Application)
DVWA(Damn Vulnerabilities Web Application)Soham Kansodaria
 
Deep dive into Java security architecture
Deep dive into Java security architectureDeep dive into Java security architecture
Deep dive into Java security architecturePrabath Siriwardena
 
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers Lewis Ardern
 
Web Security - CSP & Web Cryptography
Web Security - CSP & Web CryptographyWeb Security - CSP & Web Cryptography
Web Security - CSP & Web CryptographySamsung Open Source Group
 
Shields Up! Securing React Apps
Shields Up! Securing React AppsShields Up! Securing React Apps
Shields Up! Securing React AppsZachary Klein
 
Configuring CQ Security
Configuring CQ SecurityConfiguring CQ Security
Configuring CQ Securityconnectwebex
 
Java Security Framework's
Java Security Framework'sJava Security Framework's
Java Security Framework'sMohammed Fazuluddin
 
JavaCro'14 - Securing web applications with Spring Security 3 – Fernando Redo...
JavaCro'14 - Securing web applications with Spring Security 3 – Fernando Redo...JavaCro'14 - Securing web applications with Spring Security 3 – Fernando Redo...
JavaCro'14 - Securing web applications with Spring Security 3 – Fernando Redo...HUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association
 
OWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript ApplicationsOWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript ApplicationsLewis Ardern
 
[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security Headers[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security HeadersOWASP
 
Csp and http headers
Csp and http headersCsp and http headers
Csp and http headersColdFusionConference
 

Weitere ähnliche Inhalte

Was ist angesagt?

Attacking Drupal
Attacking DrupalAttacking Drupal
Attacking DrupalGreg Foss
 
Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Jim Manico
 
Development Security Framework based on Owasp Esapi for JSF2.0
Development Security Framework based on Owasp Esapi for JSF2.0Development Security Framework based on Owasp Esapi for JSF2.0
Development Security Framework based on Owasp Esapi for JSF2.0Rakesh Kachhadiya
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Jim Manico
 
OWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersOWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersLewis Ardern
 
Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaJim Manico
 
So you thought you were safe using AngularJS.. Think again!
So you thought you were safe using AngularJS.. Think again!So you thought you were safe using AngularJS.. Think again!
So you thought you were safe using AngularJS.. Think again!Lewis Ardern
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesMikhail Egorov
 
OWASP London - So you thought you were safe using AngularJS.. Think again!
OWASP London - So you thought you were safe using AngularJS.. Think again!OWASP London - So you thought you were safe using AngularJS.. Think again!
OWASP London - So you thought you were safe using AngularJS.. Think again!Lewis Ardern
 
DefCamp 2013 - Http header analysis
DefCamp 2013 - Http header analysisDefCamp 2013 - Http header analysis
DefCamp 2013 - Http header analysisDefCamp
 
DVWA BruCON Workshop
DVWA BruCON WorkshopDVWA BruCON Workshop
DVWA BruCON Workshoptestuser1223
 
DVWA(Damn Vulnerabilities Web Application)
DVWA(Damn Vulnerabilities Web Application)DVWA(Damn Vulnerabilities Web Application)
DVWA(Damn Vulnerabilities Web Application)Soham Kansodaria
 
Deep dive into Java security architecture
Deep dive into Java security architectureDeep dive into Java security architecture
Deep dive into Java security architecturePrabath Siriwardena
 
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers Lewis Ardern
 
Shields Up! Securing React Apps
Shields Up! Securing React AppsShields Up! Securing React Apps
Shields Up! Securing React AppsZachary Klein
 
Configuring CQ Security
Configuring CQ SecurityConfiguring CQ Security
Configuring CQ Securityconnectwebex
 
OWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript ApplicationsOWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript ApplicationsLewis Ardern
 

Was ist angesagt? (20)

Attacking Drupal
Attacking DrupalAttacking Drupal
Attacking Drupal
 
Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5
 
Development Security Framework based on Owasp Esapi for JSF2.0
Development Security Framework based on Owasp Esapi for JSF2.0Development Security Framework based on Owasp Esapi for JSF2.0
Development Security Framework based on Owasp Esapi for JSF2.0
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2
 
OWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersOWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript Developers
 
Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with Java
 
So you thought you were safe using AngularJS.. Think again!
So you thought you were safe using AngularJS.. Think again!So you thought you were safe using AngularJS.. Think again!
So you thought you were safe using AngularJS.. Think again!
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sites
 
OWASP London - So you thought you were safe using AngularJS.. Think again!
OWASP London - So you thought you were safe using AngularJS.. Think again!OWASP London - So you thought you were safe using AngularJS.. Think again!
OWASP London - So you thought you were safe using AngularJS.. Think again!
 
DefCamp 2013 - Http header analysis
DefCamp 2013 - Http header analysisDefCamp 2013 - Http header analysis
DefCamp 2013 - Http header analysis
 
DVWA BruCON Workshop
DVWA BruCON WorkshopDVWA BruCON Workshop
DVWA BruCON Workshop
 
DVWA(Damn Vulnerabilities Web Application)
DVWA(Damn Vulnerabilities Web Application)DVWA(Damn Vulnerabilities Web Application)
DVWA(Damn Vulnerabilities Web Application)
 
Deep dive into Java security architecture
Deep dive into Java security architectureDeep dive into Java security architecture
Deep dive into Java security architecture
 
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
 
Web Security - CSP & Web Cryptography
Web Security - CSP & Web CryptographyWeb Security - CSP & Web Cryptography
Web Security - CSP & Web Cryptography
 
Shields Up! Securing React Apps
Shields Up! Securing React AppsShields Up! Securing React Apps
Shields Up! Securing React Apps
 
Configuring CQ Security
Configuring CQ SecurityConfiguring CQ Security
Configuring CQ Security
 
Java Security Framework's
Java Security Framework'sJava Security Framework's
Java Security Framework's
 
JavaCro'14 - Securing web applications with Spring Security 3 – Fernando Redo...
JavaCro'14 - Securing web applications with Spring Security 3 – Fernando Redo...JavaCro'14 - Securing web applications with Spring Security 3 – Fernando Redo...
JavaCro'14 - Securing web applications with Spring Security 3 – Fernando Redo...
 
OWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript ApplicationsOWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript Applications
 

Ähnlich wie Browser Serving Your Web Application Security - NorthEast PHP 2017

[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security Headers[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security HeadersOWASP
 
Csp and http headers
Csp and http headersCsp and http headers
Csp and http headersdevObjective
 
Rails and Content Security Policies
Rails and Content Security PoliciesRails and Content Security Policies
Rails and Content Security PoliciesMatias Korhonen
 
Going on an HTTP Diet: Front-End Web Performance
Going on an HTTP Diet: Front-End Web PerformanceGoing on an HTTP Diet: Front-End Web Performance
Going on an HTTP Diet: Front-End Web PerformanceAdam Norwood
 
HTML5 and CSS3 Techniques You Can Use Today
HTML5 and CSS3 Techniques You Can Use TodayHTML5 and CSS3 Techniques You Can Use Today
HTML5 and CSS3 Techniques You Can Use TodayTodd Anglin
 
Content-Security-Policy 2018.0
Content-Security-Policy 2018.0Content-Security-Policy 2018.0
Content-Security-Policy 2018.0Philippe Gamache
 
Unleashing Creative Freedom with MODX - 2015-08-26 at PHP Zwolle
Unleashing Creative Freedom with MODX - 2015-08-26 at PHP Zwolle Unleashing Creative Freedom with MODX - 2015-08-26 at PHP Zwolle
Unleashing Creative Freedom with MODX - 2015-08-26 at PHP Zwolle Mark Hamstra
 
Deep Dive: Alfresco Core Repository (... embedded in a micro-services style a...
Deep Dive: Alfresco Core Repository (... embedded in a micro-services style a...Deep Dive: Alfresco Core Repository (... embedded in a micro-services style a...
Deep Dive: Alfresco Core Repository (... embedded in a micro-services style a...J V
 
Reviewing AngularJS
Reviewing AngularJSReviewing AngularJS
Reviewing AngularJSLewis Ardern
 
PHP language presentation
PHP language presentationPHP language presentation
PHP language presentationAnnujj Agrawaal
 
Rails security: above and beyond the defaults
Rails security: above and beyond the defaultsRails security: above and beyond the defaults
Rails security: above and beyond the defaultsMatias Korhonen
 
Developing High Performance Web Apps - CodeMash 2011
Developing High Performance Web Apps - CodeMash 2011Developing High Performance Web Apps - CodeMash 2011
Developing High Performance Web Apps - CodeMash 2011Timothy Fisher
 
Progressive Downloads and Rendering
Progressive Downloads and RenderingProgressive Downloads and Rendering
Progressive Downloads and RenderingStoyan Stefanov
 
Developing Your Ultimate Package
Developing Your Ultimate PackageDeveloping Your Ultimate Package
Developing Your Ultimate PackageSimon Collison
 
Securing Your Webserver By Pradeep Sharma
Securing Your Webserver By Pradeep SharmaSecuring Your Webserver By Pradeep Sharma
Securing Your Webserver By Pradeep SharmaOSSCube
 
introduction to node.js
introduction to node.jsintroduction to node.js
introduction to node.jsorkaplan
 

Ähnlich wie Browser Serving Your Web Application Security - NorthEast PHP 2017 (20)

[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security Headers[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security Headers
 
Csp and http headers
Csp and http headersCsp and http headers
Csp and http headers
 
Csp and http headers
Csp and http headersCsp and http headers
Csp and http headers
 
Rails and Content Security Policies
Rails and Content Security PoliciesRails and Content Security Policies
Rails and Content Security Policies
 
Going on an HTTP Diet: Front-End Web Performance
Going on an HTTP Diet: Front-End Web PerformanceGoing on an HTTP Diet: Front-End Web Performance
Going on an HTTP Diet: Front-End Web Performance
 
HTML5 and CSS3 Techniques You Can Use Today
HTML5 and CSS3 Techniques You Can Use TodayHTML5 and CSS3 Techniques You Can Use Today
HTML5 and CSS3 Techniques You Can Use Today
 
Content-Security-Policy 2018.0
Content-Security-Policy 2018.0Content-Security-Policy 2018.0
Content-Security-Policy 2018.0
 
Unleashing Creative Freedom with MODX - 2015-08-26 at PHP Zwolle
Unleashing Creative Freedom with MODX - 2015-08-26 at PHP Zwolle Unleashing Creative Freedom with MODX - 2015-08-26 at PHP Zwolle
Unleashing Creative Freedom with MODX - 2015-08-26 at PHP Zwolle
 
Deep Dive: Alfresco Core Repository (... embedded in a micro-services style a...
Deep Dive: Alfresco Core Repository (... embedded in a micro-services style a...Deep Dive: Alfresco Core Repository (... embedded in a micro-services style a...
Deep Dive: Alfresco Core Repository (... embedded in a micro-services style a...
 
Reviewing AngularJS
Reviewing AngularJSReviewing AngularJS
Reviewing AngularJS
 
PHP language presentation
PHP language presentationPHP language presentation
PHP language presentation
 
Rails security: above and beyond the defaults
Rails security: above and beyond the defaultsRails security: above and beyond the defaults
Rails security: above and beyond the defaults
 
Sanjeev ghai 12
Sanjeev ghai 12Sanjeev ghai 12
Sanjeev ghai 12
 
Building Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 FeaturesBuilding Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 Features
 
Developing High Performance Web Apps - CodeMash 2011
Developing High Performance Web Apps - CodeMash 2011Developing High Performance Web Apps - CodeMash 2011
Developing High Performance Web Apps - CodeMash 2011
 
Progressive Downloads and Rendering
Progressive Downloads and RenderingProgressive Downloads and Rendering
Progressive Downloads and Rendering
 
Developing Your Ultimate Package
Developing Your Ultimate PackageDeveloping Your Ultimate Package
Developing Your Ultimate Package
 
Securing Your Webserver By Pradeep Sharma
Securing Your Webserver By Pradeep SharmaSecuring Your Webserver By Pradeep Sharma
Securing Your Webserver By Pradeep Sharma
 
introduction to node.js
introduction to node.jsintroduction to node.js
introduction to node.js
 
Attacking HTML5
Attacking HTML5Attacking HTML5
Attacking HTML5
 

Mehr von Philippe Gamache

Cryptographie 101 Pour les programmeurs (PHP)
Cryptographie 101 Pour les programmeurs (PHP)Cryptographie 101 Pour les programmeurs (PHP)
Cryptographie 101 Pour les programmeurs (PHP)Philippe Gamache
 
Multi Factor Authetification - ZendCon 2017
Multi Factor Authetification - ZendCon 2017Multi Factor Authetification - ZendCon 2017
Multi Factor Authetification - ZendCon 2017Philippe Gamache
 
Browser Serving Your We Application Security - ZendCon 2017
Browser Serving Your We Application Security - ZendCon 2017Browser Serving Your We Application Security - ZendCon 2017
Browser Serving Your We Application Security - ZendCon 2017Philippe Gamache
 
Browser Serving Your Web Application Security - Madison PHP 2017
Browser Serving Your Web Application Security - Madison PHP 2017Browser Serving Your Web Application Security - Madison PHP 2017
Browser Serving Your Web Application Security - Madison PHP 2017Philippe Gamache
 
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017Philippe Gamache
 
Kaizen ou l'amélioration continue
Kaizen ou l'amélioration continueKaizen ou l'amélioration continue
Kaizen ou l'amélioration continuePhilippe Gamache
 
Entreprise Security API - OWASP Montreal
Entreprise Security API - OWASP MontrealEntreprise Security API - OWASP Montreal
Entreprise Security API - OWASP MontrealPhilippe Gamache
 
Entreprise Security API - ConFoo 2011
Entreprise Security API - ConFoo 2011Entreprise Security API - ConFoo 2011
Entreprise Security API - ConFoo 2011Philippe Gamache
 
Strong authetification - ConFoo 2011
Strong authetification - ConFoo 2011Strong authetification - ConFoo 2011
Strong authetification - ConFoo 2011Philippe Gamache
 
Une application en une heure avec symfony - Collège de Mainsonneuve
Une application en une heure avec symfony - Collège de MainsonneuveUne application en une heure avec symfony - Collège de Mainsonneuve
Une application en une heure avec symfony - Collège de MainsonneuvePhilippe Gamache
 
Laboratoire sécurité : audit de code PHP - Conférence PHP Québec 2009
Laboratoire sécurité : audit de code PHP - Conférence PHP Québec 2009Laboratoire sécurité : audit de code PHP - Conférence PHP Québec 2009
Laboratoire sécurité : audit de code PHP - Conférence PHP Québec 2009Philippe Gamache
 
One hour application - PHP Quebec Conference 2009
One hour application - PHP Quebec Conference 2009One hour application - PHP Quebec Conference 2009
One hour application - PHP Quebec Conference 2009Philippe Gamache
 
Une application en deux heure - PHP Québec Janvier 2009
Une application en deux heure - PHP Québec Janvier 2009Une application en deux heure - PHP Québec Janvier 2009
Une application en deux heure - PHP Québec Janvier 2009Philippe Gamache
 
Audit de code PHP - PHP Code Audit - HackFest.ca 2009
Audit de code PHP - PHP Code Audit - HackFest.ca 2009Audit de code PHP - PHP Code Audit - HackFest.ca 2009
Audit de code PHP - PHP Code Audit - HackFest.ca 2009Philippe Gamache
 
Auditing and securing PHP applications - FRHACK 2009
Auditing and securing PHP applications - FRHACK 2009Auditing and securing PHP applications - FRHACK 2009
Auditing and securing PHP applications - FRHACK 2009Philippe Gamache
 

Mehr von Philippe Gamache (16)

Cryptographie 101 Pour les programmeurs (PHP)
Cryptographie 101 Pour les programmeurs (PHP)Cryptographie 101 Pour les programmeurs (PHP)
Cryptographie 101 Pour les programmeurs (PHP)
 
Mentor et votre équipe
Mentor et votre équipeMentor et votre équipe
Mentor et votre équipe
 
Multi Factor Authetification - ZendCon 2017
Multi Factor Authetification - ZendCon 2017Multi Factor Authetification - ZendCon 2017
Multi Factor Authetification - ZendCon 2017
 
Browser Serving Your We Application Security - ZendCon 2017
Browser Serving Your We Application Security - ZendCon 2017Browser Serving Your We Application Security - ZendCon 2017
Browser Serving Your We Application Security - ZendCon 2017
 
Browser Serving Your Web Application Security - Madison PHP 2017
Browser Serving Your Web Application Security - Madison PHP 2017Browser Serving Your Web Application Security - Madison PHP 2017
Browser Serving Your Web Application Security - Madison PHP 2017
 
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
 
Kaizen ou l'amélioration continue
Kaizen ou l'amélioration continueKaizen ou l'amélioration continue
Kaizen ou l'amélioration continue
 
Entreprise Security API - OWASP Montreal
Entreprise Security API - OWASP MontrealEntreprise Security API - OWASP Montreal
Entreprise Security API - OWASP Montreal
 
Entreprise Security API - ConFoo 2011
Entreprise Security API - ConFoo 2011Entreprise Security API - ConFoo 2011
Entreprise Security API - ConFoo 2011
 
Strong authetification - ConFoo 2011
Strong authetification - ConFoo 2011Strong authetification - ConFoo 2011
Strong authetification - ConFoo 2011
 
Une application en une heure avec symfony - Collège de Mainsonneuve
Une application en une heure avec symfony - Collège de MainsonneuveUne application en une heure avec symfony - Collège de Mainsonneuve
Une application en une heure avec symfony - Collège de Mainsonneuve
 
Laboratoire sécurité : audit de code PHP - Conférence PHP Québec 2009
Laboratoire sécurité : audit de code PHP - Conférence PHP Québec 2009Laboratoire sécurité : audit de code PHP - Conférence PHP Québec 2009
Laboratoire sécurité : audit de code PHP - Conférence PHP Québec 2009
 
One hour application - PHP Quebec Conference 2009
One hour application - PHP Quebec Conference 2009One hour application - PHP Quebec Conference 2009
One hour application - PHP Quebec Conference 2009
 
Une application en deux heure - PHP Québec Janvier 2009
Une application en deux heure - PHP Québec Janvier 2009Une application en deux heure - PHP Québec Janvier 2009
Une application en deux heure - PHP Québec Janvier 2009
 
Audit de code PHP - PHP Code Audit - HackFest.ca 2009
Audit de code PHP - PHP Code Audit - HackFest.ca 2009Audit de code PHP - PHP Code Audit - HackFest.ca 2009
Audit de code PHP - PHP Code Audit - HackFest.ca 2009
 
Auditing and securing PHP applications - FRHACK 2009
Auditing and securing PHP applications - FRHACK 2009Auditing and securing PHP applications - FRHACK 2009
Auditing and securing PHP applications - FRHACK 2009
 

Kürzlich hochgeladen

Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditSkynet Technologies
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Scott Andery
 

Kürzlich hochgeladen (20)

Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance Audit
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
 

Browser Serving Your Web Application Security - NorthEast PHP 2017

  • 1. BROWSER SERVING YOUR WEB APPLICATION SECURITY ALL YOU NEED TO KNOW
  • 2. ABOUT ME HI I’M PHILIPPE I’m a Developer Evangelist for kuzzle.io. Long-time internet developer, author, screen caster, podcaster and speaker. I’m specializes in PHP, Symfony, Kuzzle, security, code quality, performance, real time and geolocation. • Sécurité PHP 5 et MySQL 5 • OWASP Montreal • PHP Quebec • Table Top Game Developer • Pen & Paper RPG Writer
  • 3. PURPOSE OF THE PRESENTATION • Improve the code of your website • Protect your site against certain attacks • Protect your users from certain attacks • Protect your development sites WHY WE ARE TALKING ABOUT THIS?
  • 4. PROTECT YOUR DEV SITES • Dev/test/qa/regression servers • If they are available via the web • Robots.txt is not enough • forget • File compliance AVOID LEEKS
  • 6. PROTECT YOUR SITES • name • robots for all robots • specific: • Googlebot: Googlebot-News, Googlebot-Image, Googlebot-Video, Googlebot- Mobile, Mediapartners-Google, Mediapartners, AdsBot-Google, AdsBot- Google-Mobile-Apps • slurp • msnbot, bingbot • teoma META NAME=ROBOTS
  • 7. PROTECT YOUR SITES • content • all • index • follow META NAME=ROBOTS
  • 8. PROTECT YOUR SITES • content • none • noindex • noarchive • nocache • nofollow META NAME=ROBOTS
  • 9. PROTECT YOUR SITES • content • nosnippet • noodp • noydir • notranslate • noimageindex • unavailable_after: [RFC-850 date/time] META NAME=ROBOTS
  • 10. HEADER : X-ROBOTS-TAG APACHE EXAMPLE #apache <IfModule mod_headers.c> Header set X-Robots-Tag “noindex, nofollow, noarchive" <FilesMatch “.(doc|pdf|png|jpe?g|gif)$”> Header set X-Robots-Tag “noindex, noarchive, nosnippet" </FilesMatch> <IfModule>
  • 12. HEADER : X-ROBOTS-TAG EXAMPLES X-Robots-Tag: noarchive X-Robots-Tag: unavailable_after: 25 Jun 2010 15:00:00 PST X-Robots-Tag: googlebot: nofollow X-Robots-Tag: otherbot: noindex, nofollow
  • 13. IMPROVE YOUR CODE • Normally, for IE8 + • Requests IE to use the latest render engines or a particular version. • Should use the ChromeFrame renderer (for IE6 and IE7) • Does not validate • Reduce the display speed of the site if it needs to change mode • Does not work in a conditional comment ( <!--[if lt IE 7]> ) META/HEADER : X-UA-COMPATIBLE
  • 14. META: X-UA-COMPATIBLE CODE <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"> <meta http-equiv="X-UA-Compatible” content="IE=9">
  • 15. HEADER: X-UA-COMPATIBLE CODE PHP <?php header (“X-UA-Compatible : IE=Edge,chrome=1”, true);
  • 16. HEADER: X-UA-COMPATIBLE APACHE EXAMPLE #apache <IfModule mod_headers.c> Header set X-UA-Compatible “IE=Edge,chrome=1” # Mod_headers Does not use the content type, # but we do not want to send this header <FilesMatch “.(js|css|gif|png|jpe?g|pdf|xml|oga|ogg|m4a|ogv|mp4| m4v|webm|svg|svgz|eot|ttf|otf|woff|ico|webp|appcache|manifest|htc| crx|oex|xpi|safariextz|vcf)$” > Header unset X-UA-Compatible </FilesMatch> </IfModule>
  • 17. CLICKJACKING PROTECTION • “Clickjacking” protection • <frame> • <iframe> • <object> • Value • DENY • SAMEORIGIN • ALLOW-FROM uri META/HEADER : X-FRAME-OPTIONS
  • 18. META/HEADER : X-FRAME-OPTIONS BROWSER SUPPORT Android Chrome Edge Firefox Internet Explorer Opera Safari X-Frame-Option 4+ 4+ 12+ 4+ 8+ 10.5+ 4.0+ Allow-from N/A N/A* N/A* 18+ 9+ N/A N/A* *Use CSP frame-ancestors directive instead
  • 19. HEADER : X-FRAME-OPTIONS APACHE EXAMPLE #apache <IfModule mod_headers.c> Header set X-Frame-Options “deny” </IfModule>
  • 22. PROTECT AGAINS DRIVE-BY ATTAQUE • Only one value: nosniff HEADER : X-CONTENT-TYPE-OPTIONS Android Chrome Edge Firefox Internet Explorer Opera Safari nosniff 3+ 1.0+* 11+ 50+** 8+ 13+ N/A * during download ** or with NoScript
  • 23. HEADER : X-CONTENT-TYPE-OPTIONS APACHE EXAMPLE #apache <IfModule mod_headers.c> Header set X-Content-Type-Options “nosniff” </IfModule>
  • 25. XSS PROTECTION • Automatic protection against XSS • mode=block • report=<reporting-URI> META/HEADER : X-XSS-PROTECTION Android Chrome Edge Firefox Internet Explorer Opera Safari X-XSS-Protection (Yes) 4+ 11+ N/A* 8+ Yes 4+ report No Chromium No No No No No * yes with NoScript
  • 26. HEADER : X-XSS-PROTECTION APACHE EXAMPLE #apache <IfModule mod_headers.c> Header set X-XSS-Protection “1; mode=block” </IfModule>
  • 28. META : X-XSS-PROTECTION EXAMPLE <meta http-equiv="X-XSS-Protection" content="1"> <meta http-equiv="X-XSS-Protection" content="1; mode=block"> <meta http-equiv="X-XSS-Protection” content="0"> <!-- Chromium only --> <meta http-equiv="X-XSS-Protection” content="1; report=<url>">
  • 29. SUPER PROTECTION • 3 level of specification • Specification 1.0 Recommendation • http://w3c.org/TR/CSP1 • Specification 2.0 Recommendation • http://w3c.org/TR/CSP2 • Specification 3.0 Working Draft • http://w3c.org/TR/CSP3 META/HEADER : CONTENT-SECURITY-POLICY
  • 30. SUPER PROTECTION META/HEADER : CONTENT-SECURITY-POLICY Android Chrome Edge Firefox Internet Explorer Opera Safari Recommendation 1 4.4+ 25+ 12+ 23+ 11+ 7+ X-Content-Security-Policy 12+* 4+ 10+ X-WebKit-CSP 14+ 5.1+ Recommendation 2 53+ 40+ 15+ 31+** 27+ 10+ Working Draft 3 * Limited ** Partial
  • 31. META/HEADER : CONTENT-SECURITY-POLICY • default-src (csp 1, 2, 3) • child-src (csp 2, 3) • connect-src (csp 1, 2, 3) • font-src (csp 1, 2, 3) • frame-src (csp 1, 3) • img-src (csp 1, 2, 3) • manifest-src (csp 3) • media-src (csp 1, 2) • object-src (csp 1, 2) • script-src (csp 1, 2) • style-src (csp 1, 2) • worker-src (csp 3) FETCH DIRECTIVES
  • 32. META/HEADER : CONTENT-SECURITY-POLICY • * (csp 1, 2, 3) • 'self' (csp 1, 2, 3) • 'none' (csp 1, 2, 3) • uri (csp 1, 2, 3) • media1.example.com • *.cdn.example.com • protocol • https: (csp 1, 2, 3) • http: (csp 1, 2, 3) • data: (csp 1, 2, 3) • mediastream: (csp 2, 3) • blob: (csp 2, 3) • filesystem: (csp 2, 3) • unsafe-inline (csp 1, 2, 3) • unsafe-eval (csp 1, 2, 3) • 'nonce-<base64-value>' (csp 2, 3) • <hash-source> (csp 2, 3) • 'strict-dynamic' (csp 2, 3) FETCH DIRECTIVES VALUES
  • 33. META/HEADER : CONTENT-SECURITY-POLICY • Document Directives • base-uri (csp 2, 3) • disown-opener (csp 3) • plugin-types (csp 2, 3) • sandbox (csp 1, 2, 3) • Navigation Directives • form-action (csp 2, 3) • frame-ancestors (csp 2, 3) • Directives Defined in Other Documents • block-all-mixed-content (csp 3) • require-sri-for (csp 3) • upgrade-insecure-requests (csp 3) DIRECTIVES
  • 34. META/HEADER: CONTENT-SECURITY-POLICY • allow-forms • allow-modals • allow-orientation-lock • allow-pointer-lock • allow-popups • allow-popups-to-escape-sandbox • allow-presentation • allow-same-origin • allow-scripts • allow-top-navigation SANDBOX VALUE
  • 35. HEADER: CONTENT-SECURITY-POLICY APACHE EXAMPLE #apache <IfModule mod_headers.c> Header set Content-Security-Policy “default-src ‘self’;” </IfModule>
  • 38. META/HEADER: CONTENT-SECURITY-POLICY EXAMPLES default-src 'self'; script-src 'self'; script-src 'self' www.google-analytics.com ajax.googleapis.com; default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; default-src 'self'; img-src *; object-src media1.example.com media2.example.com *.cdn.example.com; script-src trustedscripts.example.com default-src https: 'unsafe-inline' 'unsafe-eval' default-src *; script-src https://example.com/js/;” default-src *; sandbox allow-scripts
  • 39. META/HEADER: CONTENT-SECURITY-POLICY EXAMPLES default-src 'self'; frame-ancestors 'none' base-uri 'self' object-src 'none' plugin-types application/x-shockwave-flash plugin-types application/x-java-applet form-action 'none' default-src 'self'; require-sri-for script style block-all-mixed-content upgrade-insecure-requests; default-src https:
  • 40. META/HEADER : CONTENT-SECURITY-POLICY • Reporting Directives • report-uri (CSP 1, 2, 3) • report-to (CSP 3) • Meta/Header • Content-Security-Policy-Report-Only REPORT
  • 41. HEADER : CONTENT-SECURITY-POLICY APACHE EXAMPLE REPORT Content-Security-Policy “default-src ‘self’; report-uri http://example.org/csp-report.php” http://evil.example.com/image.png
  • 42. META/HEADER : CONTENT-SECURITY-POLICY RESPONSE { “csp-report”: { “document-uri”: “http://example.org/page.html", “referrer”: “http://evil.example.com/haxor.html", “blocked-uri”: “http://evil.example.com/image.png", “violated-directive”: “default-src ‘self’”, “original-policy”: “default-src ‘self’; report-uri http://example.org/csp-report.cgi” } }
  • 43. CROSS-ORIGIN RESOURCE SHARING • Access-Control-Allow-Credentials • Access-Control-Allow-Headers • Access-Control-Allow-Methods • Access-Control-Allow-Origin • Access-Control-Expose-Headers • Access-Control-Max-Age • Access-Control-Request-Headers • Access-Control-Request-Method META/HEADER: ACCESS-CONTROL-*
  • 44. CROSS-ORIGIN RESOURCE SHARING META/HEADER: ACCESS-CONTROL-* Android Chrome Edge Firefox Internet Explorer Opera Safari Access-Control-* 2.1+ 4+ 12+ 3.5+ 10+ 12+ 4+
  • 45. META: ACCESS-CONTROL-* CODE <meta http-equiv="Access-Control-Allow-Origin” content="*"> <meta http-equiv="Access-Control-Allow-Origin” content="http://kuzzle.io"> <meta http-equiv="Access-Control-Allow-Credentials” content="true"> <meta http-equiv="Access-Control-Allow-Headers” content="Content-Length, X-Powered-By"> <meta http-equiv="Access-Control-Allow-Methods” content="POST, GET, OPTIONS"> <meta http-equiv="Access-Control-Expose-Headers” content="Content-Length, X-Powered-By"> <meta http-equiv="Access-Control-Max-Age” content="600"> <meta http-equiv="Access-Control-Request-Headers” content="Content-Length, X-Powered-By"> <meta http-equiv="Access-Control-Request-Methods” content="POST">
  • 46. HEADER: ACCESS-CONTROL-* APACHE EXAMPLE #apache <IfModule mod_headers.c> Header set Access-Control-Allow-Origin “http://kuzzle.io” Header set Access-Control-Allow-Credentials “true” Header set Access-Control-Allow-Headers “Content-Length, X-Powered-By” Header set Access-Control-Allow-Methods “POST, GET, OPTIONS” Header set Access-Control-Expose-Headers “Content-Length, X-Powered-By” Header set Access-Control-Max-Age “60” Header set Access-Control-Request-Headers “Content-Length, X-Powered-By” Header set Access-Control-Request-Methods “POST” </IfModule>
  • 47. HEADER: ACCESS-CONTROL-* PHP CODE <?php header(“Access-Control-Allow-Origin: http://kuzzle.io”, true); header(“Access-Control-Allow-Credentials: true”, true); header(“Access-Control-Allow-Headers: Content-Length, X-Powered-By”, true); header(“Access-Control-Allow-Methods: POST, GET, OPTIONS”, true); header(“Access-Control-Expose-Headers: Content-Length, X-Powered-By”, true); header(“Access-Control-Max-Age: 60”, true); header(“Access-Control-Request-Headers: Content-Length, X-Powered-By”, true); header(“Access-Control-Request-Methods: POST”, true);
  • 48. PROTECT YOUR SESSIONS • Stealing session (session cookie) is quite simple. • Use HTTPS on your server if you use sessions. • But it is not enough... PHP CONFIGURATION
  • 49. PROTECT YOUR SESSIONS PHP CONFIGURATION session.use_cookies “1” session.use_only_cookies “1” session.cookie_secure “1” session.cookie_httponly “1”
  • 50. PROTECT YOUR COOKIES • Secure • HttpOnly • SameSite SETCOOKIE Android Chrome Edge Firefox Internet Explorer Opera Safari Secure 1+ 1+ 10+ 3+ 9+ 11+ 5+ HttpOnly 1+ 1+ 10+ 3+ 9+ 11+ 5+ SameSite 51+ 51+ N/A N/A N/A 39+ N/A
  • 51. PROTECT YOUR COOKIES PHP CODE bool setcookie ( string $name [, string $value = "" [, int $expire = 0 [, string $path = "" [, string $domain = "" [, bool $secure = false [, bool $httponly = false ]]]]]] )
  • 52. PROTECT IN TRANSIT DATA • Require the browser to use a site in SSL (and retains the information) HTTP STRICT TRANSPORT SECURITY Android Chrome Edge Firefox Internet Explorer Opera Safari Strict-Transport- Security 4.4+ 4+ 12+ 4+ 11+ 12+ 7+
  • 53. HTTP STRICT TRANSPORT SECURITY EXAMPLES Strict-Transport-Security: max-age=<expire-time> Strict-Transport-Security: max-age=<expire-time>; includeSubDomains Strict-Transport-Security: max-age=<expire-time>; preload Strict-Transport-Security: max-age=<expire-time>; includeSubDomains; preload
  • 54. HTTP STRICT TRANSPORT SECURITY APACHE EXAMPLE #apache <VirtualHost *:80> ServerAlias * RewriteEngine On RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [redirect=301] </VirtualHost> <VirtualHost *:443> ServerAlias * ... <IfModule mod_headers.c> Header set Strict-Transport-Security “max-age=16070400; preload" </IfModule> </VirtualHost>
  • 55. HTTP STRICT TRANSPORT SECURITY PHP EXAMPLE <?php // IIS defines the HTTPS protocol to be “off” for non-SSL requests if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off') { header(’Strict-Transport-Security: max-age=16070400’); } else { header('Location: https://’.$_SERVER[’HTTP_HOST'] . $_SERVER['REQUEST_URI'], true, 301); exit; }
  • 56. PROTECT IN TRANSIT DATA • Tells a Web client to associate a specific public cryptographic public key to a Web server to reduce the risk of MITM attacks with falsified certificates. HTTP PUBLIC KEY PINNING (HPKP) Android Chrome Edge Firefox Internet Explorer Opera Safari Public-Key-Pins 38+ 38+ N/A 35+ N/A 25+ N/A Report-uri 46+ 46+ N/A N/A N/A 33+ N/A
  • 57. HTTP PUBLIC KEY PINNING (HPKP) EXAMPLES Public-Key-Pins: pin-sha256=<base64==>; max-age=<expireTime>; Public-Key-Pins: pin-sha256=<base64==>; max-age=<expireTime>; includeSubDomains Public-Key-Pins: pin-sha256=<base64==>; max-age=<expireTime>; report-uri=<reportURI> Public-Key-Pins-Report-Only: pin-sha256=<base64==>; max-age=<expireTime>; report- uri=<reportURI>
  • 58. PROTECT IMPORTED FILES INTEGRITIES • Verify extracted files are delivered without unexpected manipulation. • Uses a cryptographic hash. • <script>, <link> • Base64 of • sha256 • sha384 • sha512 SUBRESOURCE INTEGRITY
  • 59. SUBRESOURCE INTEGRITY EXAMPLES <script src="https://example.com/example-framework.js" integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC" crossorigin="anonymous"></script> <link rel="stylesheet” href="https://site53.example.net/style.css" integrity="sha384-+/M6kredJcxdsqkczBUjMLvqyHb1K/JThDXWsBVxMEeZHEaMKEOEct339VItX1zB" crossorigin="anonymous"> cat example-framework.js | openssl dgst -sha384 -binary | openssl enc -base64 -A
  • 60. PROTECT YOUR • Allows you to specify when the browser will define a Referer header.no- referrer • no-referrer • no-referrer-when-downgrade • origin • origin-when-cross-origin • same-origin • strict-origin • strict-origin-when-cross-origin • unsafe-url HEADER: REFERRER-POLICY
  • 61. HEADER: REFERRER-POLICY COMPATIBILITY Android Chrome Edge Firefox Internet Explorer Opera Safari Referrer-Policy 56+ 56+ N/A 50+ N/A 43+ N/A same-origin N/A N/A N/A 52+ N/A N/A N/A strict-origin N/A N/A N/A 52+ N/A N/A N/A strict-origin- when-cross- origin N/A N/A N/A 52+ N/A N/A N/A
  • 62. ANY QUESTIONS? THANK YOU! If you want to talk more, feel free to contact me. http://kuzzle.io This presentation was created using Keynote. The text is set in Oswald and Ubuntu. The source code is set in Ubuntu Mono. The iconography is provided by Keynote, kuzzle.io and Font Awesome. Unless otherwise noted, all photographs are used by permission under a Creative Commons license. Please refer to the Photo Credits slide for more information. Copyright © This work is licensed under Creative Commons Attribution-ShareAlike 4.0 International. For uses not covered under this license, please contact the author. hello@kuzzle.io @kuzzleio Kuzzle kuzzleio http://kuzzle.io Browser Serving Your Web Application Security 2014-2017 Philippe Gamache GAMACHE, Philippe. “Browser Serving Your Web Application Security” NorthEast PHP Conference. August 10, 2017. Conference presentation. pgamache@kuzzle.io @philoupedia philippegamache joind.in/talk/c5998 Please visit us at: