Post on 15-Aug-2015
W3C Content Security Policy and HTTP Headers for Security
David Epler Security Architect
depler@aboutweb.com
About Me
• Application Developer originally
• Contributor to Learn CF In a Week
• OWASP Individual Member
• OWASP Zed Attack Proxy (ZAP) Evangelist
• Security Certifications - CEH, GWAPT
About the Session
• What will be covered
  • HTTP Header Basics
  • HTTP Headers for Security
    • X-Content-Type-Options
    • X-XSS-Protection
    • X-Frame-Options
    • Cookies
  • HTTP Strict Transport Security (HSTS)
  • W3C Content Security Policy (CSP)
HTTP Basics
HTTP Request
GET / HTTP/1.1
Host: www.aboutweb.com

HTTP Response
HTTP/1.1 200 OK
Date: Tue, 7 Apr 2015 20:21:22 GMT
Server: Apache
Content-Type: text/html
HTTP Response Headers
• Can be set by the web server, the web application, or anything else that interacts with the HTTP response

Apache (requires mod_headers)
Header always set X-Mork KO

ColdFusion
<cfheader name="X-Mork" value="nanu-nanu">

PHP
<?php header("X-Mork: shazbot"); ?>

HTTP Response
HTTP/1.1 200 OK
Date: Tue, 7 Apr 2015 21:22:23 GMT
Server: Apache
X-Mork: nanu-nanu
Content-Type: text/html

<html> … </html>
X-Content-Type-Options
• Protects against MIME type confusion attacks
• Internet Explorer 9+, Chrome, & Safari

Content types honored when nosniff is set:
Internet Explorer          Chrome
text/css                   text/css
text/ecmascript            text/ecmascript
text/javascript            text/javascript
text/jscript               text/jscript
application/ecmascript     application/ecmascript
application/javascript     application/javascript
application/x-javascript   application/x-javascript
text/vbs                   text/javascript1.1
text/vbscript              text/javascript1.2
text/x-javascript          text/javascript1.3
                           text/livescript

X-Content-Type-Options: nosniff
X-XSS-Protection
• Configures the user-agent's built-in reflective XSS protection
• Internet Explorer 8+ and Chrome

Value            Meaning
0                Disable XSS protection
1                Enable XSS protection
1; mode=block    Enable XSS protection & block content
1; report=URL    Report potential XSS to URL (Chrome/WebKit only)

X-XSS-Protection: 1; mode=block
X-Frame-Options
• Indicates whether the browser should be allowed to render the content in a <frame> or <iframe>
• Clickjacking/UI Redress attack

Value            Meaning
DENY             Prevents any domain from framing the content
SAMEORIGIN       Only allows sites on the same domain to frame the content
ALLOW-FROM URL   Whitelist of URLs that are allowed to frame the content

X-Frame-Options
• Browser support varies based on value

Browser            DENY/SAMEORIGIN   ALLOW-FROM
Chrome             4.1               not supported
Firefox            3.6.9             18.0
Internet Explorer  8                 9
Opera              10.50
Safari             4                 not supported

X-Frame-Options: SAMEORIGIN
Cookies
• Important directives on cookies
  • HttpOnly: the cookie is not accessible to JavaScript
  • Secure: the cookie is only sent over HTTPS

Set-Cookie: JSESSIONID=4B4BE61DB23C8858560A7BC35804507F; Path=/; Secure; HttpOnly
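The four headers above are easiest to reason about when you check them together. The following is an added example, not code from the slides: it parses a raw HTTP response of the shape shown earlier and reports which of X-Content-Type-Options, X-XSS-Protection, X-Frame-Options and the Set-Cookie flags fall short of the values recommended in these slides. The sample response, cookie names and values are constructed for the example.

```python
"""Audit the security headers on a raw HTTP response (added example)."""

# Constructed sample response; not a capture from a real server.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 7 Apr 2015 21:22:23 GMT\r\n"
    "Server: Apache\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1\r\n"
    "Set-Cookie: JSESSIONID=4B4BE61DB23C8858560A7BC35804507F; Path=/; HttpOnly\r\n"
    "Set-Cookie: lang=en; Path=/; Secure; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html> ... </html>"
)


def parse_response(raw):
    """Split a raw response into (status_line, headers).

    headers maps lower-cased header names to a list of values, because
    Set-Cookie legitimately appears once per cookie.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status_line = lines[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status_line, headers


def audit_headers(headers):
    """Return a list of (header, finding) tuples; an empty list means every check passed."""
    findings = []

    # X-Content-Type-Options: the only meaningful value is "nosniff".
    xcto = headers.get("x-content-type-options", [])
    if not xcto:
        findings.append(("X-Content-Type-Options", "missing; add 'nosniff'"))
    elif xcto[0].lower() != "nosniff":
        findings.append(("X-Content-Type-Options", f"unexpected value {xcto[0]!r}"))

    # X-XSS-Protection: the slides recommend "1; mode=block".
    xxp = headers.get("x-xss-protection", [])
    if not xxp:
        findings.append(("X-XSS-Protection", "missing; add '1; mode=block'"))
    else:
        value = xxp[0].replace(" ", "").lower()
        if value.startswith("0"):
            findings.append(("X-XSS-Protection", "filter explicitly disabled"))
        elif "mode=block" not in value:
            findings.append(("X-XSS-Protection", "filter enabled but not in block mode"))

    # X-Frame-Options: DENY and SAMEORIGIN are the values every listed browser supports.
    xfo = headers.get("x-frame-options", [])
    if not xfo:
        findings.append(("X-Frame-Options", "missing; add 'DENY' or 'SAMEORIGIN'"))
    else:
        value = xfo[0].strip().upper()
        if value.startswith("ALLOW-FROM"):
            findings.append(("X-Frame-Options", "ALLOW-FROM is not supported by Chrome or Safari"))
        elif value not in ("DENY", "SAMEORIGIN"):
            findings.append(("X-Frame-Options", f"unexpected value {xfo[0]!r}"))

    # Set-Cookie: every cookie should carry both Secure and HttpOnly.
    for cookie in headers.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {attr.strip().lower() for attr in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(("Set-Cookie", f"{name}: missing Secure"))
        if "httponly" not in attrs:
            findings.append(("Set-Cookie", f"{name}: missing HttpOnly"))

    return findings


if __name__ == "__main__":
    status, hdrs = parse_response(SAMPLE_RESPONSE)
    print(status)
    for header, finding in audit_headers(hdrs):
        print(f"  {header}: {finding}")
```

Run against the sample response it reports three problems: the XSS filter is on but not in block mode, X-Frame-Options is absent, and the JSESSIONID cookie lacks the Secure flag. Swapping in the recommended values clears all three.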
DEMO
HTTP Strict Transport Security (HSTS)
• Instructs the browser to always use the HTTPS protocol instead of HTTP
• Helps prevent
  • Network Attacks
  • Mixed Content Vulnerabilities
• HSTS does not allow a user to override the invalid certificate message

[Screenshot: Certificate Error w/o HSTS]
[Screenshot: Certificate Error w/ HSTS]
HSTS Directives
• max-age tells the user-agent how long to cache the STS setting, in seconds
• includeSubDomains tells the user-agent to include any subdomains

HSTS Examples
Require HTTPS for 60 seconds on domain
Strict-Transport-Security: max-age=60

Require HTTPS for 365 days on domain and all subdomains
Strict-Transport-Security: max-age=31536000; includeSubDomains

Remove HSTS Policy (including subdomains)
Strict-Transport-Security: max-age=0
Handling Requests
• HTTP Requests
  • Should respond with HTTP Status Code 301 and redirect to HTTPS
  • Strict-Transport-Security header must not be included on HTTP
• HTTPS Requests
  • Should always respond with Strict-Transport-Security header
HSTS Preloading
• Not part of the official specification
• Chrome maintains a list of sites that always use HTTPS
• Used by Firefox and Safari as well
• Need to submit site to be included in preload list
  • https://hstspreload.appspot.com/

Strict-Transport-Security: max-age=10886400; includeSubDomains; preload
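To make the directive and request-handling rules from the last three slides concrete, here is an added example (not the speaker's code): a minimal handler that applies them (plain HTTP gets a 301 to HTTPS and no STS header; HTTPS always gets the header) together with a parser for the Strict-Transport-Security value that enforces the RFC 6797 requirement that max-age is present and each directive appears at most once. The one-year default, host names and paths are assumptions chosen for the example.

```python
"""HSTS request handling and header parsing (added example)."""

ONE_YEAR = 31536000  # seconds; the slides' "365 days" example


def hsts_header(max_age=ONE_YEAR, include_subdomains=True, preload=False):
    """Build a Strict-Transport-Security value; max-age=0 clears a cached policy."""
    parts = [f"max-age={max_age}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    if preload:
        parts.append("preload")
    return "; ".join(parts)


def handle_request(scheme, host, path, max_age=ONE_YEAR, include_subdomains=True):
    """Return (status_code, headers) for a request, following the slides' rules.

    Assumed minimal server model: only the scheme, host and path matter here.
    """
    if scheme == "http":
        # Plain HTTP: permanent redirect to HTTPS, and no STS header on this response.
        return 301, {"Location": f"https://{host}{path}"}
    if scheme == "https":
        # Every HTTPS response carries the policy so the browser keeps it fresh.
        return 200, {"Strict-Transport-Security": hsts_header(max_age, include_subdomains)}
    raise ValueError(f"unsupported scheme: {scheme}")


def parse_hsts(value):
    """Parse an STS header value the way a user-agent would.

    Raises ValueError when max-age is missing or malformed, or when a directive
    is repeated (RFC 6797 requires each directive to appear only once).
    Unknown directives are ignored for forward compatibility.
    """
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        if name in seen:
            raise ValueError(f"duplicate directive: {name}")
        seen.add(name)
        if name == "max-age":
            arg = arg.strip().strip('"')  # the RFC allows a quoted value
            if not arg.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            result["max_age"] = int(arg)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    if result["max_age"] is None:
        raise ValueError("max-age is required")
    return result


if __name__ == "__main__":
    for scheme in ("http", "https"):
        print(scheme, handle_request(scheme, "www.example.com", "/login"))
    print(parse_hsts("max-age=10886400; includeSubDomains; preload"))
```

The two halves mirror each other: the server side never emits the header over HTTP, and the parser side rejects a header a browser would ignore, which is the kind of header a misconfigured server produces (for example a max-age with a unit appended).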
HSTS Browser Support
http://caniuse.com/#feat=stricttransportsecurity
DEMO
W3C Content Security Policy (CSP)
• Provides a whitelist to the browser for loading resources
• Developed by Mozilla and first implemented in Firefox 4
• Experimental Headers
  • X-Content-Security-Policy
  • X-WebKit-CSP
• Content Security Policy 1.0
  • W3C Candidate Recommendation, November 15, 2012
• HTTP Headers:
  • Content-Security-Policy
  • Content-Security-Policy-Report-Only
CSP 1.0 Directives
Value         Meaning
default-src   default source, used for any directives that are not defined
script-src    sources for JavaScript
object-src    sources for <object>, <embed>, and <applet>
style-src     sources for CSS stylesheets
img-src       sources for images
media-src     sources for HTML5 <video>, <audio>, <source>, and <track>
frame-src     sources for <frame> and <iframe>
font-src      sources for web fonts
connect-src   sources for XMLHttpRequest, WebSockets, and EventSource
report-uri    location to send violation reports
sandbox       specifies sandbox policy
CSP Source Expressions
Value                     Meaning
*                         wildcard, allows all origins
'self'                    allow same origin
'none'                    deny all access
www.example.com           allow specific domain
*.example.com             allow all subdomains on a domain
https://www.example.com   specific URL
https:                    require https
data:                     allow data URI schemes (base64)
Special Sources
• 'unsafe-inline'
  • Allows inline content for script-src and style-src
• 'unsafe-eval'
  • Allows unsafe dynamic evaluation of code, such as JavaScript eval(), in script-src
CSP Examples
Allow everything from same origin
Content-Security-Policy: default-src 'self'

Relatively secure
Content-Security-Policy: default-src 'self'; object-src 'none'; script-src 'self' https://cdn.com; style-src 'self' https://cdn.com

Unsafe
Content-Security-Policy: default-src *; script-src * 'unsafe-inline' 'unsafe-eval'; style-src * 'unsafe-inline'

Twitter
Content-Security-Policy: default-src https:; connect-src https:; font-src https: data:; frame-src https: twitter:; img-src https: data:; media-src https:; object-src https:; script-src 'unsafe-inline' 'nonce-hz5M+L2F+QfMRn8NOtP4jQ==' 'unsafe-eval' https:; style-src 'unsafe-inline' https:; report-uri https://twitter.com/i/csp_report?a=NVQWGYLXFVZXO2LGOQ%3D%3D%3D%3D%3D%3D&ro=false;
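The directive table, the source-expression table and the example policies describe one matching procedure, so a single added example (not from the slides or from any browser's code) covers all three: it parses a Content-Security-Policy value, applies the default-src fallback for the fetch directives in the CSP 1.0 table, evaluates each kind of source expression from the slides ('self', 'none', *, host, *.host, scheme-only such as https: and data:), and flags the 'unsafe-inline' / 'unsafe-eval' keywords that make the "Unsafe" policy unsafe. The page origin and resource URLs are assumptions made up for the example; the two policies are the "Relatively secure" and "Unsafe" ones from the slides.

```python
"""Evaluate CSP 1.0 policies against resource loads (added example)."""
from urllib.parse import urlsplit

# Directives that fall back to default-src when absent (CSP 1.0).
FETCH_DIRECTIVES = {"script-src", "object-src", "style-src", "img-src",
                    "media-src", "frame-src", "font-src", "connect-src"}

# Policies from the slides; page origin and URLs below are assumptions.
SECURE = ("default-src 'self'; object-src 'none'; "
          "script-src 'self' https://cdn.com; style-src 'self' https://cdn.com")
UNSAFE = "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'; style-src * 'unsafe-inline'"
PAGE = "https://www.example.com"


def parse_policy(policy):
    """Turn "default-src 'self'; script-src ..." into {directive: [source, ...]}."""
    directives = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            # A repeated directive is ignored: the first occurrence wins.
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def _matches(source, resource, page_origin):
    """Does one source expression allow this resource URL for a page at page_origin?"""
    src = source.lower()
    r, p = urlsplit(resource), urlsplit(page_origin)
    if src == "*":
        return True
    if src == "'none'":
        return False
    if src == "'self'":
        return (r.scheme, r.netloc) == (p.scheme, p.netloc)
    if src.endswith(":") and "/" not in src:      # scheme-only: https:, data:, twitter:
        return r.scheme == src[:-1]
    if src.startswith("'"):                       # 'unsafe-inline', 'nonce-...': never a URL match
        return False
    # host-source, optionally with scheme, port and a leading wildcard label
    s = urlsplit(src if "://" in src else "//" + src)
    if s.scheme and s.scheme != r.scheme:
        return False
    if s.port is not None and s.port != r.port:
        return False
    host, r_host = s.hostname or "", r.hostname or ""
    if host.startswith("*."):
        return r_host.endswith(host[1:])          # "*.example.com" matches "a.example.com" only
    return host == r_host


def is_allowed(policy, directive, resource, page_origin):
    """Apply the named directive (or the default-src fallback) to a resource URL."""
    directives = parse_policy(policy)
    sources = directives.get(directive)
    if sources is None and directive in FETCH_DIRECTIVES:
        sources = directives.get("default-src")
    if sources is None:
        return True  # no applicable directive, so nothing restricts the load
    return any(_matches(s, resource, page_origin) for s in sources)


def unsafe_keywords(policy):
    """Return {directive: [keyword, ...]} for every 'unsafe-inline' / 'unsafe-eval' present."""
    found = {}
    for name, sources in parse_policy(policy).items():
        bad = [s for s in sources if s.lower() in ("'unsafe-inline'", "'unsafe-eval'")]
        if bad:
            found[name] = bad
    return found


if __name__ == "__main__":
    for url in ("https://cdn.com/app.js", "https://evil.test/x.js"):
        print("script-src", url, is_allowed(SECURE, "script-src", url, PAGE))
    print("img-src via default-src:", is_allowed(SECURE, "img-src", "https://cdn.com/logo.png", PAGE))
    print("unsafe keywords:", unsafe_keywords(UNSAFE))
```

Two things the tables alone do not make obvious show up when you run it: img-src in the "Relatively secure" policy is governed by default-src 'self', so an image from the CDN is blocked even though scripts from it are allowed, and the "Unsafe" policy's * lets any origin through while its keywords reopen the inline and eval() vectors CSP exists to close.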
CSP 1.0 Browser Support
http://caniuse.com/#feat=contentsecuritypolicy
DEMO
CSP 1.1 and beyond
• CSP 1.1 (Level 2) W3C Candidate Recommendation, February 19, 2015
• added nonce and hash to script-src and style-src
• added new directives
  • base-uri, child-src, form-action, frame-ancestors, plugin-types
• additional fields added to violation report
• limited browser support
Q&A - Thanks
• Blog: http://www.dcepler.net
• Email: depler@aboutweb.com
• Twitter: @dcepler
Resources
• HTTP Headers
  • MIME-Handling Changes in Internet Explorer
    • http://blogs.msdn.com/b/ie/archive/2010/10/26/mime-handling-changes-in-internet-explorer.aspx
  • Controlling the XSS Filter
    • http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx
  • OWASP: Clickjacking Defense Cheat Sheet
    • https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
  • OWASP: Cookie HTTPOnly
    • https://www.owasp.org/index.php/HttpOnly
  • OWASP: Cookie Secure
    • https://www.owasp.org/index.php/SecureFlag
  • Veracode: Guidelines for Security Headers
    • https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers
• HTTP Strict Transport Security
  • Specification
    • https://tools.ietf.org/html/rfc6797
  • OWASP HTTP Strict Transport Security
    • https://www.owasp.org/index.php/HTTP_Strict_Transport_Security
  • Mozilla Developer Network
    • https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
  • HSTS Preload
    • https://hstspreload.appspot.com/
  • IIS Module
    • http://hstsiis.codeplex.com/
• Content Security Policy
  • CSP 1.0 Candidate Recommendation
    • http://www.w3.org/TR/2012/CR-CSP-20121115/
  • CSP 1.1 Candidate Recommendation
    • http://www.w3.org/TR/2015/CR-CSP2-20150219/
  • OWASP Content Security Policy
    • https://www.owasp.org/index.php/Content_Security_Policy
  • An Introduction to Content Security Policy
    • http://www.html5rocks.com/en/tutorials/security/content-security-policy/
  • Content Security Policy Reference
    • http://content-security-policy.com/
  • CSP Playground
    • http://www.cspplayground.com/