http security headers protection for browsers
play

HTTP SECURITY HEADERS (Protection For Browsers) BIO Emmanuel JK - PowerPoint PPT Presentation

Nov 02, 2022 •447 likes •726 views

HTTP SECURITY HEADERS (Protection For Browsers) BIO Emmanuel JK Gbordzor ISO 27001 LI, CISA, CCNA, CCNA- Security, ITILv3, 11 years in IT About 2 years In Security Information Security Manager @ PaySwitch Head, Network &

  1. HTTP SECURITY HEADERS (Protection For Browsers)

  2. BIO • Emmanuel JK Gbordzor ISO 27001 LI, CISA, CCNA, CCNA- Security, ITILv3, … 11 years in IT – About 2 years In Security Information Security Manager @ PaySwitch Head, Network & Infrastructure @ PaySwitch Head of IT @ Financial Institution Bug bounty student by night – 1 st Private Invite on Hackerone

  3. Introduction • In this presentation, I will introduce you to HyperText Transfer Protocol (HTTP) response security headers. • By specifying expected and allowable behaviors, we will see how security headers can prevent a number of attacks against websites. • I’ll explain some of the different HTTP response headers that a web server can include in a response, and what impact they can have on the security of the web browser. • How web developers can implement these security headers to make user experience more secure

  4. A Simple Look At Web Browsing

  5. Snippet At The Request And Response Headers

  6. Browser Security Headers help: ➢ to define whether a set of security precautions should be activated or Why deactivated on the web browser. ➢ to reinforce the security of your web Browser browser to fend off attacks and to mitigate vulnerabilities. Security ➢ in fighting client side (browser) attacks such as clickjacking, Headers? injections, Multipurpose Internet Mail Extensions (MIME) sniffing, Cross-Site Scripting (XSS), etc.

  7. Content / Context HTTP STRICT X-FRAME-OPTIONS EXPECT-CT TRANSPORT SECURITY (HSTS) CONTENT-SECURITY- X-XSS-PROTECTION X-CONTENT-TYPE- POLICY OPTIONS

  8. HTTP Strict Transport Security (HSTS) • HSTS header forces browsers to communicate using secure (HTTPS) connection. • Protects against “downgrade attacks” • When configured with the “Preload” option, it can prevent Man-In-The-Middle (MiTM) attack • “Preload” - https://hstspreload.org/ - from google

  9. HTTP Redirection To HTTPS

  10. HTTP Redirection To HTTPS - Continued

  11. HTTP Strict Transport Security (HSTS) - Implementation Syntax: Strict-Transport-Security: max-age=<expire-time> includeSubDomains preload Apache: Header set Strict-Transport-Security "max- age=31536000; includeSubDomains; preload“ Nginx: add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload'; Microsoft IIS: Name: Strict-Transport-Security Value: max-age=31536000; includeSubDomains; preload

  12. X-Frame- Options • An iFrame is an element that allows a web app to be nested within a parent web app. • Can be used maliciously for a clickjacking attack or loading a malicious website inside the frame Prevention: • Frame busting • X-Frame-Option Header

  13. X-Frame-Options - Implementation Syntax: X-Frame-Options: deny sameorigin allow-from url (deprecated) Apache: Header always set X-Frame- Options “deny” Nginx: add_header X-Frame- Options “DENY”; WordPress: header('X-Frame-Options: DENY); Microsoft IIS: Name: X-Frame-Options Value: DENY

  14. Expect-CT • HTTP Public Key Pinning (HPKP) header is being deprecated to Expect-CT • Expect-CT detects certificates issued by rogue Certificate Authorities (CA) or prevents them from doing so • This header prevents MiTM attack against compromised Certificate Authority (CA) and rogue issued certificate

  15. Expect-CT - Implementation Syntax: Expect-CT: max-age enforce report-uri Apache: Header set Expect-CT 'enforce, max-age=86400, report- uri="https://foo.example/report“’ Nginx : add_header Expect-CT 'max-age=60, report-uri="https://mydomain.com/report"';

  16. Content-Security-Policy (CSP) This header helps you to whitelist sources of approved content into your browser hence, preventing the browser from loading malicious assets. This helps prevents XSS, clickjacking, code injection, etc., attacks When this header is well implemented, there is no need to implement “X -Frame- Options” and “ X-XSS- Protection” headers

  17. Content-Security-Policy - Directives Keywords: * , none, self, hosts Content-Security-Policy: default-src Serves as a fallback for the other fetch directives font-src Specifies valid sources for fonts loaded frame-src Sources for nested contexts such as <frame> and <iframe> img-src Sources of images and favicons media-src Valid sources for loading <audio>, <video> & <track> object-src Sources for the <object>, <embed> and <applet> elements script-src Specifies valid sources for JavaScript style-src Specifies valid sources for stylesheets report-uri Reports violations

  18. CSP Sample - https://haveibeenpwned.com content-security-policy: default-src 'none';script-src 'self' www.google-analytics.com www.google.com www.gstatic. js.stripe.com ajax.cloudflare.com;style-src 'self' 'unsafe-inline' cdnjs.cloudflare.com;img-src 'self' www.google-analytics.com stats.g.doubleclick.net www.gstatic.com;font-src 'self' cdnjs.cloudflare.com fonts.gstatic.com;base-uri 'self';child-src www.google.com js.stripe.com;frame-ancestors 'none';report-uri https://troyhunt.report- uri.com/r/d/csp/enforce .com/en_US/i/scr/pixel.gif;"

  19. X-XSS- Protection These header detect dangerous HTML input and either prevent the site from loading or remove potentially malicious scripts

  20. X-XSS-Protection - Implementation Syntax: X-XSS-Protection: 0 1 mode=block Apache: Header set X-XSS- Protection "1; mode=block“ Nginx: add_header X-XSS-Protection "1; mode=block"; Microsoft IIS: Name: X-XSS-Protection Value: 1; mode=block

  21. X-Content-Type-Options • For your seamless experience on the web, MIME sniffing of resource was introduced. • Adversely, an attacker can introduce a malicious executable script such as an image. When acted on by MIME sniffing could have the script executed.

  22. X-Content-Type-Options - Implementation Syntax: X-Content-Type-Options: nosniff Apache: Header set X-Content-Type-Options nosniff Nginx: add_header X-Content-Type-Options nosniff; Microsoft IIS: Name: X-Content-Type-Options Value: nosniff

  23. – Clickjacking – iFrame injection – Harlem shake Demo Time https://127.0.0.1/mutillidae/

  24. Takeaways • Enforce HTTPS using the Strict-Transport-Security header and add your domain to Chrome’s preload list. • Make your web app more robust against XSS by leveraging the X-XSS- Protection header. • Block clickjacking using the X-Frame-Options header. • Leverage Content-Security-Policy to whitelist specific sources and endpoints. • Prevent MIME-sniffing attacks using the X-Content-Type-Options header.

  25. Resources / Tools • Check Website HTTP Response Header – https://gf.dev/http-headers-test • Secure Headers Test – https://gf.dev/secure-headers-test • Scott Helme – Security Header Scanner – https://securityheaders.com • HTTP Headers Reference – https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers • HTTP Compatibility Among Browsers – https://caniuse.com

  26. References • https://www.netsparker.com/whitepaper-http- security-headers • https://www.ntu.edu.sg/home/ehchua/programming/ webprogramming/HTTP_Basics.html • https://owasp.org/www-chapter-ghana/#div- pastevents • https://www.keycdn.com/blog/http-security-headers

  27. THANK YOU Questions And Answers Let’s Connect: @egbordzor linkedin.com/in/egbordzor egbordzor@protonmail.com

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

1 Benefits of JSP Although JSP technically can't do anything servlets can't do, JSP makes it

1 Benefits of JSP Although JSP technically can't do anything servlets can't do, JSP makes it

Introduzione a Java Server Pages Lucidi tratti da www.corewebprogramming.com The Need for JSP With servlets, it is easy to Read form data Read HTTP request headers Set HTTP status codes and response headers Use cookies

1.09k views • 10 slides
Security Impacts of Security Impacts of Abusing IPv6 Extension Headers Abusing IPv6 Extension

Security Impacts of Security Impacts of Abusing IPv6 Extension Headers Abusing IPv6 Extension

Security Impacts of Security Impacts of Abusing IPv6 Extension Headers Abusing IPv6 Extension Headers Antonios Atlasis antonios.atlasis@cscss.org Centre for Strategic Cyberspace + Security Science Bio Independent IT Security

689 views • 66 slides
Chapter 20 Silberschatz and Galvin Security Protection and Security Protection is a strictly

Chapter 20 Silberschatz and Galvin Security Protection and Security Protection is a strictly

Chapter 20 Silberschatz and Galvin Security Protection and Security Protection is a strictly internal problem Protection: mechanism for controlling the access of programs, processes, or users to the resources defined by a computer

499 views • 16 slides
This time Continuing with Web Security Cookies XSS &amp; CSRF Required reading for this

This time Continuing with Web Security Cookies XSS &amp; CSRF Required reading for this

This time Continuing with Web Security Cookies XSS &amp; CSRF Required reading for this lecture: Web Security: Are You Part Of The Problem? Cross Site Request Forgery: An Introduction HTTP GET requests Contain headers.

1.77k views • 148 slides
Web Security: Browsers CS 161: Computer Security Prof. David Wagner February 19, 2013

Web Security: Browsers CS 161: Computer Security Prof. David Wagner February 19, 2013

Web Security: Browsers CS 161: Computer Security Prof. David Wagner February 19, 2013 Announcements Midterm 1: in class, next Monday, here Midterm review session: Saturday 2/22, 2-4pm, 100 GPB Project 1 is now out; due Monday 3/3

1.51k views • 37 slides
STL headers Defined in std namespace Headers are of form &lt;headername&gt; without the .h

STL headers Defined in std namespace Headers are of form &lt;headername&gt; without the .h

16 . Standard Template Library (STL) Standard Template Library Promotes Reuse Saves time and effort Better quality part of ANSI/ISO C++ standard STL headers Defined in std namespace Headers are of form

537 views • 7 slides
Browsers Web-Big Picture The Client Any software that is capable of issuing HTTP requests

Browsers Web-Big Picture The Client Any software that is capable of issuing HTTP requests

Browsers Web-Big Picture The Client Any software that is capable of issuing HTTP requests A general purpose software application for requesting HTTP resources and displaying responses to the user is a web browser. Web Resources

833 views • 17 slides
Print Books with Browsers Designing books in browsers using Paged.js Julie Blanc (@julieblancfr)

Print Books with Browsers Designing books in browsers using Paged.js Julie Blanc (@julieblancfr)

Print Books with Browsers Designing books in browsers using Paged.js Julie Blanc (@julieblancfr) Digital Publishing Summit May 26, 2019 Automated typesetting and pagination for print Make PDF outputs of HTML contents from browsers Flux

823 views • 67 slides
Security 101 Definition of Information Security Information security is the protection of

Security 101 Definition of Information Security Information security is the protection of

Computing Services Information Security Office Security 101 Definition of Information Security Information security is the protection of information and systems from unauthorized access, disclosure, modification, destruction or disruption. The

469 views • 22 slides
Extension Breakdown: Security Analysis of Browsers Extension Resources Control Policies

Extension Breakdown: Security Analysis of Browsers Extension Resources Control Policies

Extension Breakdown: Security Analysis of Browsers Extension Resources Control Policies Iskander Sanchez-Rola, Igor Santos, Davide Balzarotti Extensions Browser extensions are the most popular technique currently available to extend the

722 views • 38 slides
Protection &amp; Security Threat is potential security violation Attack is attempt to

Protection &amp; Security Threat is potential security violation Attack is attempt to

CSE 421/521 - Operating Systems The Security Problem Fall 2011 Protecting your system resources, your files, identity, confidentiality, or privacy Lecture - XXVI Intruders (crackers) attempt to breach security Protection &amp;

437 views • 5 slides
Protection and Security Threat is potential security violation Attack is attempt to breach

Protection and Security Threat is potential security violation Attack is attempt to breach

CSC 4103 - Operating Systems The Security Problem Spring 2007 Security must consider external environment of the system, and protect the system resources Lecture - XX Intruders (crackers) attempt to breach security Protection and

195 views • 4 slides
Ruby on Rails SWEN 250 Personal Software Engineering How Websites Work Browsers send HTTP

Ruby on Rails SWEN 250 Personal Software Engineering How Websites Work Browsers send HTTP

Web Applications &amp; Ruby on Rails SWEN 250 Personal Software Engineering How Websites Work Browsers send HTTP requests to a Server Servers send back HTTP responses HTTP requests &amp; responses are newline-delimited strings with:

447 views • 9 slides
An Analysis of Private Browsing Modes in Modern Browsers

An Analysis of Private Browsing Modes in Modern Browsers

Stanford Computer Security Lab An Analysis of Private Browsing Modes in Modern Browsers Gaurav Aggarwal, Elie Bursztein, Collin Jackson, Dan Boneh Usenix

653 views • 40 slides
Security 1 Recap: Protection Protection Prevent unintended/unauthorized accesses

Security 1 Recap: Protection Protection Prevent unintended/unauthorized accesses

Security 1 Recap: Protection Protection Prevent unintended/unauthorized accesses Protection domains Class hierarchy: root can to everything a normal user can do + alpha Access control matrix Domains (Users)

575 views • 24 slides
IPv6 Extension headers Suresh Krishnan James Woodyatt Erik Kline James Hoagland Extension

IPv6 Extension headers Suresh Krishnan James Woodyatt Erik Kline James Hoagland Extension

IPv6 Extension headers Suresh Krishnan James Woodyatt Erik Kline James Hoagland Extension headers The base IPv6 standard [RFC2460] defines extension headers An expansion mechanism to carry optional internet layer information.

638 views • 8 slides
EORTC GCG 55994 Randomized phase III study of neoadjuvant CT followed by surgery vs. concomitant

EORTC GCG 55994 Randomized phase III study of neoadjuvant CT followed by surgery vs. concomitant

Ongoing Trials status update EORTC GCG 55994 Randomized phase III study of neoadjuvant CT followed by surgery vs. concomitant RTX+CT in FIGO stage Ib2, IIa &gt; 4 cm or IIb cervical cancer. Trial setting: FIGO stage Ib2, IIa &gt; 4 cm or

482 views • 4 slides
O utcome and R esource I M pacts Clinical outcomes of FFR CT -guided diagnostic strategies versus

O utcome and R esource I M pacts Clinical outcomes of FFR CT -guided diagnostic strategies versus

P rospective L ongitudin A l T rial of F FR CT O utcome and R esource I M pacts Clinical outcomes of FFR CT -guided diagnostic strategies versus usual care in patients with suspected coronary artery disease Pamela S. Douglas, Gianluca Pontone,

196 views • 15 slides
Downtown Market Analysis and Benchmarking A workshop on using data to guide your work and

Downtown Market Analysis and Benchmarking A workshop on using data to guide your work and

Downtown Market Analysis and Benchmarking A workshop on using data to guide your work and to measure your accomplishments Presented to Connecticut Main Street Communities December 2, 2016, New Britain, CT John Simone, Connecticut Main

972 views • 49 slides
1 The Euler system of equations The Euler system of equations describing flows of incompressible

1 The Euler system of equations The Euler system of equations describing flows of incompressible

On integration of the equations of incompressible fluid flow Valery Dryuma, e-mail: valdryum@gmail.com Institute of Mathematics and Computer Science, AS RM, Kishinev 1 The Euler system of equations The Euler system of equations describing

284 views • 3 slides
State Dr. Mattox Beckman University of Illinois at Urbana-Champaign Department of Computer

State Dr. Mattox Beckman University of Illinois at Urbana-Champaign Department of Computer

Objectives Equational Reasoning References State Dr. Mattox Beckman University of Illinois at Urbana-Champaign Department of Computer Science Objectives Equational Reasoning References Objectives Describe the property of referential

558 views • 11 slides
Lipschitz Continuity in Model-based Reinforcement Learning Kavosh Asadi*, Dipendra Misra*,

Lipschitz Continuity in Model-based Reinforcement Learning Kavosh Asadi*, Dipendra Misra*,

Lipschitz Continuity in Model-based Reinforcement Learning Kavosh Asadi*, Dipendra Misra*, Michael L. Littman * denotes equal contribution 1 Model-based RL value/policy planning acting model experience model learning model learning: T

592 views • 13 slides
Categories of Timed Stochastic Relations Daniel Brown and Riccardo Pucella PRL, Northeastern

Categories of Timed Stochastic Relations Daniel Brown and Riccardo Pucella PRL, Northeastern

Categories of Timed Stochastic Relations Daniel Brown and Riccardo Pucella PRL, Northeastern University MFPS 25 Categories of Timed Stochastic Relations Daniel Brown and Riccardo Pucella Motivation Probabilistic process calculi (e.g.

441 views • 28 slides
Market Efficiency and Financial Econometrics: A Brief Historical Perspective J.Y. Campbell, A.W.

Market Efficiency and Financial Econometrics: A Brief Historical Perspective J.Y. Campbell, A.W.

Economics 201FS Professors Tim Bollerslev Spring 2006 and George Tauchen Market Efficiency and Financial Econometrics: A Brief Historical Perspective J.Y. Campbell, A.W. Lo and A.C. MacKinlay, 1997, The Econometrics of Financial Markets .

315 views • 9 slides

More recommend