http security headers protection for browsers
play

HTTP SECURITY HEADERS (Protection For Browsers) BIO Emmanuel JK - PowerPoint PPT Presentation

Nov 02, 2022 •447 likes •726 views

HTTP SECURITY HEADERS (Protection For Browsers) BIO Emmanuel JK Gbordzor ISO 27001 LI, CISA, CCNA, CCNA- Security, ITILv3, 11 years in IT About 2 years In Security Information Security Manager @ PaySwitch Head, Network &

  1. HTTP SECURITY HEADERS (Protection For Browsers)

  2. BIO • Emmanuel JK Gbordzor ISO 27001 LI, CISA, CCNA, CCNA- Security, ITILv3, … 11 years in IT – About 2 years In Security Information Security Manager @ PaySwitch Head, Network & Infrastructure @ PaySwitch Head of IT @ Financial Institution Bug bounty student by night – 1 st Private Invite on Hackerone

  3. Introduction • In this presentation, I will introduce you to HyperText Transfer Protocol (HTTP) response security headers. • By specifying expected and allowable behaviors, we will see how security headers can prevent a number of attacks against websites. • I’ll explain some of the different HTTP response headers that a web server can include in a response, and what impact they can have on the security of the web browser. • How web developers can implement these security headers to make user experience more secure

  4. A Simple Look At Web Browsing

  5. Snippet At The Request And Response Headers

  6. Browser Security Headers help: ➢ to define whether a set of security precautions should be activated or Why deactivated on the web browser. ➢ to reinforce the security of your web Browser browser to fend off attacks and to mitigate vulnerabilities. Security ➢ in fighting client side (browser) attacks such as clickjacking, Headers? injections, Multipurpose Internet Mail Extensions (MIME) sniffing, Cross-Site Scripting (XSS), etc.

  7. Content / Context HTTP STRICT X-FRAME-OPTIONS EXPECT-CT TRANSPORT SECURITY (HSTS) CONTENT-SECURITY- X-XSS-PROTECTION X-CONTENT-TYPE- POLICY OPTIONS

  8. HTTP Strict Transport Security (HSTS) • HSTS header forces browsers to communicate using secure (HTTPS) connection. • Protects against “downgrade attacks” • When configured with the “Preload” option, it can prevent Man-In-The-Middle (MiTM) attack • “Preload” - https://hstspreload.org/ - from google

  9. HTTP Redirection To HTTPS

  10. HTTP Redirection To HTTPS - Continued

  11. HTTP Strict Transport Security (HSTS) - Implementation Syntax: Strict-Transport-Security: max-age=<expire-time> includeSubDomains preload Apache: Header set Strict-Transport-Security "max- age=31536000; includeSubDomains; preload“ Nginx: add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload'; Microsoft IIS: Name: Strict-Transport-Security Value: max-age=31536000; includeSubDomains; preload

  12. X-Frame- Options • An iFrame is an element that allows a web app to be nested within a parent web app. • Can be used maliciously for a clickjacking attack or loading a malicious website inside the frame Prevention: • Frame busting • X-Frame-Option Header

  13. X-Frame-Options - Implementation Syntax: X-Frame-Options: deny sameorigin allow-from url (deprecated) Apache: Header always set X-Frame- Options “deny” Nginx: add_header X-Frame- Options “DENY”; WordPress: header('X-Frame-Options: DENY); Microsoft IIS: Name: X-Frame-Options Value: DENY

  14. Expect-CT • HTTP Public Key Pinning (HPKP) header is being deprecated to Expect-CT • Expect-CT detects certificates issued by rogue Certificate Authorities (CA) or prevents them from doing so • This header prevents MiTM attack against compromised Certificate Authority (CA) and rogue issued certificate

  15. Expect-CT - Implementation Syntax: Expect-CT: max-age enforce report-uri Apache: Header set Expect-CT 'enforce, max-age=86400, report- uri="https://foo.example/report“’ Nginx : add_header Expect-CT 'max-age=60, report-uri="https://mydomain.com/report"';

  16. Content-Security-Policy (CSP) This header helps you to whitelist sources of approved content into your browser hence, preventing the browser from loading malicious assets. This helps prevents XSS, clickjacking, code injection, etc., attacks When this header is well implemented, there is no need to implement “X -Frame- Options” and “ X-XSS- Protection” headers

  17. Content-Security-Policy - Directives Keywords: * , none, self, hosts Content-Security-Policy: default-src Serves as a fallback for the other fetch directives font-src Specifies valid sources for fonts loaded frame-src Sources for nested contexts such as <frame> and <iframe> img-src Sources of images and favicons media-src Valid sources for loading <audio>, <video> & <track> object-src Sources for the <object>, <embed> and <applet> elements script-src Specifies valid sources for JavaScript style-src Specifies valid sources for stylesheets report-uri Reports violations

  18. CSP Sample - https://haveibeenpwned.com content-security-policy: default-src 'none';script-src 'self' www.google-analytics.com www.google.com www.gstatic. js.stripe.com ajax.cloudflare.com;style-src 'self' 'unsafe-inline' cdnjs.cloudflare.com;img-src 'self' www.google-analytics.com stats.g.doubleclick.net www.gstatic.com;font-src 'self' cdnjs.cloudflare.com fonts.gstatic.com;base-uri 'self';child-src www.google.com js.stripe.com;frame-ancestors 'none';report-uri https://troyhunt.report- uri.com/r/d/csp/enforce .com/en_US/i/scr/pixel.gif;"

  19. X-XSS- Protection These header detect dangerous HTML input and either prevent the site from loading or remove potentially malicious scripts

  20. X-XSS-Protection - Implementation Syntax: X-XSS-Protection: 0 1 mode=block Apache: Header set X-XSS- Protection "1; mode=block“ Nginx: add_header X-XSS-Protection "1; mode=block"; Microsoft IIS: Name: X-XSS-Protection Value: 1; mode=block

  21. X-Content-Type-Options • For your seamless experience on the web, MIME sniffing of resource was introduced. • Adversely, an attacker can introduce a malicious executable script such as an image. When acted on by MIME sniffing could have the script executed.

  22. X-Content-Type-Options - Implementation Syntax: X-Content-Type-Options: nosniff Apache: Header set X-Content-Type-Options nosniff Nginx: add_header X-Content-Type-Options nosniff; Microsoft IIS: Name: X-Content-Type-Options Value: nosniff

  23. – Clickjacking – iFrame injection – Harlem shake Demo Time https://127.0.0.1/mutillidae/

  24. Takeaways • Enforce HTTPS using the Strict-Transport-Security header and add your domain to Chrome’s preload list. • Make your web app more robust against XSS by leveraging the X-XSS- Protection header. • Block clickjacking using the X-Frame-Options header. • Leverage Content-Security-Policy to whitelist specific sources and endpoints. • Prevent MIME-sniffing attacks using the X-Content-Type-Options header.

  25. Resources / Tools • Check Website HTTP Response Header – https://gf.dev/http-headers-test • Secure Headers Test – https://gf.dev/secure-headers-test • Scott Helme – Security Header Scanner – https://securityheaders.com • HTTP Headers Reference – https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers • HTTP Compatibility Among Browsers – https://caniuse.com

  26. References • https://www.netsparker.com/whitepaper-http- security-headers • https://www.ntu.edu.sg/home/ehchua/programming/ webprogramming/HTTP_Basics.html • https://owasp.org/www-chapter-ghana/#div- pastevents • https://www.keycdn.com/blog/http-security-headers

  27. THANK YOU Questions And Answers Let’s Connect: @egbordzor linkedin.com/in/egbordzor egbordzor@protonmail.com

Recommend

1 Benefits of JSP Although JSP technically can't do anything servlets can't do, JSP makes it

1 Benefits of JSP Although JSP technically can't do anything servlets can't do, JSP makes it

Introduzione a Java Server Pages Lucidi tratti da www.corewebprogramming.com The Need for JSP With servlets, it is easy to Read form data Read HTTP request headers Set HTTP status codes and response headers Use cookies

1.09k views • 10 slides
Security Impacts of Security Impacts of Abusing IPv6 Extension Headers Abusing IPv6 Extension

Security Impacts of Security Impacts of Abusing IPv6 Extension Headers Abusing IPv6 Extension

Security Impacts of Security Impacts of Abusing IPv6 Extension Headers Abusing IPv6 Extension Headers Antonios Atlasis antonios.atlasis@cscss.org Centre for Strategic Cyberspace + Security Science Bio Independent IT Security

689 views • 66 slides
Chapter 20 Silberschatz and Galvin Security Protection and Security Protection is a strictly

Chapter 20 Silberschatz and Galvin Security Protection and Security Protection is a strictly

Chapter 20 Silberschatz and Galvin Security Protection and Security Protection is a strictly internal problem Protection: mechanism for controlling the access of programs, processes, or users to the resources defined by a computer

499 views • 16 slides
This time Continuing with Web Security Cookies XSS &amp; CSRF Required reading for this

This time Continuing with Web Security Cookies XSS &amp; CSRF Required reading for this

This time Continuing with Web Security Cookies XSS &amp; CSRF Required reading for this lecture: Web Security: Are You Part Of The Problem? Cross Site Request Forgery: An Introduction HTTP GET requests Contain headers.

1.77k views • 148 slides
Web Security: Browsers CS 161: Computer Security Prof. David Wagner February 19, 2013

Web Security: Browsers CS 161: Computer Security Prof. David Wagner February 19, 2013

Web Security: Browsers CS 161: Computer Security Prof. David Wagner February 19, 2013 Announcements Midterm 1: in class, next Monday, here Midterm review session: Saturday 2/22, 2-4pm, 100 GPB Project 1 is now out; due Monday 3/3

1.51k views • 37 slides
STL headers Defined in std namespace Headers are of form &lt;headername&gt; without the .h

STL headers Defined in std namespace Headers are of form &lt;headername&gt; without the .h

16 . Standard Template Library (STL) Standard Template Library Promotes Reuse Saves time and effort Better quality part of ANSI/ISO C++ standard STL headers Defined in std namespace Headers are of form

537 views • 7 slides
Browsers Web-Big Picture The Client Any software that is capable of issuing HTTP requests

Browsers Web-Big Picture The Client Any software that is capable of issuing HTTP requests

Browsers Web-Big Picture The Client Any software that is capable of issuing HTTP requests A general purpose software application for requesting HTTP resources and displaying responses to the user is a web browser. Web Resources

833 views • 17 slides
Print Books with Browsers Designing books in browsers using Paged.js Julie Blanc (@julieblancfr)

Print Books with Browsers Designing books in browsers using Paged.js Julie Blanc (@julieblancfr)

Print Books with Browsers Designing books in browsers using Paged.js Julie Blanc (@julieblancfr) Digital Publishing Summit May 26, 2019 Automated typesetting and pagination for print Make PDF outputs of HTML contents from browsers Flux

823 views • 67 slides
Security 101 Definition of Information Security Information security is the protection of

Security 101 Definition of Information Security Information security is the protection of

Computing Services Information Security Office Security 101 Definition of Information Security Information security is the protection of information and systems from unauthorized access, disclosure, modification, destruction or disruption. The

469 views • 22 slides
Extension Breakdown: Security Analysis of Browsers Extension Resources Control Policies

Extension Breakdown: Security Analysis of Browsers Extension Resources Control Policies

Extension Breakdown: Security Analysis of Browsers Extension Resources Control Policies Iskander Sanchez-Rola, Igor Santos, Davide Balzarotti Extensions Browser extensions are the most popular technique currently available to extend the

722 views • 38 slides
Protection &amp; Security Threat is potential security violation Attack is attempt to

Protection &amp; Security Threat is potential security violation Attack is attempt to

CSE 421/521 - Operating Systems The Security Problem Fall 2011 Protecting your system resources, your files, identity, confidentiality, or privacy Lecture - XXVI Intruders (crackers) attempt to breach security Protection &amp;

437 views • 5 slides
Protection and Security Threat is potential security violation Attack is attempt to breach

Protection and Security Threat is potential security violation Attack is attempt to breach

CSC 4103 - Operating Systems The Security Problem Spring 2007 Security must consider external environment of the system, and protect the system resources Lecture - XX Intruders (crackers) attempt to breach security Protection and

195 views • 4 slides
Ruby on Rails SWEN 250 Personal Software Engineering How Websites Work Browsers send HTTP

Ruby on Rails SWEN 250 Personal Software Engineering How Websites Work Browsers send HTTP

Web Applications &amp; Ruby on Rails SWEN 250 Personal Software Engineering How Websites Work Browsers send HTTP requests to a Server Servers send back HTTP responses HTTP requests &amp; responses are newline-delimited strings with:

447 views • 9 slides
An Analysis of Private Browsing Modes in Modern Browsers

An Analysis of Private Browsing Modes in Modern Browsers

Stanford Computer Security Lab An Analysis of Private Browsing Modes in Modern Browsers Gaurav Aggarwal, Elie Bursztein, Collin Jackson, Dan Boneh Usenix

653 views • 40 slides
Security 1 Recap: Protection Protection Prevent unintended/unauthorized accesses

Security 1 Recap: Protection Protection Prevent unintended/unauthorized accesses

Security 1 Recap: Protection Protection Prevent unintended/unauthorized accesses Protection domains Class hierarchy: root can to everything a normal user can do + alpha Access control matrix Domains (Users)

575 views • 24 slides
IPv6 Extension headers Suresh Krishnan James Woodyatt Erik Kline James Hoagland Extension

IPv6 Extension headers Suresh Krishnan James Woodyatt Erik Kline James Hoagland Extension

IPv6 Extension headers Suresh Krishnan James Woodyatt Erik Kline James Hoagland Extension headers The base IPv6 standard [RFC2460] defines extension headers An expansion mechanism to carry optional internet layer information.

638 views • 8 slides
Outline OS security: protection and isolation CSci 5271 OS security: authentication

Outline OS security: protection and isolation CSci 5271 OS security: authentication

Outline OS security: protection and isolation CSci 5271 OS security: authentication Introduction to Computer Security Announcements intermission Day 9: OS security basics Stephen McCamant Basics of access control University of Minnesota,

269 views • 8 slides
SIPAT SUPER THERMAL POWER PROJECT SIPAT STAGE # 1 BOILER ECO. O/L LINKS ECONOMISER TO 1 ST PASS

SIPAT SUPER THERMAL POWER PROJECT SIPAT STAGE # 1 BOILER ECO. O/L LINKS ECONOMISER TO 1 ST PASS

SIPAT SUPER THERMAL POWER PROJECT SIPAT STAGE # 1 BOILER ECO. O/L LINKS ECONOMISER TO 1 ST PASS TOP HEADERS : OUTLET HEADERS VERTICAL WALL INTERMITTENT HEADERS ECO. JUNTION HEADERS ECO. MIXING PIECE SPIRAL WALL ECONOMISER BOTTOM RING

752 views • 33 slides
Outline Operating System Security Introduction CS 239 Memory protection

Outline Operating System Security Introduction CS 239 Memory protection

Outline Operating System Security Introduction CS 239 Memory protection Interprocess communications protection Security for Networks and File protection System Software Authentication May 20, 2002 Lecture 13 Lecture

348 views • 12 slides
A Brief Intro to Security December 5th, 2013 What is Computer Security? The protection

A Brief Intro to Security December 5th, 2013 What is Computer Security? The protection

A Brief Intro to Security December 5th, 2013 What is Computer Security? The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, and

296 views • 14 slides
Browsers: Critical Infrastructure Ubiquitous: many platforms, sensitive apps Vulnerable:

Browsers: Critical Infrastructure Ubiquitous: many platforms, sensitive apps Vulnerable:

Browser Security Guarantees through Formal Shim Verification Zachary Tatlock Dongseok Jang Sorin Lerner UC San Diego Browsers: Critical Infrastructure Ubiquitous: many platforms, sensitive apps Vulnerable: Pwn2Own, just a click to

862 views • 73 slides
Meta-Headers: Top-Down Networking Architecture with Application-Specific Constraints Murat

Meta-Headers: Top-Down Networking Architecture with Application-Specific Constraints Murat

Meta-Headers: Top-Down Networking Architecture with Application-Specific Constraints Murat Yuksel University of Nevada, Reno Reno, NV yuksem@cse.unr.edu http://www.cse.unr.edu/~yuksem IEEE GLOBECOM FutureNet, Miami, FL, Dec 2010 1

586 views • 17 slides
Outline Introduction Operating System Security Memory protection CS 239

Outline Introduction Operating System Security Memory protection CS 239

Outline Introduction Operating System Security Memory protection CS 239 Interprocess communications protection File protection Computer Security February 16, 2005 Lecture 10 Lecture 10 Page 1 Page 2 CS 239, Winter 2005

406 views • 8 slides
OS Security Thierry Sans Security is a wide topic CSCD27 Computer and Network Security covers

OS Security Thierry Sans Security is a wide topic CSCD27 Computer and Network Security covers

OS Security Thierry Sans Security is a wide topic CSCD27 Computer and Network Security covers Cryptography Network security System security Web security (recap) Protection File systems implement a protection system Who

800 views • 30 slides

More recommend