csp and http headers

W3C Content Security Policy and HTTP Headers for Security David Epler Security Architect [email protected]

Upload: devobjective

Post on 15-Aug-2015


TRANSCRIPT

Page 1: Csp and http headers

W3C Content Security Policy and HTTP Headers for Security

David Epler Security Architect

[email protected]

Page 2: Csp and http headers

About Me

• Application Developer originally
• Contributor to Learn CF In a Week
• OWASP Individual Member
• OWASP Zed Attack Proxy (ZAP) Evangelist
• Security Certifications - CEH, GWAPT

Page 3: Csp and http headers

About the Session

• What will be covered
  • HTTP Header Basics
  • HTTP Headers for Security
    • X-Content-Type-Options
    • X-XSS-Protection
    • X-Frame-Options
    • Cookies
  • HTTP Strict Transport Security (HSTS)
  • W3C Content Security Policy (CSP)

Page 4: Csp and http headers

HTTP Basics

HTTP Request
GET / HTTP/1.1
Host: www.aboutweb.com

HTTP Response
HTTP/1.1 200 OK
Date: Tue, 7 Apr 2015 20:21:22 GMT
Server: Apache
Content-Type: text/html

Page 5: Csp and http headers

HTTP Response Headers

• Can be set by the web server, the web application, or anything else that interacts with the HTTP response

Apache (requires mod_headers)
Header always set X-Mork KO

ColdFusion
<cfheader name="X-Mork" value="nanu-nanu">

PHP
<?php header("X-Mork: shazbot"); ?>

Page 6: Csp and http headers

HTTP Response
HTTP/1.1 200 OK
Date: Tue, 7 Apr 2015 21:22:23 GMT
Server: Apache
X-Mork: nanu-nanu
Content-Type: text/html

<html> … </html>

Page 7: Csp and http headers

X-Content-Type-Options

• Protects against MIME type confusion attacks (the browser no longer guesses a content type that differs from the declared Content-Type)
• Internet Explorer 9+, Chrome, & Safari

Content types each browser still honours for script (and stylesheet) loads once nosniff is set:

Internet Explorer            Chrome
text/css                     text/css
text/ecmascript              text/ecmascript
text/javascript              text/javascript
text/jscript                 text/jscript
application/ecmascript       application/ecmascript
application/javascript       application/javascript
application/x-javascript     application/x-javascript
text/vbs                     text/javascript1.1
text/vbscript                text/javascript1.2
text/x-javascript            text/javascript1.3
                             text/livescript

X-Content-Type-Options: nosniff

Page 8: Csp and http headers

X-XSS-Protection

• Configures the user-agent's built-in reflective XSS protection
• Internet Explorer 8+ and Chrome

Value           Meaning
0               Disable XSS protection
1               Enable XSS protection (the browser rewrites the suspected script out of the page)
1; mode=block   Enable XSS protection & block the page entirely instead of rewriting it
1; report=URL   Report potential XSS to URL (Chrome/WebKit only)

Prefer mode=block: the rewriting behaviour of plain "1" has itself been abused to break otherwise safe pages.

X-XSS-Protection: 1; mode=block

Page 9: Csp and http headers

X-Frame-Options

• Indicates whether the browser should be allowed to render the content in a <frame> or <iframe>
• Defends against Clickjacking / UI Redress attacks

Value             Meaning
DENY              Prevents any domain from framing the content
SAMEORIGIN        Only allows pages on the same origin to frame the content
ALLOW-FROM URL    Allows the single specified origin to frame the content (one origin only, not a list)

Page 10: Csp and http headers

X-Frame-Options

• Browser support varies based on value

Browser             DENY/SAMEORIGIN   ALLOW-FROM
Chrome              4.1               not supported
Firefox             3.6.9             18.0
Internet Explorer   8                 9
Opera               10.50
Safari              4                 not supported

X-Frame-Options: SAMEORIGIN

Page 11: Csp and http headers

Cookies

• Important directives on cookies
  • HttpOnly - the cookie is not accessible to JavaScript (document.cookie)
  • Secure - the cookie is only sent over HTTPS, never on a plain HTTP request

Set-Cookie: JSESSIONID=4B4BE61DB23C8858560A7BC35804507F; Path=/; Secure; HttpOnly
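The following is an added example, not code from the slides or from the speaker: a small Python audit of a response's headers that applies the checks from the preceding slides (X-Content-Type-Options, X-XSS-Protection, X-Frame-Options, and the Secure/HttpOnly flags on each Set-Cookie). The two sample responses at the bottom, including the partner.example origin and the prefs cookie, are constructed input, not captured from any real site.

```python
"""Added example, not from the slides: audit the security headers of a response.

Checks the headers covered on the preceding slides (X-Content-Type-Options,
X-XSS-Protection, X-Frame-Options) and the Secure and HttpOnly flags on every
Set-Cookie. The two sample responses at the bottom are constructed input.
"""


def _tokens(value):
    """Lower-case, ';'-separated tokens with surrounding whitespace removed."""
    return [part.strip() for part in value.lower().split(";") if part.strip()]


def parse_set_cookie(value):
    """Return (cookie name, {attribute: value}) for one Set-Cookie header value.

    Attribute names are lower-cased; bare flags such as Secure map to True.
    """
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        if key:
            attrs[key.strip().lower()] = val.strip() if sep else True
    return name, attrs


def audit_headers(headers):
    """Return a list of findings for a response given as (name, value) pairs.

    Pairs are used rather than a dict because Set-Cookie may repeat.
    An empty list means every check passed.
    """
    findings, single, cookies = [], {}, []
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookies.append(value)
        else:
            single[name.lower()] = value

    # X-Content-Type-Options: the only meaningful value is nosniff.
    xcto = single.get("x-content-type-options")
    if xcto is None:
        findings.append("X-Content-Type-Options missing: browser may sniff content types")
    elif _tokens(xcto) != ["nosniff"]:
        findings.append("X-Content-Type-Options has unexpected value %r" % xcto)

    # X-XSS-Protection: 0 disables the filter; 1 alone lets the browser rewrite
    # the page; "1; mode=block" stops rendering instead.
    xxp = single.get("x-xss-protection")
    if xxp is None:
        findings.append("X-XSS-Protection missing: browser default applies")
    else:
        tokens = _tokens(xxp)
        if tokens[:1] == ["0"]:
            findings.append("X-XSS-Protection disables the reflective XSS filter")
        elif "mode=block" not in tokens:
            findings.append("X-XSS-Protection lacks mode=block")

    # X-Frame-Options: DENY or SAMEORIGIN work in every browser on the slides' table;
    # ALLOW-FROM is not supported by Chrome or Safari, so they can still frame the page.
    xfo = single.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options missing: page can be framed (clickjacking)")
    elif xfo.strip().upper().startswith("ALLOW-FROM"):
        findings.append("X-Frame-Options ALLOW-FROM gives no protection in Chrome or Safari")
    elif xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options has invalid value %r" % xfo)

    # Cookies: each one should carry both Secure and HttpOnly.
    for raw in cookies:
        name, attrs = parse_set_cookie(raw)
        if "secure" not in attrs:
            findings.append("cookie %s lacks Secure: it will be sent over plain HTTP" % name)
        if "httponly" not in attrs:
            findings.append("cookie %s lacks HttpOnly: readable from JavaScript" % name)
    return findings


# Constructed sample responses (not captured from any real site).
HARDENED = [
    ("Content-Type", "text/html"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-XSS-Protection", "1; mode=block"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("Set-Cookie", "JSESSIONID=4B4BE61DB23C8858560A7BC35804507F; Path=/; Secure; HttpOnly"),
]
WEAK = [
    ("Content-Type", "text/html"),
    ("X-XSS-Protection", "0"),
    ("X-Frame-Options", "ALLOW-FROM https://partner.example"),
    ("Set-Cookie", "JSESSIONID=4B4BE61DB23C8858560A7BC35804507F; Path=/"),
    ("Set-Cookie", "prefs=dark; Path=/; Secure"),
]

if __name__ == "__main__":
    for label, response in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, audit_headers(response) or ["all checks passed"])
```

The checks take (name, value) pairs rather than a dict so that repeated Set-Cookie headers are all inspected; the same function can be fed the header list returned by any HTTP client.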

Page 12: Csp and http headers

DEMO

Page 13: Csp and http headers

HTTP Strict Transport Security (HSTS)

• Instructs the browser to always use HTTPS instead of HTTP for the site
• Helps prevent
  • Network attacks (e.g. SSL stripping of the first plain-HTTP request)
  • Mixed content vulnerabilities
• HSTS does not allow a user to click through (override) an invalid certificate warning

Page 14: Csp and http headers

Certificate Error w/o HSTS

Page 15: Csp and http headers

Certificate Error w/ HSTS

Page 16: Csp and http headers

HSTS Directives

• max-age tells the user-agent how long to cache the STS policy, in seconds

• includeSubDomains tells the user-agent to apply the policy to all subdomains as well

Page 17: Csp and http headers

HSTS Examples

Require HTTPS for 60 seconds on the domain
Strict-Transport-Security: max-age=60

Require HTTPS for 365 days on the domain and all subdomains
Strict-Transport-Security: max-age=31536000; includeSubDomains

Remove HSTS policy (including subdomains)
Strict-Transport-Security: max-age=0

Page 18: Csp and http headers

Handling Requests

• HTTP requests
  • Should respond with HTTP status code 301 and redirect to HTTPS
  • The Strict-Transport-Security header must not be included on HTTP responses (browsers ignore it there anyway)
• HTTPS requests
  • Should always respond with the Strict-Transport-Security header

Page 19: Csp and http headers

HSTS Preloading

• Not part of the official specification
• Chrome maintains a list of sites that always use HTTPS
• Used by Firefox and Safari as well
• Need to submit the site to be included in the preload list
  • https://hstspreload.appspot.com/

Strict-Transport-Security: max-age=10886400; includeSubDomains; preload
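The following is an added example, not code from the slides or from the speaker: a minimal Python model of how a user agent applies the HSTS rules described on the last few slides (RFC 6797). It parses the header, keeps a known-host cache, ignores the header on plain HTTP, honours includeSubDomains and max-age=0, and checks the directives the preload form expects. The host names and timestamps are constructed; the 18-week minimum (10886400 seconds) is the figure used in the slides' own preload example, and the current preload list requires a full year instead.

```python
"""Added example, not from the slides: a minimal model of how a browser
applies HTTP Strict Transport Security (RFC 6797).

parse_hsts() reads the header; KnownHosts is the user agent's policy cache
and decides whether a plain http:// URL must be upgraded; preload_ready()
checks the directives the preload submission form expects. Hosts, URLs and
timestamps below are constructed.
"""
from urllib.parse import urlsplit

# Minimum max-age the preload form required when the slides were written
# (18 weeks, the value in the slides' preload example; the list now requires a year).
PRELOAD_MIN_AGE = 10886400


def parse_hsts(value):
    """Return the parsed directives, or None when the header is invalid.

    max-age is mandatory; names are case-insensitive; unknown directives are ignored.
    """
    policy = {"max-age": None, "includesubdomains": False, "preload": False}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            val = val.strip().strip('"')
            if not val.isdigit():
                return None
            policy["max-age"] = int(val)
        elif name in ("includesubdomains", "preload"):
            policy[name] = True
    return policy if policy["max-age"] is not None else None


class KnownHosts:
    """The HSTS cache: host -> (expiry time, include_subdomains)."""

    def __init__(self):
        self.hosts = {}

    def process_response(self, url, sts_value, now):
        """Record the policy carried by a response for `url`; True if it was applied.

        The header is ignored on plain HTTP (RFC 6797 section 8.1), which is
        why the slides say to send it only on HTTPS responses.
        """
        parts = urlsplit(url)
        if parts.scheme.lower() != "https":
            return False
        policy = parse_hsts(sts_value)
        if policy is None:
            return False
        host = parts.hostname.lower()
        if policy["max-age"] == 0:
            self.hosts.pop(host, None)  # max-age=0 deletes the stored policy
        else:
            self.hosts[host] = (now + policy["max-age"], policy["includesubdomains"])
        return True

    def must_upgrade(self, url, now):
        """True if `url` is http:// and an unexpired policy covers its host."""
        parts = urlsplit(url)
        if parts.scheme.lower() != "http":
            return False
        labels = parts.hostname.lower().split(".")
        # Walk from the exact host up through its parent domains; a parent's
        # policy only counts when it was stored with includeSubDomains.
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_subdomains = entry
            if expiry > now and (i == 0 or include_subdomains):
                return True
        return False


def preload_ready(sts_value):
    """Header carries max-age >= PRELOAD_MIN_AGE, includeSubDomains and preload."""
    p = parse_hsts(sts_value)
    return bool(p and p["max-age"] >= PRELOAD_MIN_AGE and p["includesubdomains"] and p["preload"])


if __name__ == "__main__":
    ua, t0 = KnownHosts(), 1_000_000
    ua.process_response("https://example.com/", "max-age=60; includeSubDomains", t0)
    print(ua.must_upgrade("http://www.example.com/", t0 + 1))   # True
    print(ua.must_upgrade("http://example.com/", t0 + 60))      # False: expired
    print(preload_ready("max-age=10886400; includeSubDomains; preload"))  # True
```

Because the policy lives in the browser, the model also shows why the very first plain-HTTP visit is unprotected until a preload entry exists, and why max-age=0 sent over HTTPS is the only way to withdraw a policy early.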

Page 20: Csp and http headers

HSTS Browser Support

http://caniuse.com/#feat=stricttransportsecurity

Page 21: Csp and http headers

DEMO

Page 22: Csp and http headers

W3C Content Security Policy (CSP)

• Provides a whitelist to the browser for loading resources
• Developed by Mozilla and first implemented in Firefox 4
• Experimental headers
  • X-Content-Security-Policy
  • X-WebKit-CSP
• Content Security Policy 1.0: W3C Candidate Recommendation, November 15, 2012
• HTTP headers:
  • Content-Security-Policy
  • Content-Security-Policy-Report-Only

Page 23: Csp and http headers

CSP 1.0 Directives

Directive     Meaning
default-src   default source list, used for any fetch directive that is not defined
script-src    sources for JavaScript
object-src    sources for <object>, <embed>, and <applet>
style-src     sources for CSS stylesheets
img-src       sources for images
media-src     sources for HTML5 <video>, <audio>, <source>, and <track>
frame-src     sources for <frame> and <iframe>
font-src      sources for web fonts
connect-src   sources for XMLHttpRequest, WebSockets, and EventSource
report-uri    location to send violation reports
sandbox       specifies sandbox policy

Page 24: Csp and http headers

CSP Source Expressions

Value                     Meaning
*                         wildcard, allows all origins
'self'                    allow same origin (same scheme, host, and port as the page)
'none'                    deny all access
www.example.com           allow a specific host
*.example.com             allow all subdomains of a domain (not the bare domain itself)
https://www.example.com   specific origin (scheme and host; CSP 1.0 does not match on paths)
https:                    require https for every source
data:                     allow the data: URI scheme (e.g. base64-encoded inline resources)

Page 25: Csp and http headers

Special Sources

• 'unsafe-inline'
  • Allows inline content for script-src and style-src

• 'unsafe-eval'
  • Allows unsafe dynamic evaluation of code such as JavaScript eval() in script-src

Page 26: Csp and http headers

CSP Examples

Allow everything from same origin
Content-Security-Policy: default-src 'self'

Relatively secure
Content-Security-Policy: default-src 'self'; object-src 'none'; script-src 'self' https://cdn.com; style-src 'self' https://cdn.com

Page 27: Csp and http headers

CSP Examples

Unsafe
Content-Security-Policy: default-src *; script-src * 'unsafe-inline' 'unsafe-eval'; style-src * 'unsafe-inline'

Page 28: Csp and http headers

CSP Examples

Twitter
Content-Security-Policy: default-src https:; connect-src https:; font-src https: data:; frame-src https: twitter:; img-src https: data:; media-src https:; object-src https:; script-src 'unsafe-inline' 'nonce-hz5M+L2F+QfMRn8NOtP4jQ==' 'unsafe-eval' https:; style-src 'unsafe-inline' https:; report-uri https://twitter.com/i/csp_report?a=NVQWGYLXFVZXO2LGOQ%3D%3D%3D%3D%3D%3D&ro=false;
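The following is an added example, not code from the slides or from the speaker: a Python evaluator for the CSP 1.0 source expressions and the directive/default-src fallback described on the preceding slides, run against the three policies shown (same-origin, "relatively secure", "unsafe") and the Twitter policy. It goes slightly beyond the slides in two places: the Level 2 rule that a nonce or hash source makes 'unsafe-inline' ignored (which is why Twitter lists both), and the Level 2 rule that '*' does not cover data: or blob: URLs. The page origin https://www.example.com/index.html and the URLs being loaded are constructed.

```python
"""Added example, not from the slides: evaluate a Content-Security-Policy.

parse_csp() splits the header into directives, allowed() applies the CSP 1.0
source expressions (with the default-src fallback) to a resource URL, and
inline_allowed() handles 'unsafe-inline' and the nonce-source seen in the
Twitter policy. The page origin and the policies below are constructed.
"""
from urllib.parse import urlsplit

# Directives that fall back to default-src when they are not defined.
FETCH_DIRECTIVES = {"script-src", "object-src", "style-src", "img-src",
                    "media-src", "frame-src", "font-src", "connect-src"}
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}

def parse_csp(header):
    """Return {directive: [source expressions]}; a repeated directive is ignored."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def effective_sources(policy, directive):
    """Source list governing `directive`, or None when nothing restricts it."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src") if directive in FETCH_DIRECTIVES else None

def _origin(url):
    p = urlsplit(url)
    return p.scheme.lower(), (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(p.scheme.lower())

def source_matches(expr, url, page_url):
    """Does one CSP 1.0 source expression match `url` loaded by `page_url`?"""
    scheme, host, port = _origin(url)
    expr = expr.lower()
    if expr == "'self'":
        return (scheme, host, port) == _origin(page_url)
    if expr == "*":  # Level 2 rule: data:, blob: etc. are not covered by the wildcard
        return scheme in DEFAULT_PORTS
    if expr.startswith("'"):  # 'none', 'unsafe-inline', 'unsafe-eval', nonces: no URL match
        return False
    if expr.endswith(":") and "/" not in expr:  # scheme-source such as https: or data:
        return scheme == expr[:-1]
    # host-source: [scheme://]host[:port][/path]; CSP 1.0 ignores the path part.
    expr_scheme, sep, rest = expr.partition("://")
    if not sep:  # no scheme given: the page's own scheme is implied
        expr_scheme, rest = _origin(page_url)[0], expr
    host_part, _, port_part = rest.split("/", 1)[0].partition(":")
    if scheme != expr_scheme:
        return False
    if host_part.startswith("*."):  # *.example.com covers subdomains, not example.com
        host_ok = host.endswith(host_part[1:])
    else:
        host_ok = host_part in ("*", host)
    if port_part == "*":
        port_ok = True
    elif port_part:
        port_ok = port_part.isdigit() and int(port_part) == port
    else:  # no port given: only the scheme's default port matches
        port_ok = port == DEFAULT_PORTS.get(expr_scheme)
    return host_ok and port_ok

def allowed(policy, directive, url, page_url):
    """True if the policy permits loading `url` under `directive`."""
    sources = effective_sources(policy, directive)
    return True if sources is None else any(source_matches(s, url, page_url) for s in sources)

def inline_allowed(policy, directive, nonce=None):
    """Inline script/style check, including the Level 2 nonce rule."""
    sources = effective_sources(policy, directive)
    if sources is None:
        return True
    # With a nonce or hash present, Level 2 browsers ignore 'unsafe-inline';
    # Twitter lists both so that CSP 1.0 browsers still run its inline scripts.
    if any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources):
        return nonce is not None and "'nonce-%s'" % nonce in sources
    return any(s.lower() == "'unsafe-inline'" for s in sources)

PAGE = "https://www.example.com/index.html"  # constructed protected resource
SECURE = ("default-src 'self'; object-src 'none'; "
          "script-src 'self' https://cdn.com; style-src 'self' https://cdn.com")
UNSAFE = "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'; style-src * 'unsafe-inline'"
TWITTER = ("default-src https:; connect-src https:; font-src https: data:; frame-src https: twitter:; "
           "img-src https: data:; media-src https:; object-src https:; script-src 'unsafe-inline' "
           "'nonce-hz5M+L2F+QfMRn8NOtP4jQ==' 'unsafe-eval' https:; style-src 'unsafe-inline' https:")

if __name__ == "__main__":
    print(allowed(parse_csp(SECURE), "script-src", "http://cdn.com/app.js", PAGE))  # False: http, not https
    print(allowed(parse_csp(UNSAFE), "img-src", "data:image/png;base64,AA", PAGE))  # False: * excludes data:
    print(inline_allowed(parse_csp(TWITTER), "script-src"))  # False: nonce present, 'unsafe-inline' ignored
```

Two things the evaluator makes visible that the policies alone do not: the "relatively secure" policy blocks http://cdn.com even though cdn.com is listed, because the scheme is part of the source expression; and the Twitter policy's 'unsafe-inline' only matters to CSP 1.0 browsers, since any browser that understands nonces ignores it once the nonce source is present.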

Page 29: Csp and http headers

CSP 1.0 Browser Support

http://caniuse.com/#feat=contentsecuritypolicy

Page 30: Csp and http headers

DEMO

Page 31: Csp and http headers

CSP 1.1 and beyond

• CSP 1.1 (Level 2): W3C Candidate Recommendation, February 19, 2015
• Added nonce and hash sources to script-src and style-src
• Added new directives
  • base-uri, child-src, form-action, frame-ancestors, plugin-types
• Additional fields added to the violation report
• Limited browser support

Page 32: Csp and http headers

• Blog: http://www.dcepler.net • Email: [email protected] • Twitter: @dcepler

Q&A - Thanks

Page 33: Csp and http headers

Resources

• HTTP Headers
  • MIME-Handling Changes in Internet Explorer
    http://blogs.msdn.com/b/ie/archive/2010/10/26/mime-handling-changes-in-internet-explorer.aspx
  • Controlling the XSS Filter
    http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx
  • OWASP: Clickjacking Defense Cheat Sheet
    https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
  • OWASP: Cookie HTTPOnly
    https://www.owasp.org/index.php/HttpOnly
  • OWASP: Cookie Secure
    https://www.owasp.org/index.php/SecureFlag
  • Veracode: Guidelines for Security Headers
    https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers

Page 34: Csp and http headers

Resources

• HTTP Strict Transport Security
  • Specification
    https://tools.ietf.org/html/rfc6797
  • OWASP HTTP Strict Transport Security
    https://www.owasp.org/index.php/HTTP_Strict_Transport_Security
  • Mozilla Developer Network
    https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
  • HSTS Preload
    https://hstspreload.appspot.com/
  • IIS Module
    http://hstsiis.codeplex.com/

Page 35: Csp and http headers

Resources

• Content Security Policy
  • CSP 1.0 Candidate Recommendation
    http://www.w3.org/TR/2012/CR-CSP-20121115/
  • CSP 1.1 Candidate Recommendation
    http://www.w3.org/TR/2015/CR-CSP2-20150219/
  • OWASP Content Security Policy
    https://www.owasp.org/index.php/Content_Security_Policy
  • An Introduction to Content Security Policy
    http://www.html5rocks.com/en/tutorials/security/content-security-policy/
  • Content Security Policy Reference
    http://content-security-policy.com/
  • CSP Playground
    http://www.cspplayground.com/