This Talk Was Brought To You By
Hosted by OWASP & the NYC Chapter
The Etsy Security Team
Wednesday, November 20, 13

What’s an Etsy?

Security Headers?
Why Security Headers?

Security Headers
- Fundamentally, a user security issue
- Changes are browser-impacting
- Unfortunately, browsers != users
- Often requires non-trivial changes

Security Headers
- Strategies for deployment
- Lessons learned from our bug bounty

Overview
- HTTP Strict Transport Security (HSTS)
- Content Security Policy (CSP)
- X-Frame-Options (XFO)
- Miscellaneous

HSTS -- What is it?
- A guarantee to visit the URL using HTTPS
- You have to have seen the site before

What’s the Attack?
- The Classic Man-in-the-Middle Attack
- Let’s just turn on TLS/SSL for everything
- Make HTTPS canonical for your site

HTTP/HTTPS Traffic

HSTS Background
- Infrastructure changes needed for SSL
- Bundle HSTS as part of an SSL preference for users

The Old Ways
- Split Architecture
- Most pages HTTP, “secure” ones HTTPS
- Load balancers constrained rollout

On Load Balancers
- HTTP -> HTTPS logic handled by the LB
- Difficult and slow to change
- Broke HTTPS plugins

Refactoring
- HTTP -> HTTPS logic handled by the app
- Make it easy to add new secure pages
- Transparency for developers

How Do I HTTPS
- Ramp it up!
- Enabled HSTS if SSL preference “on”
- Bail-out Mechanism:

The HSTS Header
- Enabled header when full-site SSL “on”

    Strict-Transport-Security: max-age=631138520; includeSubDomains

HSTS Part 2

    Strict-Transport-Security: max-age=631138520; includeSubDomains

- All subdomains get HSTS that match the host

HSTS Part 3
- Note the difference: HSTS on ‘www.etsy.com’

HSTS Part 2
- Check out Chrome’s HSTS settings: chrome://net-internals/#hsts

HSTS Rollout
- Implement HTTPS management on app level
- Rolled out to admins -> sellers -> buyers
- Code-based “SSL wrangler” in repo

SSL Wranglin’
- Controller to handle SSL transition
- Skipped for users with full-site SSL pref on
- On sign-out, set HSTS max-age=0
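The subdomain rule from the HSTS Part 2 and Part 3 slides and the sign-out max-age=0 trick above, as an added example that is not code from the talk: a miniature model of a browser's HSTS store in Python. The host names and the injectable clock are constructed for the demonstration.

```python
# Added example (not code from the talk): a miniature model of a browser's HSTS store,
# showing what max-age, includeSubDomains and max-age=0 do. Host names and the clock
# are constructed for the demonstration.
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None when the header is unusable (no max-age, a non-numeric value or a
    duplicated directive); RFC 6797 tells a browser to ignore such a header.
    """
    max_age = None
    include_subdomains = False
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if max_age is not None or not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        # Any other directive is ignored, which keeps the header forward-compatible.
    if max_age is None:
        return None
    return max_age, include_subdomains


class HstsStore:
    """Per-host HSTS state, keyed by the exact host that sent the header."""

    def __init__(self, now=time.time):
        self._now = now  # injectable clock so expiry can be exercised
        self._entries = {}  # host -> (expiry timestamp, include_subdomains)

    def process_response(self, host, scheme, header):
        """Apply the policy carried by a response; returns True if it was accepted."""
        # Only an HTTPS response may set HSTS: a plaintext one could have been
        # written by the very man-in-the-middle the header is meant to defeat.
        if scheme != "https":
            return False
        parsed = parse_hsts(header)
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        host = host.lower()
        if max_age == 0:
            # The sign-out case from the slides: max-age=0 makes the browser forget the host.
            self._entries.pop(host, None)
        else:
            self._entries[host] = (self._now() + max_age, include_subdomains)
        return True

    def is_known(self, host):
        """True if `host` is covered by an unexpired policy.

        The exact host always matches; a parent domain matches only if its policy said
        includeSubDomains. So a policy set on www.etsy.com covers img.www.etsy.com but
        says nothing about etsy.com or shop.etsy.com.
        """
        now = self._now()
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._entries.get(candidate)
            if entry is None:
                continue
            expires, include_subdomains = entry
            if expires <= now:
                del self._entries[candidate]  # lazily drop a stale policy
                continue
            if i == 0 or include_subdomains:
                return True
        return False

    def upgrade(self, url):
        """Rewrite http:// to https:// when HSTS applies (the "Wins" slide's transparent redirect)."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.is_known(parts.hostname):
            return url
        return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    store = HstsStore()
    store.process_response("www.etsy.com", "https", "max-age=631138520; includeSubDomains")
    print(store.upgrade("http://www.etsy.com/"))   # https://www.etsy.com/
    print(store.upgrade("http://shop.etsy.com/"))  # http://shop.etsy.com/ (no policy on the parent)
```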

Wins
- Fixes on-domain mixed content
- Browser transparently 302 redirects

SSL Concerns
- Do your CDNs support it?
- What about 3rd party content providers?
- Can your servers/LBs handle it?

Kill Mixed Content
- You still need to fix off-domain HTTP
- Browser mixed content warnings

Mobile
- HSTS supported on mobile browsers
- Notably absent from others

HSTS: Be Ready
- Not a crutch for fixing routing problems!
- There will be outliers
- SSL/TLS errors confuse users
- Have a process for managing HSTS

X-Frame-Options
- Problem: Clickjacking
- Framing sucks, get rid of framing!

X-Frame-Options
- How do you prevent this type of attack?

    <script>
    // Classic frame-buster: if this page is inside a frame, navigate the top window to ourselves
    if (top != self) top.location.href = self.location.href
    </script>

- Not really a defense at all

How Do I Use XFO?
- Figure out when you’re being framed
- Log the framing attempts
- Whitelist specific framing sites (search engines)
- Only allow whitelisted sites to frame

Be Careful
- Thoroughly vet your whitelist
- Read about XFO’s options
- Test thoroughly
Non-Whitelisted sites
Don't Forget...
If you're taking away framing, warn your users
Whitelisting will break everyone else: every partner, widget or internal tool that legitimately embedded your pages stops working the moment you switch from logging to enforcing, so the framing log is also your list of people to warn first.
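The two phases of the XFO rollout described above, written out as an added example (this is not code from the talk or from Etsy). Phase 1 observes framing from inside the page and reports it; phase 2 turns the logged, vetted origins into response headers. The /framing-report endpoint, the function names and the allowlist contents are this example's own assumptions.

```javascript
// Added example, not code from the talk: the two phases of the XFO rollout.
// Phase 1 observes framing and logs it; phase 2 turns the logged, vetted
// origins into headers. "/framing-report" and the allowlist are assumptions.

// Phase 1, client side. `win` is the page's window; it is a parameter only so
// the logic can be exercised outside a browser.
function detectFraming(win) {
  // A top-level document has top === self; anything else is inside a frame.
  if (win.top === win.self) return null;
  // Reading win.top.location cross-origin throws, so the referrer is the best
  // available hint about who framed us. It may be empty (referrer policy) or
  // malformed, in which case the framer is recorded as "unknown".
  let framer = 'unknown';
  try {
    const ref = win.document.referrer;
    if (ref) framer = new URL(ref).origin;
  } catch (e) {
    // malformed referrer: keep "unknown"
  }
  return { page: win.location.href, framer: framer };
}

// Fire-and-forget delivery: sendBeacon survives navigation away from the page,
// which is exactly what a clickjacking frame tends to trigger.
function reportFraming(win, endpoint) {
  const report = detectFraming(win);
  if (report && win.navigator && typeof win.navigator.sendBeacon === 'function') {
    win.navigator.sendBeacon(endpoint, JSON.stringify(report));
  }
  return report;
}

// Phase 2, server side. ALLOW-FROM takes exactly one origin and Chrome/Safari
// never honoured it, so the value is chosen per request from the Referer and
// the same decision is repeated as a CSP frame-ancestors directive for
// browsers that implement CSP. Everything off the allowlist gets SAMEORIGIN.
function framingHeaders(allowedOrigins, refererHeader) {
  let refOrigin = null;
  try {
    if (refererHeader) refOrigin = new URL(refererHeader).origin;
  } catch (e) {
    // unparsable Referer: treat as not on the list
  }
  if (refOrigin !== null && allowedOrigins.includes(refOrigin)) {
    return {
      'X-Frame-Options': 'ALLOW-FROM ' + refOrigin,
      'Content-Security-Policy': "frame-ancestors 'self' " + refOrigin,
    };
  }
  return {
    'X-Frame-Options': 'SAMEORIGIN',
    'Content-Security-Policy': "frame-ancestors 'self'",
  };
}

// Origins the phase-1 logs showed to be legitimate framers (assumed values).
const ALLOWED_FRAMERS = ['https://www.google.com', 'https://www.bing.com'];
```

The Referer is set by the victim's browser, not by the attacker, so an attacker cannot talk their way onto the allowlist with it; what they can do is abuse a whitelisted origin that itself has an XSS or can be made to frame arbitrary pages, which is why the talk says to vet the whitelist.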
Let's Talk CSP
Policies can grow fairly large
Doesn't like inline javascript by default: inline <script> blocks, on* handler attributes, javascript: URLs and eval() are all blocked unless the policy opts back in with 'unsafe-inline' / 'unsafe-eval', which gives up most of the XSS protection
Where do I start?
CSP 1.0
Most websites have inline JS
Removing/refactoring some of it just isn't possible
FF & Chrome use unprefixed 'Content-Security-Policy' (the X-Content-Security-Policy and X-WebKit-CSP headers are the pre-1.0 experimental forms)
CSP 1.1
Will have browser javascript API support (the document.securityPolicy object proposed in the early 1.1 drafts; it was dropped before 1.1 shipped as CSP Level 2)
Support for inline CSP in a <meta> tag (<meta http-equiv="Content-Security-Policy" content="...">; note that report-uri, frame-ancestors and sandbox are not honoured from <meta>)
CSP 1.1 will allow for script-nonce and script-hash (these shipped as the 'nonce-<base64>' and 'sha256-<base64>' source expressions of script-src, so an individual inline block can be allowed without 'unsafe-inline')
CSP Lessons
CSP introduced the idea of a reporting mechanism (report-uri: the browser POSTs a JSON violation report to you, and Content-Security-Policy-Report-Only collects those reports without blocking anything, so you can see what a policy would break before enforcing it)
Identify pages with inline scripts => smaller policy size (the reports tell you exactly which pages still carry inline script, so those pages get fixed or isolated instead of the whole site being loosened with 'unsafe-inline')
Log, aggregate reports to find mixed content
Some interesting results
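The report handling the lessons above describe, as an added example for Node (this is not the talk's or Etsy's code). It parses the JSON bodies a browser POSTs to report-uri, counts inline-script violations per page, collects mixed content per page, and discards the reports that browser extensions generate, which say nothing about your own pages. The report field names are the standard csp-report ones; the sample reports and function names are this example's own constructions.

```javascript
// Added example, not code from the talk: a minimal CSP report sink that turns
// raw report-uri POST bodies into two signals, pages that still carry inline
// script and mixed content. The sample reports below are constructed.

function parseCspReport(body) {
  const r = JSON.parse(body)['csp-report'];
  if (!r || typeof r !== 'object') throw new Error('not a CSP report');
  return {
    page: String(r['document-uri'] || ''),
    // Older Chrome put the whole source list in violated-directive; keep the name only.
    directive: String(r['effective-directive'] || r['violated-directive'] || '').split(/\s+/)[0],
    blocked: String(r['blocked-uri'] || ''),
  };
}

// Inline script has been reported as blocked-uri "inline", "self" or ""
// depending on the browser and spec version, so accept all three.
function isInlineScript(v) {
  return v.directive === 'script-src' && ['inline', 'self', ''].includes(v.blocked);
}

// Mixed content: an https page that tried to load an http resource.
function isMixedContent(v) {
  return v.page.startsWith('https://') && v.blocked.startsWith('http://');
}

// Extensions and some proxies inject resources the policy blocks; those reports
// are about the user's browser, not your site.
const NOISE_SCHEMES = ['chrome-extension:', 'moz-extension:', 'safari-extension:', 'ms-browser-extension:', 'about:'];
function isNoise(v) {
  return NOISE_SCHEMES.some((s) => v.blocked.startsWith(s));
}

function aggregateReports(bodies) {
  const inlinePages = new Map();   // page -> number of inline-script reports
  const mixedContent = new Map();  // page -> Set of http:// resources it pulled
  let noise = 0;
  let malformed = 0;
  for (const body of bodies) {
    let v;
    try {
      v = parseCspReport(body);
    } catch (e) {
      malformed += 1; // anything can POST to the endpoint; never trust its shape
      continue;
    }
    if (isNoise(v)) { noise += 1; continue; }
    if (isInlineScript(v)) inlinePages.set(v.page, (inlinePages.get(v.page) || 0) + 1);
    if (isMixedContent(v)) {
      if (!mixedContent.has(v.page)) mixedContent.set(v.page, new Set());
      mixedContent.get(v.page).add(v.blocked);
    }
  }
  return { inlinePages, mixedContent, noise, malformed };
}

// Constructed sample reports, not real traffic.
const SAMPLE_REPORTS = [
  JSON.stringify({ 'csp-report': { 'document-uri': 'https://www.example.com/listing/1', 'violated-directive': "script-src 'self'", 'blocked-uri': '' } }),
  JSON.stringify({ 'csp-report': { 'document-uri': 'https://www.example.com/listing/1', 'effective-directive': 'script-src', 'violated-directive': "script-src 'self'", 'blocked-uri': 'inline' } }),
  JSON.stringify({ 'csp-report': { 'document-uri': 'https://www.example.com/shop/2', 'violated-directive': "img-src 'self' https:", 'blocked-uri': 'http://cdn.example.net/banner.png' } }),
  JSON.stringify({ 'csp-report': { 'document-uri': 'https://www.example.com/shop/2', 'violated-directive': "script-src 'self'", 'blocked-uri': 'chrome-extension://abcdefghijklmnop/inject.js' } }),
  '{"not":"a report"}',
];
```

The inlinePages map is the "number of inline scripts left" that the compliance slide says to monitor; the mixedContent map is the list of http:// resources to move to https.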
How Do I Deploy CSP?
Organize and assess your existing javascript
Have specific template logic for handling javascript (one helper that emits every <script> tag, so the nonce or hash is applied in one place and nobody hand-writes script tags)
Give devs an 'opt-out' mechanism for inline js
Deploy to specific parts/subdomains of your site
CSP Compliance
Actively monitor the # of inline scripts you have left
Some CSP Tools
Some tools for CSP Generation:
http://cspisawesome.com/
https://github.com/Kennysan/CSPTools
CSP Tools
https://github.com/Kennysan/CSPTools: browser proxy, automated browser, and CSP parser
Lets you create/test a CSP for your prod environment
X-XSS-Protection
Originally IE XSS blocking mechanism (the XSS Filter introduced in IE8; WebKit's XSS Auditor, shipped by Chrome and Safari, honours the same header)
Looks for parameter arguments in response: request parameters that reappear verbatim as script in the response get neutered by the browser
Side effect: Clients can break your javascript. The filter acts on what it sees in the request, so anyone who can get a victim to load a crafted URL can make the browser disable one of your own legitimate scripts (the classic targets are frame-busting and CSRF-token scripts). That is the reason for mode=block below: block the whole page instead of selectively neutering scripts.
X-XSS-Protection
X-XSS-Protection: 1; mode=block
Reflected XSS protection, but now...
Chrome lets you specify a report url
Clientside protection; serverside reporting
XSS Logging
X-XSS-Protection: 1; mode=block; report=/log.php
(Chrome's syntax for the report directive is report=<uri>; the slide's report-uri= is the CSP spelling)
Allows Chrome reflected XSS logging, ala CSP-style
Other browsers: Implement server-side XSS-Auditor (do the same check on the server: flag requests whose parameters contain markup that comes back verbatim, unescaped, in the response)
Look for this functionality in CSP 1.1 (the 1.1 drafts carried a reflected-xss directive mirroring this header; it was dropped)
Caveat, a decade on: the client-side filters are gone. Chrome removed the XSS Auditor in Chrome 78, Edge dropped its filter, Firefox never had one, and IE is end-of-life, so the header does nothing in current browsers. The usual advice now is X-XSS-Protection: 0, to switch the filter off in any legacy browser that still has it, with CSP carrying both the protection and the reporting.
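The "server-side XSS-Auditor" suggested above, as an added example for Node (not the talk's or Etsy's code). It checks whether any request parameter that looks like markup or script comes back verbatim in the rendered response; a correctly escaped copy (&lt;script&gt;) does not match. A hit is a reflected XSS on your own site, so the handler logs it to the same sink the browser reports go to and withholds the response, mirroring mode=block. The request/response pairs, the handler shape and the regex are this example's own constructions.

```javascript
// Added example, not code from the talk: a server-side stand-in for the
// browser XSS auditor. Sample request/response pairs are constructed.

// Payload shapes worth matching: tag openers, javascript: URLs, event handlers, eval.
const SCRIPTY = /<\s*\/?\s*(script|iframe|object|embed|svg|img|body|style|meta|link)\b|javascript\s*:|\bon[a-z]+\s*=|\beval\s*\(/i;

function looksLikeScript(value) {
  // Short values produce too many accidental matches to be worth checking.
  return value.length >= 4 && SCRIPTY.test(value);
}

// Returns the parameters whose scripty value is reflected unescaped in the body.
// searchParams already URL-decodes, so "%3Cscript%3E" is compared as "<script>".
function auditReflection(requestUrl, responseBody) {
  const hits = [];
  const params = new URL(requestUrl).searchParams;
  const body = responseBody.toLowerCase();
  for (const [name, value] of params) {
    if (!looksLikeScript(value)) continue;
    // Case-folded verbatim match; an HTML-escaped copy ("&lt;script&gt;")
    // no longer contains the raw value and therefore does not match.
    if (body.includes(value.toLowerCase())) {
      hits.push({ param: name, value });
    }
  }
  return hits;
}

// What a request handler does with the verdict: serve the page, or log the hit
// (to the same sink as the browser's reports) and serve a blocked placeholder.
function handle(requestUrl, renderedBody, log) {
  const hits = auditReflection(requestUrl, renderedBody);
  if (hits.length === 0) return { status: 200, body: renderedBody };
  log.push({ url: requestUrl, hits });
  return { status: 403, body: 'blocked: reflected input detected' };
}

// Constructed samples: the same attack URL against an escaped and an unescaped page.
const PAYLOAD_URL = 'https://www.example.com/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E&page=2';
const ESCAPED_PAGE = '<p>Results for &lt;script&gt;alert(1)&lt;/script&gt;</p>';
const VULNERABLE_PAGE = '<p>Results for <script>alert(1)</script></p>';
```

Unlike the browser filter, a server-side check cannot be turned against you by a third party: it only ever blocks a page that really did reflect attacker-shaped input unescaped, which is a bug you want to see in the logs anyway. Expect some work on false positives for endpoints that legitimately echo markup (rich-text previews, JSON APIs).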
X-Content-Type-Options
X-Content-Type-Options: nosniff
Older versions of IE will guess ('sniff') the response content type from the body and the URL instead of trusting the Content-Type you sent
Ignores Content-Type specified!
Example: a file-serving endpoint whose query parameter lets the client pick a filename ending in .html, with a user-supplied body served as text/plain
IE will consider the content to be text/html and render it, attacker script included, in your origin
nosniff tells the browser to take the declared Content-Type at face value; in current browsers it also makes <script> and stylesheet loads fail when the served MIME type is wrong, so send it on every response together with an accurate Content-Type
Final Thoughts
Treat header deployment like any other code
Be agile with header development
Can't deploy everywhere? Have a plan--deploy in part
Starting with security is easier than baking it in later
Log early and often--you learn a lot
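"Treat header deployment like any other code" means the headers get a test. The check below, an added example for Node and not code from the talk, audits one response (headers plus, optionally, the body) for the four headers the talk covers, including the text/plain-body-that-is-really-HTML case from the X-Content-Type-Options section and the ALLOW-FROM trap from the X-Frame-Options section. The finding codes, function names and sample responses are this example's own constructions.

```javascript
// Added example, not code from the talk: a response-header audit meant to run
// in CI against captured responses. Codes and samples are this example's own.

function lowerKeys(headers) {
  const out = {};
  for (const k of Object.keys(headers)) out[k.toLowerCase()] = String(headers[k]);
  return out;
}

// "script-src 'self' 'nonce-x'; img-src *" -> { 'script-src': ["'self'", "'nonce-x'"], 'img-src': ['*'] }
function parseCsp(value) {
  const policy = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

function auditSecurityHeaders(headers, body = '') {
  const h = lowerKeys(headers);
  const findings = [];
  const add = (code, message) => findings.push({ code, message });

  const cspValue = h['content-security-policy'] || '';
  const csp = parseCsp(cspValue);
  const xfo = (h['x-frame-options'] || '').trim();

  // Framing: need X-Frame-Options or frame-ancestors; ALLOW-FROM alone is not enough.
  if (!xfo && !csp['frame-ancestors']) add('framing', 'no X-Frame-Options and no frame-ancestors');
  if (/^allow-from\b/i.test(xfo) && !csp['frame-ancestors']) add('allow-from', 'ALLOW-FROM is ignored by Chrome and Safari; add frame-ancestors');

  // CSP: present, and script policy not resting on 'unsafe-inline'. A nonce or
  // hash next to it is fine, since browsers then ignore 'unsafe-inline'.
  if (!cspValue && !h['content-security-policy-report-only']) add('csp-missing', 'no CSP, enforced or report-only');
  const scriptSrc = csp['script-src'] || csp['default-src'] || [];
  if (scriptSrc.includes("'unsafe-inline'") && !scriptSrc.some((s) => /^'(nonce|sha256|sha384|sha512)-/.test(s))) {
    add('csp-unsafe-inline', "script policy allows 'unsafe-inline' without a nonce or hash");
  }

  // Content-type sniffing: nosniff everywhere, and catch the sniffable case directly.
  const nosniff = (h['x-content-type-options'] || '').trim().toLowerCase() === 'nosniff';
  if (!nosniff) add('nosniff', 'X-Content-Type-Options: nosniff missing');
  if (!nosniff && /^text\/plain\b/i.test(h['content-type'] || '') && /<\s*(html|script|body|iframe)\b/i.test(body)) {
    add('sniffable', 'text/plain body looks like HTML; a sniffing browser would render it as text/html');
  }

  // XSS filter: if the header is sent at all, only "0" or "1; mode=block" are sane.
  const xss = (h['x-xss-protection'] || '').replace(/\s+/g, '').toLowerCase();
  if (xss && xss !== '0' && !xss.startsWith('1;mode=block')) {
    add('xss-filter-mode', 'X-XSS-Protection without mode=block lets the filter neuter individual scripts');
  }

  return findings;
}

// Constructed responses: one that passes and one that fails on every count.
const GOOD_RESPONSE = {
  headers: {
    'Content-Type': 'text/html; charset=utf-8',
    'X-Frame-Options': 'SAMEORIGIN',
    'Content-Security-Policy': "default-src 'self'; script-src 'self' 'nonce-abc123'; frame-ancestors 'self'; report-uri /csp-report",
    'X-Content-Type-Options': 'nosniff',
    'X-XSS-Protection': '1; mode=block; report=/xss-report',
  },
  body: '<html><body>ok</body></html>',
};
const BAD_RESPONSE = {
  headers: {
    'Content-Type': 'text/plain',
    'X-Frame-Options': 'ALLOW-FROM https://www.google.com',
    'Content-Security-Policy': "script-src 'self' 'unsafe-inline'",
    'X-XSS-Protection': '1',
  },
  body: '<html><script>alert(document.cookie)</script></html>',
};
```

Run it over a crawl of your own site rather than a single URL: the "deploy in part" strategy means different subdomains and sections will be at different stages, and the audit is what tells you which ones.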
Thanks for Listening!
@kennysan
github.com/kennysan