getting browsers to improve the security of your webapp
François Marier @fmarier
Getting Browsers to Improve the Security of Your Webapp
external resources
user content
cookies
encryption

external resources

Subresource integrity
mechanism for preventing tampering of static assets
https://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js

what would happen if that server were compromised?
Bad Things™
● steal sessions
● leak confidential data
● redirect to phishing sites
● enlist DDoS zombies
simple solution

instead of this:
<script src="https://ajax.googleapis.com...">

do this:
<script
src="https://ajax.googleapis.com..."
integrity="sha256-1z4uG/+cVbhShP..."
crossorigin="anonymous">

guarantee: script won't change or it'll be blocked
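How the integrity value is produced and how the browser decides whether to block the script, as an added example (not code from the talk). The script body is a constructed stand-in for the CDN file; the check follows the SRI rule that only the strongest listed algorithm counts and that any one digest for that algorithm may match.

```python
import base64
import hashlib
import re

# Constructed sample "script" body; in practice this is the exact bytes the CDN
# serves (e.g. jquery.min.js from the talk), hashed before you publish the tag.
SAMPLE_SCRIPT = b"(function(){window.jQuery={version:'1.9.1'};})();\n"

# Algorithms SRI supports, ordered weakest to strongest.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(data: bytes, algorithm: str = "sha256") -> str:
    """Return the value to put in an integrity= attribute for `data`."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def parse_integrity(attr: str) -> dict:
    """Split an integrity attribute into {algorithm: set of base64 digests}.

    Tokens with unknown algorithms are ignored, as browsers do, and any
    options after '?' are dropped.
    """
    parsed = {}
    for token in attr.split():
        match = re.fullmatch(r"(sha256|sha384|sha512)-([A-Za-z0-9+/=]+)(\?.*)?", token)
        if match:
            parsed.setdefault(match.group(1), set()).add(match.group(2))
    return parsed


def check_integrity(data: bytes, attr: str) -> bool:
    """Mimic the browser: load `data` only if it matches the integrity attribute.

    If no usable metadata is present the resource loads unchecked; otherwise
    only digests for the strongest listed algorithm are compared.
    """
    parsed = parse_integrity(attr)
    if not parsed:
        return True
    strongest = max(parsed, key=SRI_ALGORITHMS.index)
    actual = sri_hash(data, strongest).split("-", 1)[1]
    return actual in parsed[strongest]


def script_tag(src: str, data: bytes) -> str:
    """Build the <script> tag from the talk for `src` serving `data`."""
    return (f'<script src="{src}" integrity="{sri_hash(data)}" '
            f'crossorigin="anonymous"></script>')
```

A tampered body fails the check even by one byte, which is the "blocked" branch of the guarantee above.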
rel="noopener"
mechanism for disabling the window.opener object
My Account
● Change my address
● Change my billing card
● Reset my password
● Delete my account
● Watch some cute kittens!

kittens!!!!!!!!

<a href="..." target="_blank">
window.opener.location

window.opener.location = 'http://stealmypasswd.org';
Session Expired
Username: esnowden
Password: **********
Log back in!
solutions

<a href="..." target="_blank">
<a href="..." target="_blank" rel="noopener">

window.opener == null
Referrer Policy
mechanism for trimming the Referer header
http://example.com/search?q=serious+medical+condition

Click here for the cheapest insurance around!
(mock ad page body)
Referrer-Policy: no-referrer
<meta name="referrer" content="no-referrer">
<a href="http://example.com" referrerPolicy="no-referrer">
no-referrer
no-referrer-when-downgrade
same-origin
strict-origin
strict-origin-when-cross-origin

https://developer.mozilla.org/docs/Web/HTTP/Headers/Referrer-Policy
user content

Sandboxed iframes
mechanism for restricting embedded documents

<iframe src="resume.html">
window.parent

seriousapp.com
seriousappusercontent.com

<iframe src="resume.html" sandbox="">
scripts
popups
forms

https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#attr-sandbox
X-Content-Type-Options
mechanism for disabling content type sniffing
Review Papers
● Witty-Title.pdf
● Serious-Sounding-Topic.pdf
● Series-of-buzzwords.pdf
● Celebrity-Paper.pdf
● Half-Ass-Paper.pdf

%PDF-1.5<html><body> <script> ... </script></body></html>

<form action="review.cgi">
<input type="hidden" name="paper-id" value="42">
<input type="hidden" name="score" value="100">
</form>

X-Content-Type-Options: nosniff
Content Security Policy aka CSP
mechanism for preventing XSS

telling the browser the content that is allowed to load
What's on your mind?
Hi y'all<script>alert('p0wned');</script>!
Tweet!

without CSP

Hi y'all! John Doe - just moments ago
p0wned [Ok]

with CSP

Hi y'all! John Doe - just moments ago

Content-Security-Policy:
script-src 'self' https://cdn.example.com
script-src
object-src
style-src
img-src
media-src
font-src
connect-src
...

https://developer.mozilla.org/docs/Web/HTTP/CSP
cookies

Set-Cookie: sessionid=1234
(diagram: the session id 1234 is stored by the browser and sent back with later requests)

document.cookie

Cookie options
mechanism for restricting the scope of cookies
Set-Cookie: sessionid=1234; httponly

document.cookie == null

Set-Cookie: sessionid=1234; secure

good, but not great
(diagram: after Set-Cookie: sessionid=1234, another Set-Cookie for the same name replaces the value 1234 with 666)

Cookie prefixes
mechanism for enforcing cookie restrictions

Set-Cookie: __Secure-sessionid=1234; secure

__Secure-sessionid=666
encryption

HTTPS
mechanism for securing information in transit

if you're not using it, now is the time to start :)
HTTPS is not enough
you need to do it properly

RC4
SHA-1
1024-bit certificates
weak DH parameters

https://mozilla.github.io/server-side-tls/ssl-config-generator/
Strict Transport Security aka HSTS
mechanism for preventing HTTPS to HTTP downgrades

telling the browser that your site should never be reached over HTTP

no HSTS, no sslstrip:
GET bank.com → 301
GET https://bank.com → 200

no HSTS, with sslstrip:
GET bank.com → 200

what does HSTS look like?

Strict-Transport-Security: max-age=31536000

with HSTS, with sslstrip:
GET https://bank.com → 200

no HTTP traffic for sslstrip to tamper with
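A response-header audit covering the mechanisms from the cookie options, cookie prefixes, X-Content-Type-Options, CSP, Referrer Policy and HSTS slides, as an added example (not code from the talk). Both header sets are constructed, and the one-year threshold is the max-age value from the HSTS slide.

```python
import re

# Constructed sample responses (not captured from any real site): one that
# ignores the talk's advice, and one that follows it.
WEAK_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=1234"),
    ("Set-Cookie", "__Secure-prefs=dark; Path=/"),
    ("Strict-Transport-Security", "max-age=3600"),
]
HARDENED_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "__Secure-sessionid=1234; secure; httponly"),
    ("X-Content-Type-Options", "nosniff"),
    ("Content-Security-Policy", "script-src 'self' https://cdn.example.com"),
    ("Referrer-Policy", "no-referrer"),
    ("Strict-Transport-Security", "max-age=31536000"),
]

ONE_YEAR = 31536000  # the max-age used on the HSTS slide


def check_cookie(set_cookie: str) -> list:
    """Problems with a single Set-Cookie value, per the cookie slides."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    issues = []
    if "httponly" not in attrs:
        issues.append(f"{name}: no httponly, readable through document.cookie")
    if "secure" not in attrs:
        issues.append(f"{name}: no secure, also sent over plain HTTP")
        if name.startswith("__Secure-"):
            issues.append(f"{name}: __Secure- prefix without secure, browsers reject it")
    return issues


def hsts_max_age(value: str):
    """max-age from a Strict-Transport-Security value, or None if absent."""
    match = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(match.group(1)) if match else None


def check_headers(headers: list) -> list:
    """Audit (name, value) response headers against the talk's mechanisms."""
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value.strip())
    issues = []
    if "nosniff" not in [v.lower() for v in by_name.get("x-content-type-options", [])]:
        issues.append("X-Content-Type-Options: nosniff missing, uploads may be sniffed as HTML")
    if "content-security-policy" not in by_name:
        issues.append("Content-Security-Policy missing, injected scripts run unchecked")
    if "referrer-policy" not in by_name:
        issues.append("Referrer-Policy missing, full URLs leak in the Referer header")
    hsts = by_name.get("strict-transport-security")
    if not hsts:
        issues.append("Strict-Transport-Security missing, HTTP requests can be downgraded")
    else:
        age = hsts_max_age(hsts[0])
        if age is None or age < ONE_YEAR:
            issues.append(f"HSTS max-age={age} is shorter than one year ({ONE_YEAR})")
    for value in by_name.get("set-cookie", []):
        issues.extend(check_cookie(value))
    return issues
```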
referrer policy
subresource integrity
noopener
cookie prefixes
cookie options
sandboxed iframes
x-content-type-options
content security policy
https
strict transport security

Questions?
feedback:
[email protected]
@fmarier
mozilla.dev.security

© 2017 François Marier <[email protected]>
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.

photo credits:
explosion: https://www.flickr.com/photos/-cavin-/2313239884/
kittens: https://www.flickr.com/photos/londonlooks/5693093073
cookie: https://www.flickr.com/photos/amagill/34754258/