A brief look at the history of the implementation of secure web headers and an overview of creating and monitoring a content security policy (CSP).
It used to be that browsers were something we fought against to get our sites viewed the way we wanted; now they are our allies.
Far from being dumb proprietary clients that just parse our HTML the way they want, they have evolved into complex software applications.
They provide powerful security controls to make decisions about what to display and debugging tools to enable us to investigate their actions.
It is increasingly common to find malicious exploits targeting web pages within the browser: running crypto-miners, stealing credentials and forging requests.
By implementing a set of headers to be delivered alongside our web pages, we can now work with browsers to protect our site visitors from malicious content and control what is displayed and included on our pages.
In this session we will touch on what threats face our web pages out in the wild and what measures we can employ to work with browsers to protect them.
We will focus on implementing security headers and building a Content Security Policy, and will cover
- implementation of essential security headers;
- the initial investigation and building of a Content Security Policy (CSP);
- implementation and observation of the CSP in the wild;
- monitoring of the CSP once live;
- evidence of its effectiveness (threats thwarted).
Hopefully attendees will be convinced as to why security headers and CSP are invaluable and why projects should build in time and resources to implement them.
4. CONTENT SECURITY POLICY
• Bit of history
• Security Headers
• Why do we need a CSP?
• How to create a simple CSP
• Take a slightly deeper dive into CSP
• Look at some issues (e.g. Drupal)
• Look at some live threats that CSP defends against
• Wider adoption and support
12. THE START OF THE SECOND WAR
<script language=JavaScript>
<!--
if (top != self) {
top.location = location
}
// -->
</script>
<iframe src="http://www.victim.com/?v=<script>if''>
Clickjacking
Cross site scripting attacks
Cross-site request forgery - CSRF
XSS Auditor: to find reflections from the request to the response body
• X-Frame-Options: DENY
Provides Clickjacking protection
• X-Xss-Protection: 1; mode=block
Configures the XSS audit facilities in IE & Chrome
13. XSS AS A THREAT
bit.ly/bb-owasp10
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
14. BROWSER WARS 2019
• Chrome and Mozilla take the initiative to secure against XSS and other threats.
• Browsers are functional IDEs with XSS auditing, debugging, network auditing...
• A rich set of configurable headers are available to work with the browser to safeguard the end user
• The browser itself makes decisions about the security impact of web pages and their resources
• Cross site scripting (XSS) is one of the most prevalent forms of attacking websites
23. SECURITY IN THE BROWSER
• X-Content-Type-Options: nosniff
Guards against "drive-by download attacks" by preventing IE & Chrome from MIME-sniffing a response away from the declared content-type.
• X-Frame-Options: DENY
Provides Clickjacking protection. Use SAMEORIGIN or domain.
• X-Xss-Protection: 1; mode=block
Configures the XSS audit facilities in IE & Chrome
• Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Informs the UA that all communications should be treated as HTTPS. Prevents MiTM & SSL-stripping attacks. Beware the consequences of includeSubDomains and preload!
28. NEW HEADERS
• Feature-Policy
The HTTP Feature-Policy header provides a mechanism to allow and deny the use of browser features in its own frame, and in iframes that it embeds.
Feature-Policy: vibrate 'none'; geolocation 'none'
• Expect-CT
The Expect-CT header allows sites to opt in to reporting and/or enforcement of Certificate Transparency requirements, which prevents the use of misissued certificates for that site from going unnoticed.
• Referrer-Policy
HTTP Referrer Policy allows sites to have fine-grained control over how and when browsers transmit the HTTP Referer (sic) header.
29. SECURE HEADERS
• Subresource Integrity
Provide SHA hash of inline or CDN scripts.
See https://securityheaders.com
• Content-Security-Policy:
Provides details about the sources of resources the browser can trust, e.g. images, scripts, CSS, frames (both ancestors & children)
30. HOW DO I ADD A RESPONSE HEADER
• Apache (server config, virtual host, directory, .htaccess)
Header set <headername> <value>
Header set X-Content-Type-Options "nosniff"
Header set X-Frame-Options "SAMEORIGIN"
Header set X-Xss-Protection "1; mode=block"
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
• NGINX
add_header <headername> <value>;
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options SAMEORIGIN;
add_header X-XSS-Protection "1; mode=block";
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
33. KNOW YOUR NETWORK
• Audit what resources your site uses / references
• Start with a restrictive policy
• Set the script and style srcs
• Set any others (images, frames etc)
36. WHAT IF IT WASN'T THAT SIMPLE
• It's not all about an A+ - Job done
• Are we blocking things we need? (analytics for example)
• What about dependency chains?
• Need to be sure that the policy is always in place
• Monitoring and updating
• Unlikely to get an A+ with Drupal at the moment
• Inline styles and scripts e.g. Drupal Settings
37. HOW TO WORK WITH THE BROWSER
• Add security headers
• Monitor the effect of your policy
38. YOUR SITE IS PART OF A BIGGER NETWORK
Your page is everyone's canvas: <iframe> <script> <style> <font> <img> <connect>
39. DEVELOPING YOUR CONTENT SECURITY POLICY
• Add security headers
• Audit dependencies
  - 3rd party js
  - CSS
  - Images
  - Frames
  - fonts
• Monitor your CSP
  - Set CSP to Report (start with report-only)
  - Set up report collection - e.g. report-uri.com or seckit module or bespoke
  - when confident set to enforce
  - trial report and enforced together
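The report-only monitoring step above, as an added example that is not from the talk: a small Python tally of CSP violation reports in the JSON shape browsers POST to a report-uri endpoint, reducing each blocked-uri to the source expression a directive would need and flagging inline violations for hashes or nonces rather than 'unsafe-inline'. The sample reports, hostnames and function names are constructed.

```python
import json
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample reports, in the JSON shape a browser POSTs to the
# report-uri endpoint while Content-Security-Policy-Report-Only is in place.
SAMPLE_REPORTS = [
    '{"csp-report":{"document-uri":"https://www.example.org/","effective-directive":"script-src",'
    '"blocked-uri":"https://www.google-analytics.com/analytics.js","disposition":"report"}}',
    '{"csp-report":{"document-uri":"https://www.example.org/about","effective-directive":"script-src",'
    '"blocked-uri":"https://www.google-analytics.com/analytics.js","disposition":"report"}}',
    '{"csp-report":{"document-uri":"https://www.example.org/","effective-directive":"script-src",'
    '"blocked-uri":"inline","disposition":"report"}}',
    '{"csp-report":{"document-uri":"https://www.example.org/","effective-directive":"style-src",'
    '"blocked-uri":"inline","disposition":"report"}}',
    '{"csp-report":{"document-uri":"https://www.example.org/","effective-directive":"img-src",'
    '"blocked-uri":"https://images.example-cdn.net/logo.png","disposition":"report"}}',
    '{"csp-report":{"document-uri":"https://www.example.org/","effective-directive":"script-src",'
    '"blocked-uri":"https://coin-miner.example/m.js","disposition":"report"}}',
]

KEYWORDS = {"inline", "eval", "data", "blob"}  # blocked-uri values that are keywords, not URLs

def source_of(blocked_uri):
    """Reduce a blocked-uri to the source expression a directive would need:
    keywords stay as they are, URLs collapse to scheme://host[:port]."""
    if blocked_uri in KEYWORDS:
        return blocked_uri
    parts = urlsplit(blocked_uri)
    return f"{parts.scheme}://{parts.netloc}" if parts.scheme and parts.netloc else blocked_uri

def aggregate(report_lines):
    """Tally violations per effective directive and per source."""
    tally = defaultdict(Counter)
    for line in report_lines:
        report = json.loads(line)["csp-report"]
        tally[report["effective-directive"]][source_of(report["blocked-uri"])] += 1
    return tally

def review_sheet(tally):
    """One line per directive for a human to review. Nothing is added to the policy
    automatically: an unexpected origin (a miner, say) is exactly what report-only mode
    exists to surface, and inline violations are fixed with hashes or nonces."""
    lines = []
    for directive in sorted(tally):
        parts = [f"{src} ({n})" for src, n in tally[directive].most_common() if src not in KEYWORDS]
        inline = tally[directive]["inline"]  # Counter returns 0 when absent
        if inline:
            parts.append(f"{inline} inline violation(s): use 'sha256-...' or 'nonce-...', not 'unsafe-inline'")
        lines.append(f"{directive}: " + "; ".join(parts))
    return lines
```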
43. WHAT IF I AM USING A PAAS
• I can't set headers on my platform!
• Set CSP using meta tags (set them early)
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; upgrade-insecure-requests">
The header form, including the report-uri that a meta tag cannot carry:
Content-Security-Policy: default-src 'self'; upgrade-insecure-requests; report-uri https://yourdomain.report-uri.com/r/d/csp/enforce
• No frame-ancestors directive (ignored in a meta tag)
• Unfortunately no reporting! - Use report-uri-js
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' cdn.report-uri.com; connect-src 'self' yourdomain.report-uri.com; upgrade-insecure-requests">
<script type="text/json" id="csp-report-uri">
{"keys" : ["blockedURI", "columnNumber", "disposition", "documentURI", "effectiveDirective", "lineNumber",
"originalPolicy", "referrer", "sample", "sourceFile", "statusCode", "violatedDirective"],
"reportUri" : "https://yourdomain.report-uri.com/r/d/csp/enforce"}
</script>
<script src="https://cdn.report-uri.com/libs/report-uri-js/1.0.1/report-uri-js.min.js" integrity="sha256-Cng8gUe98XCqh5hc8nAM3y5I1iQHBjzOl8X3/iAd4jE=" crossorigin="anonymous"></script>
44. CONTENT SECURITY POLICY AND DRUPAL
Drupal Modules
https://www.drupal.org/project/seckit
https://www.drupal.org/project/csp
Drupal Issues WRT CSP
unsafe-inline
SRI - Sub-resource Integrity
45. HOW TO WORK WITH THE BROWSER
• Add security headers
• Monitor their effect
• Protect yourself from malicious activity
46. “Looking back on these golden years, I can't believe that people exert so much effort messing around with cross-site scripting just to get code into a single site. It's so easy to ship malicious code to thousands of websites, with a little help from my web developer friends.”
- David Gilbertson, “I'm harvesting credit card numbers and passwords from your site. Here's how.”
http://bit.ly/hncchack
48. YOUR BIGGER NETWORK MAY BE AT RISK
Dependency Infection
Set a sub resource integrity hash for third party resources
<script src="https://code.jquery.com/jquery-3.3.1.min.js" integrity="sha256-FgpCb/KJQlLNfOu91ta32o/NMZxltwRo8QtmkMRdAu8=" crossorigin="anonymous"></script>
52. NEW MINER(S) ON THE BLOCK
March 2019: Coinhive closes
Coinhive was making around $250,000 each month in Monero at one point in time, and had "a 62% share of all websites using a JavaScript cryptocurrency miner" according to researcher Troy Mursch.
Cryptojacking campaigns led to people getting arrested after deploying malicious Coinhive miners on thousands of Internet cafe computers from 30 Chinese cities and even sentenced for running illicit mining operations on other users' computers and making a measly $45.
https://www.bleepingcomputer.com
https://badpackets.net/
Plenty of others to take their place
54. GOTCHAS AND LIMITATIONS
• Inline scripts - CSP works by whitelisting origins, therefore inline scripts are not covered by the whitelist, and they are the biggest attack vector
• This covers inline script elements, event handlers and javascript: links
• The ideal is to not allow inline scripts and CSS - you're not truly hardened without that
• If you must, then use hashes and nonces
55. HOW TO WORK WITH THE BROWSER
• Add security headers
• Monitor the effect of your policy
• Use Subresource Integrity (SRI) for third party 'versioned' resources
• Move away from inline styles and scripts
56. ADVANCED CSP JOURNEYS & CSP FOR DRUPAL
• For discussion about how to deal with inline scripts using strict-dynamic and nonces etc.
See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
• 'strict-dynamic'
This will allow scripts to load their dependencies without them having to be whitelisted. Will be introduced in CSP 3
• Hashes or nonces for internal scripts and styles
Nonce for Drupal settings?
• Subresource Integrity (SRI) for external resources
bit.ly/csp-script-src
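Added example, not from the talk, covering both the SRI integrity attribute for third party resources and the hash/nonce alternative to 'unsafe-inline' discussed here: the same base64 SHA-2 digest serves as an integrity value and as a CSP hash-source, a per-response nonce comes from the secrets module, and verify_integrity mirrors the check a browser makes before running a fetched file. The inline script and all function names are constructed.

```python
import base64
import hashlib
import secrets

# Constructed inline script standing in for something like Drupal's settings
# block. Hash exactly the bytes between <script> and </script>, nothing else.
INLINE_SCRIPT = b'window.drupalSettings = {"path": {"baseUrl": "/"}};'

SRI_ALGOS = ("sha256", "sha384", "sha512")  # the digests SRI and CSP hash-sources accept

def digest_b64(algo, data):
    """Base64 digest, spelled the way both SRI and CSP expect it."""
    return base64.b64encode(hashlib.new(algo, data).digest()).decode("ascii")

def sri_integrity(data, algo="sha256"):
    """Value for integrity="..." on an external <script> or <link>."""
    return f"{algo}-{digest_b64(algo, data)}"

def csp_hash_source(data, algo="sha256"):
    """The same digest, quoted, as a script-src/style-src hash-source."""
    return f"'{sri_integrity(data, algo)}'"

def verify_integrity(data, integrity):
    """What the browser does before executing a fetched resource: recompute
    and compare. A swapped or tampered CDN file fails here and is not run."""
    algo, _, expected = integrity.partition("-")
    if algo not in SRI_ALGOS:
        return False
    return secrets.compare_digest(digest_b64(algo, data), expected)

def csp_nonce():
    """Fresh 128-bit nonce per response; unguessable and never reused."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")

def script_src_directive(inline_blocks, nonce=None):
    """script-src allowing 'self', exactly the given inline blocks by hash and,
    optionally, nonce-tagged scripts, with no 'unsafe-inline' anywhere."""
    sources = ["'self'"] + [csp_hash_source(b) for b in inline_blocks]
    if nonce:
        sources.append(f"'nonce-{nonce}'")
    return "script-src " + " ".join(sources)
```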
57. IS EVERYONE DOING THIS?
https://pokeinthe.io
Adoption in Alexa top million websites - April King
“Despite being available for years, the usage rates of modern defensive security technologies was frustratingly low....”
60. BROWSER WARS 2019
• A rich set of configurable headers are available to work with the browser as an ally to safeguard the end user
• The browser itself makes decisions about the security impact of web pages and their resources
• The browser now encourages and soon to enforce HTTPS
In July 2018 with the release of Chrome 68, Chrome started to mark all HTTP sites as “not secure”.
62. BROWSER WARS 2019
• Google will prevent ad-blockers from running in Chrome
“When your browser forces you to sign in, places cookies that you can't delete, and seeks to neutralize ad-blocking and privacy extensions, something's gone terribly wrong”
- Reda Lemeden
https://redalemeden.com/blog/2019/we-need-chrome-no-more
bit.ly/2XvSwrI