Security Headers Explained
scottsauber
Agenda
• What are HTTP Security Headers?
• Why do they matter?
• HSTS, XFO, XSS, CSP, CTO, RH, FP
• What are they
• What do they do
• Demo
• Impact on existing apps
Goals
• Expose you to security headers that are out there
• Why they are needed
• Write down ones you need to look into when you’re back at work
Who am I?
• Director of Engineering at Lean TECHniques
• Co-organizer of Iowa .NET User Group
• Friend of Redgate
• Blog at scottsauber.com
• Not a security expert… but…
What are HTTP Headers?
• Allows both the client and server to pass additional data along to the
request or response to exchange information and inform the other
party.
• Request header examples:
• Cookies
• Accept-language: en-us
• Response header examples:
• Date
• Content-type: text/html or application/json
• Security-related headers
What are HTTP Security Headers?
• Response headers that the server responds with to instruct the
browser what security rules to enforce when it handles your website’s
content.
• Key value pairs
• In general, the more security headers you opt-in to sending, the more
secure your website is.
• Most security headers come with multiple options you can configure
to tweak the behavior to what you want.
HTTP Strict Transport Security
(HSTS)
• What is it?
• It allows websites to tell web browsers to only request this site over HTTPS,
not over HTTP.
Without HSTS
What’s the issue?
What can happen?
With HSTS
HSTS Options
Example:
• max-age
• The number of seconds the browser should enforce HSTS. 31,536,000 (1 year)
is really common. Adds your site to its internal list for this # of seconds.
• includeSubDomains
• Apply the HSTS policy to all subdomains.
• preload
• Instructs the browser to be on the preload list… more on that in the next
slide.
• max-age is required. The other two are not.
HSTS Preload List
• List maintained by Google, but used by all browsers.
• If you ARE NOT on the list, the browser’s first request is plain HTTP and is
answered with a 301 redirect, which opens a window for a MITM attack.
• If you ARE on the list, the browser performs a 307 internal redirect to HTTPS
instead of the 301, even if you’ve never visited the site before.
• This guarantees no chance of a basic MITM attack on that first request.
• Submit your domain to the list here: https://hstspreload.org/
• Add the preload option to your header to confirm your submission.
HSTS
Demo
HSTS Gotchas
• You probably don’t want this running when running locally on
localhost… unless every website you run locally is HTTPS
• HTTP and HTTPS often listen on different ports like localhost:5000 for
HTTP and localhost:5001 for HTTPS.
• If your site is running on localhost:5000, HSTS will redirect to https://localhost:5000,
where nothing is listening over HTTPS.
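The HSTS options, the preload-list slide and the localhost gotcha above, worked through in code. This is an added example, not code from the talk; the preload-list requirements it checks (max-age of at least one year, includeSubDomains, preload) are taken from hstspreload.org, not from the slides.

```python
"""Parse a Strict-Transport-Security value and check it against the HSTS
options above.  Added example, not code from the talk.
Assumption: the preload-list requirements (max-age of at least one year,
includeSubDomains, preload) come from hstspreload.org, not from the slides."""

ONE_YEAR = 31_536_000  # seconds; the common max-age value from the slide


def parse_hsts(value: str) -> dict:
    """'max-age=31536000; includeSubDomains; preload' -> dict of directives.
    Directive names are case-insensitive (RFC 6797)."""
    policy = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, arg = part.partition("=")
        policy[name.strip().lower()] = arg.strip().strip('"') if sep else True
    return policy


def check_hsts(value: str) -> list:
    """Return findings; an empty list means the header is preload-ready."""
    policy = parse_hsts(value)
    findings = []
    max_age = policy.get("max-age")
    if max_age is None:  # max-age is the only required directive
        findings.append("max-age missing")
    elif not str(max_age).isdigit():
        findings.append("max-age is not a number")
    elif int(max_age) < ONE_YEAR:
        findings.append(f"max-age {max_age} is below one year")
    if "includesubdomains" not in policy:
        findings.append("includeSubDomains missing (subdomains stay on HTTP)")
    if "preload" not in policy:
        findings.append("preload missing (cannot confirm preload submission)")
    return findings


def should_send_hsts(scheme: str, host: str) -> bool:
    """The localhost gotcha: skip HSTS for local development.  Browsers also
    ignore HSTS received over plain HTTP (RFC 6797), so only send it on HTTPS."""
    hostname = host.split(":")[0].lower()
    return scheme.lower() == "https" and hostname not in ("localhost", "127.0.0.1")
```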
HSTS Impact of Retrofitting on
Existing App
• Is everything really HTTPS?
• Subdomains
• If you’re planning on going from HTTPS to HTTP in the future for some
reason
• IDK why though
Quick word on HTTPS
• A good idea even if your site is internal
• Network topology may change
• Perception to users thanks to Chrome
HSTS
Questions
X-Frame-Options (XFO)
• What is it?
• Used to tell a browser whether or not a page should be rendered in a frame
or iframe.
X-Frame-Options (XFO) Options
Example:
XFO
Demo
XFO Impact of Retrofitting to
Existing App
• Do you know which sites should be iframing your app?
• I imagine most could just do DENY or at least SAMEORIGIN
XFO
Questions
Cross-Site Scripting (XSS)
• What is it?
• A vulnerability in a trusted website where malicious scripts can be injected.
• XSS can be used to harvest cookies, tokens, etc. since the script that is loaded
appears to be legit.
• Often it comes from user input that is neither validated nor encoded and is
then re-displayed to the user.
• Examples:
• Taking input from a user, saving it in a DB, and showing it to others (Twitter, Facebook, etc.)
• “Contact Us” or “Feedback” form on your page
• Can you put in <script>//something malicious here</script>, and does it get loaded by your email
client?
XSS
Demo
XSS Final Note
• Most modern frameworks help you out here.
• In ASP.NET Core, for instance, output is encoded by default, so I have to call
Html.Raw() to opt out.
• React escapes non-props characters by default
XSS
Questions
Cross-Site Scripting (XSS)
• Can be prevented with Content-Security-Policy (CSP)
• CSP mitigates other attacks too, not just XSS
• The old X-XSS-Protection security header is no longer honored by any major
browser
• Edge in 2018
• Chrome in 2019
Content Security Policy (CSP)
• What is it?
• Gives the browser an allowlist of sources to load static resources like JS, CSS,
images, etc. from. This allowlist can specify how the resource is loaded (i.e.
disabling inline scripts) and where the resource can be loaded from.
Content Security Policy (CSP)
Options
Example:
Content Security Policy (CSP)
Options
• There are other ones just like script-src that behave similarly such as:
• style-src
• media-src
• frame-src
• font-src
• And more
• All take in domains to allow
• unsafe-inline also works with styles
• none works with all of them
• e.g. if you want no one to frame your content
CSP
Demo
CSP Impact of Retrofitting to
Existing App
• HUGE
• This is an allowlist
• You must know what your app is doing (inline scripts/styles or not),
where it’s loading from (CDN’s, other sources, or not), etc.
• Configuring this wrong will break your app.
• Compromise
• Set it to report only (via Content-Security-Policy-Report-Only instead of
Content-Security-Policy), collect the reports to learn what your app does, and
tweak the CSP accordingly after a certain period of time.
• Start converting inline scripts and the like.
Content Security Policy (CSP)
• CSP can override the need for other headers
• frame-ancestors ‘none’ means no one can embed the page in a
frame/iframe.
• This eliminates the need for X-Frame-Options: DENY
• However, auditors probably still want to see it
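The CSP option slides, the retrofitting slide and the frame-ancestors note above, as an added example (not the talk's demo code): a small parser plus the checks a retrofit review would run, including whether frame-ancestors already covers what X-Frame-Options would. The policy strings in the tests are constructed samples; the same parser applies to a value served under Content-Security-Policy-Report-Only while you collect reports.

```python
"""Parse a Content-Security-Policy value and run the checks the CSP slides
describe: inline scripts, wide-open script sources, and whether
frame-ancestors already does the job of X-Frame-Options.  Added example, not
the talk's demo code; the policies in the tests are constructed samples."""

from typing import Optional


def parse_csp(value: str) -> dict:
    """\"script-src 'self' cdn.example; img-src *\" -> {directive: [sources]}.
    Directive names are case-insensitive; source tokens keep their case."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def xfo_equivalent(policy: dict) -> Optional[str]:
    """Map frame-ancestors to the X-Frame-Options value it makes redundant;
    None when the CSP says nothing XFO-equivalent about framing."""
    ancestors = policy.get("frame-ancestors")
    if ancestors == ["'none'"]:
        return "DENY"
    if ancestors == ["'self'"]:
        return "SAMEORIGIN"
    return None  # absent, or a host list that XFO cannot express


def check_csp(value: str) -> list:
    """Return findings; an empty list means the policy passes these checks."""
    policy = parse_csp(value)
    findings = []
    # script-src falls back to default-src when it is not set
    scripts = policy.get("script-src", policy.get("default-src"))
    if scripts is None:
        findings.append("no script-src or default-src: scripts load from anywhere")
    else:
        if "'unsafe-inline'" in scripts:
            findings.append("script-src allows inline scripts (injected <script> runs)")
        if "*" in scripts:
            findings.append("script-src allows any host")
    if xfo_equivalent(policy) is None:
        findings.append("frame-ancestors does not replace X-Frame-Options")
    return findings
```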
CSP
Questions
Browser Sniffing Protection (X-Content-
Type-Options)
• What is it?
• Tells a browser not to “sniff” the response body to guess what it contains.
Instead, it looks at the Content-Type header and renders the response
according to that. So if it says text/plain, it renders it as text/plain.
Browser Sniffing Protection (X-Content-
Type-Options)
Example:
• nosniff
• Does not have the browser sniff the contents of the response to try and
determine what to display
• Instead, it just looks at the content-type header and renders it as that.
XCTO Impact of Retrofitting to
Existing App
• Very minimal
• Note: most modern browsers will not sniff by default now.
• IE in compatibility view will still sniff
• Still shows up on audits
XCTO
Questions
Referer Header background
• When a link is clicked, the browser will send the previous page’s URL
in the Referer Request Header. Allows the server to do something
with that data.
• Useful for tracking a user’s flow through an app
• Yes it’s misspelled
• Yes that’s actually how it shows up in the browser
I’ve seen this on my blog
…and even JIRA/Confluence/OWA
Referrer-Policy
• What is it?
• Tells a browser what should be sent in the Referer header
Referrer-Policy
Example:
• no-referrer
• Referer header is omitted entirely. Most secure.
• origin
• Only send the domain (i.e. sends example.com instead of
example.com/index.html)
• same-origin
• Only send when going to the same domain
• And more
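The Referrer-Policy values above, worked through as an added example (not code from the talk): given a policy, the page being left and the link being followed, compute what ends up in the Referer request header. It covers the three values on the slide plus strict-origin-when-cross-origin, which is what current browsers apply when no policy is sent; that default goes beyond the slide. All URLs are constructed samples.

```python
"""Compute the Referer value a browser sends for a navigation under a given
Referrer-Policy.  Added example, not from the talk.  Covers no-referrer,
origin and same-origin from the slide, plus strict-origin-when-cross-origin,
the browser default when no policy header is sent (an addition beyond the
slide).  An empty policy string stands for "no Referrer-Policy header"."""

from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """'https://user:pw@Example.com/a?x=1#f' -> 'https://example.com'."""
    parts = urlsplit(url)
    host = parts.netloc.rsplit("@", 1)[-1]  # drop user:pass@ if present
    return f"{parts.scheme.lower()}://{host.lower()}"


def referrer_url(url: str) -> str:
    """Full referrer: origin + path + query; never userinfo or the #fragment."""
    parts = urlsplit(url)
    query = f"?{parts.query}" if parts.query else ""
    return origin_of(url) + (parts.path or "/") + query


def referer_for(policy: str, source: str, destination: str):
    """Return the Referer header value to send, or None when it is omitted."""
    policy = policy.strip().lower()
    same_origin = origin_of(source) == origin_of(destination)
    downgrade = origin_of(source).startswith("https://") and origin_of(destination).startswith("http://")
    if policy == "no-referrer":
        return None  # most secure: nothing leaks, not even the domain
    if policy == "origin":
        return origin_of(source) + "/"  # domain only, never the path
    if policy == "same-origin":
        return referrer_url(source) if same_origin else None
    if policy in ("strict-origin-when-cross-origin", ""):
        if downgrade:
            return None  # HTTPS -> HTTP: send nothing
        return referrer_url(source) if same_origin else origin_of(source) + "/"
    raise ValueError(f"policy not modelled in this example: {policy}")
```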
RP Impact of Retrofitting to Existing
App
• Minimal with the right config
RP
Questions
Feature-Policy (Working Draft)
• What is it?
• Tells a browser which browser features to allow or deny, with the granularity
to allow them only for specific domains
FP
Demo
FP Impact of Retrofitting to Existing
App
• Pretty big
• Know what your site is doing
Permissions-Policy
Example:
Permissions-Policy is a Working Draft
FP/PP
Questions
How do I test my website?
• https://securityheaders.com
• Run by security expert Scott Helme
SecurityHeaders.com
Note
• If you’re using a WAF (Cloudflare, Incapsula, etc.) they may be adding
these for you.
• Personally, I’d rather let the app add them, avoid vendor lock-in, and
get localhost running as close to prod as possible.
• Sometimes this is hard to do with a JAMstack site
• Lambda@Edge
Takeaways
• HTTP Security Header Awareness
• At least one HTTP Header or option written down to look into at work
• There are more Security Headers out there and more coming
• SecurityHeaders.com
• The web is a scary place
Resources
• https://securityheaders.com/
• MDN: https://developer.mozilla.org/en-US/docs/Web/HTTP/
• HTTP Security section in the left-hand menu
• Code from demos: https://github.com/scottsauber/talks
• Troy Hunt Pluralsight on Security Headers
• This slide deck is intentionally left detailed
Questions?
Thanks!