43

Securing websites with HTTP headesr

Embed Size (px)

Citation preview

Page 1: Securing websites with HTTP headesr
Page 2: Securing websites with HTTP headesr
https://ee.linkedin.com/in/konstantinroot
https://twitter.com/konstantin_root
Page 3: Securing websites with HTTP headesr
Page 4: Securing websites with HTTP headesr
https://www.ietf.org/rfc/rfc2616.txt
https://www.ietf.org/rfc/rfc5246.txt
https://tools.ietf.org/html/draft-ietf-tls-tls13-16
https://tools.ietf.org/rfc/rfc7034.txt
https://tools.ietf.org/html/rfc6265
https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00
https://tools.ietf.org/html/draft-ietf-httpbis-cookie-prefixes-00
https://tools.ietf.org/rfc/rfc6797.txt
https://tools.ietf.org/rfc/rfc7469.txt
https://www.w3.org/TR/2012/CR-CSP-20121115/
https://www.w3.org/TR/CSP2/
https://www.w3.org/TR/CSP3/
https://www.w3.org/TR/SRI/
Page 5: Securing websites with HTTP headesr
Page 6: Securing websites with HTTP headesr
Page 7: Securing websites with HTTP headesr
Page 8: Securing websites with HTTP headesr

Feature Chrome Edge FirefoxInternet

ExplorerOpera Safari Servo

Basic Support 1.0 (Yes) 51 8.0 13 No support (Yes)

Desktop

Mobile

Feature AndroidChrome for

AndroidEdge Mobile

Firefox for

AndroidIE Mobile Opera Mobile Safari Mobile

Basic Support (Yes) (Yes) (Yes) 51 (Yes) (Yes) No support

Page 9: Securing websites with HTTP headesr
https://blogs.msdn.microsoft.com/ie/2009/01/27/ie8-security-part-vii-clickjacking-defenses/
Page 10: Securing websites with HTTP headesr
Page 11: Securing websites with HTTP headesr
Page 12: Securing websites with HTTP headesr
Page 13: Securing websites with HTTP headesr
Page 14: Securing websites with HTTP headesr
Page 15: Securing websites with HTTP headesr
Page 16: Securing websites with HTTP headesr
Page 17: Securing websites with HTTP headesr
https://www.eff.org/https-everywhere
Page 18: Securing websites with HTTP headesr
Page 19: Securing websites with HTTP headesr
Page 20: Securing websites with HTTP headesr
Page 21: Securing websites with HTTP headesr
Page 22: Securing websites with HTTP headesr
Page 23: Securing websites with HTTP headesr
Page 24: Securing websites with HTTP headesr
http://site.com/
https://*site2.com/
Page 25: Securing websites with HTTP headesr
Page 26: Securing websites with HTTP headesr
Page 27: Securing websites with HTTP headesr
Page 28: Securing websites with HTTP headesr
Page 29: Securing websites with HTTP headesr
Page 30: Securing websites with HTTP headesr
Page 31: Securing websites with HTTP headesr
http://www.w3.org/TR/cors/#user-credentials
Page 32: Securing websites with HTTP headesr
Page 33: Securing websites with HTTP headesr
Page 34: Securing websites with HTTP headesr

Domains 548567

"x-content-type-options" 64643

"x-frame-options" 71772

"x-xss-protection" 31404

HSTS 20113

HSTS (report only) 0

HPKP 365

HPKP (report only) 34

CSP 5833

Page 35: Securing websites with HTTP headesr

0.00%

2.00%

4.00%

6.00%

8.00%

10.00%

12.00%

14.00%

0

10000

20000

30000

40000

50000

60000

70000

80000

"x-content-type-options" "x-frame-options" "x-xss-protection"

Security headers

Series1 Series2

Page 36: Securing websites with HTTP headesr

0.00%

0.50%

1.00%

1.50%

2.00%

2.50%

3.00%

3.50%

4.00%

0

5000

10000

15000

20000

25000

HSTS HSTS (report only) HPKP HPKP (report only) CSP

New security headers

Series1 Series2

Page 37: Securing websites with HTTP headesr
Page 38: Securing websites with HTTP headesr
https://github.com/diracdeltas/sniffly
Page 39: Securing websites with HTTP headesr
https://github.com/cyph/appsec-glory
http://www.radicalresearch.co.uk/lab/hstssupercookies
Page 40: Securing websites with HTTP headesr
Page 41: Securing websites with HTTP headesr
http://www.caniuse.com/
https://securityheaders.io/
https://blog.mozilla.org/security/2016/08/26/mitigating-mime-confusion-attacks-in-firefox/
https://www.troyhunt.com/clickjack-attack-hidden-threat-right-in/
http://blog.innerht.ml/the-misunderstood-x-xss-protection/
https://www.igvita.com/2016/08/26/stop-cross-site-timing-attacks-with-samesite-cookies/
Page 42: Securing websites with HTTP headesr
https://hstspreload.appspot.com/
https://cs.chromium.org/chromium/src/net/http/transport_security_state_static.json
https://noncombatant.org/2015/05/01/about-http-public-key-pinning/
https://scotthelme.co.uk/csp-cheat-sheet/
https://report-uri.io/home/generate
https://scotthelme.co.uk/using-security-features-to-do-bad-things/
Page 43: Securing websites with HTTP headesr
mailto:[email protected]

Securing websites

Securing websites

Documents
Http://nlm.nih.gov. From MedlinePlus – Health Day News WHY? According to the study, 43.5 percent of the websites provided accurate information. But just

Http://nlm.nih.gov. From MedlinePlus – Health Day News WHY? According to the study, 43.5 percent of the websites provided accurate information. But just

Documents
Securing Websites and Web Services

Securing Websites and Web Services

Documents
Securing Microservices using Play and Akka HTTP

Securing Microservices using Play and Akka HTTP

Technology
The Cracked Cookie Jar: HTTP Cookie Hijacking and the ...€¦ · HSTS. The HTTP Strict Transport Security mecha-nism [12] allows websites to instruct browsers to only ini-tiate communication

The Cracked Cookie Jar: HTTP Cookie Hijacking and the ...€¦ · HSTS. The HTTP Strict Transport Security mecha-nism [12] allows websites to instruct browsers to only ini-tiate communication

Documents
Securing Buy-in Step 5: Securing Buy-in. Securing Buy-in Securing Buy-in Our Roadmap

Securing Buy-in Step 5: Securing Buy-in. Securing Buy-in Securing Buy-in Our Roadmap

Documents
User Interface Toolkit Mechanisms for Securing Interface ... · of interface designers. Consider the popular Facebook “Like” button, which can be embedded by websites as an iframe

User Interface Toolkit Mechanisms for Securing Interface ... · of interface designers. Consider the popular Facebook “Like” button, which can be embedded by websites as an iframe

Documents
Securing Enterprise Securing Enterprise Securing Enterprise

Securing Enterprise Securing Enterprise Securing Enterprise

Technology
Ancient China - University of Oxford · Ancient China Ashmolean Museum http ... .nga.gov/education/chinatp_bze.shtm ... Western http http http http n_zhou_dynasty Horses http http

Ancient China - University of Oxford · Ancient China Ashmolean Museum http ... .nga.gov/education/chinatp_bze.shtm ... Western http http http http n_zhou_dynasty Horses http http

Documents
Freezing the Web: A Study of ReDoS Vulnerabilities in ......using Node.js ReDoS analysis of websites Payloads using HTTP requests List of vulner-able websites (Phase 3) Local machines

Freezing the Web: A Study of ReDoS Vulnerabilities in ......using Node.js ReDoS analysis of websites Payloads using HTTP requests List of vulner-able websites (Phase 3) Local machines

Documents
Securing the SSL/TLS channel against man-in-the-middle ... · Securing the SSL/TLS channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security

Securing the SSL/TLS channel against man-in-the-middle ... · Securing the SSL/TLS channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security

Documents
zondervanacademic-cdn.sfo2.digitaloceanspaces.com · Web viewthe conversion process. Other Media Sources/Websites. . see Broughton Knox, “What is the Gospel?” http

zondervanacademic-cdn.sfo2.digitaloceanspaces.com · Web viewthe conversion process. Other Media Sources/Websites. . see Broughton Knox, “What is the Gospel?” http

Documents
Picasa - Personal Websites | Personal Websites

Picasa - Personal Websites | Personal Websites

Documents
Securing your SCADA and Industrial Control ... - ICS-CERTAGA-12: Cryptographic Protection of SCADA Communications General Recommendations" HTTP ICS . SCADA . Technical Support Working

Securing your SCADA and Industrial Control ... - ICS-CERTAGA-12: Cryptographic Protection of SCADA Communications General Recommendations" HTTP ICS . SCADA . Technical Support Working

Documents
HELP Websites - Integrated Catchment Management · Web viewMurrumbidgee basin, Australia: Basin page: CSIRO Land and Water – Research and Development Organisation: http://

HELP Websites - Integrated Catchment Management · Web viewMurrumbidgee basin, Australia: Basin page: CSIRO Land and Water – Research and Development Organisation: http://

Documents
zondervanacademic-cdn.sfo2.digitaloceanspaces.com€¦  · Web viewthe conversion process. Other Media Sources/Websites. . see Broughton Knox, “What is the Gospel?” http

zondervanacademic-cdn.sfo2.digitaloceanspaces.com€¦  · Web viewthe conversion process. Other Media Sources/Websites. . see Broughton Knox, “What is the Gospel?” http

Documents
Securing the IP Multimedia Subsystem with IPsec and HTTP

Securing the IP Multimedia Subsystem with IPsec and HTTP

Documents
Cest Qui??? French 1441 Chapître 1 Leçon 1.2. USEFULL WEBSITES!!! Http:// Click on Companion Website Then at the top, pick a

Cest Qui??? French 1441 Chapître 1 Leçon 1.2. USEFULL WEBSITES!!! Http:// Click on Companion Website Then at the top, pick a

Documents
Securing Browser Interactions - Mozilla › images › 6 › 61 › Korea.pdf · • Strict Transport Security: Proposed mechanism to let websites allow communication only over HTTPS

Securing Browser Interactions - Mozilla › images › 6 › 61 › Korea.pdf · • Strict Transport Security: Proposed mechanism to let websites allow communication only over HTTPS

Documents
Securing and Managing the Oracle HTTP Server

Securing and Managing the Oracle HTTP Server

Technology
Developed and Hosted by: Platinum Sponsor · Insurance, Managing Reputation ¥ Vulnerability Risk Management - Penetration Testing; Human Engineering, Securing Websites ¥ Securing

Developed and Hosted by: Platinum Sponsor · Insurance, Managing Reputation ¥ Vulnerability Risk Management - Penetration Testing; Human Engineering, Securing Websites ¥ Securing

Documents
Securing your web application through HTTP headers

Securing your web application through HTTP headers

Technology
 · 350 http.//cooked.com http.//blog.chefhariom.com http.//ayrt-indo.com http.//ameblo.jp/kashiwan/ http.//thegoldexp.blog99.fc2.com http.//e-food.jp/travellsouth-india

 · 350 http.//cooked.com http.//blog.chefhariom.com http.//ayrt-indo.com http.//ameblo.jp/kashiwan/ http.//thegoldexp.blog99.fc2.com http.//e-food.jp/travellsouth-india

Documents
CNIT 129S: Securing Web Applications › 129S › lec › 129s-ch3.pdfCNIT 129S: Securing Web Applications Ch 3: Web Application Technologies Updated 1-24-18 HTTP Hypertext Transfer

CNIT 129S: Securing Web Applications › 129S › lec › 129s-ch3.pdfCNIT 129S: Securing Web Applications Ch 3: Web Application Technologies Updated 1-24-18 HTTP Hypertext Transfer

Documents
QRG - Securing Apache HTTP with mod ssl for Linux - Stewing Home

QRG - Securing Apache HTTP with mod ssl for Linux - Stewing Home

Documents
Automatically generated PDF from existing images.1)(a)_Board-Meeting-Advertisement... · further details visit websites :om and http: ... Email: tci@mtnl.net.in Website: SEB! 2015

Automatically generated PDF from existing images.1)(a)_Board-Meeting-Advertisement... · further details visit websites :om and http: ... Email: [email protected] Website: SEB! 2015

Documents
Module 4: Securing the Web Server 1. Overview Securing IIS Securing Apache 2

Module 4: Securing the Web Server 1. Overview Securing IIS Securing Apache 2

Documents
Websites Unlimited - Pay Monthly Websites

Websites Unlimited - Pay Monthly Websites

Internet
Preventing & Responding to Child Identity Theft€¦ · • Talk to your child about internet safety and securing personal information online. • Review the websites your family

Preventing & Responding to Child Identity Theft€¦ · • Talk to your child about internet safety and securing personal information online. • Review the websites your family

Documents
ANTEPROGRAMADAPROVADEENDURO*EQUESTREDO*DIA*27.06.2015 ... · Os!três!primeiros!colocados!de!cada!categoria!serão ... disponível para download nos websites da CBH! (http ... (dois)!anéis,!como!segue:!

ANTEPROGRAMADAPROVADEENDURO*EQUESTREDO*DIA*27.06.2015 ... · Os!três!primeiros!colocados!de!cada!categoria!serão ... disponível para download nos websites da CBH! (http ... (dois)!anéis,!como!segue:!

Documents