Philippe Gamache, profile picture
Uploaded byPhilippe Gamache
610 views

Browser Serving Your Web Application Security - NorthEast PHP 2017

The document provides guidelines for enhancing web application security, covering topics such as protecting sites against various attacks, improving code quality, and implementing critical security headers like Content Security Policy and X-Frame-Options. It emphasizes the need for proper server configuration and directives to safeguard against vulnerabilities such as clickjacking and cross-site scripting (XSS). Additionally, the document discusses session and cookie protection, and the importance of using HTTPS and other measures to secure data in transit.

Download to read offline
BROWSER SERVING YOUR WEB APPLICATION SECURITY ALL YOU NEED TO KNOW
ABOUT ME HI I’M PHILIPPE I’m a Developer Evangelist for kuzzle.io. Long-time internet developer, author, screen caster, podcaster and speaker. I’m specializes in PHP, Symfony, Kuzzle, security, code quality, performance, real time and geolocation. • Sécurité PHP 5 et MySQL 5 • OWASP Montreal • PHP Quebec • Table Top Game Developer • Pen & Paper RPG Writer
PURPOSE OF THE PRESENTATION • Improve the code of your website • Protect your site against certain attacks • Protect your users from certain attacks • Protect your development sites WHY WE ARE TALKING ABOUT THIS?
PROTECT YOUR DEV SITES • Dev/test/qa/regression servers • If they are available via the web • Robots.txt is not enough • forget • File compliance AVOID LEEKS
META NAME=ROBOTS CODE <meta name="robots” content="noindex” />
PROTECT YOUR SITES • name • robots for all robots • specific: • Googlebot: Googlebot-News, Googlebot-Image, Googlebot-Video, Googlebot- Mobile, Mediapartners-Google, Mediapartners, AdsBot-Google, AdsBot- Google-Mobile-Apps • slurp • msnbot, bingbot • teoma META NAME=ROBOTS
PROTECT YOUR SITES • content • all • index • follow META NAME=ROBOTS
PROTECT YOUR SITES • content • none • noindex • noarchive • nocache • nofollow META NAME=ROBOTS
PROTECT YOUR SITES • content • nosnippet • noodp • noydir • notranslate • noimageindex • unavailable_after: [RFC-850 date/time] META NAME=ROBOTS
HEADER : X-ROBOTS-TAG APACHE EXAMPLE #apache <IfModule mod_headers.c> Header set X-Robots-Tag “noindex, nofollow, noarchive" <FilesMatch “.(doc|pdf|png|jpe?g|gif)$”> Header set X-Robots-Tag “noindex, noarchive, nosnippet" </FilesMatch> <IfModule>
HEADER : X-ROBOTS-TAG PHP EXAMPLE <?php header(“X-Robots-Tag : noindex”, true);
HEADER : X-ROBOTS-TAG EXAMPLES X-Robots-Tag: noarchive X-Robots-Tag: unavailable_after: 25 Jun 2010 15:00:00 PST X-Robots-Tag: googlebot: nofollow X-Robots-Tag: otherbot: noindex, nofollow
IMPROVE YOUR CODE • Normally, for IE8 + • Requests IE to use the latest render engines or a particular version. • Should use the ChromeFrame renderer (for IE6 and IE7) • Does not validate • Reduce the display speed of the site if it needs to change mode • Does not work in a conditional comment ( <!--[if lt IE 7]> ) META/HEADER : X-UA-COMPATIBLE
META: X-UA-COMPATIBLE CODE <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"> <meta http-equiv="X-UA-Compatible” content="IE=9">
HEADER: X-UA-COMPATIBLE CODE PHP <?php header (“X-UA-Compatible : IE=Edge,chrome=1”, true);
HEADER: X-UA-COMPATIBLE APACHE EXAMPLE #apache <IfModule mod_headers.c> Header set X-UA-Compatible “IE=Edge,chrome=1” # Mod_headers Does not use the content type, # but we do not want to send this header <FilesMatch “.(js|css|gif|png|jpe?g|pdf|xml|oga|ogg|m4a|ogv|mp4| m4v|webm|svg|svgz|eot|ttf|otf|woff|ico|webp|appcache|manifest|htc| crx|oex|xpi|safariextz|vcf)$” > Header unset X-UA-Compatible </FilesMatch> </IfModule>
CLICKJACKING PROTECTION • “Clickjacking” protection • <frame> • <iframe> • <object> • Value • DENY • SAMEORIGIN • ALLOW-FROM uri META/HEADER : X-FRAME-OPTIONS
META/HEADER : X-FRAME-OPTIONS BROWSER SUPPORT Android Chrome Edge Firefox Internet Explorer Opera Safari X-Frame-Option 4+ 4+ 12+ 4+ 8+ 10.5+ 4.0+ Allow-from N/A N/A* N/A* 18+ 9+ N/A N/A* *Use CSP frame-ancestors directive instead
HEADER : X-FRAME-OPTIONS APACHE EXAMPLE #apache <IfModule mod_headers.c> Header set X-Frame-Options “deny” </IfModule>
HEADER : X-FRAME-OPTIONS PHP CODE <?php header(“X-Frame-Options: deny”, true);
META : X-FRAME-OPTIONS CODE <meta http-equiv="X-Frame-Options” content="deny">
PROTECT AGAINS DRIVE-BY ATTAQUE • Only one value: nosniff HEADER : X-CONTENT-TYPE-OPTIONS Android Chrome Edge Firefox Internet Explorer Opera Safari nosniff 3+ 1.0+* 11+ 50+** 8+ 13+ N/A * during download ** or with NoScript
HEADER : X-CONTENT-TYPE-OPTIONS APACHE EXAMPLE #apache <IfModule mod_headers.c> Header set X-Content-Type-Options “nosniff” </IfModule>
HEADER : X-CONTENT-TYPE-OPTIONS PHP CODE <?php header(“X-Content-Type-Options: nosniff”, true);
XSS PROTECTION • Automatic protection against XSS • mode=block • report=<reporting-URI> META/HEADER : X-XSS-PROTECTION Android Chrome Edge Firefox Internet Explorer Opera Safari X-XSS-Protection (Yes) 4+ 11+ N/A* 8+ Yes 4+ report No Chromium No No No No No * yes with NoScript
HEADER : X-XSS-PROTECTION APACHE EXAMPLE #apache <IfModule mod_headers.c> Header set X-XSS-Protection “1; mode=block” </IfModule>
HEADER : X-XSS-PROTECTION PHP CODE <?php header(“X-XSS-Protection: 0”, true);
META : X-XSS-PROTECTION EXAMPLE <meta http-equiv="X-XSS-Protection" content="1"> <meta http-equiv="X-XSS-Protection" content="1; mode=block"> <meta http-equiv="X-XSS-Protection” content="0"> <!-- Chromium only --> <meta http-equiv="X-XSS-Protection” content="1; report=<url>">
SUPER PROTECTION • 3 level of specification • Specification 1.0 Recommendation • http://w3c.org/TR/CSP1 • Specification 2.0 Recommendation • http://w3c.org/TR/CSP2 • Specification 3.0 Working Draft • http://w3c.org/TR/CSP3 META/HEADER : CONTENT-SECURITY-POLICY
SUPER PROTECTION META/HEADER : CONTENT-SECURITY-POLICY Android Chrome Edge Firefox Internet Explorer Opera Safari Recommendation 1 4.4+ 25+ 12+ 23+ 11+ 7+ X-Content-Security-Policy 12+* 4+ 10+ X-WebKit-CSP 14+ 5.1+ Recommendation 2 53+ 40+ 15+ 31+** 27+ 10+ Working Draft 3 * Limited ** Partial
META/HEADER : CONTENT-SECURITY-POLICY • default-src (csp 1, 2, 3) • child-src (csp 2, 3) • connect-src (csp 1, 2, 3) • font-src (csp 1, 2, 3) • frame-src (csp 1, 3) • img-src (csp 1, 2, 3) • manifest-src (csp 3) • media-src (csp 1, 2) • object-src (csp 1, 2) • script-src (csp 1, 2) • style-src (csp 1, 2) • worker-src (csp 3) FETCH DIRECTIVES
META/HEADER : CONTENT-SECURITY-POLICY • * (csp 1, 2, 3) • 'self' (csp 1, 2, 3) • 'none' (csp 1, 2, 3) • uri (csp 1, 2, 3) • media1.example.com • *.cdn.example.com • protocol • https: (csp 1, 2, 3) • http: (csp 1, 2, 3) • data: (csp 1, 2, 3) • mediastream: (csp 2, 3) • blob: (csp 2, 3) • filesystem: (csp 2, 3) • unsafe-inline (csp 1, 2, 3) • unsafe-eval (csp 1, 2, 3) • 'nonce-<base64-value>' (csp 2, 3) • <hash-source> (csp 2, 3) • 'strict-dynamic' (csp 2, 3) FETCH DIRECTIVES VALUES
META/HEADER : CONTENT-SECURITY-POLICY • Document Directives • base-uri (csp 2, 3) • disown-opener (csp 3) • plugin-types (csp 2, 3) • sandbox (csp 1, 2, 3) • Navigation Directives • form-action (csp 2, 3) • frame-ancestors (csp 2, 3) • Directives Defined in Other Documents • block-all-mixed-content (csp 3) • require-sri-for (csp 3) • upgrade-insecure-requests (csp 3) DIRECTIVES
META/HEADER: CONTENT-SECURITY-POLICY • allow-forms • allow-modals • allow-orientation-lock • allow-pointer-lock • allow-popups • allow-popups-to-escape-sandbox • allow-presentation • allow-same-origin • allow-scripts • allow-top-navigation SANDBOX VALUE
HEADER: CONTENT-SECURITY-POLICY APACHE EXAMPLE #apache <IfModule mod_headers.c> Header set Content-Security-Policy “default-src ‘self’;” </IfModule>
HEADER: CONTENT-SECURITY-POLICY PHP CODE <?php header(“Content-Security-Policy: default-src ‘self’;”, true);
META: CONTENT-SECURITY-POLICY CODE <meta http-equiv="Content-Security-Policy" content="default-src https:">
META/HEADER: CONTENT-SECURITY-POLICY EXAMPLES default-src 'self'; script-src 'self'; script-src 'self' www.google-analytics.com ajax.googleapis.com; default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; default-src 'self'; img-src *; object-src media1.example.com media2.example.com *.cdn.example.com; script-src trustedscripts.example.com default-src https: 'unsafe-inline' 'unsafe-eval' default-src *; script-src https://example.com/js/;” default-src *; sandbox allow-scripts
META/HEADER: CONTENT-SECURITY-POLICY EXAMPLES default-src 'self'; frame-ancestors 'none' base-uri 'self' object-src 'none' plugin-types application/x-shockwave-flash plugin-types application/x-java-applet form-action 'none' default-src 'self'; require-sri-for script style block-all-mixed-content upgrade-insecure-requests; default-src https:
META/HEADER : CONTENT-SECURITY-POLICY • Reporting Directives • report-uri (CSP 1, 2, 3) • report-to (CSP 3) • Meta/Header • Content-Security-Policy-Report-Only REPORT
HEADER : CONTENT-SECURITY-POLICY APACHE EXAMPLE REPORT Content-Security-Policy “default-src ‘self’; report-uri http://example.org/csp-report.php” http://evil.example.com/image.png
META/HEADER : CONTENT-SECURITY-POLICY RESPONSE { “csp-report”: { “document-uri”: “http://example.org/page.html", “referrer”: “http://evil.example.com/haxor.html", “blocked-uri”: “http://evil.example.com/image.png", “violated-directive”: “default-src ‘self’”, “original-policy”: “default-src ‘self’; report-uri http://example.org/csp-report.cgi” } }
CROSS-ORIGIN RESOURCE SHARING • Access-Control-Allow-Credentials • Access-Control-Allow-Headers • Access-Control-Allow-Methods • Access-Control-Allow-Origin • Access-Control-Expose-Headers • Access-Control-Max-Age • Access-Control-Request-Headers • Access-Control-Request-Method META/HEADER: ACCESS-CONTROL-*
CROSS-ORIGIN RESOURCE SHARING META/HEADER: ACCESS-CONTROL-* Android Chrome Edge Firefox Internet Explorer Opera Safari Access-Control-* 2.1+ 4+ 12+ 3.5+ 10+ 12+ 4+
META: ACCESS-CONTROL-* CODE <meta http-equiv="Access-Control-Allow-Origin” content="*"> <meta http-equiv="Access-Control-Allow-Origin” content="http://kuzzle.io"> <meta http-equiv="Access-Control-Allow-Credentials” content="true"> <meta http-equiv="Access-Control-Allow-Headers” content="Content-Length, X-Powered-By"> <meta http-equiv="Access-Control-Allow-Methods” content="POST, GET, OPTIONS"> <meta http-equiv="Access-Control-Expose-Headers” content="Content-Length, X-Powered-By"> <meta http-equiv="Access-Control-Max-Age” content="600"> <meta http-equiv="Access-Control-Request-Headers” content="Content-Length, X-Powered-By"> <meta http-equiv="Access-Control-Request-Methods” content="POST">
HEADER: ACCESS-CONTROL-* APACHE EXAMPLE #apache <IfModule mod_headers.c> Header set Access-Control-Allow-Origin “http://kuzzle.io” Header set Access-Control-Allow-Credentials “true” Header set Access-Control-Allow-Headers “Content-Length, X-Powered-By” Header set Access-Control-Allow-Methods “POST, GET, OPTIONS” Header set Access-Control-Expose-Headers “Content-Length, X-Powered-By” Header set Access-Control-Max-Age “60” Header set Access-Control-Request-Headers “Content-Length, X-Powered-By” Header set Access-Control-Request-Methods “POST” </IfModule>
HEADER: ACCESS-CONTROL-* PHP CODE <?php header(“Access-Control-Allow-Origin: http://kuzzle.io”, true); header(“Access-Control-Allow-Credentials: true”, true); header(“Access-Control-Allow-Headers: Content-Length, X-Powered-By”, true); header(“Access-Control-Allow-Methods: POST, GET, OPTIONS”, true); header(“Access-Control-Expose-Headers: Content-Length, X-Powered-By”, true); header(“Access-Control-Max-Age: 60”, true); header(“Access-Control-Request-Headers: Content-Length, X-Powered-By”, true); header(“Access-Control-Request-Methods: POST”, true);
PROTECT YOUR SESSIONS • Stealing session (session cookie) is quite simple. • Use HTTPS on your server if you use sessions. • But it is not enough... PHP CONFIGURATION
PROTECT YOUR SESSIONS PHP CONFIGURATION session.use_cookies “1” session.use_only_cookies “1” session.cookie_secure “1” session.cookie_httponly “1”
PROTECT YOUR COOKIES • Secure • HttpOnly • SameSite SETCOOKIE Android Chrome Edge Firefox Internet Explorer Opera Safari Secure 1+ 1+ 10+ 3+ 9+ 11+ 5+ HttpOnly 1+ 1+ 10+ 3+ 9+ 11+ 5+ SameSite 51+ 51+ N/A N/A N/A 39+ N/A
PROTECT YOUR COOKIES PHP CODE bool setcookie ( string $name [, string $value = "" [, int $expire = 0 [, string $path = "" [, string $domain = "" [, bool $secure = false [, bool $httponly = false ]]]]]] )
PROTECT IN TRANSIT DATA • Require the browser to use a site in SSL (and retains the information) HTTP STRICT TRANSPORT SECURITY Android Chrome Edge Firefox Internet Explorer Opera Safari Strict-Transport- Security 4.4+ 4+ 12+ 4+ 11+ 12+ 7+
HTTP STRICT TRANSPORT SECURITY EXAMPLES Strict-Transport-Security: max-age=<expire-time> Strict-Transport-Security: max-age=<expire-time>; includeSubDomains Strict-Transport-Security: max-age=<expire-time>; preload Strict-Transport-Security: max-age=<expire-time>; includeSubDomains; preload
HTTP STRICT TRANSPORT SECURITY APACHE EXAMPLE #apache <VirtualHost *:80> ServerAlias * RewriteEngine On RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [redirect=301] </VirtualHost> <VirtualHost *:443> ServerAlias * ... <IfModule mod_headers.c> Header set Strict-Transport-Security “max-age=16070400; preload" </IfModule> </VirtualHost>
HTTP STRICT TRANSPORT SECURITY PHP EXAMPLE <?php // IIS defines the HTTPS protocol to be “off” for non-SSL requests if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off') { header(’Strict-Transport-Security: max-age=16070400’); } else { header('Location: https://’.$_SERVER[’HTTP_HOST'] . $_SERVER['REQUEST_URI'], true, 301); exit; }
PROTECT IN TRANSIT DATA • Tells a Web client to associate a specific public cryptographic public key to a Web server to reduce the risk of MITM attacks with falsified certificates. HTTP PUBLIC KEY PINNING (HPKP) Android Chrome Edge Firefox Internet Explorer Opera Safari Public-Key-Pins 38+ 38+ N/A 35+ N/A 25+ N/A Report-uri 46+ 46+ N/A N/A N/A 33+ N/A
HTTP PUBLIC KEY PINNING (HPKP) EXAMPLES Public-Key-Pins: pin-sha256=<base64==>; max-age=<expireTime>; Public-Key-Pins: pin-sha256=<base64==>; max-age=<expireTime>; includeSubDomains Public-Key-Pins: pin-sha256=<base64==>; max-age=<expireTime>; report-uri=<reportURI> Public-Key-Pins-Report-Only: pin-sha256=<base64==>; max-age=<expireTime>; report- uri=<reportURI>
PROTECT IMPORTED FILES INTEGRITIES • Verify extracted files are delivered without unexpected manipulation. • Uses a cryptographic hash. • <script>, <link> • Base64 of • sha256 • sha384 • sha512 SUBRESOURCE INTEGRITY
SUBRESOURCE INTEGRITY EXAMPLES <script src="https://example.com/example-framework.js" integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC" crossorigin="anonymous"></script> <link rel="stylesheet” href="https://site53.example.net/style.css" integrity="sha384-+/M6kredJcxdsqkczBUjMLvqyHb1K/JThDXWsBVxMEeZHEaMKEOEct339VItX1zB" crossorigin="anonymous"> cat example-framework.js | openssl dgst -sha384 -binary | openssl enc -base64 -A
PROTECT YOUR • Allows you to specify when the browser will define a Referer header.no- referrer • no-referrer • no-referrer-when-downgrade • origin • origin-when-cross-origin • same-origin • strict-origin • strict-origin-when-cross-origin • unsafe-url HEADER: REFERRER-POLICY
HEADER: REFERRER-POLICY COMPATIBILITY Android Chrome Edge Firefox Internet Explorer Opera Safari Referrer-Policy 56+ 56+ N/A 50+ N/A 43+ N/A same-origin N/A N/A N/A 52+ N/A N/A N/A strict-origin N/A N/A N/A 52+ N/A N/A N/A strict-origin- when-cross- origin N/A N/A N/A 52+ N/A N/A N/A
ANY QUESTIONS? THANK YOU! If you want to talk more, feel free to contact me. http://kuzzle.io This presentation was created using Keynote. The text is set in Oswald and Ubuntu. The source code is set in Ubuntu Mono. The iconography is provided by Keynote, kuzzle.io and Font Awesome. Unless otherwise noted, all photographs are used by permission under a Creative Commons license. Please refer to the Photo Credits slide for more information. Copyright © This work is licensed under Creative Commons Attribution-ShareAlike 4.0 International. For uses not covered under this license, please contact the author. hello@kuzzle.io @kuzzleio Kuzzle kuzzleio http://kuzzle.io Browser Serving Your Web Application Security 2014-2017 Philippe Gamache GAMACHE, Philippe. “Browser Serving Your Web Application Security” NorthEast PHP Conference. August 10, 2017. Conference presentation. pgamache@kuzzle.io @philoupedia philippegamache joind.in/talk/c5998 Please visit us at:

More Related Content

PDF
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
byPhilippe Gamache
 
PDF
Drupal and Security: What You Need to Know
byAcquia
 
PDF
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
bynyccamp
 
KEY
Drupal Security Intro
byCash Williams
 
PPT
Top Ten Web Application Defenses v12
byJim Manico
 
ODP
Drupal Security Hardening
byGerald Villorente
 
PPT
Securing Drupal 7: Do not get Hacked or Spammed to death!
byAdelle Frank
 
PDF
Hack Proof Your Drupal Site
byNaveen Valecha
 
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
byPhilippe Gamache
 
Drupal and Security: What You Need to Know
byAcquia
 
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
bynyccamp
 
Drupal Security Intro
byCash Williams
 
Top Ten Web Application Defenses v12
byJim Manico
 
Drupal Security Hardening
byGerald Villorente
 
Securing Drupal 7: Do not get Hacked or Spammed to death!
byAdelle Frank
 
Hack Proof Your Drupal Site
byNaveen Valecha
 

What's hot

PPTX
Top Ten Java Defense for Web Applications v2
byJim Manico
 
KEY
DVWA BruCON Workshop
bytestuser1223
 
PDF
OWASP SF - Reviewing Modern JavaScript Applications
byLewis Ardern
 
PPT
Top Ten Proactive Web Security Controls v5
byJim Manico
 
PPTX
Cross Site Scripting (XSS) Defense with Java
byJim Manico
 
PDF
Hacking Adobe Experience Manager sites
byMikhail Egorov
 
PDF
OWASP London - So you thought you were safe using AngularJS.. Think again!
byLewis Ardern
 
PDF
Attacking Drupal
byGreg Foss
 
PDF
Web Security - CSP & Web Cryptography
bySamsung Open Source Group
 
PDF
OWASP Portland - OWASP Top 10 For JavaScript Developers
byLewis Ardern
 
PPTX
Deep dive into Java security architecture
byPrabath Siriwardena
 
PPTX
DVWA(Damn Vulnerabilities Web Application)
bySoham Kansodaria
 
PDF
Development Security Framework based on Owasp Esapi for JSF2.0
byRakesh Kachhadiya
 
PDF
Shields Up! Securing React Apps
byZachary Klein
 
PPTX
Java Security Framework's
byMohammed Fazuluddin
 
PDF
Configuring CQ Security
byconnectwebex
 
PDF
DefCamp 2013 - Http header analysis
byDefCamp
 
PDF
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
byLewis Ardern
 
PDF
So you thought you were safe using AngularJS.. Think again!
byLewis Ardern
 
PDF
JavaCro'14 - Securing web applications with Spring Security 3 – Fernando Redo...
byHUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association
 
Top Ten Java Defense for Web Applications v2
byJim Manico
 
DVWA BruCON Workshop
bytestuser1223
 
OWASP SF - Reviewing Modern JavaScript Applications
byLewis Ardern
 
Top Ten Proactive Web Security Controls v5
byJim Manico
 
Cross Site Scripting (XSS) Defense with Java
byJim Manico
 
Hacking Adobe Experience Manager sites
byMikhail Egorov
 
OWASP London - So you thought you were safe using AngularJS.. Think again!
byLewis Ardern
 
Attacking Drupal
byGreg Foss
 
Web Security - CSP & Web Cryptography
bySamsung Open Source Group
 
OWASP Portland - OWASP Top 10 For JavaScript Developers
byLewis Ardern
 
Deep dive into Java security architecture
byPrabath Siriwardena
 
DVWA(Damn Vulnerabilities Web Application)
bySoham Kansodaria
 
Development Security Framework based on Owasp Esapi for JSF2.0
byRakesh Kachhadiya
 
Shields Up! Securing React Apps
byZachary Klein
 
Java Security Framework's
byMohammed Fazuluddin
 
Configuring CQ Security
byconnectwebex
 
DefCamp 2013 - Http header analysis
byDefCamp
 
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
byLewis Ardern
 
So you thought you were safe using AngularJS.. Think again!
byLewis Ardern
 
JavaCro'14 - Securing web applications with Spring Security 3 – Fernando Redo...
byHUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association
 

Similar to Browser Serving Your Web Application Security - NorthEast PHP 2017

PPTX
[Wroclaw #2] Web Application Security Headers
byOWASP
 
PPTX
Lec4-WebClientSideExploitation.pptxdslkjhgfkjdshgfkjfhdkjg
byarfaouisalim
 
PDF
Csp and http headers
bydevObjective
 
PDF
Content-Security-Policy 2018.0
byPhilippe Gamache
 
PDF
Csp and http headers
byColdFusionConference
 
PDF
Browser Wars 2019 - Implementing a Content Security Policy
byGeorge Boobyer
 
PDF
Ch 3: Web Application Technologies
bySam Bowne
 
PDF
HTTP_Header_Security.pdf
byksudhakarreddy5
 
PDF
CNIT 129S - Ch 3: Web Application Technologies
bySam Bowne
 
PPTX
Analysis of HTTP Security Headers in Turkey
byDr. Emin İslam Tatlı
 
PDF
CNIT 129S: Ch 3: Web Application Technologies
bySam Bowne
 
PDF
Web Application Security 2nd Edition (Early Release) Andrew Hoffman
byhaskgeilyn
 
PDF
Web Application Security 2nd Edition (Early Release) Andrew Hoffman
bydirosochaniz
 
PDF
http security response headers for web security
byOlatunji Adetunji
 
PDF
JS Fest 2019. Andrew Betts. Headers for hackers
byJSFestUA
 
PDF
Securing the client side web
bySC5.io
 
PDF
2015-04-25-content-security-policy
bySastry Tumuluri
 
PPTX
CollabSphere SC 103 : Domino on the Web : Yes, It's (Probably) Hackable
byDarren Duke
 
PDF
Securing your web application through HTTP headers
byAndre N. Klingsheim
 
PDF
Tsc summit #2 - HTTP Header Security
byMikal Villa
 
[Wroclaw #2] Web Application Security Headers
byOWASP
 
Lec4-WebClientSideExploitation.pptxdslkjhgfkjdshgfkjfhdkjg
byarfaouisalim
 
Csp and http headers
bydevObjective
 
Content-Security-Policy 2018.0
byPhilippe Gamache
 
Csp and http headers
byColdFusionConference
 
Browser Wars 2019 - Implementing a Content Security Policy
byGeorge Boobyer
 
Ch 3: Web Application Technologies
bySam Bowne
 
HTTP_Header_Security.pdf
byksudhakarreddy5
 
CNIT 129S - Ch 3: Web Application Technologies
bySam Bowne
 
Analysis of HTTP Security Headers in Turkey
byDr. Emin İslam Tatlı
 
CNIT 129S: Ch 3: Web Application Technologies
bySam Bowne
 
Web Application Security 2nd Edition (Early Release) Andrew Hoffman
byhaskgeilyn
 
Web Application Security 2nd Edition (Early Release) Andrew Hoffman
bydirosochaniz
 
http security response headers for web security
byOlatunji Adetunji
 
JS Fest 2019. Andrew Betts. Headers for hackers
byJSFestUA
 
Securing the client side web
bySC5.io
 
2015-04-25-content-security-policy
bySastry Tumuluri
 
CollabSphere SC 103 : Domino on the Web : Yes, It's (Probably) Hackable
byDarren Duke
 
Securing your web application through HTTP headers
byAndre N. Klingsheim
 
Tsc summit #2 - HTTP Header Security
byMikal Villa
 

More from Philippe Gamache

PDF
Browser Serving Your We Application Security - ZendCon 2017
byPhilippe Gamache
 
PDF
Cryptographie 101 Pour les programmeurs (PHP)
byPhilippe Gamache
 
PDF
Kaizen ou l'amélioration continue
byPhilippe Gamache
 
PDF
Browser Serving Your Web Application Security - Madison PHP 2017
byPhilippe Gamache
 
PDF
Loi 25 - Loi modernisant des dispositions législatives en matière de protecti...
byPhilippe Gamache
 
PDF
Mentor et votre équipe
byPhilippe Gamache
 
PDF
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
byPhilippe Gamache
 
PDF
Une application en une heure avec symfony - Collège de Mainsonneuve
byPhilippe Gamache
 
PDF
Multi Factor Authetification - ZendCon 2017
byPhilippe Gamache
 
PDF
One hour application - PHP Quebec Conference 2009
byPhilippe Gamache
 
PDF
Une application en deux heure - PHP Québec Janvier 2009
byPhilippe Gamache
 
PDF
Entreprise Security API - ConFoo 2011
byPhilippe Gamache
 
PDF
Entreprise Security API - OWASP Montreal
byPhilippe Gamache
 
PDF
Auditing and securing PHP applications - FRHACK 2009
byPhilippe Gamache
 
PDF
Laboratoire sécurité : audit de code PHP - Conférence PHP Québec 2009
byPhilippe Gamache
 
PDF
Audit de code PHP - PHP Code Audit - HackFest.ca 2009
byPhilippe Gamache
 
PDF
Strong authetification - ConFoo 2011
byPhilippe Gamache
 
Browser Serving Your We Application Security - ZendCon 2017
byPhilippe Gamache
 
Cryptographie 101 Pour les programmeurs (PHP)
byPhilippe Gamache
 
Kaizen ou l'amélioration continue
byPhilippe Gamache
 
Browser Serving Your Web Application Security - Madison PHP 2017
byPhilippe Gamache
 
Loi 25 - Loi modernisant des dispositions législatives en matière de protecti...
byPhilippe Gamache
 
Mentor et votre équipe
byPhilippe Gamache
 
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
byPhilippe Gamache
 
Une application en une heure avec symfony - Collège de Mainsonneuve
byPhilippe Gamache
 
Multi Factor Authetification - ZendCon 2017
byPhilippe Gamache
 
One hour application - PHP Quebec Conference 2009
byPhilippe Gamache
 
Une application en deux heure - PHP Québec Janvier 2009
byPhilippe Gamache
 
Entreprise Security API - ConFoo 2011
byPhilippe Gamache
 
Entreprise Security API - OWASP Montreal
byPhilippe Gamache
 
Auditing and securing PHP applications - FRHACK 2009
byPhilippe Gamache
 
Laboratoire sécurité : audit de code PHP - Conférence PHP Québec 2009
byPhilippe Gamache
 
Audit de code PHP - PHP Code Audit - HackFest.ca 2009
byPhilippe Gamache
 
Strong authetification - ConFoo 2011
byPhilippe Gamache
 

Recently uploaded

PPTX
Enhancing Web Security: Key Concepts & Strategies.pptx
byParham Abolghasemi
 
PDF
Revolutionizing SQL Database Design for the Modern Era.pdf
bySQL DBM
 
PDF
Database Performance at Scale: The TL;DR
byScyllaDB
 
PDF
PDF Security Intelligence Platform | Cybersecurity Project by Ashish Patil
byAshishPatil495087
 
PDF
Transparency Exchange API: How Do You Find the SBOM for a Smart Light Bulb?
byPavel Shukhman
 
PDF
Access Linux File System in RHEL - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
MathML Core in WebKit
byIgalia
 
PDF
Do more with the HP Z2 Mini G1a
byPrincipled Technologies
 
PDF
Analyze and Store Logs - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
Manage Files Using CLI - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
Wrapping up unowned UTF8 C strings: CStringView
byIgalia
 
PDF
Control Access to Files - RHCSA (RH124).pdf
byLinuxCert Guru
 
PPTX
GenAI GraphTalk - Kuala Lumpur - 4 Nov 2025
bygourisachdeva2
 
PDF
Install and Update Software - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
Dr. Robert Krug - Specializes In Predictive Modeling
byDr. Robert Krug
 
PPTX
Sephora UAE API Service Real-Time Product & Price Data Access.pptx
bycreativeclicks1733
 
PDF
Q3'25 Financial Results and Earnings Presentation
byDropbox
 
PDF
Cybersecurity in ASEAN and Singapore Columbia SIPA 2025.pdf
byBenjamin Ang
 
PPTX
AI and Linux in 2025 - Jay LaCroix, Learn Linux TV
byAll Things Open
 
PDF
"Visual Guide to DSA: Big O Notation, Data Structures, and Algorithms Fundame...
byNusrat Gulbarga
 
Enhancing Web Security: Key Concepts & Strategies.pptx
byParham Abolghasemi
 
Revolutionizing SQL Database Design for the Modern Era.pdf
bySQL DBM
 
Database Performance at Scale: The TL;DR
byScyllaDB
 
PDF Security Intelligence Platform | Cybersecurity Project by Ashish Patil
byAshishPatil495087
 
Transparency Exchange API: How Do You Find the SBOM for a Smart Light Bulb?
byPavel Shukhman
 
Access Linux File System in RHEL - RHCSA (RH124).pdf
byLinuxCert Guru
 
MathML Core in WebKit
byIgalia
 
Do more with the HP Z2 Mini G1a
byPrincipled Technologies
 
Analyze and Store Logs - RHCSA (RH124).pdf
byLinuxCert Guru
 
Manage Files Using CLI - RHCSA (RH124).pdf
byLinuxCert Guru
 
Wrapping up unowned UTF8 C strings: CStringView
byIgalia
 
Control Access to Files - RHCSA (RH124).pdf
byLinuxCert Guru
 
GenAI GraphTalk - Kuala Lumpur - 4 Nov 2025
bygourisachdeva2
 
Install and Update Software - RHCSA (RH124).pdf
byLinuxCert Guru
 
Dr. Robert Krug - Specializes In Predictive Modeling
byDr. Robert Krug
 
Sephora UAE API Service Real-Time Product & Price Data Access.pptx
bycreativeclicks1733
 
Q3'25 Financial Results and Earnings Presentation
byDropbox
 
Cybersecurity in ASEAN and Singapore Columbia SIPA 2025.pdf
byBenjamin Ang
 
AI and Linux in 2025 - Jay LaCroix, Learn Linux TV
byAll Things Open
 
"Visual Guide to DSA: Big O Notation, Data Structures, and Algorithms Fundame...
byNusrat Gulbarga
 

Browser Serving Your Web Application Security - NorthEast PHP 2017

  • 1.
    BROWSER SERVING YOURWEB APPLICATION SECURITY ALL YOU NEED TO KNOW
  • 2.
    ABOUT ME HI I’MPHILIPPE I’m a Developer Evangelist for kuzzle.io. Long-time internet developer, author, screen caster, podcaster and speaker. I’m specializes in PHP, Symfony, Kuzzle, security, code quality, performance, real time and geolocation. • Sécurité PHP 5 et MySQL 5 • OWASP Montreal • PHP Quebec • Table Top Game Developer • Pen & Paper RPG Writer
  • 3.
    PURPOSE OF THEPRESENTATION • Improve the code of your website • Protect your site against certain attacks • Protect your users from certain attacks • Protect your development sites WHY WE ARE TALKING ABOUT THIS?
  • 4.
    PROTECT YOUR DEVSITES • Dev/test/qa/regression servers • If they are available via the web • Robots.txt is not enough • forget • File compliance AVOID LEEKS
  • 5.
  • 6.
    PROTECT YOUR SITES •name • robots for all robots • specific: • Googlebot: Googlebot-News, Googlebot-Image, Googlebot-Video, Googlebot- Mobile, Mediapartners-Google, Mediapartners, AdsBot-Google, AdsBot- Google-Mobile-Apps • slurp • msnbot, bingbot • teoma META NAME=ROBOTS
  • 7.
    PROTECT YOUR SITES •content • all • index • follow META NAME=ROBOTS
  • 8.
    PROTECT YOUR SITES •content • none • noindex • noarchive • nocache • nofollow META NAME=ROBOTS
  • 9.
    PROTECT YOUR SITES •content • nosnippet • noodp • noydir • notranslate • noimageindex • unavailable_after: [RFC-850 date/time] META NAME=ROBOTS
  • 10.
    HEADER : X-ROBOTS-TAG APACHE EXAMPLE #apache <IfModulemod_headers.c> Header set X-Robots-Tag “noindex, nofollow, noarchive" <FilesMatch “.(doc|pdf|png|jpe?g|gif)$”> Header set X-Robots-Tag “noindex, noarchive, nosnippet" </FilesMatch> <IfModule>
  • 11.
  • 12.
    HEADER : X-ROBOTS-TAG EXAMPLES X-Robots-Tag: noarchive X-Robots-Tag:unavailable_after: 25 Jun 2010 15:00:00 PST X-Robots-Tag: googlebot: nofollow X-Robots-Tag: otherbot: noindex, nofollow
  • 13.
    IMPROVE YOUR CODE •Normally, for IE8 + • Requests IE to use the latest render engines or a particular version. • Should use the ChromeFrame renderer (for IE6 and IE7) • Does not validate • Reduce the display speed of the site if it needs to change mode • Does not work in a conditional comment ( <!--[if lt IE 7]> ) META/HEADER : X-UA-COMPATIBLE
  • 14.
    META: X-UA-COMPATIBLE CODE <meta http-equiv="X-UA-Compatible"content="IE=edge,chrome=1"> <meta http-equiv="X-UA-Compatible” content="IE=9">
  • 15.
    HEADER: X-UA-COMPATIBLE CODE PHP <?php header(“X-UA-Compatible : IE=Edge,chrome=1”, true);
  • 16.
    HEADER: X-UA-COMPATIBLE APACHE EXAMPLE #apache <IfModulemod_headers.c> Header set X-UA-Compatible “IE=Edge,chrome=1” # Mod_headers Does not use the content type, # but we do not want to send this header <FilesMatch “.(js|css|gif|png|jpe?g|pdf|xml|oga|ogg|m4a|ogv|mp4| m4v|webm|svg|svgz|eot|ttf|otf|woff|ico|webp|appcache|manifest|htc| crx|oex|xpi|safariextz|vcf)$” > Header unset X-UA-Compatible </FilesMatch> </IfModule>
  • 17.
    CLICKJACKING PROTECTION • “Clickjacking”protection • <frame> • <iframe> • <object> • Value • DENY • SAMEORIGIN • ALLOW-FROM uri META/HEADER : X-FRAME-OPTIONS
  • 18.
    META/HEADER : X-FRAME-OPTIONS BROWSER SUPPORT AndroidChrome Edge Firefox Internet Explorer Opera Safari X-Frame-Option 4+ 4+ 12+ 4+ 8+ 10.5+ 4.0+ Allow-from N/A N/A* N/A* 18+ 9+ N/A N/A* *Use CSP frame-ancestors directive instead
  • 19.
    HEADER : X-FRAME-OPTIONS APACHE EXAMPLE #apache <IfModulemod_headers.c> Header set X-Frame-Options “deny” </IfModule>
  • 20.
  • 21.
  • 22.
    PROTECT AGAINS DRIVE-BYATTAQUE • Only one value: nosniff HEADER : X-CONTENT-TYPE-OPTIONS Android Chrome Edge Firefox Internet Explorer Opera Safari nosniff 3+ 1.0+* 11+ 50+** 8+ 13+ N/A * during download ** or with NoScript
  • 23.
    HEADER : X-CONTENT-TYPE-OPTIONS APACHE EXAMPLE #apache <IfModulemod_headers.c> Header set X-Content-Type-Options “nosniff” </IfModule>
  • 24.
  • 25.
    XSS PROTECTION • Automaticprotection against XSS • mode=block • report=<reporting-URI> META/HEADER : X-XSS-PROTECTION Android Chrome Edge Firefox Internet Explorer Opera Safari X-XSS-Protection (Yes) 4+ 11+ N/A* 8+ Yes 4+ report No Chromium No No No No No * yes with NoScript
  • 26.
    HEADER : X-XSS-PROTECTION APACHE EXAMPLE #apache <IfModulemod_headers.c> Header set X-XSS-Protection “1; mode=block” </IfModule>
  • 27.
  • 28.
    META : X-XSS-PROTECTION EXAMPLE <meta http-equiv="X-XSS-Protection"content="1"> <meta http-equiv="X-XSS-Protection" content="1; mode=block"> <meta http-equiv="X-XSS-Protection” content="0"> <!-- Chromium only --> <meta http-equiv="X-XSS-Protection” content="1; report=<url>">
  • 29.
    SUPER PROTECTION • 3level of specification • Specification 1.0 Recommendation • http://w3c.org/TR/CSP1 • Specification 2.0 Recommendation • http://w3c.org/TR/CSP2 • Specification 3.0 Working Draft • http://w3c.org/TR/CSP3 META/HEADER : CONTENT-SECURITY-POLICY
  • 30.
    SUPER PROTECTION META/HEADER : CONTENT-SECURITY-POLICY AndroidChrome Edge Firefox Internet Explorer Opera Safari Recommendation 1 4.4+ 25+ 12+ 23+ 11+ 7+ X-Content-Security-Policy 12+* 4+ 10+ X-WebKit-CSP 14+ 5.1+ Recommendation 2 53+ 40+ 15+ 31+** 27+ 10+ Working Draft 3 * Limited ** Partial
  • 31.
    META/HEADER : CONTENT-SECURITY-POLICY • default-src(csp 1, 2, 3) • child-src (csp 2, 3) • connect-src (csp 1, 2, 3) • font-src (csp 1, 2, 3) • frame-src (csp 1, 3) • img-src (csp 1, 2, 3) • manifest-src (csp 3) • media-src (csp 1, 2) • object-src (csp 1, 2) • script-src (csp 1, 2) • style-src (csp 1, 2) • worker-src (csp 3) FETCH DIRECTIVES
  • 32.
    META/HEADER : CONTENT-SECURITY-POLICY • *(csp 1, 2, 3) • 'self' (csp 1, 2, 3) • 'none' (csp 1, 2, 3) • uri (csp 1, 2, 3) • media1.example.com • *.cdn.example.com • protocol • https: (csp 1, 2, 3) • http: (csp 1, 2, 3) • data: (csp 1, 2, 3) • mediastream: (csp 2, 3) • blob: (csp 2, 3) • filesystem: (csp 2, 3) • unsafe-inline (csp 1, 2, 3) • unsafe-eval (csp 1, 2, 3) • 'nonce-<base64-value>' (csp 2, 3) • <hash-source> (csp 2, 3) • 'strict-dynamic' (csp 2, 3) FETCH DIRECTIVES VALUES
  • 33.
    META/HEADER : CONTENT-SECURITY-POLICY • DocumentDirectives • base-uri (csp 2, 3) • disown-opener (csp 3) • plugin-types (csp 2, 3) • sandbox (csp 1, 2, 3) • Navigation Directives • form-action (csp 2, 3) • frame-ancestors (csp 2, 3) • Directives Defined in Other Documents • block-all-mixed-content (csp 3) • require-sri-for (csp 3) • upgrade-insecure-requests (csp 3) DIRECTIVES
  • 34.
    META/HEADER: CONTENT-SECURITY-POLICY • allow-forms •allow-modals • allow-orientation-lock • allow-pointer-lock • allow-popups • allow-popups-to-escape-sandbox • allow-presentation • allow-same-origin • allow-scripts • allow-top-navigation SANDBOX VALUE
  • 35.
    HEADER: CONTENT-SECURITY-POLICY APACHE EXAMPLE #apache <IfModulemod_headers.c> Header set Content-Security-Policy “default-src ‘self’;” </IfModule>
  • 36.
  • 37.
  • 38.
    META/HEADER: CONTENT-SECURITY-POLICY EXAMPLES default-src 'self'; script-src'self'; script-src 'self' www.google-analytics.com ajax.googleapis.com; default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; default-src 'self'; img-src *; object-src media1.example.com media2.example.com *.cdn.example.com; script-src trustedscripts.example.com default-src https: 'unsafe-inline' 'unsafe-eval' default-src *; script-src https://example.com/js/;” default-src *; sandbox allow-scripts
  • 39.
    META/HEADER: CONTENT-SECURITY-POLICY EXAMPLES default-src 'self';frame-ancestors 'none' base-uri 'self' object-src 'none' plugin-types application/x-shockwave-flash plugin-types application/x-java-applet form-action 'none' default-src 'self'; require-sri-for script style block-all-mixed-content upgrade-insecure-requests; default-src https:
  • 40.
    META/HEADER : CONTENT-SECURITY-POLICY • ReportingDirectives • report-uri (CSP 1, 2, 3) • report-to (CSP 3) • Meta/Header • Content-Security-Policy-Report-Only REPORT
  • 41.
    HEADER : CONTENT-SECURITY-POLICY APACHE EXAMPLEREPORT Content-Security-Policy “default-src ‘self’; report-uri http://example.org/csp-report.php” http://evil.example.com/image.png
  • 42.
    META/HEADER : CONTENT-SECURITY-POLICY RESPONSE { “csp-report”: { “document-uri”:“http://example.org/page.html", “referrer”: “http://evil.example.com/haxor.html", “blocked-uri”: “http://evil.example.com/image.png", “violated-directive”: “default-src ‘self’”, “original-policy”: “default-src ‘self’; report-uri http://example.org/csp-report.cgi” } }
  • 43.
    CROSS-ORIGIN RESOURCE SHARING •Access-Control-Allow-Credentials • Access-Control-Allow-Headers • Access-Control-Allow-Methods • Access-Control-Allow-Origin • Access-Control-Expose-Headers • Access-Control-Max-Age • Access-Control-Request-Headers • Access-Control-Request-Method META/HEADER: ACCESS-CONTROL-*
  • 44.
    CROSS-ORIGIN RESOURCE SHARING META/HEADER:ACCESS-CONTROL-* Android Chrome Edge Firefox Internet Explorer Opera Safari Access-Control-* 2.1+ 4+ 12+ 3.5+ 10+ 12+ 4+
  • 45.
    META: ACCESS-CONTROL-* CODE <meta http-equiv="Access-Control-Allow-Origin”content="*"> <meta http-equiv="Access-Control-Allow-Origin” content="http://kuzzle.io"> <meta http-equiv="Access-Control-Allow-Credentials” content="true"> <meta http-equiv="Access-Control-Allow-Headers” content="Content-Length, X-Powered-By"> <meta http-equiv="Access-Control-Allow-Methods” content="POST, GET, OPTIONS"> <meta http-equiv="Access-Control-Expose-Headers” content="Content-Length, X-Powered-By"> <meta http-equiv="Access-Control-Max-Age” content="600"> <meta http-equiv="Access-Control-Request-Headers” content="Content-Length, X-Powered-By"> <meta http-equiv="Access-Control-Request-Methods” content="POST">
  • 46.
    HEADER: ACCESS-CONTROL-* APACHE EXAMPLE #apache <IfModulemod_headers.c> Header set Access-Control-Allow-Origin “http://kuzzle.io” Header set Access-Control-Allow-Credentials “true” Header set Access-Control-Allow-Headers “Content-Length, X-Powered-By” Header set Access-Control-Allow-Methods “POST, GET, OPTIONS” Header set Access-Control-Expose-Headers “Content-Length, X-Powered-By” Header set Access-Control-Max-Age “60” Header set Access-Control-Request-Headers “Content-Length, X-Powered-By” Header set Access-Control-Request-Methods “POST” </IfModule>
  • 47.
    HEADER: ACCESS-CONTROL-* PHP CODE <?php header(“Access-Control-Allow-Origin:http://kuzzle.io”, true); header(“Access-Control-Allow-Credentials: true”, true); header(“Access-Control-Allow-Headers: Content-Length, X-Powered-By”, true); header(“Access-Control-Allow-Methods: POST, GET, OPTIONS”, true); header(“Access-Control-Expose-Headers: Content-Length, X-Powered-By”, true); header(“Access-Control-Max-Age: 60”, true); header(“Access-Control-Request-Headers: Content-Length, X-Powered-By”, true); header(“Access-Control-Request-Methods: POST”, true);
  • 48.
    PROTECT YOUR SESSIONS •Stealing session (session cookie) is quite simple. • Use HTTPS on your server if you use sessions. • But it is not enough... PHP CONFIGURATION
  • 49.
    PROTECT YOUR SESSIONS PHPCONFIGURATION session.use_cookies “1” session.use_only_cookies “1” session.cookie_secure “1” session.cookie_httponly “1”
  • 50.
    PROTECT YOUR COOKIES •Secure • HttpOnly • SameSite SETCOOKIE Android Chrome Edge Firefox Internet Explorer Opera Safari Secure 1+ 1+ 10+ 3+ 9+ 11+ 5+ HttpOnly 1+ 1+ 10+ 3+ 9+ 11+ 5+ SameSite 51+ 51+ N/A N/A N/A 39+ N/A
  • 51.
    PROTECT YOUR COOKIES PHPCODE bool setcookie ( string $name [, string $value = "" [, int $expire = 0 [, string $path = "" [, string $domain = "" [, bool $secure = false [, bool $httponly = false ]]]]]] )
  • 52.
    PROTECT IN TRANSITDATA • Require the browser to use a site in SSL (and retains the information) HTTP STRICT TRANSPORT SECURITY Android Chrome Edge Firefox Internet Explorer Opera Safari Strict-Transport- Security 4.4+ 4+ 12+ 4+ 11+ 12+ 7+
  • 53.
    HTTP STRICT TRANSPORTSECURITY EXAMPLES Strict-Transport-Security: max-age=<expire-time> Strict-Transport-Security: max-age=<expire-time>; includeSubDomains Strict-Transport-Security: max-age=<expire-time>; preload Strict-Transport-Security: max-age=<expire-time>; includeSubDomains; preload
  • 54.
    HTTP STRICT TRANSPORTSECURITY APACHE EXAMPLE #apache <VirtualHost *:80> ServerAlias * RewriteEngine On RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [redirect=301] </VirtualHost> <VirtualHost *:443> ServerAlias * ... <IfModule mod_headers.c> Header set Strict-Transport-Security “max-age=16070400; preload" </IfModule> </VirtualHost>
  • 55.
    HTTP STRICT TRANSPORTSECURITY PHP EXAMPLE <?php // IIS defines the HTTPS protocol to be “off” for non-SSL requests if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off') { header(’Strict-Transport-Security: max-age=16070400’); } else { header('Location: https://’.$_SERVER[’HTTP_HOST'] . $_SERVER['REQUEST_URI'], true, 301); exit; }
  • 56.
    PROTECT IN TRANSITDATA • Tells a Web client to associate a specific public cryptographic public key to a Web server to reduce the risk of MITM attacks with falsified certificates. HTTP PUBLIC KEY PINNING (HPKP) Android Chrome Edge Firefox Internet Explorer Opera Safari Public-Key-Pins 38+ 38+ N/A 35+ N/A 25+ N/A Report-uri 46+ 46+ N/A N/A N/A 33+ N/A
  • 57.
    HTTP PUBLIC KEYPINNING (HPKP) EXAMPLES Public-Key-Pins: pin-sha256=<base64==>; max-age=<expireTime>; Public-Key-Pins: pin-sha256=<base64==>; max-age=<expireTime>; includeSubDomains Public-Key-Pins: pin-sha256=<base64==>; max-age=<expireTime>; report-uri=<reportURI> Public-Key-Pins-Report-Only: pin-sha256=<base64==>; max-age=<expireTime>; report- uri=<reportURI>
  • 58.
    PROTECT IMPORTED FILESINTEGRITIES • Verify extracted files are delivered without unexpected manipulation. • Uses a cryptographic hash. • <script>, <link> • Base64 of • sha256 • sha384 • sha512 SUBRESOURCE INTEGRITY
  • 59.
    SUBRESOURCE INTEGRITY EXAMPLES <script src="https://example.com/example-framework.js" integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC" crossorigin="anonymous"></script> <linkrel="stylesheet” href="https://site53.example.net/style.css" integrity="sha384-+/M6kredJcxdsqkczBUjMLvqyHb1K/JThDXWsBVxMEeZHEaMKEOEct339VItX1zB" crossorigin="anonymous"> cat example-framework.js | openssl dgst -sha384 -binary | openssl enc -base64 -A
  • 60.
    PROTECT YOUR • Allowsyou to specify when the browser will define a Referer header.no- referrer • no-referrer • no-referrer-when-downgrade • origin • origin-when-cross-origin • same-origin • strict-origin • strict-origin-when-cross-origin • unsafe-url HEADER: REFERRER-POLICY
  • 61.
    HEADER: REFERRER-POLICY COMPATIBILITY Android ChromeEdge Firefox Internet Explorer Opera Safari Referrer-Policy 56+ 56+ N/A 50+ N/A 43+ N/A same-origin N/A N/A N/A 52+ N/A N/A N/A strict-origin N/A N/A N/A 52+ N/A N/A N/A strict-origin- when-cross- origin N/A N/A N/A 52+ N/A N/A N/A
  • 62.
    ANY QUESTIONS? THANK YOU! Ifyou want to talk more, feel free to contact me. http://kuzzle.io This presentation was created using Keynote. The text is set in Oswald and Ubuntu. The source code is set in Ubuntu Mono. The iconography is provided by Keynote, kuzzle.io and Font Awesome. Unless otherwise noted, all photographs are used by permission under a Creative Commons license. Please refer to the Photo Credits slide for more information. Copyright © This work is licensed under Creative Commons Attribution-ShareAlike 4.0 International. For uses not covered under this license, please contact the author. hello@kuzzle.io @kuzzleio Kuzzle kuzzleio http://kuzzle.io Browser Serving Your Web Application Security 2014-2017 Philippe Gamache GAMACHE, Philippe. “Browser Serving Your Web Application Security” NorthEast PHP Conference. August 10, 2017. Conference presentation. pgamache@kuzzle.io @philoupedia philippegamache joind.in/talk/c5998 Please visit us at: