Daniel Gartmann

Zuhlke Engineering

Harness the power of HTTP headers to secure your web apps

Nowadays almost everyone uses a web browser daily for tasks such as reading email, browsing social networks or buying goods in online shops. Yet web developers often forget that a browser is a piece of software deliberately designed as a remote code execution engine, which is the dream spec for any attacker. This talk explains how some of the newly introduced headers (HSTS, HPKP, CSP) add an extra layer of security with little effort and help defend your web apps against common web security vulnerabilities.

Full abstract

Security flaws on websites are widespread and, depending on the nature of the site, can have severe consequences. One reason why securing web apps is challenging is that many security aspects, such as client-side security, transport security and server-side security, have to be considered during design, implementation and operation. Another fundamental problem of the web is the browser itself, which has deliberately been designed as a remote code execution engine: the dream platform for any attacker who wants, for instance, to inject malicious code by exploiting a Cross-Site Scripting (XSS) vulnerability or by mounting a man-in-the-middle attack. Since a browser executes JavaScript and HTML on the fly with 'almost' no security checks, it is important to be able to identify the origin of the content and to use the available means to restrict how the browser executes the web app. That is exactly what this talk is about. I will start with a brief overview of what is wrong with the web and especially with web browsers. Then I will explain why secure transport matters so much, point out the guarantees HTTPS provides (confidentiality, authenticity and integrity) and why there is no valid reason to keep serving a site over plain HTTP. I will show you how to get a free certificate for your website and how to test the HTTPS configuration. The main focus of the talk is the newly introduced headers: HTTP Strict Transport Security (HSTS), HTTP Public Key Pinning (HPKP) and Content Security Policy (CSP). I will explain how HSTS and HPKP harden HTTPS against various attacks, and present best practices for avoiding the common pitfalls. I will continue with CSP and its capabilities, such as preventing Cross-Site Scripting (XSS) and Clickjacking attacks.
I will also give best practices for deriving CSP policies without negative side effects on your website, and present tools that make your CSP journey as easy as pie. All of these headers offer security "for free" in the defence of your web apps, so start using them today!
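As an added example, not part of the talk or the speaker's material, the following Python audit checks a set of response headers for the HSTS, HPKP and CSP pitfalls the abstract alludes to: an HSTS max-age too short to preload or without includeSubDomains, an HPKP header without the backup pin RFC 7469 requires, and a CSP whose script sources still allow inline scripts or whole schemes, or that has no frame-ancestors (and no X-Frame-Options) to stop clickjacking. The header values are constructed for the example. One caveat the abstract predates: HPKP has since been removed from Chrome and Firefox, so the HPKP check only matters for legacy deployments, though the single-pin trap it flags remains the classic way sites locked themselves out.

```python
"""Audit an HTTP response's HSTS, HPKP and CSP headers for common pitfalls.
Added example with constructed header values; not tied to any real site."""

ONE_YEAR = 31536000  # seconds; the minimum HSTS max-age hstspreload.org accepts


def parse_directives(value):
    """Parse 'name=value; flag' headers (HSTS, HPKP) into {name: [values]}.
    Repeated directives such as pin-sha256 are collected; bare flags map to None."""
    out = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            out.setdefault(name.strip().lower(), []).append(val.strip().strip('"') or None)
    return out


def parse_csp(value):
    """Parse a CSP into {directive: [source expressions]}. A directive repeated
    within one policy is ignored after its first occurrence, as browsers do.
    Tokens are lowercased for comparison only (keyword sources are case-insensitive)."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def audit(headers):
    """Return a list of findings for a dict of response headers.
    Header names match case-insensitively; an empty list means nothing was flagged."""
    h = {name.lower(): value for name, value in headers.items()}
    findings = []

    # HSTS: without it, the first plain-HTTP request after a downgrade is attackable.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing: browsers will still follow http:// links and redirects")
    else:
        d = parse_directives(hsts)
        max_age = (d.get("max-age") or [None])[0]
        if not max_age or not max_age.isdigit() or int(max_age) == 0:
            findings.append("HSTS max-age missing or zero: the policy is not remembered")
        elif int(max_age) < ONE_YEAR:
            findings.append(f"HSTS max-age {max_age} is below one year, too short to preload")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains: subdomains remain downgradable")

    # HPKP: a single pin is the classic self-inflicted outage; RFC 7469 demands a backup pin.
    hpkp = h.get("public-key-pins")
    if hpkp is not None:
        d = parse_directives(hpkp)
        pins = [p for p in d.get("pin-sha256", []) if p]
        if len(pins) < 2:
            findings.append("HPKP has fewer than two pins: RFC 7469 requires a backup pin")
        if not (d.get("max-age") or [None])[0]:
            findings.append("HPKP max-age missing: the header is ignored")

    # CSP: script sources decide whether an XSS payload can run at all.
    csp = h.get("content-security-policy")
    policy = parse_csp(csp) if csp is not None else {}
    if csp is None:
        findings.append("CSP missing: no restriction on script execution or framing")
    else:
        scripts = policy.get("script-src", policy.get("default-src"))  # script-src falls back to default-src
        if scripts is None:
            findings.append("CSP has neither script-src nor default-src: scripts may load from anywhere")
        else:
            nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in scripts)
            if "'unsafe-inline'" in scripts and not nonce_or_hash:  # a nonce/hash makes browsers ignore it
                findings.append("CSP allows 'unsafe-inline' scripts: inline XSS payloads will execute")
            if "'unsafe-eval'" in scripts:
                findings.append("CSP allows 'unsafe-eval': eval()-style sinks remain usable")
            if "'strict-dynamic'" not in scripts:  # with 'strict-dynamic', host and scheme sources are ignored
                for wide in ("*", "http:", "https:", "data:"):
                    if wide in scripts:
                        findings.append(f"CSP script source {wide} allows scripts from any matching origin")
    # frame-ancestors does not fall back to default-src; X-Frame-Options is the legacy alternative.
    if "frame-ancestors" not in policy and "x-frame-options" not in h:
        findings.append("No frame-ancestors or X-Frame-Options: the page can be framed (clickjacking)")
    return findings


# Constructed sample responses (not captured from any real site).
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=86400",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' https:",
}
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m' 'strict-dynamic'; "
                               "object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
}
ONE_PIN_HEADERS = {  # hypothetical pin value, 43 base64 chars plus padding
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Public-Key-Pins": 'pin-sha256="' + "A" * 43 + '="; max-age=5184000',
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS), ("one pin", ONE_PIN_HEADERS)):
        print(label, audit(hdrs) or ["no findings"])
```

Run it against the headers your own server returns (for example, the output of `curl -sI https://example.org`) once you have turned them into a dict; the nonce handling in the CSP check matters in practice, because a policy that carries both 'unsafe-inline' and a nonce is the recommended backwards-compatible form, not a weakness.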