
Simple ways to improve the security of a web app - mdirolf
http://blog.fiesta.cc/post/13896457582/three-simple-ways-to-improve-the-security-of-your-web
======
mike-cardwell
Your Strict-Transport-Security definition is missing the "includeSubDomains"
flag. STS is a lot more effective if you use that flag.

You should discuss how X-Frame-Options prevents sites from legitimately loading
your pages inside frames too. I believe Reddit does this amongst others in
order to display a small control panel at the top of the page. X-Frame-Options
is appropriate for many sites, but perhaps not for blogs.

You should talk about how CSP prevents most bookmarklets from working, for
example Readability and Instapaper. I really like CSP, but people should be
made aware of this.

~~~
mdirolf
Yeah, I decided not to get into all of the options of each header. Partially
because I was writing from a plane without wifi and partially because the
response I was hoping for was "these things exist - I'll go read the docs on
them".

That said, your points about X-Frame-Options and CSP are definitely important
for usability. Maybe I'll update the post w/ some of those details.

------
alexchamberlain
I wasn't expecting much from yet another "How to secure your website..."
article, but those headers are completely new to me.

------
rwolf
I came in swinging to tear apart yet another oblivious security article, but
you actually taught me something.

Looking up X-Frame-Options and X-Content-Security-Policy now--thanks!

~~~
mdirolf
Glad you enjoyed it.

~~~
alpb
Learned a lot for my next startup. Thanks a lot for this post. I really
appreciate it.

------
cmer
This is one of the best articles I've seen in a long time! Great job Mike and
best of luck with your new startup!

~~~
mdirolf
Thanks!

------
noblethrasher
It's articles like this that make me doubt that I've "probably read
enough"[1].

[1] <http://news.ycombinator.com/item?id=3326210>

------
dtwwtd
Chrome 15+ supports CSP. In 15 it uses an old syntax I believe but if you use
16+ then you should be able to use the same headers as in Firefox.

I didn't realize FF had CSP working as well. Thanks!

~~~
mdirolf
Good to know - thanks. More support is better, but the thing I really like
about CSP is how it is still useful as a canary even with only partial browser
support.

------
david_a_r_kemp
I may be going over old ground, but don't the CSP violation reports (see
<https://developer.mozilla.org/en/Security/CSP/Using_CSP_violation_reports>)
open up another attack vector?

I know people who actually implement this are going to have their heads
screwed on around the right way, but having a page where you know you can
generate server processing, and that is potentially not going to have much
security around it screams out to me to be a good place to start an attack
from.

Especially as the spec is a bit vague about exactly what happens (when no
header is specified, for example, or whether cookies or any other information
are included). Also, fiesta.cc's CSP Report URI returns a response that says to
keep the connection open.

And, if you manage to get a script injected to a popular page, the site itself
acts as a distribution system to enable distribution to multiple users.

Something about this says it's not been thoroughly thought through to me.

~~~
mike-cardwell
On that page you'll notice it mentions "request-headers". That was in FF4 and
FF5, but was removed in FF6 because of something I reported.

The headers sent in the report included "Proxy-Authorization", so it was
possible to steal web proxy credentials by forcing a policy violation on your
site. Chrome's implementation didn't include the headers from the start. For
more info:

<https://grepular.com/Mozilla_Security_Bug_Reveals_Web_Proxy_Credentials>

And the original report (which was recently "unclassified"):

<https://bugzilla.mozilla.org/show_bug.cgi?id=664983>
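A defensive report-uri handler in the spirit of the two comments above (an added example, not code from the post or from fiesta.cc): it caps the report size, keeps only the documented csp-report fields, drops any echoed request-headers field such as the one that carried Proxy-Authorization in Firefox 4/5, and limits reports per document so an injected script on one popular page cannot turn every visitor into a flood source. The sample reports are constructed, and the allowed-field list and caps are assumptions.

```python
import json
from collections import Counter

# Constructed sample reports (not from the page): a normal report and an
# old Firefox 4/5-style report that echoed the request headers.
SAMPLE_OK = json.dumps({"csp-report": {
    "document-uri": "https://example.test/page",
    "violated-directive": "script-src 'self'",
    "blocked-uri": "https://third-party.test/x.js"}})
SAMPLE_LEAKY = json.dumps({"csp-report": {
    "document-uri": "https://example.test/page",
    "violated-directive": "script-src 'self'",
    "blocked-uri": "https://third-party.test/x.js",
    "request-headers": "Proxy-Authorization: Basic Zm9vOmJhcg==\r\nCookie: s=1"}})

MAX_REPORT_BYTES = 4096          # assumed cap: a real report is well under this
ALLOWED_FIELDS = {"document-uri", "referrer", "violated-directive",
                  "blocked-uri", "original-policy", "source-file",
                  "line-number"}  # assumed whitelist of documented fields


def sanitize_csp_report(body, max_bytes=MAX_REPORT_BYTES):
    """Return (record, dropped): record holds only whitelisted fields
    (truncated), dropped lists rejected keys or the reason for rejection."""
    if len(body) > max_bytes:
        return None, ["oversized"]
    try:
        report = json.loads(body).get("csp-report")
    except (ValueError, AttributeError):   # not JSON, or not a JSON object
        return None, ["malformed"]
    if not isinstance(report, dict):
        return None, ["malformed"]
    # Anything outside the whitelist (e.g. request-headers) never reaches logs.
    dropped = sorted(k for k in report if k not in ALLOWED_FIELDS)
    record = {k: str(report[k])[:512] for k in report if k in ALLOWED_FIELDS}
    return record, dropped


class ReportLimiter:
    """Per-document cap: once a page has produced `cap` reports, further ones
    are discarded instead of costing server processing."""

    def __init__(self, cap=100):
        self.cap = cap
        self.seen = Counter()

    def accept(self, record):
        key = record.get("document-uri", "")
        self.seen[key] += 1
        return self.seen[key] <= self.cap
```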

------
ajtaylor
I had never heard of these HTTP headers before. Thank you for the pointers.

~~~
mdirolf
No problem - I definitely recommend reading the linked Mozilla docs on them.

------
CaveTech
Now if only we could combine this with improving the reliability of a web app.

From the comments it sounds like a great article, but I've been trying to read
this for about 8 hours now with no luck.

~~~
mdirolf
Sorry about that - we use Tumblr to host the blog and have had some issues
before. I just converted to a pastebin for you, unfortunately didn't think to
include any of the comments but here you go: <http://pastebin.com/yHw7L0Fy>

~~~
CaveTech
Thanks!

------
makmanalp
<http://www.theregister.co.uk/2011/06/21/startssl_security_breach/>

Yeah, fuck that. Like hell am I going to use a free CA as suggested. They have
no incentive to keep things secure or in working order at all.

Great article otherwise though!

~~~
icehawk
That doesn't really follow.

"The hackers behind the attack on StartCom failed to obtain any certificates
that would allow them to spoof websites in a similar fashion, and they were
also unsuccessful in generating an intermediate certificate that would allow
them to act as their own certificate authority, Nigg said in an email."

As opposed to the Comodo breach where the attackers successfully managed to
get fake certificates for several high-profile sites.

