Ben Toews (Head of Application Security at GitHub) and I have been doing a round of talks discussing the state of the union in web application and browser security. There is a whole slew of new technologies and standards coming out that actually do make the web more secure. I wanted to take a second and dive into a few of the proposed and accepted standards that are helping make things better:
Forcing browsers to use SSL
Companies like Google, Facebook, and Twitter are using a technology called HTTP Strict Transport Security (HSTS) to force browsers to use SSL. For example, when a user types www.google.com into a browser, the request automatically goes over SSL, securing the session at the transport layer and helping to mitigate man-in-the-middle attacks. This is an awesome technology that is very easy to implement. Simply add the following header on the web server:
This forces the browser to only access content via SSL.
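The header the post refers to is Strict-Transport-Security (RFC 6797). As an added example that is not part of the original post, the script below parses that header the way a deployment review would: it checks that the header is present, was delivered over HTTPS (browsers ignore it on plain HTTP), has a usable max-age, and covers subdomains. The one-year max-age baseline and the sample responses are assumptions constructed for illustration, not values from the post.

```python
"""Parse and evaluate a Strict-Transport-Security (HSTS) response header.

Added example, not from the original post. The one-year max-age baseline is
a common deployment choice, not a value the post gives. The sample responses
at the bottom are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# One year in seconds. A short max-age reopens the downgrade window as soon
# as the policy expires between visits.
RECOMMENDED_MAX_AGE = 31536000


@dataclass
class HstsPolicy:
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool
    problems: List[str] = field(default_factory=list)


def parse_hsts(header_value: str) -> HstsPolicy:
    """Split the header into directives: max-age is required, the rest are flags."""
    max_age = None
    include_subdomains = preload = False
    problems: List[str] = []
    seen = set()
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:
            # RFC 6797: a directive may appear only once; repeats make the header invalid.
            problems.append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if value.isdigit():
                max_age = int(value)
            else:
                problems.append(f"max-age is not a non-negative integer: {value!r}")
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        else:
            # Browsers ignore unknown directives; report them as likely typos.
            problems.append(f"unknown directive ignored: {name}")
    if max_age is None:
        problems.append("max-age missing: browsers ignore the whole header")
    return HstsPolicy(max_age, include_subdomains, preload, problems)


def evaluate_hsts(scheme: str, headers: Dict[str, str]) -> List[str]:
    """Return review findings for one response; an empty list means the policy looks sound."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["Strict-Transport-Security absent: browser will keep following plain-HTTP links"]
    if scheme.lower() != "https":
        # The policy only takes effect when delivered over a secure connection.
        return ["header sent over plain HTTP: browsers ignore it, no policy is recorded"]
    policy = parse_hsts(value)
    findings = list(policy.problems)
    if policy.max_age == 0:
        findings.append("max-age=0 tells the browser to forget the policy (HSTS disabled)")
        return findings
    if policy.max_age is not None and policy.max_age < RECOMMENDED_MAX_AGE:
        findings.append(f"max-age {policy.max_age} is below the {RECOMMENDED_MAX_AGE}s baseline")
    if not policy.include_subdomains:
        findings.append("includeSubDomains missing: subdomains stay reachable over plain HTTP")
    return findings


# Constructed sample responses: (scheme the response arrived over, header map).
SAMPLES = {
    "good": ("https", {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}),
    "short": ("https", {"Strict-Transport-Security": "max-age=300"}),
    "disabled": ("https", {"strict-transport-security": "max-age=0"}),
    "absent": ("https", {"Content-Type": "text/html"}),
    "over_http": ("http", {"Strict-Transport-Security": "max-age=31536000"}),
}

if __name__ == "__main__":
    for label, (scheme, headers) in SAMPLES.items():
        print(f"{label:>9}: {evaluate_hsts(scheme, headers) or ['ok']}")
```

The "over_http" case is the one that trips up first deployments: the browser only records the policy once it has received the header over an HTTPS connection, so the very first visit to a bare hostname still starts on plain HTTP unless the site is on a browser preload list.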
Mitigating cross-site scripting
I’m working with Patrick Thomas on collecting a bunch of information on Content Security Policy and we will be presenting some metrics and tools on the technology at a Chicago Security Meetup in July. More details to follow!
Rendering browser content only as explicitly stated
Preventing clickjacking attacks
Clickjacking attacks take advantage of content embedded in iframes: the attacker places elements over the frame and tricks users into clicks that seem innocuous but actually perform actions on the attacker’s behalf. Companies like Google, Facebook, Twitter, PayPal, eBay, and Live.com are using the X-Frame-Options HTTP response header, which either permits or denies the rendering of a page in a frame or iframe element. Because it can stop the page from being embedded in other sites, it can prevent clickjacking attacks.
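To see how a browser actually interprets the header described above, here is an added example (not code from the original post) that evaluates the framing policy a response carries. It reads X-Frame-Options, including the cases that silently fail (missing header, two conflicting copies, an ALLOW-FROM value that not every browser supports), and goes one step beyond the post by also honoring the Content-Security-Policy frame-ancestors directive, which browsers that support it prefer over X-Frame-Options. The sample header lists and the partner.example origin are constructed placeholders.

```python
"""Evaluate the framing policy a response sends to the browser.

Added example, not from the original post. Headers are handled as a list of
(name, value) pairs so repeated headers stay visible. All sample header lists
below are constructed; partner.example is a placeholder origin.
"""
from typing import List, Optional, Tuple

Header = Tuple[str, str]


def _header_values(headers: List[Header], name: str) -> List[str]:
    """All values sent for a header name, matched case-insensitively, duplicates kept."""
    return [v.strip() for n, v in headers if n.lower() == name]


def frame_ancestors(headers: List[Header]) -> Optional[List[str]]:
    """Return the CSP frame-ancestors source list, or None if no policy sets it."""
    for policy in _header_values(headers, "content-security-policy"):
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                return tokens[1:]
    return None


def evaluate_framing(headers: List[Header]) -> dict:
    """Decide whether another origin may frame this response and report weak spots."""
    findings: List[str] = []
    ancestors = frame_ancestors(headers)
    xfo = _header_values(headers, "x-frame-options")

    if ancestors is not None:
        # CSP Level 2: when frame-ancestors is present, X-Frame-Options must be ignored.
        # An empty source list means 'none'; only 'none' and 'self' keep framing on-origin.
        allowed = any(src.lower() not in ("'none'", "'self'") for src in ancestors)
        if not xfo:
            findings.append("frame-ancestors set without X-Frame-Options: "
                            "browsers without CSP support have no framing restriction")
        return {"source": "frame-ancestors", "cross_origin_framing": allowed, "findings": findings}

    if not xfo:
        findings.append("no X-Frame-Options header: any site can frame this page")
        return {"source": None, "cross_origin_framing": True, "findings": findings}

    distinct = {v.upper() for v in xfo}
    if len(distinct) > 1:
        # Two different values cannot both be honored; browsers treat the header as invalid.
        findings.append("conflicting X-Frame-Options values: browsers treat the header as invalid")
        return {"source": "x-frame-options", "cross_origin_framing": True, "findings": findings}

    value = distinct.pop()
    if value in ("DENY", "SAMEORIGIN"):
        return {"source": "x-frame-options", "cross_origin_framing": False, "findings": findings}
    if value.startswith("ALLOW-FROM"):
        findings.append("ALLOW-FROM is not supported by all browsers; those ignore the header and allow framing")
    else:
        findings.append(f"unrecognized X-Frame-Options value {value!r}: browsers ignore it")
    return {"source": "x-frame-options", "cross_origin_framing": True, "findings": findings}


# Constructed sample responses, one header list each.
SAMPLES = {
    "deny": [("Content-Type", "text/html"), ("X-Frame-Options", "DENY")],
    "sameorigin_lower": [("x-frame-options", "sameorigin")],
    "missing": [("Content-Type", "text/html")],
    "conflicting": [("X-Frame-Options", "DENY"), ("X-Frame-Options", "SAMEORIGIN")],
    "allow_from": [("X-Frame-Options", "ALLOW-FROM https://partner.example")],
    "csp": [("X-Frame-Options", "DENY"),
            ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'self' https://partner.example")],
}

if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        result = evaluate_framing(headers)
        print(f"{label:>16}: cross-origin framing allowed={result['cross_origin_framing']} "
              f"via {result['source']} {result['findings']}")
```

The conservative default in this script is that anything a browser would ignore counts as framing allowed; that is the failure mode that matters for clickjacking, since an ignored header looks identical to a missing one from the attacker-side page.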
This is just a subset of the technologies Ben and I will be covering at our talk at http://shakacon.org/.