Headers and Cookies
Who Am I?
Robin Wood
https://digi.ninja
@digininja

Background
• Started work as a desktop app developer in 1996
• Moved to web apps in 2003
• Moved to security testing in 2009
• Freelance tester and consultant
• Still do bits of web dev on the side
• Published over 50 security tools
HTTP Headers

Main Headers
• X-Content-Type-Options
• X-Frame-Options
• X-XSS-Protection
• Referrer-Policy
• Strict-Transport-Security
• Content-Security-Policy
• Public-Key-Pins
• Expect-CT

X-Content-Type-Options
Prevents a browser from trying to guess (sniff) the file type of content
Protects against download attacks where the browser makes bad choices about how to handle a file
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options

X-Content-Type-Options
No header – browser can sniff
One option:
• nosniff – honour the type specified*
* Recommended

X-Content-Type-Options
Example header:
x-content-type-options: nosniff

X-Frame-Options
Specifies how a site can (or cannot) be used in frames and iframes
Protects against Clickjacking*
Demo https://vuln-demo.com/clickjack/
* https://www.owasp.org/index.php/Clickjacking

X-Frame-Options
No header – any site can frame this one
Three options:
• ALLOW-FROM – specify domains which can frame this one
• SAMEORIGIN – this site can frame itself
• DENY – nothing can frame this site*
* Recommended

X-Frame-Options
Example headers:
x-frame-options: sameorigin
x-frame-options: deny

X-XSS-Protection
Enables or disables a browser's built-in Cross-Site Scripting protections
Affects Chrome and IE/Edge
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection

X-XSS-Protection
No header – default browser behaviour
Four options:
• 0 – disable protections
• 1 – enable protections and sanitize output
• 1; report=<reporting-uri>*
• 1; mode=block – enable protections and block malicious content*
* Recommended

X-XSS-Protection
Example headers:
x-xss-protection: 0
x-xss-protection: 1; mode=block

Referrer-Policy
Newest header on the block
Specifies when a browser should send the Referer header
Useful when you have sensitive data in query strings
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy

Referrer-Policy
No header – default browser behaviour, usually just pass the header
Eight options:
• no-referrer
• no-referrer-when-downgrade
• origin
• origin-when-cross-origin
• same-origin
• strict-origin
• strict-origin-when-cross-origin*
• unsafe-url
* Recommended
https://www.w3.org/TR/referrer-policy/

Referrer-Policy
Example headers:
referrer-policy: strict-origin-when-cross-origin
referrer-policy: origin

Referrer-Policy
Can break tracking/logging software
Obviously breaks referral programs if not done right

Strict-Transport-Security
Also known as HSTS
Enforces HTTPS on all requests
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/strict-transport-security

Strict-Transport-Security
No header – traffic can use HTTP or HTTPS
Three options:
• max-age=<expire-time>
• max-age=<expire-time>; includeSubDomains*
• max-age=<expire-time>; preload
* Recommended

Strict-Transport-Security
Example headers:
strict-transport-security: max-age=31536000; includeSubDomains
strict-transport-security: max-age=0;

Strict-Transport-Security
Site still vulnerable on the first load, before the browser has seen the header
Can be mitigated with preloading
Submit at https://hstspreload.org/
https://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json

Content-Security-Policy
Hardest one on the list to implement
Locks down which resources a site can load, and how, by whitelisting them
Two modes: enforced and report-only

Content-Security-Policy
Mozilla scrapes Google's HSTS preload list for Firefox
https://blog.mozilla.org/security/2012/11/01/preloading-hsts/
Mozilla’s Guide
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
Publisher's Guide
https://content-security-policy.com/

Content-Security-Policy
Example headers:
Content-Security-Policy: default-src https:
Content-Security-Policy: default-src site.com
Content-Security-Policy: default-src https://site.com

Content-Security-Policy
Example header:
Content-Security-Policy: default-src 'none'; script-src https://site.com; style-src https://site.com https://image.site.com

Content-Security-Policy
• child-src
• connect-src
• default-src
• font-src
• form-action
• frame-ancestors
• frame-src*
• img-src
• media-src
• object-src
• plugin-types
• report-uri
• sandbox
• script-src
• style-src
* frame-src is deprecated, use child-src

Content-Security-Policy
Reporting of failures can be done by adding the following to the header:
report-uri https://report-uri.com
e.g.
Content-Security-Policy: default-src https://site.com; report-uri https://report-uri.com/
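To make the policies on the previous slides concrete, here is an added example (not the deck's own code) that parses a CSP header and decides whether a resource load is allowed: it applies the default-src fallback, the child-src fallback for frames noted above, and matches scheme-sources such as https:, bare hosts such as site.com and full origins such as https://site.com. Path matching and nonces/hashes are left out; the page origin passed in is an assumption used for 'self' and bare-host matching.

```python
from urllib.parse import urlsplit

# Fetch directives that fall back to default-src when they are absent.
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "font-src", "media-src",
                    "object-src", "connect-src", "child-src", "frame-src"}
DEFAULT_PORTS = {"https": 443, "http": 80}


def parse_csp(header):
    """Split 'default-src https:; script-src a b' into {'default-src': ['https:'], ...}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def governing_sources(policy, directive):
    """Pick the source list that applies, or None when nothing restricts the load."""
    if directive in policy:
        return policy[directive]
    if directive == "frame-src" and "child-src" in policy:  # deck: frame-src deprecated, use child-src
        return policy["child-src"]
    if directive in FETCH_DIRECTIVES:
        return policy.get("default-src")
    return None  # frame-ancestors, form-action etc. never fall back to default-src


def source_allows(source, url, page_origin):
    """Match one source expression against the URL of a resource the page wants to load."""
    source = source.lower()
    if source == "'none'":
        return False
    if source == "*":
        return True
    u = urlsplit(url)
    hostname = u.hostname or ""
    if source == "'self'":
        p = urlsplit(page_origin)
        return (u.scheme, u.netloc) == (p.scheme, p.netloc)
    if source.startswith("'"):  # 'unsafe-inline', nonces and hashes do not match fetched URLs
        return False
    if source.endswith(":") and "/" not in source:  # scheme-source such as https:
        return u.scheme == source[:-1]
    # host-source: [scheme://]host[:port][/path]; the path part is ignored here
    scheme, _, rest = source.rpartition("://")
    host, _, port = rest.split("/", 1)[0].partition(":")
    if scheme and scheme != u.scheme:
        return False
    if not scheme and u.scheme not in ("https", urlsplit(page_origin).scheme):
        return False  # a bare host like site.com never allows a downgrade to http
    if port and port != "*" and port != str(u.port or DEFAULT_PORTS.get(u.scheme, "")):
        return False
    if host.startswith("*."):
        return hostname.endswith(host[1:]) and hostname != host[2:]
    return hostname == host


def csp_allows(header, directive, url, page_origin):
    """True if the policy lets the page at page_origin load url under the given directive."""
    sources = governing_sources(parse_csp(header), directive)
    if sources is None:
        return True
    return any(source_allows(s, url, page_origin) for s in sources)


if __name__ == "__main__":
    policy = "default-src 'none'; script-src https://site.com; style-src https://site.com https://image.site.com"
    print(csp_allows(policy, "style-src", "https://image.site.com/s.css", "https://site.com"))  # True
    print(csp_allows(policy, "img-src", "https://site.com/logo.png", "https://site.com"))      # False
```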
![Page 31: Headers and Cookies - digi.ninja · Main Headers • X-Content-Type-Options • X-Frame-Options • X-XSS-Protection • Referrer-Policy • Strict-Transport-Security • Content-Security-Policy](https://reader034.fdocuments.net/reader034/viewer/2022052100/6039d78e1694c628536e6e11/html5/thumbnails/31.jpg)
https://digi.ninjahttps://digi.ninja

Content-Security-Policy
Strongly recommend setting up an account with Report URI and sending reports there
https://report-uri.com/
Just remember to monitor them!
![Page 32: Headers and Cookies - digi.ninja · Main Headers • X-Content-Type-Options • X-Frame-Options • X-XSS-Protection • Referrer-Policy • Strict-Transport-Security • Content-Security-Policy](https://reader034.fdocuments.net/reader034/viewer/2022052100/6039d78e1694c628536e6e11/html5/thumbnails/32.jpg)
https://digi.ninjahttps://digi.ninja
Content-Security-Policy
![Page 33: Headers and Cookies - digi.ninja · Main Headers • X-Content-Type-Options • X-Frame-Options • X-XSS-Protection • Referrer-Policy • Strict-Transport-Security • Content-Security-Policy](https://reader034.fdocuments.net/reader034/viewer/2022052100/6039d78e1694c628536e6e11/html5/thumbnails/33.jpg)
https://digi.ninjahttps://digi.ninja

Public Key Pinning
Short version – Specify in a header which CAs can sign your certificates
Longer version is a bit more complicated than that
https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning
![Page 34: Headers and Cookies - digi.ninja · Main Headers • X-Content-Type-Options • X-Frame-Options • X-XSS-Protection • Referrer-Policy • Strict-Transport-Security • Content-Security-Policy](https://reader034.fdocuments.net/reader034/viewer/2022052100/6039d78e1694c628536e6e11/html5/thumbnails/34.jpg)
https://digi.ninjahttps://digi.ninja
Public Key Pinning
Current advice – Don’t do it!
![Page 35: Headers and Cookies - digi.ninja · Main Headers • X-Content-Type-Options • X-Frame-Options • X-XSS-Protection • Referrer-Policy • Strict-Transport-Security • Content-Security-Policy](https://reader034.fdocuments.net/reader034/viewer/2022052100/6039d78e1694c628536e6e11/html5/thumbnails/35.jpg)
https://digi.ninjahttps://digi.ninja
Public Key Pinning
Deprecated by Google in Chrome 67
https://www.theregister.co.uk/2017/10/30/google_hpkp/
![Page 36: Headers and Cookies - digi.ninja · Main Headers • X-Content-Type-Options • X-Frame-Options • X-XSS-Protection • Referrer-Policy • Strict-Transport-Security • Content-Security-Policy](https://reader034.fdocuments.net/reader034/viewer/2022052100/6039d78e1694c628536e6e11/html5/thumbnails/36.jpg)
https://digi.ninjahttps://digi.ninja
Public Key Pinning
PKP Suicide
https://www.smashingmagazine.com/be-afraid-of-public-key-pinning/
![Page 37: Headers and Cookies - digi.ninja · Main Headers • X-Content-Type-Options • X-Frame-Options • X-XSS-Protection • Referrer-Policy • Strict-Transport-Security • Content-Security-Policy](https://reader034.fdocuments.net/reader034/viewer/2022052100/6039d78e1694c628536e6e11/html5/thumbnails/37.jpg)
https://digi.ninjahttps://digi.ninja
Public Key Pinning
Replaced by…
![Page 38: Headers and Cookies - digi.ninja · Main Headers • X-Content-Type-Options • X-Frame-Options • X-XSS-Protection • Referrer-Policy • Strict-Transport-Security • Content-Security-Policy](https://reader034.fdocuments.net/reader034/viewer/2022052100/6039d78e1694c628536e6e11/html5/thumbnails/38.jpg)
https://digi.ninjahttps://digi.ninja

Expect-CT
Replaces Key Pinning
Tells the browser to only accept a certificate if there is an entry for it in the Certificate Transparency logs
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT
![Page 39: Headers and Cookies - digi.ninja · Main Headers • X-Content-Type-Options • X-Frame-Options • X-XSS-Protection • Referrer-Policy • Strict-Transport-Security • Content-Security-Policy](https://reader034.fdocuments.net/reader034/viewer/2022052100/6039d78e1694c628536e6e11/html5/thumbnails/39.jpg)
https://digi.ninjahttps://digi.ninja

Expect-CT
No header – browser dependent
Three options:
• enforce – Only accept the cert if CT found
• max-age – The number of seconds to honour the header
• report-uri – URI to report failures to
![Page 40: Headers and Cookies - digi.ninja · Main Headers • X-Content-Type-Options • X-Frame-Options • X-XSS-Protection • Referrer-Policy • Strict-Transport-Security • Content-Security-Policy](https://reader034.fdocuments.net/reader034/viewer/2022052100/6039d78e1694c628536e6e11/html5/thumbnails/40.jpg)
https://digi.ninjahttps://digi.ninja

Expect-CT
Example headers:
Expect-CT: max-age=0, report-uri="<report URI>"
Expect-CT: enforce, max-age=60, report-uri="<report URI>"
![Page 41: Headers and Cookies - digi.ninja · Main Headers • X-Content-Type-Options • X-Frame-Options • X-XSS-Protection • Referrer-Policy • Strict-Transport-Security • Content-Security-Policy](https://reader034.fdocuments.net/reader034/viewer/2022052100/6039d78e1694c628536e6e11/html5/thumbnails/41.jpg)
https://digi.ninjahttps://digi.ninja

Expect-CT
Check CT logs here
https://crt.sh
Facebook monitoring
https://www.facebook.com/notes/protect-the-graph/introducing-our-certificate-transparency-monitoring-tool/1811919779048165/
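As an added example (not the deck's code), the following audit checks a captured set of response headers against the recommendations on the preceding slides: nosniff, DENY/SAMEORIGIN, 1; mode=block, strict-origin-when-cross-origin, an HSTS max-age with includeSubDomains, an enforced (not report-only) CSP, and no HPKP header. The sample headers are constructed for the demonstration and the finding strings are this example's own.

```python
import re

# Constructed sample response headers; not captured from any real site.
# Names are lower-cased because HTTP header names are case-insensitive.
SAMPLE_HEADERS = {
    "content-type": "text/html; charset=utf-8",
    "x-frame-options": "ALLOW-FROM https://partner.example",
    "x-xss-protection": "0",
    "strict-transport-security": "max-age=0;",
    "content-security-policy-report-only": "default-src https:",
    "public-key-pins": 'pin-sha256="PLACEHOLDER-PIN"; max-age=5184000',
}

# Accepted values per header; the first entry is the value the deck recommends.
ACCEPTED = {
    "x-content-type-options": ("nosniff",),
    "x-frame-options": ("deny", "sameorigin"),
    "x-xss-protection": ("1; mode=block",),
    "referrer-policy": ("strict-origin-when-cross-origin",),
}


def _norm(value):
    """Lower-case and drop whitespace so '1;mode=block' equals '1; mode=block'."""
    return re.sub(r"\s+", "", value).lower()


def hsts_findings(value):
    """Check the two HSTS directives the deck covers: max-age and includeSubDomains."""
    findings = []
    directives = [d.strip() for d in value.split(";") if d.strip()]
    max_age = None
    for d in directives:
        m = re.fullmatch(r"max-age=(\d+)", d, re.IGNORECASE)
        if m:
            max_age = int(m.group(1))
    if max_age is None:
        findings.append("strict-transport-security: no max-age, browsers ignore the header")
    elif max_age == 0:
        findings.append("strict-transport-security: max-age=0 clears the HSTS entry")
    if not any(d.lower() == "includesubdomains" for d in directives):
        findings.append("strict-transport-security: includeSubDomains not set")
    return findings


def audit_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, accepted in ACCEPTED.items():
        got = h.get(name)
        if got is None:
            findings.append(f"{name}: missing (recommended: {accepted[0]})")
        elif _norm(got) not in {_norm(a) for a in accepted}:
            findings.append(f"{name}: '{got}' (recommended: {accepted[0]})")
    if "strict-transport-security" in h:
        findings.extend(hsts_findings(h["strict-transport-security"]))
    else:
        findings.append("strict-transport-security: missing, HTTP and HTTPS both allowed")
    if "content-security-policy" not in h:
        if "content-security-policy-report-only" in h:
            findings.append("content-security-policy: report-only, violations reported but not blocked")
        else:
            findings.append("content-security-policy: missing")
    if "public-key-pins" in h:
        findings.append("public-key-pins: HPKP is deprecated and should be removed")
    return findings


if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS):
        print(finding)
```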
Cookies

The Flags
• Secure
• HttpOnly
• SameSite

Secure
Ensures the cookie is only sent over HTTPS
Stops cookies being sniffed while in transit
Should be set on all session cookies
https://www.owasp.org/index.php/SecureFlag

Secure
Not needed if no HTTP:// site exists? It still is: a browser can be made to request
http://site.com:443/page
and without the flag the cookie goes over that plain-HTTP request in the clear

HttpOnly
Prevents JavaScript from accessing the cookie
Blocks session hijacking through cookie theft
Should be set on all session cookies
https://www.owasp.org/index.php/HttpOnly

SameSite
New flag from around November 2017
Chrome 62 onwards, Firefox 59 onwards
Not in IE, Edge or Safari
https://www.owasp.org/index.php/SameSite

SameSite
Cookie only sent with a request if the request comes from the same site
Designed to prevent Cross-Site Request Forgery (CSRF) attacks

SameSite
No flag – no restriction on when the cookie is sent
Two options:
• strict – never send the cookie unless the request originates from the same site
• lax – send the cookie on cross-site requests only for "safe" methods (GET, HEAD, OPTIONS, TRACE)*
* Recommended
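The three flags above, as an added example that is not part of the deck: a small Set-Cookie parser, an audit that reports which of Secure, HttpOnly and SameSite a cookie lacks, and a model of when a browser attaches the cookie, which is where the CSRF protection of lax and strict becomes visible. The sample cookies are constructed; the model follows the deck's description of lax and additionally requires a top-level navigation, which browsers also check.

```python
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attribute: value}); flags get ''."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_cookie(header):
    """Findings for one Set-Cookie header against the three flags the deck covers."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: Secure not set, cookie can travel over plain HTTP")
    if "httponly" not in attrs:
        findings.append(f"{name}: HttpOnly not set, JavaScript can read the cookie")
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        findings.append(f"{name}: SameSite not set, cookie is sent on cross-site requests")
    elif samesite not in ("strict", "lax"):
        findings.append(f"{name}: SameSite={attrs['samesite']} is neither strict nor lax")
    return findings


def browser_would_send(header, scheme, cross_site, method, top_level=True):
    """Model whether a browser attaches this cookie to a request.

    cross_site is True when another site triggered the request; top_level is
    True for a navigation (link click, form submit) rather than a sub-resource
    fetch. Lax cookies go on cross-site requests only for a top-level
    navigation using one of the safe methods listed in the deck.
    """
    _, _, attrs = parse_set_cookie(header)
    if "secure" in attrs and scheme != "https":
        return False
    samesite = attrs.get("samesite", "").lower()
    if not cross_site or samesite not in ("strict", "lax"):
        return True
    if samesite == "strict":
        return False
    return top_level and method.upper() in SAFE_METHODS


# Constructed examples, not taken from any real application.
WEAK = "sessionid=abc123; Path=/"
HARDENED = "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"

if __name__ == "__main__":
    for finding in audit_cookie(WEAK):
        print(finding)
    # A cross-site POST (the classic CSRF shape) does not carry the hardened cookie.
    print(browser_would_send(HARDENED, "https", cross_site=True, method="POST"))  # False
```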
Any Questions?
Robin Wood
https://digi.ninja
@digininja