Policies Flashcards
What is SOP (same origin policy)?
The same-origin policy is a web browser security mechanism that aims to prevent websites from attacking each other.
The same-origin policy restricts scripts on one origin from accessing data from another origin. It applies to JavaScript reads, not to form submissions, which is why CSRF is still possible. An origin consists of a URI scheme, domain and port number.
When a browser sends an HTTP request from one origin to another, any cookies, including authentication session cookies, relevant to the other domain are also sent as part of the request. This means that the response will be generated within the user’s session, and include any relevant data that is specific to the user. Without the same-origin policy, if you visited a malicious website, it would be able to read your emails from GMail, private messages from Facebook, etc.
The same-origin policy generally controls the access that JavaScript code has to content that is loaded cross-domain.
CSRF does not violate SOP. SOP prevents the attacker from reading the cross-origin response, and CSRF does not need to read the response; the request being sent with the victim's cookies is enough.
What is CSP (content security policy), when should it be used?
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
The server sends a CSP response header that tells the browser which sources it is allowed to load and execute content from, so the browser can block injected or untrusted scripts.
Defense against XSS:
- restricts inline scripts executing
- restricting remote script execution
- restricting unsafe javascript
- restricting where HTML forms can submit data to
- restricting objects
Defense in depth
Content-Security-Policy: the enforcing header; violations are blocked (blocking mode, "fail closed").
Content-Security-Policy-Report-Only: the policy is non-blocking ("fail open") and a report is sent to the URL designated by the report-uri (or newer report-to) directive. This is often used as a precursor to deploying CSP in blocking mode ("fail closed").
CSP Directives:
Fetch directives tell the browser the locations to trust and load resources from.
Preventing framing attacks:
Content-Security-Policy: frame-ancestors 'none';
What is CORS?
Cross-origin resource sharing (CORS) is a browser mechanism which enables controlled access to resources located outside of a given domain. It extends and adds flexibility to the same-origin policy (SOP). However, it also provides potential for cross-domain attacks, if a website’s CORS policy is poorly configured and implemented. CORS is not a protection against cross-origin attacks such as cross-site request forgery (CSRF).
The same-origin policy is very restrictive and consequently various approaches have been devised to circumvent the constraints. Many websites interact with subdomains or third-party sites in a way that requires full cross-origin access. A controlled relaxation of the same-origin policy is possible using cross-origin resource sharing (CORS).
The cross-origin resource sharing protocol uses a suite of HTTP headers that define trusted web origins and associated properties such as whether authenticated access is permitted. These are combined in a header exchange between a browser and the cross-origin web site that it is trying to access.
Headers:
Access-Control-Allow-Origin - this header states that access is allowed from the requesting origin (domain)
Access-Control-Allow-Credentials - indicates whether cross-origin requests may include cookies or other credentials
What is HSTS? Why should you use it?
HTTP Strict Transport Security (also named HSTS) is an opt-in security enhancement that is specified by a web application through the use of a special response header. Once a supported browser receives this header that browser will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS.
Prevents man-in-the-middle attacks.
Header: Strict-Transport-Security
X-Frame-Options
Use Content Security Policy (CSP) frame-ancestors directive if possible.
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Sites can use this to avoid clickjacking attacks by ensuring that their content is not embedded into other sites.
X-XSS-Protection
The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome, and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.
Prefer a Content Security Policy (CSP) that disables the use of inline JavaScript instead of relying on this header.
Access-Control-Allow-Origin
If siteA requests a resource from siteB, siteB must indicate in its Access-Control-Allow-Origin response header that siteA is allowed to read that resource; if it does not, the browser blocks access to the response under the same-origin policy (SOP).