Protecting Java EE Web Apps with Secure HTTP Headers


  • 7/27/2019 Protec'ng Java EE Web Apps with Secure HTTP Headers

    1/46

    Protecting Java EE Web Apps

    with Secure HTTP Headers

    +,-,?=

    ?

  • 7/27/2019 Protec'ng Java EE Web Apps with Secure HTTP Headers

    2/46

    About

    Frank Kim. Consultant, ThinkSec. Author, SANS Secure Coding in Java. SANS Application Security Curriculum Lead

    Shout out: Thanks to Jason Lam who co-authored these slides

    =

  • 7/27/2019 Protec'ng Java EE Web Apps with Secure HTTP Headers

    3/46

    Java

  • 7/27/2019 Protec'ng Java EE Web Apps with Secure HTTP Headers

    4/46

  • 7/27/2019 Protec'ng Java EE Web Apps with Secure HTTP Headers

    5/46

    Cross-Site Scripting (XSS)

  • 7/27/2019 Protec'ng Java EE Web Apps with Secure HTTP Headers

    6/46

    XSS Demo

    X

  • 7/27/2019 Protec'ng Java EE Web Apps with Secure HTTP Headers

    7/46

    9Y2

  • 7/27/2019 Protec'ng Java EE Web Apps with Secure HTTP Headers

    8/46

    X-XSS-Protection

    Blocks common reflected XSS. Enabled by default in IE, Safari, Chrome. Not supported by Firefox

    Bug 528661 open to address X-XSS-Protection: 1

    Browser modifies the response to block XSS

    X-XSS-Protection: 0 — Disables the XSS filter

    X-XSS-Protection: 1; mode=block — Prevents rendering of the page entirely

    `

  • 7/27/2019 Protec'ng Java EE Web Apps with Secure HTTP Headers

    9/46

    Java Code

    X-XSS-Protection: 1 — response.addHeader("X-XSS-Protection", "1");

    X-XSS-Protection: 0 — response.addHeader("X-XSS-Protection", "0"); X-XSS-Protection: 1; mode=block — response.addHeader("X-XSS-Protection", "1; mode=block");

    d

  • 7/27/2019 Protec'ng Java EE Web Apps with Secure HTTP Headers

    10/46

    X-XSS-Protection Demo

    ?>

  • 7/27/2019 Protec'ng Java EE Web Apps with Secure HTTP Headers

    11/46

    D#($%($ 7%&8"5$H !#E5&H

    Helps mitigate reflected XSS

  • 7/27/2019 Protec'ng Java EE Web Apps with Secure HTTP Headers

    12/46

    CSP Requirements

    G# 5(E5(% 3&"52$3D,(i$ 28$ % 5( 0E#&A3

    Can't do inline event handlers like

    No inline styles. Can't write styles inline

    ?=

  • 7/27/2019 Protec'ng Java EE Web Apps with Secure HTTP Headers

    13/46

    CSP Directives

    default-src script-src object-src style-src img-src media-src frame-src font-src connect-src

    ?L

  • 7/27/2019 Protec'ng Java EE Web Apps with Secure HTTP Headers

    14/46

    CSP Examples 1)

  • 7/27/2019 Protec'ng Java EE Web Apps with Secure HTTP Headers

    15/46

    Report

  • 7/27/2019 Protec'ng Java EE Web Apps with Secure HTTP Headers

    16/46

    D#($%($ 7%&8"5$H !#E5&H U%C#

    ?X

  • 7/27/2019 Protec'ng Java EE Web Apps with Secure HTTP Headers

    17/46

  • 7/27/2019 Protec'ng Java EE Web Apps with Secure HTTP Headers

    18/46

    Session Hijacking

    Public WiFi

    Network

    mybank.com

    Victim

    Attacker

    Internet

    1. Victim goes to mybank.com via HTTP

    ?`

  • 7/27/2019 Protec'ng Java EE Web Apps with Secure HTTP Headers

    19/46

    Session Hijacking

    Public WiFi

    Network

    mybank.com

    Victim

    Attacker

    Internet

    2. Attacker sniffs public WiFi network and

    steals the JSESSIONID

    ?d

  • 7/27/2019 Protec'ng Java EE Web Apps with Secure HTTP Headers

    20/46

    Session Hijacking

    Public WiFi

    Network

    mybank.com

    Victim

    Attacker

    Internet

    3. Attacker uses the stolen JSESSIONID

    to access the victim's session

    =>

  • 7/27/2019 Protec'ng Java EE Web Apps with Secure HTTP Headers

    21/46

    Secure Flag

    .(38"%3 $6,$ $6% D##A5% 53 #(EH 3%($ -5, 77I D#(])8"% 5( 4%0Z^CE ,3 #S 7%"-E%$ LZ>

    true

    Programmatically: Cookie cookie = new Cookie("mycookie", "test");

    cookie.setSecure(true);

    =?

  • 7/27/2019 Protec'ng Java EE Web Apps with Secure HTTP Headers

    22/46

    Strict-Transport-Security

    Tells browser to only talk to the server via HTTPS. First time your site is accessed via HTTPS [unreadable token "Pro"] the header is used, the browser stores the certificate info

    Subsequent requests to HTTP automatically use HTTPS. Supported browsers

    Implemented in Firefox and Chrome

    Currently an IETF draft. Strict-Transport-Security: max-age=seconds

    [; includeSubdomains]

    ==

  • 7/27/2019 Protec'ng Java EE Web Apps with Secure HTTP Headers

    23/46

  • 7/27/2019 Protec'ng Java EE Web Apps with Secure HTTP Headers

    24/46

    Clickjacking

    Tricks the user into clicking a hidden button. User has no idea the button was clicked

    Works by concealing the target site. Victim site placed in an invisible iframe. Attacker site overlays the victim site

    Image source: http://seclab.stanford.edu/websec/framebusting/framebust.pdf

  • 7/27/2019 Protec'ng Java EE Web Apps with Secure HTTP Headers

    25/46

    Clickjacking Demo

    =W

  • 7/27/2019 Protec'ng Java EE Web Apps with Secure HTTP Headers

    26/46

    Clickjacking Code

    Put the victim in an invisible iframe

    =X

  • 7/27/2019 Protec'ng Java EE Web Apps with Secure HTTP Headers

    27/46

    Adobe Flash Example

    Clickjacking discovered by Jeremiah Grossman, Robert "Rsnake" Hansen

    Showed how to use Flash to spy on users. Use Clickjacking to trick users into enabling the

    mic and camera via Flash

    =\

  • 7/27/2019 Protec'ng Java EE Web Apps with Secure HTTP Headers

    28/46

    Facebook Example

    The "best passport application rejection in history" became popular on Facebook

    =`

  • 7/27/2019 Protec'ng Java EE Web Apps with Secure HTTP Headers

    29/46

    Facebook Like Code

    Source: https://isc.sans.edu/diary.html?storyid=8893

  • 7/27/2019 Protec'ng Java EE Web Apps with Secure HTTP Headers

    30/46

    Facebook Like Code

    Source: https://isc.sans.edu/diary.html?storyid=8893

  • 7/27/2019 Protec'ng Java EE Web Apps with Secure HTTP Headers

    31/46

    Facebook Like Code

    Source: https://isc.sans.edu/diary.html?storyid=8893

  • 7/27/2019 Protec'ng Java EE Web Apps with Secure HTTP Headers

    32/46

    Facebook Like Code

    Source: https://isc.sans.edu/diary.html?storyid=8893

  • 7/27/2019 Protec'ng Java EE Web Apps with Secure HTTP Headers

    33/46

    Like Button Demo

    LL

  • 7/27/2019 Protec'ng Java EE Web Apps with Secure HTTP Headers

    34/46

    Like Button Code

    var like = document.createElement('iframe');

    ...

    // Slide excerpt (Like Button Code): keeps the `like` iframe created earlier
    // on the slide positioned next to the mouse pointer, which is how the
    // "Like button moves with cursor" demo works. `IE`, `like`, `tempX` and
    // `tempY` are globals defined outside this listing; tempX/tempY are
    // assigned here without `var`, i.e. as implicit globals.
    // Defensive note: the framed page cannot detect this from inside the
    // iframe; the mitigation shown later in the deck is the X-Frame-Options
    // response header (or a frame-busting script for older browsers).
    function mouseMove(e) {

    // IE exposes the pointer on the global `event` in viewport coordinates,
    // so the document scroll offset is added back; other browsers carry
    // page coordinates on the event argument.
    if (IE) {tempX = event.clientX + document.body.scrollLeft;

    tempY = event.clientY + document.body.scrollTop;} else {

    tempX = e.pageX;tempY = e.pageY;

    }

    // Clamp negative coordinates so the frame is never placed off-page.
    if (tempX < 0) tempX = 0;if (tempY < 0) tempY = 0;

    // Fixed 8px/25px offsets — presumably chosen so the pointer sits over the
    // framed button rather than the frame's corner; values are demo-specific.
    like.style.top = (tempY - 8) + 'px';

    like.style.left = (tempX - 25) + 'px';

    // Returning true does not cancel the event's default action.
    return true}

    Source: http://erickerr.com/like-clickjacking

    Like button moves

    with cursor

  • 7/27/2019 Protec'ng Java EE Web Apps with Secure HTTP Headers

    35/46

    Why Likejacking?

    Send victims to evil sites with malware. Trick users into signing up for unwanted

    subscription services

    Drive traffic to sites to increase ad revenue. Adscend Media

    Alleged to have made up to $1.2 million per month via Clickjacking

    Facebook and Washington State filed lawsuits against them in January 2012

    LW

  • 7/27/2019 Protec'ng Java EE Web Apps with Secure HTTP Headers

    36/46

    How to Fix?

    Use X-Frame-Options

  • 7/27/2019 Protec'ng Java EE Web Apps with Secure HTTP Headers

    37/46

    Java Code

    DENY — response.addHeader("X-Frame-Options", "DENY");

    71V.

  • 7/27/2019 Protec'ng Java EE Web Apps with Secure HTTP Headers

    38/46

    X-Frame-Options

  • 7/27/2019 Protec'ng Java EE Web Apps with Secure HTTP Headers

    39/46

    Using X-Frame-Options

  • 7/27/2019 Protec'ng Java EE Web Apps with Secure HTTP Headers

    40/46

    Frame Busting Code

    What about older browsers that don't support X-Frame-Options

  • 7/27/2019 Protec'ng Java EE Web Apps with Secure HTTP Headers

    41/46

    Some Anti-Frame Busting Techniques

    IE <iframe security=restricted> — Disables JavaScript within the iframe

    #(_%S#"%O(E#,; J =>P @E8365()K%2%,$%;EH 3%(; , =>P QG# D#($%($R "%32#(3% 3#

    $6% #(_%S#"%O(E#,; 6,(;E%" )%$3 &,(&%E%;

    Browser XSS Filters

    Chrome XSSAuditor filter cancels inline scripts if they are also found as a parameter

    P?

  • 7/27/2019 Protec'ng Java EE Web Apps with Secure HTTP Headers

    42/46

  • 7/27/2019 Protec'ng Java EE Web Apps with Secure HTTP Headers

    43/46

    Summary

    O3% $6% S#EE#45() 9::! K%32#(3% 9%,;%"3! 7%$JD##A5% 9Y2

  • 7/27/2019 Protec'ng Java EE Web Apps with Secure HTTP Headers

    44/46

    PP

  • 7/27/2019 Protec'ng Java EE Web Apps with Secure HTTP Headers

    45/46

    Frank Kim — frank@thinksec.com

    @thinksec @sansappsec

    PW

  • 7/27/2019 Protec'ng Java EE Web Apps with Secure HTTP Headers

    46/46

    References

    D#($%($ 7%&8"5$H !#E5&H 6Y23agg;-&3Z4LZ#")g6)g($%($J3%&8"5$HJ2#E5&Hg",4J]E%g'2g&32J

    32%&5]&,'#(Z;%-Z6$CE

    Busting Frame Busting: A Study of Clickjacking Vulnerabilities on Popular Sites http://seclab.stanford.edu/websec/framebusting/framebust.pdf

    Like Clickjacking http://erickerr.com/like-clickjacking

    Clickjacking Attacks on Facebook's Like Plugin https://isc.sans.edu/diary.html?storyid=8893

    Lessons from Facebook's Security Bug Bounty Program https://nealpoole.com/blog/2011/08/lessons-from-facebooks-security-bug-bounty-program/

    Google+ Gets a "+1" for Browser Security http://www.barracudalabs.com/wordpress/index.php/2011/07/21/google-gets-a-1-for-browser-security-3/

    PX