Honing headers for highly hardened highspeed hypertext

Watch the slides of our webinar on “How to secure MongoDB with ClusterControl” and find out about the essential steps necessary to secure MongoDB and how to verify if your MongoDB instance is safe. The recent MongoDB ransom hack caused a lot of damage and outages, while it could have been prevented with maybe two or three simple configuration changes. MongoDB offers a lot of security features out of the box, however it disables them by default. In this webinar, we explain which configuration changes are necessary to enable MongoDB’s security features, and how to test if your setup is secure after enablement. We also demonstrate how ClusterControl enables security on default installations. And we cover how to leverage the ClusterControl advisors and the MongoDB Audit Log to constantly scan your environment, and harden your security even more. AGENDA What is the MongoDB ransom hack? What other security threats are valid for MongoDB? How to enable authentication / authorisation How to secure MongoDB from ransomware How to scan your system ClusterControl MongoDB security advisors Live Demo SPEAKER Art van Scheppingen is a Senior Support Engineer at Severalnines. He’s a pragmatic MySQL and Database expert with over 15 years experience in web development. He previously worked at Spil Games as Head of Database Engineering, where he kept a broad vision upon the whole database environment: from MySQL to Couchbase, Vertica to Hadoop and from Sphinx Search to SOLR. He regularly presents his work and projects at various conferences (Percona Live, FOSDEM) and related meetups.

Businesses today are rapidly moving from being service enabled to being API enabled. Moving into the world of APIs brings with it its own set of complexities and challenges that are tough to tackle. API security, performance, scalability, monitoring and notifications are key areas to be focusing your engineering efforts on. The WSO2 Carbon platform is a complete open source enterprise middleware platform which includes products catering to your various different enterprise needs. This talk will focus on leveraging the extensive feature set and extensible nature of the WSO2 platform to secure, monitor and monetize your APIs. It will also touch upon some of WSO2’s experiences with customers in building API ecosystems that suit modern day enterprises.

Demonstration based session on HTTP headers relevant to security aspect of web applications. Target audience is web developers, and more attention is given to Java language.

This document discusses various tools from the OWASP project for securing modern web applications, including ESAPI and the Java Encoder for output encoding, the Secure Headers Project for response headers, and CSRFGuard for cross-site request forgery protection. It emphasizes using security features like content security policies, strict transport security, and X-frame options headers to help mitigate risks like cross-site scripting and clickjacking attacks. The document also demonstrates cross-site request forgery vulnerabilities using the OWASP 1-Liner application and how to address them with anti-CSRF tokens.

Slides for "HTML5 Security Realities" talk at W3Conf: Practical Standards for Web Professionals 2013. Brad Hill - PayPal @hillbrad

1) The document discusses malware distribution campaigns from 2012 that used dynamically generated domain names and short-lived domains to serve malicious content through advertisement networks and legitimate websites. 2) Malware was distributed by simulating advertisement networks through JavaScript and using short-term disposable domain names that pointed to the same IP addresses. 3) One campaign only rendered malicious content if mouse movement was detected on a page, requiring user interaction to trigger the exploit.

Subresource Integrity (SRI) allows websites to specify a cryptographic hash for external scripts and stylesheets to verify their integrity before loading. A study found 88% of top websites include external JavaScript libraries. SRI helps prevent attacks from compromised CDNs by only loading resources that match the expected hash value. SRI also uses the crossorigin attribute to implement Cross-Origin Resource Sharing (CORS) and prevent data leakage when checking external resources. CORS headers must be present for SRI integrity checks to prevent loading alternative scripts. SRI provides more control over included external content and is supported by libraries like Ember.js.

This document discusses advanced techniques used in modern banking trojans. It describes how trojans operate by hijacking browsers using techniques like hooking browser APIs and modifying encrypted network traffic. It also discusses how trojans evade detection from tools like BankGuard and how their command and control structures have evolved to use peer-to-peer and Tor networks.

Full video available at http://www.securitytube.net/Active-HTTPS-Cookie-Hijacking-(Mike-Defcon-16)-video.aspx

This document discusses common JavaScript security vulnerabilities like cross-site scripting (XSS), cross-site request forgery (CSRF), and clickjacking. It defines these issues and provides examples of real attacks. The document also outlines solutions for developers, including sanitizing input, escaping output, minimizing the attack surface, and designing with the assumption of breaches. Overall it stresses the importance of a holistic, multi-layered approach to JavaScript security.

In this talk, we'll break down how one can exploit an ecosystem that enables management, querying, processing, and storage of, yes you guessed it, copious amounts of data. Hadoop and its many friends have been making their way into companies analyzing (sometimes, after massively collecting...) such data for years now, but they also make it easy to find organizations deploying things internally with security either off by default or otherwise exposed to various critical misconfigurations and access control issues. If you're running engagements, this should also give you a headstart on what to look for, how to attack networks where these products are running along with a few good ways to make them more defendable. Because if you want to defend well, you need to optimize towards mitigating actual risk vs theoretical, and there's no better way to determine if attacks are real than trying them out yourself. Let's say you just want to better understand how to shell out on servers running Apache Cassandra, Drill, Mesos... well, it may add a few pages to your playbook. (FYI this is the version of the slides without a conference template-- hopefully NoConName will share the templated version online as well)

The presentation is based on the book 「Two scoops of Django : Best Practices for Django 1.5」by Daniel Greenfeld and Audrey Roy.

分散型のスキャナーの構築は挑戦のし甲斐があり、実在のブラウザを使って作る場合はなおさらである。 今回紹介するスキャナーでは、ChromiumにJSのライブラリやそのバージョンを得るためのJavaScriptを注入することで、スキャンしたサイトのすべてのHTMLとJavaScript、独自アーキテクチャを必要とするセキュリティヘッダを保存できる。 このスキャナーでトップの100万サイトに対してスキャンを行い、現在のWeb上の状況を調べることが可能となるスケーラブルなシステムを設計する際に克服した課題についてカバーした。 本講演では、データ分析で得られた興味深い点にも触れるつもりである。 --- アイザック・ドーソンIsaac Dawson アイザック・ドーソンは、Veracode社の主要なセキュリティ研究者の一人で、彼の率いる同社の研究開発チームは、Veracode社の動的解析の提供に努めている。 Veracode社の前は@stake社とSymantec社でコンサルタントをしていた。 2004年にアプリケーションセキュリティのコンサルティングチーム発足させるため、日本へやってきた。 Veracode社での勤務が始まった後、彼の中で日本があまりにも快適であることがはっきりしたので、それ以降、滞在し続けることを決めたのだった。 Go言語の熱心なプログラマーであり、分散システムに関心があり、特にWebのスキャニングに強い関心をもっている。

In this presentation you will see a little example in how to use OAuth+OpenID Connect to improve microservices based on authorization and identity

- Vault configuration as code via Terraform was discussed, including deployment, authentication, secrets engines, and integration considerations - Key topics included deploying Vault in AWS using Terraform, configuring LDAP and AWS IAM authentication backends, and using the KV secrets engine for database credentials and temporary AWS credentials - Challenges with keeping Terraform and Vault in sync were noted, such as state issues when Vault values are added outside of Terraform

Thinking of fuzzing applications on OS X can quickly lead to a passing conversation of "ooh exotic Mac stuff", "lets fuzz the kernel" or it can otherwise not be thought of as an exciting target, at least for looking for crashes in stuff other than Safari or the iPhone. While there are some intricacies and nuance involved, workaround for security protections to enable debugging and finding tools that work and work well, this research will detail how it can be done in a reliable way and make the topic more tangible and easier to digest, kind of like how people think about using AFL on Linux: it "just works". We'll explore some of the overlooked attack surface of file parsers and some network services on Mac, how to fuzz userland binaries and introduce a new fuzzer that makes setup and crash triage straightforward while poking at some Apple core apps and clients. Have you ever thought "This thing has got to have some bugs" but think twice because it's only on available on Mac and not worth the effort? If so, you may now find yourself both more motivated and better equipped to do some bug hunting on the sleek and eventually accommodating Mac OS.

Content Security Policies (CSP) are an additional layer of security that you can add to your websites to protect your users from XSS attacks, but it is only used by about 2% of the Internet. This presentation was given at WordCamp Europe 2018 and explains the threats posted to website visitors, how CSPs can help, and how they work. #wceu

Content Security Policies (CSP) are an additional layer of security that you can add to your websites to protect your users from XSS attacks, but it is only used by about 2% of the Internet. This presentation was given at WordCamp Europe 2018 and explains the threats posted to website visitors, how CSPs can help, and how they work. #wceu

The document discusses techniques for optimizing website performance, including making fewer HTTP requests, leveraging browser caching with cache control headers, minimizing component sizes, optimizing asset delivery through techniques like sprites and concatenation, and following front-end performance best practices. It provides examples of how major sites implement various optimizations and shares results from experiments measuring the impact of optimizations on response times.

The document discusses techniques for improving website performance, including: 1. Focusing on front-end optimizations as they account for 80-90% of response time. 2. Following the 80/20 rule - optimizing the 20% of code that affects 80% of response time like assets on the front-end. 3. Using techniques like image sprites, combined scripts and stylesheets, CDNs, caching, gzip compression, and reducing cookie sizes and HTTP requests to improve response times.

The slides here are part of my presentation at the Confraria0day meeting in March 2017. It is an introduction to the various HTTP security headers with some insights about them. It covers HSTS, HPKP, X-Frame-Options, Content Security Policy, X-XSS-Protection, X-Content-Type-Options, Referrer-Policy and Set-Cookie options.

In this session, use metrics and logs from Amazon CloudFront, and tools such as Amazon CloudWatch and third-party performance measurement tools, to measure and improve your web and mobile performance.

Performance optimization is a cyclical process. We are constantly learning new ways to optimize, while simultaneously adopting new technologies and techniques that negatively impact performance. The HTTP Archive provides a great historical record of the technical side of the web, with almost 10 years of history and an ever growing dataset of sites. During this session Paul will provide a brief overview of the HTTP Archive and then dive into some insights into the adoption of common web performance techniques and some of their measurable impacts.

1) The document discusses various ways to secure a website or client's users, including getting an SSL certificate, setting up HTTPS, ensuring strong security practices with headers and configurations. 2) It describes letting's encrypt as a free and easy way to get SSL certificates with automated renewal, and quality testing services like QUALYS to check SSL configuration. 3) Additional security best practices discussed include HTTP headers like HSTS, CSP, and PKP to prevent vulnerabilities and protect against MITM attacks. Regular testing and integrating checks into development processes are recommended.

Estes slides fazem parte da minha apresentação na conferência Confraria0day em Marçod de 2017. É uma introdução aos vários cabeçalhos de segurança HTTP. Cobre HSTS, HPKP, X-Frame-Options, Content Security Policy, X-XSS-Protection, X-Content-Type-Options, Referrer-Policy e Set-Cookie options.

This document discusses HTML5 security threats and defenses. It covers the history of HTML standards, new HTML5 features, and vulnerabilities like XSS, cookie/storage stealing, SQL injection, and more. It also provides tools for analyzing HTML5 threats and examples of real attacks exploiting features like WebSQL, local storage, and cross-origin requests. Defenses include input validation, avoiding sensitive data storage, and configuring CORS headers appropriately.

The presentation is devoted to network and tips of improving Web Performance. Further presentations will dwell on more practical aspects of web applications performance improvement. All 4 presentations will help you reduce latency, enrich optimization of javascript code, discover tricky parts when working with API browser, see best practices of networking and learn lots of other important and interesting things. Enjoy! =)

This document discusses various techniques for improving web performance, including: 1. Using a CDN to reduce latency and enable caching of common assets. 2. Implementing domain sharding to allow for parallel downloading of resources from different domains. 3. Leveraging browser enhancements like prefetching, preloading, and the navigation timing API to prioritize important resources. 4. Adopting new web standards like WebRTC to enable real-time communication directly in the browser.

Log data contains some of the most valuable raw information you can gather and analyze about your infrastructure and applications. Amid the mess of confusing lines of seemingly random text can be hints about performance, security, flaws in code, user access patterns, and other operational data. Without the proper tools, finding insights in these logs can be like searching for a hay-colored needle in a haystack. In this session you learn what practices and patterns you can easily implement that can help you better understand your log files. You see how you can customize web logs to add more information to them, how to digest logs from around your infrastructure, and how to analyze your log files in near real time.

This document discusses benchmarking HTTP/2 using the h2load tool. It provides examples of using h2load to test various HTTP/2 configurations and protocols. The document also summarizes several experiments comparing performance of HTTP/2 with different settings, such as with or without domain sharding, combo handling, and different servers like ATS and nghttpx. It concludes that we need to consider server capacity for HTTP/2 deployments and that h2load is not perfect, providing opportunities for contribution.

The document provides 14 tips for optimizing website performance based on the 80/20 rule. The tips include minimizing HTTP requests by combining files, using a CDN, adding caching headers, gzipping files, optimizing CSS and JS placement, avoiding redirects and duplicate scripts, and making Ajax cacheable. Following these best practices can significantly improve page load times by reducing network requests and making better use of browser caching.

How a new HTTP response header can help increase the depth of your web application defenses. Also includes a few slides on HTTP Strict Transport Security, a header which helps protects HTTPS sites from sslstrip attacks.

Yahoo has developed the de facto standard for building fast front-ends for websites. The bad news: you have to follow 34 rules to get there. The good news: I'll take a subset of those rules, explain them, and show how you can implement those rules in an automated fashion to minimize impact on developers and designers for your high-traffic website.

The document provides instructions for setting up a lab environment to practice HTML5 hacking techniques. It includes details on installing VirtualBox and shared folders, as well as IP addresses to use for the "localvictim" and "evil" servers. The remainder of the document outlines a plan to cover various HTML5-related attacks, including bypassing the same-origin policy, exploiting XSS vectors in HTML5, attacking with cross-origin resource sharing and web messaging, targeting client-side storage, and using web sockets. Disclaimers are provided about the practical nature of the workshops and limited time.

This is an updated version of this talk given at DrupalCamp Atlanta (DCA) This presentation is an overview / case study of things learned by experiencing GDPR Security audits, DoS attacks, brute force login attacks, annoying robot crawlers, and hackers doing security probes. The session will cover the following main topics with tips on how to protected against each of these. An overview of security threats Server Level Attacks Code Level Attacks User Access Attacks Internal Attacks Some suggestions on developing a security plan People attending should come away with useful knowledge (modules, best practices, sites that help, front end tools and the like) that will help secure their sites.

The document discusses various standards that are helping to bridge isolated social networks and enable interoperability across platforms, including OpenID, WebFinger, XRD, PubSubHubbub, Salmon, OAuth, XAuth, OEmbed, and OpenSocial. It provides examples of how these standards work to allow users to log in or comment on different sites without separate accounts, share updates across networks, and embed content like videos universally. While progress is being made, challenges remain around user identity, privacy, access control, and full adoption. The overall goal is a more open and interconnected social web.

RFC 7540 was ratified over 2 years ago and, today, all major browsers, servers, and CDNs support the next generation of HTTP. Just over a year ago, at Velocity, we discussed the protocol, looked at some real world implications of its deployment and use, and what realistic expectations we should have from its use. Now that adoption is ramped up and the protocol is being regularly used on the Internet, it's a good time to revisit the protocol and its deployment. Has it evolved? Have we learned anything? Are all the features providing the benefits we were expecting? What's next?In this session, we'll review protocol basics and try to answer some of these questions based on real-world use of it. We'll dig into the core features like interaction with TCP, server push, priorities and dependencies, and HPACK. We'll look at these features through the lens of experience and see if good practice patterns have emerged. We'll also review available tools and discuss what protocol enhancements are in the near and not-so-near horizon.

CBS Interactive streams some of the largest video streaming events on the planet, including SuperBowl in 2019. This talk will focus on all the work that goes in ahead of time to prepare and plan for game day. From architecture design to capacity reservations to operational visibility and building playbooks we will explore how we build, test and prepare for these large events. We will also explore how some of Fastly's unique features such as MediaShield and VCL are becoming critical to these workflows.

As a global organization, Fastly carefully selects and deploys POP locations to service the greater audience of the Internet. Fastly currently has 52 global POPs across the Internet, 13 of which are located in the Southern Hemisphere. Another 3 are outside North America, Europe, and Asia. During this talk, VP of Infrastructure Tom Daly will share our experience in building Fastly's network of POPs south of the equator, where, in some cases, the Internet we know here in San Francisco, is much different. Tom will explore the physical datacenter infrastructure, network topology, and network policy that pose of unique challenges when operating in these parts of the world.

FuboTV’s recent offering of the 2018 FIFA World Cup broke all of our previous records for viewership and put our systems to the test as we delivered all 64 matches live. Coverage for a majority of games was spread out across ~150 regional sports networks, local FOX affiliates, owned and operated regional stations and other local FOX offerings, with a few early matches broadcasted on national channels. Running a successful World Cup required us to pay close attention to our caching strategies, delivery mechanisms, content edge-case handling and more. An event at this scale, spread out over a month, also gave us an excellent test bed to run experiments. We were able to augment our last-mile delivery, test/tweak our solution for CDN decisioning/priority, and even stand up a set of UHD HDR10 feeds to give our users their first glimpse of live OTT UHD offerings. We’ll run through this whole event from a scale and technology perspective and share our takeaways as we prepare for the upcoming NFL season and beyond.

1) CNN adopted GraphQL in 2016 to improve page load speeds by allowing clients to request specific data fields rather than entire documents, reducing response sizes by over 90% in some cases. 2) CNN later developed its own Data API using GraphQL and saw request volumes increase to over 7 million per hour with an 89% cache hit rate. 3) For live storytelling, CNN chose to implement Server-Sent Events which allows for near real-time updates without polling by allowing servers to push messages to clients as new data becomes available.

Braze is a customer engagement platform that delivers more than a billion messaging experiences across push, email, apps and more each day. In this session, Jon Hyman will describe the company's challenges during an inflection point in 2015 when the company reached the limitation of their physical networking equipment, and how Braze has since grown more than 7x on Fastly. Jon will also discuss how Braze uses Fastly's Layer 7 load balancing to improve stability and uptime of its APIs.