OWASP DevSlop’s journey to TLS and Security Headers

Franziska Buehler
Nov 15, 2018 · 6 min read

Why TLS? It’s only static content!

Thanks to the very useful and informative blog by Troy Hunt, we have learned that not only should the transmission of sensitive information, such as credit card numbers or login data, be protected by TLS, but that every website should implement TLS.

TLS Server Certificate

Of course, everyone knows the free TLS certificates from Let’s Encrypt. Unfortunately, this was not an option for us, as DevSlop.co is implemented as a Microsoft Azure App Service and it is not yet compatible.

SSL Report for devslop.co

Security Headers

Not only did we want to add TLS to our site, but we also wanted to add more security measures such as security-related HTTP response headers.

X-XSS-Protection

The first two headers we added were the X-XSS-Protection and the Content-Security-Policy headers in OWASP DevSlop Season 1 Episode 1 (S01E01).

Content-Security-Policy (CSP)

In short, we define from which sources our site may load scripts, images, frames, fonts, etc. We control where the content on our site comes from.
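Reading a policy by eye gets hard once it has more than a handful of directives, so here is a small parser and linter for the mechanism described above. This is an added example, not code from the DevSlop project; the two policy strings at the bottom are constructed for illustration and are not devslop.co's actual policy.

```python
"""Parse a Content-Security-Policy header and flag source lists that
undo the protection the header is meant to give.

Added example (not the DevSlop project's code). Policies below are constructed.
"""
from typing import Dict, List

# Directives that, when absent, inherit their source list from default-src.
FETCH_DIRECTIVES = {
    "script-src", "style-src", "img-src", "font-src",
    "frame-src", "connect-src", "media-src", "object-src",
}


def parse_csp(header_value: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for part in header_value.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        # Browsers ignore a repeated directive, so keep the first occurrence.
        policy.setdefault(name, sources)
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """Sources that apply to a fetch directive, falling back to default-src."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES:
        return policy.get("default-src", [])
    return []


def csp_findings(header_value: str) -> List[str]:
    """Return human-readable weaknesses; an empty list means none were found."""
    policy = parse_csp(header_value)
    findings: List[str] = []
    if "default-src" not in policy:
        findings.append("no default-src: any fetch directive not listed allows every origin")
    scripts = effective_sources(policy, "script-src")
    if "*" in scripts:
        findings.append("script-src allows scripts from any origin ('*')")
    if "'unsafe-inline'" in scripts:
        findings.append("script-src allows inline scripts ('unsafe-inline')")
    for src in scripts:
        if src.lower().startswith("http:"):
            findings.append(f"script-src allows a plaintext source: {src}")
    if "frame-ancestors" not in policy:
        findings.append("no frame-ancestors: framing is controlled only by X-Frame-Options")
    return findings


# Constructed sample policies, a weak one and a strict one.
WEAK_POLICY = "default-src *; script-src * 'unsafe-inline'"
STRICT_POLICY = (
    "default-src 'self'; script-src 'self' https://cdn.example; "
    "img-src 'self' data:; frame-ancestors 'none'"
)

if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("strict", STRICT_POLICY)):
        print(f"{label}: {csp_findings(policy) or ['no findings']}")
```

The fallback in `effective_sources` is the part worth noticing: a policy that sets `default-src 'self'` and never mentions `script-src` still restricts scripts to the site's own origin, whereas a policy with no `default-src` restricts nothing it does not name explicitly.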

X-Frame-Options

OWASP DevSlop S01E02 — Security Headers! shows the implementation of additional security headers.

X-Content-Type-Options

This header tells the browser not to sniff the content-type, but to rely on the content-type provided by the application.

Referrer-Policy

Imagine someone visits our website and then follows a link to another site. The browser would send the request header Referer: https://devslop.co/link/to/site to the other site. We don’t want that much information being sent to the other site. Therefore, we add the following response header:

SecurityHeaders.com Report for devslop.co

Further improvements

Strict-Transport-Security (HSTS)

Since we are a security project and we want to learn more, we want to reach an A+ on both SSLLabs.com and SecurityHeaders.com.

Feature-Policy

This is the newest security header. We tell the browser which modern browser features we want to allow for our website.

More Headers and Cookie Settings

We also plan to add:

  • X-Permitted-Cross-Domain-Policies: none
  • Expect-CT: (not currently supported by our provider)
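The headers covered in this post form a checklist, and a checklist is easiest to keep honest with a script. The following audit is an added example and not the DevSlop project's own code; it takes a dictionary of response headers (the two sample responses at the bottom are constructed, not captured from devslop.co) and reports each header that is missing or carries a value that does not give the protection described above.

```python
"""Audit HTTP response headers against the checklist discussed in this post.

Added example, not the DevSlop project's code. Sample responses are constructed.
"""
from typing import Callable, Dict, List, Tuple

ONE_YEAR = 31536000  # seconds; the smallest HSTS max-age hstspreload.org accepts

# Referrer-Policy values that never send the full URL to another origin.
SAFE_REFERRER_POLICIES = {
    "no-referrer", "same-origin", "origin", "origin-when-cross-origin",
    "strict-origin", "strict-origin-when-cross-origin",
}


def hsts_ok(value: str) -> bool:
    """max-age must be present and at least one year."""
    for directive in value.split(";"):
        name, _, arg = directive.strip().lower().partition("=")
        if name == "max-age":
            return arg.isdigit() and int(arg) >= ONE_YEAR
    return False


# header name -> (predicate on the value, description of a passing value)
CHECKS: Dict[str, Tuple[Callable[[str], bool], str]] = {
    "Strict-Transport-Security": (hsts_ok, "max-age of at least one year"),
    "Content-Security-Policy": (lambda v: "default-src" in v.lower(), "a policy that sets default-src"),
    "X-Content-Type-Options": (lambda v: v.strip().lower() == "nosniff", "nosniff"),
    "X-Frame-Options": (lambda v: v.strip().upper() in {"DENY", "SAMEORIGIN"}, "DENY or SAMEORIGIN"),
    "Referrer-Policy": (lambda v: v.strip().lower() in SAFE_REFERRER_POLICIES,
                        "a policy that withholds the path cross-origin, e.g. strict-origin-when-cross-origin"),
    "X-Permitted-Cross-Domain-Policies": (lambda v: v.strip().lower() == "none", "none"),
    "Feature-Policy": (lambda v: bool(v.strip()), "a non-empty feature list"),
}


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """One finding per missing or weak header; an empty list means every check passed."""
    # Header names are case-insensitive, so compare them in lower case.
    lowered = {name.lower(): value for name, value in headers.items()}
    findings: List[str] = []
    for name, (predicate, expected) in CHECKS.items():
        value = lowered.get(name.lower())
        if value is None:
            findings.append(f"{name}: missing (expected {expected})")
        elif not predicate(value):
            findings.append(f"{name}: weak value {value!r} (expected {expected})")
    return findings


# Constructed sample responses (not real devslop.co headers).
BEFORE = {
    "Content-Type": "text/html; charset=utf-8",
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=300",
    "Referrer-Policy": "unsafe-url",
}

AFTER = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "X-Permitted-Cross-Domain-Policies": "none",
    "Feature-Policy": "geolocation 'none'; camera 'none'; microphone 'none'",
}

if __name__ == "__main__":
    for label, headers in (("before", BEFORE), ("after", AFTER)):
        findings = audit_headers(headers)
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Two details are deliberate: the HSTS check reads the `max-age` directive rather than just testing for presence, because a short max-age gives the header almost no value, and the Referrer-Policy check treats `no-referrer-when-downgrade` (the browser default in 2018) and `unsafe-url` as weak, since both still send the full path to other HTTPS sites.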
