The web is moving slowly towards HTTPS everywhere, but even now man-in-the-middle attacks are still astoundingly effective and easy to do. In this talk you’ll see how to beat HTTPS on many major websites, discover the tools required to secure your own applications, and learn how to keep your users safe.
50. HSTS preload gotchas
- The header needs to be set on the root domain (example.com), not only on www or other subdomains
- It is required on redirect domains too (example.net): a browser that never sees HSTS there will keep starting those visits over plain HTTP
- Needs easily recognizable domains
- You're committing to HTTPS forever: once an entry is preloaded into browsers it cannot be quickly withdrawn
- Other gotchas
@pimterry
53. Serve content over HTTPS only
- Use the Content-Security-Policy upgrade-insecure-requests directive, so the browser upgrades any remaining http:// requests on your pages to https:// instead of loading them as mixed content
- Use HSTS, and get your domain onto the browser preload list
- Check other sites (securityheaders.io) and complain!
Let's build a secure web
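The two slides above are a checklist: HSTS on the root domain, on redirect domains, with a long max-age, plus upgrade-insecure-requests. The script below is an added example, not code from the talk or from @pimterry. It encodes the hstspreload.org submission requirements for the header itself (max-age of at least one year, includeSubDomains, preload) and runs that check over every hostname a site answers on, so a redirect-only domain that was forgotten shows up. The sample responses are constructed for the example; example.com and example.net are placeholder names, and the CSP check assumes a header already set on the page.

```python
"""Check Strict-Transport-Security and CSP headers against HSTS preload requirements.

Added example, not code from the talk: the rules encoded here are the
hstspreload.org submission requirements for the header (max-age of at least
one year, includeSubDomains, preload), applied to every hostname a site
serves, redirect-only domains included.
"""
from __future__ import annotations

PRELOAD_MIN_MAX_AGE = 31536000  # one year in seconds, the preload list minimum


def parse_hsts(value: str) -> dict[str, str | None]:
    """Split an HSTS header value into lower-cased directive -> argument.

    Directives without an argument (includeSubDomains, preload) map to None.
    """
    directives: dict[str, str | None] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, has_arg, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if has_arg else None
    return directives


def hsts_preload_issues(headers: dict[str, str]) -> list[str]:
    """Return why this response's HSTS header would fail preload submission.

    An empty list means the header is acceptable. Only the header is checked;
    the preload list also requires a valid certificate and an HTTP->HTTPS
    redirect on the same host, which need a live connection to verify.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("strict-transport-security")
    if value is None:
        return ["no Strict-Transport-Security header"]
    directives = parse_hsts(value)
    issues: list[str] = []
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        issues.append("max-age missing or not an integer")
    elif int(max_age) < PRELOAD_MIN_MAX_AGE:
        issues.append(f"max-age={max_age} is below {PRELOAD_MIN_MAX_AGE} (one year)")
    if "includesubdomains" not in directives:
        issues.append("includeSubDomains missing")
    if "preload" not in directives:
        issues.append("preload directive missing")
    return issues


def csp_upgrades_insecure_requests(headers: dict[str, str]) -> bool:
    """True if the Content-Security-Policy header enables upgrade-insecure-requests."""
    lowered = {k.lower(): v for k, v in headers.items()}
    csp = lowered.get("content-security-policy", "")
    return any(d.strip().lower() == "upgrade-insecure-requests" for d in csp.split(";"))


def audit_site(responses: dict[str, dict[str, str]]) -> dict[str, list[str]]:
    """Run the preload check over every hostname, redirect-only domains included.

    A redirect domain (example.net -> example.com) that omits HSTS is the gap
    the talk warns about: each first visit to it still starts over plain HTTP,
    which an attacker on the path can intercept before the redirect happens.
    """
    return {host: hsts_preload_issues(headers) for host, headers in responses.items()}


# Constructed sample responses for the example (not captured from real sites).
SAMPLE_RESPONSES: dict[str, dict[str, str]] = {
    "example.com": {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
        "Content-Security-Policy": "default-src 'self'; upgrade-insecure-requests",
    },
    "www.example.com": {
        # 18 weeks, no includeSubDomains, no preload: an older deployment
        "Strict-Transport-Security": "max-age=10886400",
    },
    "example.net": {
        # redirect-only domain; HSTS was forgotten here
        "Location": "https://example.com/",
    },
}


if __name__ == "__main__":
    for host, issues in audit_site(SAMPLE_RESPONSES).items():
        print(f"{host}: {'OK' if not issues else '; '.join(issues)}")
    print("upgrade-insecure-requests on example.com:",
          csp_upgrades_insecure_requests(SAMPLE_RESPONSES["example.com"]))
```

Run it against the headers from your own hosts (for example the output of `curl -sI https://host/`) and fix every hostname that reports an issue before submitting to the preload list; the forever commitment on the slide is the one-year max-age the list insists on.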