SlideShare a Scribd company logo

HTTP Security Headers - Devoxx UA 18

Download as PPTX, PDF
T
Tim De Grande

Securing your web application and protecting your users are 2 of the most important things to a developer nowadays. We all know about the dangers of cross site scripting and sql injection, but did you know that you can also make the browser do its share? In this presentation we'll dive into the world of the HTTP security headers, which will make the browser help protect your users.

Technology
1 of 47
HTTPSecurity Headers How to make thebrowser help protect your users
HI, I’MTIM DE GRANDE Competence Lead Application Security Ordina Belgium @TimDG
SECURITYMATTERS
SECURITYMATTERS
Give me the page over HTTP HTTPS Icons by https://icons8.com/
HTTPS No, you should use HTTPS Icons by https://icons8.com/
HTTPS Give me the page over HTTPS Icons by https://icons8.com/
HTTPS OK, here’s your page. Icons by https://icons8.com/
HTTPS Give me the page over HTTP Icons by https://icons8.com/
HTTPS Give me the page over HTTP Give me the page over HTTP Icons by https://icons8.com/
HTTPS No, you should use HTTPS Icons by https://icons8.com/
HTTPS Give me the page over HTTP Give me the page over HTTPS Icons by https://icons8.com/
HTTPS Give me the page over HTTP OK, here’s your page Icons by https://icons8.com/
HTTPS OK, here’s your page Icons by https://icons8.com/
HSTS Strict-Transport-Security: max-age=31536000 HTTP Strict Transport Protocol
HSTS Strict-Transport-Security: max-age=31536000; includeSubDomains HTTP Strict Transport Protocol
HSTS Strict-Transport-Security: max-age=31536000; includeSubDomains; preload HTTP Strict Transport Protocol
HSTS
HSTSTAKE AWAYS Definitely enable it Make sure your max-age is long enough Careful with includesubdomains Don’t use preload prematurely
CERTIFICATES
CERTIFICATES Here’s my certificate Icons by https://icons8.com/
CERTIFICATES
CERTIFICATES
CERTIFICATEPINNING By the way, only accept certificates: 64f618b9… 29b51e5f… Icons by https://icons8.com/
CERTIFICATEPINNING By the way, only accept certificates: 64f618b9… 29b51e5f… Icons by https://icons8.com/
CERTIFICATEPINNING By the way, only accept certificates: 64f618b9… 29b51e5f…OK, only: 64f618b9… 29b51e5f… Icons by https://icons8.com/
CERTIFICATEPINNING I now have a new certificate: 850ebc4335… Icons by https://icons8.com/
CERTIFICATEPINNING I now have a new certificate: 850ebc4335… Nope! That’s not in my list: 64f618b9… 29b51e5f… Icons by https://icons8.com/
CERTIFICATEPINNING
CERTIFICATEPINNING TAKE AWAYS Do NOT use it for websites Only use it if you have a separate update channel for pins (e.g. mobile app)
CERTIFICATETRANSPARENCY Icons by https://icons8.com/
CERTIFICATETRANSPARENCY
EXPECT-CT Only accept certificates that have been published Expect-CT: max-age=31536000, enforce
EXPECT-CT Only accept certificates that have been published Expect-CT: max-age=31536000, enforce, report-uri="https://example.com"
EXPECT-CT
EXPECT-CT TAKE AWAYS Limited browser support at the moment Start out by only reporting Activate the enforce directive when it’s stable
PROTECT THECONTENT
CONTENT SECURITYPOLICY CSP header limits what can run on your page default-src img-src style-src font-src script-src media-src connect-src frame-src worker-src child-src manifest-src object-src
CONTENT SECURITYPOLICY CSP header limits a lot of things frame-ancestors form-action require-sri-for base-uri sandbox nonce
CONTENT SECURITYPOLICY Also supports report-uri directive Fails silently! Only visible in the dev console. Has a “Report-Only” variant: Content-Security-Policy-Report-Only
CSP TAKE AWAYS Good to have, hard to master Run it in “Report-Only” mode for a while Keep monitoring the reports
OVERVIEW HTTPS is good. Use it!
OVERVIEW Use HSTS to tell the browser that you want a secure connection.
OVERVIEW HPKP (certificate pinning) is useful for mobile apps. Do NOT use it on your website.
OVERVIEW Enable Expect-CT to reduce MitM possibilities
OVERVIEW Content-Security-Policy tells the browser what the page is allowed to do. And what it isn’t.
QUESTIONS?

Recommended

Open source technologies in Microsoft cloud
Open source technologies in Microsoft cloudOpen source technologies in Microsoft cloud
Open source technologies in Microsoft cloudAlexey Bokov
 
Using browser settings for performance
Using browser settings for performanceUsing browser settings for performance
Using browser settings for performanceWalter Ebert
 
Open Source Adoption Challenges in the Enterprise
Open Source Adoption Challenges in the EnterpriseOpen Source Adoption Challenges in the Enterprise
Open Source Adoption Challenges in the EnterpriseVenkat Mangudi
 
conference presentation_298_withNotes
conference presentation_298_withNotesconference presentation_298_withNotes
conference presentation_298_withNotesSarah Fihe
 
Hello websocket(cn)
Hello websocket(cn)Hello websocket(cn)
Hello websocket(cn)g65537
 
Why wordpress is not completely safe
Why wordpress is not completely safeWhy wordpress is not completely safe
Why wordpress is not completely safeBrainwork Technologies
 
Technical SEO for WordPress - 2017 edition
Technical SEO for WordPress - 2017 editionTechnical SEO for WordPress - 2017 edition
Technical SEO for WordPress - 2017 editionOtto Kekäläinen
 
Merchant’s guide to protecting Magento Storefronts (Meet Magento India 2020)
Merchant’s guide to protecting Magento Storefronts (Meet Magento India 2020)Merchant’s guide to protecting Magento Storefronts (Meet Magento India 2020)
Merchant’s guide to protecting Magento Storefronts (Meet Magento India 2020)Tarun Sharma
 

Recommended

Open source technologies in Microsoft cloud
Open source technologies in Microsoft cloudOpen source technologies in Microsoft cloud
Open source technologies in Microsoft cloudAlexey Bokov
 
Using browser settings for performance
Using browser settings for performanceUsing browser settings for performance
Using browser settings for performanceWalter Ebert
 
Open Source Adoption Challenges in the Enterprise
Open Source Adoption Challenges in the EnterpriseOpen Source Adoption Challenges in the Enterprise
Open Source Adoption Challenges in the EnterpriseVenkat Mangudi
 
conference presentation_298_withNotes
conference presentation_298_withNotesconference presentation_298_withNotes
conference presentation_298_withNotesSarah Fihe
 
Hello websocket(cn)
Hello websocket(cn)Hello websocket(cn)
Hello websocket(cn)g65537
 
Why wordpress is not completely safe
Why wordpress is not completely safeWhy wordpress is not completely safe
Why wordpress is not completely safeBrainwork Technologies
 
Technical SEO for WordPress - 2017 edition
Technical SEO for WordPress - 2017 editionTechnical SEO for WordPress - 2017 edition
Technical SEO for WordPress - 2017 editionOtto Kekäläinen
 
Merchant’s guide to protecting Magento Storefronts (Meet Magento India 2020)
Merchant’s guide to protecting Magento Storefronts (Meet Magento India 2020)Merchant’s guide to protecting Magento Storefronts (Meet Magento India 2020)
Merchant’s guide to protecting Magento Storefronts (Meet Magento India 2020)Tarun Sharma
 
Ten Easy Steps to Hackproof Your WordPress Install (Blogging While Brown 2013)
Ten Easy Steps to Hackproof Your WordPress Install (Blogging While Brown 2013)Ten Easy Steps to Hackproof Your WordPress Install (Blogging While Brown 2013)
Ten Easy Steps to Hackproof Your WordPress Install (Blogging While Brown 2013)brandbuildsell
 
Hero Video Performance
Hero Video PerformanceHero Video Performance
Hero Video PerformanceWalter Ebert
 
WordPress Site Management - Keeping Your Creation Happy, Healthy and Secure
WordPress Site Management - Keeping Your Creation Happy, Healthy and SecureWordPress Site Management - Keeping Your Creation Happy, Healthy and Secure
WordPress Site Management - Keeping Your Creation Happy, Healthy and SecureMeagan Hanes
 
Protect Your Site: Security Tips For WordPress (GoDaddy "The Campfire" Hangout)
Protect Your Site: Security Tips For WordPress (GoDaddy "The Campfire" Hangout)Protect Your Site: Security Tips For WordPress (GoDaddy "The Campfire" Hangout)
Protect Your Site: Security Tips For WordPress (GoDaddy "The Campfire" Hangout)Joshua McNary
 
Microsoft Azure News - May 2015
Microsoft Azure News - May 2015Microsoft Azure News - May 2015
Microsoft Azure News - May 2015Daniel Toomey
 
The GiveCamp Guide to WordPress
The GiveCamp Guide to WordPressThe GiveCamp Guide to WordPress
The GiveCamp Guide to WordPressSarah Dutkiewicz
 
PALETTE BUSINESS SOLUTION DOCUMENTATION
PALETTE BUSINESS SOLUTION DOCUMENTATIONPALETTE BUSINESS SOLUTION DOCUMENTATION
PALETTE BUSINESS SOLUTION DOCUMENTATIONOnwubiko Emmanuel
 
WordPress security 101 - WP Turku Meetup 2.2.2017
WordPress security 101 - WP Turku Meetup 2.2.2017WordPress security 101 - WP Turku Meetup 2.2.2017
WordPress security 101 - WP Turku Meetup 2.2.2017Otto Kekäläinen
 
Rails security: above and beyond the defaults
Rails security: above and beyond the defaultsRails security: above and beyond the defaults
Rails security: above and beyond the defaultsMatias Korhonen
 
nullcon 2011 - Exploiting SCADA Systems
nullcon 2011 - Exploiting SCADA Systemsnullcon 2011 - Exploiting SCADA Systems
nullcon 2011 - Exploiting SCADA Systemsn|u - The Open Security Community
 
HTTP_Header_Security.pdf
HTTP_Header_Security.pdfHTTP_Header_Security.pdf
HTTP_Header_Security.pdfksudhakarreddy5
 
Creating Secure Web Apps: What Every Developer Needs to Know About HTTPS Today
Creating Secure Web Apps: What Every Developer Needs to Know About HTTPS TodayCreating Secure Web Apps: What Every Developer Needs to Know About HTTPS Today
Creating Secure Web Apps: What Every Developer Needs to Know About HTTPS TodayHeroku
 
You Spent All That Money And Still Got Owned
You Spent All That Money And Still Got OwnedYou Spent All That Money And Still Got Owned
You Spent All That Money And Still Got OwnedJoe McCray
 
Список коротких ссылок на решения Cisco по безопасности
Список коротких ссылок на решения Cisco по безопасностиСписок коротких ссылок на решения Cisco по безопасности
Список коротких ссылок на решения Cisco по безопасностиCisco Russia
 
From basement to global
From basement to globalFrom basement to global
From basement to globalMichał Kutyła
 
Stefan Judis "HTTP headers for the responsible developer"
Stefan Judis "HTTP headers for the responsible developer"Stefan Judis "HTTP headers for the responsible developer"
Stefan Judis "HTTP headers for the responsible developer"Fwdays
 
Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Why Traditional Web Security Technologies no Longer Suffice to Keep You SafeWhy Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Why Traditional Web Security Technologies no Longer Suffice to Keep You SafePhilippe De Ryck
 
Connecting All Abstractions with Istio
Connecting All Abstractions with IstioConnecting All Abstractions with Istio
Connecting All Abstractions with IstioVMware Tanzu
 
Adaptive layouts - standards>next Manchester 23.03.2011
Adaptive layouts - standards>next Manchester 23.03.2011Adaptive layouts - standards>next Manchester 23.03.2011
Adaptive layouts - standards>next Manchester 23.03.2011Patrick Lauke
 
Protecting Web App users in today’s hostile environment
Protecting Web App users in today’s hostile environmentProtecting Web App users in today’s hostile environment
Protecting Web App users in today’s hostile environmentajitdhumale
 
Browser Wars 2019 - Implementing a Content Security Policy
Browser Wars 2019 - Implementing a Content Security PolicyBrowser Wars 2019 - Implementing a Content Security Policy
Browser Wars 2019 - Implementing a Content Security PolicyGeorge Boobyer
 
Anastasiia Vixentael: 10 things you need to know before implementing cryptogr...
Anastasiia Vixentael: 10 things you need to know before implementing cryptogr...Anastasiia Vixentael: 10 things you need to know before implementing cryptogr...
Anastasiia Vixentael: 10 things you need to know before implementing cryptogr...mdevtalk
 

More Related Content

What's hot

Ten Easy Steps to Hackproof Your WordPress Install (Blogging While Brown 2013)
Ten Easy Steps to Hackproof Your WordPress Install (Blogging While Brown 2013)Ten Easy Steps to Hackproof Your WordPress Install (Blogging While Brown 2013)
Ten Easy Steps to Hackproof Your WordPress Install (Blogging While Brown 2013)brandbuildsell
 
Hero Video Performance
Hero Video PerformanceHero Video Performance
Hero Video PerformanceWalter Ebert
 
WordPress Site Management - Keeping Your Creation Happy, Healthy and Secure
WordPress Site Management - Keeping Your Creation Happy, Healthy and SecureWordPress Site Management - Keeping Your Creation Happy, Healthy and Secure
WordPress Site Management - Keeping Your Creation Happy, Healthy and SecureMeagan Hanes
 
Protect Your Site: Security Tips For WordPress (GoDaddy "The Campfire" Hangout)
Protect Your Site: Security Tips For WordPress (GoDaddy "The Campfire" Hangout)Protect Your Site: Security Tips For WordPress (GoDaddy "The Campfire" Hangout)
Protect Your Site: Security Tips For WordPress (GoDaddy "The Campfire" Hangout)Joshua McNary
 
Microsoft Azure News - May 2015
Microsoft Azure News - May 2015Microsoft Azure News - May 2015
Microsoft Azure News - May 2015Daniel Toomey
 
The GiveCamp Guide to WordPress
The GiveCamp Guide to WordPressThe GiveCamp Guide to WordPress
The GiveCamp Guide to WordPressSarah Dutkiewicz
 
PALETTE BUSINESS SOLUTION DOCUMENTATION
PALETTE BUSINESS SOLUTION DOCUMENTATIONPALETTE BUSINESS SOLUTION DOCUMENTATION
PALETTE BUSINESS SOLUTION DOCUMENTATIONOnwubiko Emmanuel
 
WordPress security 101 - WP Turku Meetup 2.2.2017
WordPress security 101 - WP Turku Meetup 2.2.2017WordPress security 101 - WP Turku Meetup 2.2.2017
WordPress security 101 - WP Turku Meetup 2.2.2017Otto Kekäläinen
 

What's hot (8)

Ten Easy Steps to Hackproof Your WordPress Install (Blogging While Brown 2013)
Ten Easy Steps to Hackproof Your WordPress Install (Blogging While Brown 2013)Ten Easy Steps to Hackproof Your WordPress Install (Blogging While Brown 2013)
Ten Easy Steps to Hackproof Your WordPress Install (Blogging While Brown 2013)
 
Hero Video Performance
Hero Video PerformanceHero Video Performance
Hero Video Performance
 
WordPress Site Management - Keeping Your Creation Happy, Healthy and Secure
WordPress Site Management - Keeping Your Creation Happy, Healthy and SecureWordPress Site Management - Keeping Your Creation Happy, Healthy and Secure
WordPress Site Management - Keeping Your Creation Happy, Healthy and Secure
 
Protect Your Site: Security Tips For WordPress (GoDaddy "The Campfire" Hangout)
Protect Your Site: Security Tips For WordPress (GoDaddy "The Campfire" Hangout)Protect Your Site: Security Tips For WordPress (GoDaddy "The Campfire" Hangout)
Protect Your Site: Security Tips For WordPress (GoDaddy "The Campfire" Hangout)
 
Microsoft Azure News - May 2015
Microsoft Azure News - May 2015Microsoft Azure News - May 2015
Microsoft Azure News - May 2015
 
The GiveCamp Guide to WordPress
The GiveCamp Guide to WordPressThe GiveCamp Guide to WordPress
The GiveCamp Guide to WordPress
 
PALETTE BUSINESS SOLUTION DOCUMENTATION
PALETTE BUSINESS SOLUTION DOCUMENTATIONPALETTE BUSINESS SOLUTION DOCUMENTATION
PALETTE BUSINESS SOLUTION DOCUMENTATION
 
WordPress security 101 - WP Turku Meetup 2.2.2017
WordPress security 101 - WP Turku Meetup 2.2.2017WordPress security 101 - WP Turku Meetup 2.2.2017
WordPress security 101 - WP Turku Meetup 2.2.2017
 

Similar to HTTP Security Headers - Devoxx UA 18

Rails security: above and beyond the defaults
Rails security: above and beyond the defaultsRails security: above and beyond the defaults
Rails security: above and beyond the defaultsMatias Korhonen
 
HTTP_Header_Security.pdf
HTTP_Header_Security.pdfHTTP_Header_Security.pdf
HTTP_Header_Security.pdfksudhakarreddy5
 
Creating Secure Web Apps: What Every Developer Needs to Know About HTTPS Today
Creating Secure Web Apps: What Every Developer Needs to Know About HTTPS TodayCreating Secure Web Apps: What Every Developer Needs to Know About HTTPS Today
Creating Secure Web Apps: What Every Developer Needs to Know About HTTPS TodayHeroku
 
You Spent All That Money And Still Got Owned
You Spent All That Money And Still Got OwnedYou Spent All That Money And Still Got Owned
You Spent All That Money And Still Got OwnedJoe McCray
 
Список коротких ссылок на решения Cisco по безопасности
Список коротких ссылок на решения Cisco по безопасностиСписок коротких ссылок на решения Cisco по безопасности
Список коротких ссылок на решения Cisco по безопасностиCisco Russia
 
Stefan Judis "HTTP headers for the responsible developer"
Stefan Judis "HTTP headers for the responsible developer"Stefan Judis "HTTP headers for the responsible developer"
Stefan Judis "HTTP headers for the responsible developer"Fwdays
 
Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Why Traditional Web Security Technologies no Longer Suffice to Keep You SafeWhy Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Why Traditional Web Security Technologies no Longer Suffice to Keep You SafePhilippe De Ryck
 
Connecting All Abstractions with Istio
Connecting All Abstractions with IstioConnecting All Abstractions with Istio
Connecting All Abstractions with IstioVMware Tanzu
 
Adaptive layouts - standards>next Manchester 23.03.2011
Adaptive layouts - standards>next Manchester 23.03.2011Adaptive layouts - standards>next Manchester 23.03.2011
Adaptive layouts - standards>next Manchester 23.03.2011Patrick Lauke
 
Protecting Web App users in today’s hostile environment
Protecting Web App users in today’s hostile environmentProtecting Web App users in today’s hostile environment
Protecting Web App users in today’s hostile environmentajitdhumale
 
Browser Wars 2019 - Implementing a Content Security Policy
Browser Wars 2019 - Implementing a Content Security PolicyBrowser Wars 2019 - Implementing a Content Security Policy
Browser Wars 2019 - Implementing a Content Security PolicyGeorge Boobyer
 
Anastasiia Vixentael: 10 things you need to know before implementing cryptogr...
Anastasiia Vixentael: 10 things you need to know before implementing cryptogr...Anastasiia Vixentael: 10 things you need to know before implementing cryptogr...
Anastasiia Vixentael: 10 things you need to know before implementing cryptogr...mdevtalk
 
Harness the power of http headers to secure your web apps
Harness the power of http headers to secure your web appsHarness the power of http headers to secure your web apps
Harness the power of http headers to secure your web appsDaniel Gartmann
 
Alt-Cookies and Controversies in Ethics
Alt-Cookies and Controversies in EthicsAlt-Cookies and Controversies in Ethics
Alt-Cookies and Controversies in EthicsKazuhiro Kosaka
 
Apidaze WebRTC Workshop barcelona 21st april 2013
Apidaze WebRTC Workshop barcelona 21st april 2013Apidaze WebRTC Workshop barcelona 21st april 2013
Apidaze WebRTC Workshop barcelona 21st april 2013Alan Quayle
 
HTML5: Markup Evolved
HTML5: Markup EvolvedHTML5: Markup Evolved
HTML5: Markup EvolvedBilly Hylton
 
Dart on Arm - Flutter Bangalore June 2021
Dart on Arm - Flutter Bangalore June 2021Dart on Arm - Flutter Bangalore June 2021
Dart on Arm - Flutter Bangalore June 2021Chris Swan
 

Similar to HTTP Security Headers - Devoxx UA 18 (20)

Rails security: above and beyond the defaults
Rails security: above and beyond the defaultsRails security: above and beyond the defaults
Rails security: above and beyond the defaults
 
nullcon 2011 - Exploiting SCADA Systems
nullcon 2011 - Exploiting SCADA Systemsnullcon 2011 - Exploiting SCADA Systems
nullcon 2011 - Exploiting SCADA Systems
 
HTTP_Header_Security.pdf
HTTP_Header_Security.pdfHTTP_Header_Security.pdf
HTTP_Header_Security.pdf
 
Creating Secure Web Apps: What Every Developer Needs to Know About HTTPS Today
Creating Secure Web Apps: What Every Developer Needs to Know About HTTPS TodayCreating Secure Web Apps: What Every Developer Needs to Know About HTTPS Today
Creating Secure Web Apps: What Every Developer Needs to Know About HTTPS Today
 
You Spent All That Money And Still Got Owned
You Spent All That Money And Still Got OwnedYou Spent All That Money And Still Got Owned
You Spent All That Money And Still Got Owned
 
Список коротких ссылок на решения Cisco по безопасности
Список коротких ссылок на решения Cisco по безопасностиСписок коротких ссылок на решения Cisco по безопасности
Список коротких ссылок на решения Cisco по безопасности
 
From basement to global
From basement to globalFrom basement to global
From basement to global
 
Stefan Judis "HTTP headers for the responsible developer"
Stefan Judis "HTTP headers for the responsible developer"Stefan Judis "HTTP headers for the responsible developer"
Stefan Judis "HTTP headers for the responsible developer"
 
Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Why Traditional Web Security Technologies no Longer Suffice to Keep You SafeWhy Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe
 
Connecting All Abstractions with Istio
Connecting All Abstractions with IstioConnecting All Abstractions with Istio
Connecting All Abstractions with Istio
 
Adaptive layouts - standards>next Manchester 23.03.2011
Adaptive layouts - standards>next Manchester 23.03.2011Adaptive layouts - standards>next Manchester 23.03.2011
Adaptive layouts - standards>next Manchester 23.03.2011
 
Protecting Web App users in today’s hostile environment
Protecting Web App users in today’s hostile environmentProtecting Web App users in today’s hostile environment
Protecting Web App users in today’s hostile environment
 
Browser Wars 2019 - Implementing a Content Security Policy
Browser Wars 2019 - Implementing a Content Security PolicyBrowser Wars 2019 - Implementing a Content Security Policy
Browser Wars 2019 - Implementing a Content Security Policy
 
Anastasiia Vixentael: 10 things you need to know before implementing cryptogr...
Anastasiia Vixentael: 10 things you need to know before implementing cryptogr...Anastasiia Vixentael: 10 things you need to know before implementing cryptogr...
Anastasiia Vixentael: 10 things you need to know before implementing cryptogr...
 
Harness the power of http headers to secure your web apps
Harness the power of http headers to secure your web appsHarness the power of http headers to secure your web apps
Harness the power of http headers to secure your web apps
 
Java fx ap is
Java fx ap isJava fx ap is
Java fx ap is
 
Alt-Cookies and Controversies in Ethics
Alt-Cookies and Controversies in EthicsAlt-Cookies and Controversies in Ethics
Alt-Cookies and Controversies in Ethics
 
Apidaze WebRTC Workshop barcelona 21st april 2013
Apidaze WebRTC Workshop barcelona 21st april 2013Apidaze WebRTC Workshop barcelona 21st april 2013
Apidaze WebRTC Workshop barcelona 21st april 2013
 
HTML5: Markup Evolved
HTML5: Markup EvolvedHTML5: Markup Evolved
HTML5: Markup Evolved
 
Dart on Arm - Flutter Bangalore June 2021
Dart on Arm - Flutter Bangalore June 2021Dart on Arm - Flutter Bangalore June 2021
Dart on Arm - Flutter Bangalore June 2021
 

Recently uploaded

Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 

Recently uploaded (20)

Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 

HTTP Security Headers - Devoxx UA 18

Editor's Notes

  1. HTTP no longer considered secure HTTPS is cheap (letsencrypt) and faster (HTTP/2)
  2. Enables HSTS for 1 year Refreshed every time the browser sees it Should be fine for most usecases (exception e.g. taxonweb)
  3. Include subdomains for HTTPS Careful though -> all subdomains might possibly break internal stuff (e.g. old printer with an http only management interface on printer.example.com)
  4. Allow preloading
  5. Preloading is an end goal. Removal from the list is a manual process, which will take time. Site is eligible when It has a valid certificate Redirects to https Serves al subdomains on https HSTS max-age at least 1 year HSTS preload active HSTS includesubdomains active
  6. Browser validates the certificate.
  7. 169 roots configured, your browser trusts all of them.
  8. CAs have to publish certificate info in logs Site admin should monitor those logs Careful, these logs are public!
  9. Enforce -> actually enforce the header.
  10. Report-uri -> sends a report of non-compliance to an endpoint of your choice e.g. reporturi.io Without enforce -> only reporting.