No prerequisites - I am pitching this session at anyone who has any responsibility for a website of any type: whether you are a project manager, site builder, designer or developer.
It used to be that browsers were something we fought against to get our site viewed the way we wanted; now they are our allies.
Far from being dumb proprietary clients that parse our HTML however they like, they have evolved into complex software applications. They provide powerful security controls that decide what may be loaded and executed on a page, and debugging tools that let us investigate the decisions they make.
By sending a set of HTTP response headers alongside our web pages, we can now work with browsers to protect our site visitors from malicious content and control what is displayed on, and included in, our pages.
In this session we will touch on what threats face our web pages out in the wild, such as script injection (XSS) and unwanted third-party content, and what measures we can employ to protect against them.
We will focus on implementing a Content Security Policy and will cover
- the initial investigation and building of a Content Security Policy (CSP);
- implementation and observation of the CSP in the wild;
- monitoring of the CSP once live;
- evidence of its effectiveness (threats thwarted).
Hopefully attendees will leave convinced that a CSP is invaluable and that projects should build in the time and resources to implement one.