Attendees should have an interest in web security and current real world threats.
The session is aimed at site owners, business managers, developers and site builders; anyone with the desire and responsibility to deliver secure user experiences.
[ - Slides available here - ]
It used to be that browsers were something we fought against to get our sites viewed the way we wanted; now they are our allies.
Far from being dumb proprietary clients that just parse our HTML the way they want, they have evolved into complex software applications.
They provide powerful security controls to make decisions about what to display and debugging tools to enable us to investigate their actions.
It is increasingly common to find malicious exploits targeting web pages within the browser; running crypto-miners, stealing credentials and forging requests.
By implementing a set of headers to be delivered alongside our web pages, we can now work with browsers to protect our site visitors from malicious content
and control what is displayed and included on our pages.
In this session we will touch on what threats face our web pages out in the wild and what measures we can employ to work with browsers to protect them.
We will focus on implementing security headers and building a Content Security Policy, and will cover
- implementation of essential security headers;
- the initial investigation and building of a Content Security Policy (CSP);
- implementation and observation of the CSP in the wild;
- monitoring of the CSP once live;
- evidence of its effectiveness (threats thwarted).
Hopefully attendees will be convinced as to why security headers and CSP are invaluable and why projects should build in time and resources to implement them.