1-3 March 2019

City, University London

Browser Wars 2019 - Implementing a Content Security Policy

Prerequisites

Attendees should have an interest in web security and current real-world threats.
The session is aimed at site owners, business managers, developers and site builders: anyone with the desire and responsibility to deliver secure user experiences.

Session details

[ - Slides available here - ]

It used to be that browsers were something we fought against to get our sites viewed the way we wanted; now they are our allies.

Far from being dumb proprietary clients that just parse our HTML the way they want, they have evolved into complex software applications. 
They provide powerful security controls to make decisions about what to display and debugging tools to enable us to investigate their actions.

It is increasingly common to find malicious exploits targeting web pages within the browser: running crypto-miners, stealing credentials and forging requests.
By implementing a set of headers delivered alongside our web pages, we can now work with browsers to protect our site visitors from malicious content and control what is displayed and included on our pages.

In this session we will touch on the threats our web pages face in the wild and the measures we can employ to work with browsers to protect them.
We will focus on implementing security headers and building a Content Security Policy, and will cover:

  • implementation of essential security headers;
  • the initial investigation and building of a Content Security Policy (CSP);
  • implementation and observation of the CSP in the wild;
  • monitoring of the CSP once live;
  • evidence of its effectiveness (threats thwarted).

Hopefully attendees will come away convinced that security headers and CSP are invaluable, and that projects should build in time and resources to implement them.

Scheduled day: Saturday
Room: ELG01
Session Time: 15.00 - 15.45
