Build but don't break: Lessons in Implementing HTTP Security Headers

Presented at AppSec USA 2013, Nov. 20, 2013, noon (50 minutes).

Content Security Policy is a new standard from the WC3 that aims to help stop a mainstay of the OWASP top 10, cross-site scripting (XSS). The problem faced by many major sites today is how to craft a working content security policy that works for already existing applications. We will discuss real world techniques to simplify policy generation and testing, as well as discuss what changes are coming in CSP version 1.1. I will also discussion additional security headers such as X-Frame-Options to stop clickjacking and HTTP Strict Transport Security to stop man-in-the-middle attacks.

Presenters:

• Kenneth Lee - Product Security Engineer - Etsy
  AppSec Engineer @ Etsy. Loves pentests, code reviews, and a good cup of tea. Twitter: @kennysan Github: https://github.com/kennysan

Links:

• https://appsecusa2013.sched.com/event/13jaSHw/build-but-dont-break-lessons-in-implementing-http-security-headers

Similar Presentations:

• DEF CON 21 (2013) / How to use CSP to Stop XSS
• AppSec USA 2014 / Client-side security with the Security Header Injection Module (SHIM)
• BSidesSF 2019 / HTTP Security Headers: A Technology History Through Scar Tissue