Presented at
BSidesSF 2019,
March 4, 2019, 2:10 p.m.
(30 minutes).
Security headers are a history of digital scar tissue. Each one there because we discovered something terrible on the internet but couldn't shut it off without breaking things. They allow you to tap into a wealth of security controls built into modern browsers, but most are simply off by default. We'll start with a quick, high level overview of most of the major security headers and what best practice is for setting them.
We'll finish with a deep dive into the content-security-policy header, both the most complex and most powerful security header. I'll show how at my company we got the best security outcomes by enabling developers—the people who best know the content that should be running in our apps—to tailor the CSP header themselves giving us more fine-grained control than a traditional security or operations driven policy.
Presenters:
-
Benjamin Hering
- ASAPP
Benjamin Hering leads Security Engineering at ASAPP. His career focuses on leveraging technology to improve organizations and people in both the for-profit and non-profit spheres; making technology meet people where they are rather than the other way around. He graduated from Grinnell College with a B.A. in Mathematics and Economics and is a GCIH & GCIA.
Links:
Similar Presentations: