HTTP Security Headers: A Technology History Through Scar Tissue

Presented at BSidesSF 2019, March 4, 2019, 2:10 p.m. (30 minutes)

Security headers are a history of digital scar tissue. Each one is there because we discovered something terrible on the internet but couldn't shut it off without breaking things. They allow you to tap into a wealth of security controls built into modern browsers, but most are simply off by default. We'll start with a quick, high-level overview of most of the major security headers and what best practice is for setting them. We'll finish with a deep dive into the Content-Security-Policy header, both the most complex and the most powerful security header. I'll show how at my company we got the best security outcomes by enabling developers, the people who best know the content that should be running in our apps, to tailor the CSP header themselves, giving us more fine-grained control than a traditional security- or operations-driven policy.
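The model the abstract describes, a security-owned baseline that each team extends with the sources its own app actually needs, can be sketched as a small policy merger. The JavaScript below is an added illustration written for this page; it is not ASAPP's code and nothing in the talk specifies it. The baseline directives, the locked directives, the forbidden-source lists and the sample app declaration are all assumptions chosen for the example.

```javascript
// Added example (not from the talk or ASAPP): a developer-tailored CSP built on
// a security-team baseline. Directives, hosts and rules below are assumptions.

// Baseline every app ships with, owned by the security team.
const BASELINE = {
  "default-src": ["'self'"],
  "object-src": ["'none'"],
  "base-uri": ["'self'"],
  "frame-ancestors": ["'none'"],
};

// Directives developers may not touch at all.
const LOCKED = new Set(["object-src", "base-uri", "frame-ancestors"]);

// Source expressions developers may not add to a given directive
// (an illustrative list, not a complete one).
const FORBIDDEN = {
  "script-src": ["'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:"],
  "style-src": ["*"],
};

// Fetch directives fall back to default-src only while absent; once an app sets
// one explicitly that fallback stops applying, so we seed it from the baseline.
const FETCH_DIRECTIVES = new Set([
  "script-src", "style-src", "img-src", "connect-src", "font-src",
  "media-src", "frame-src", "worker-src", "manifest-src", "child-src",
]);

// Parse a serialized policy into {directive: [sources]}. As in browsers,
// a repeated directive is ignored after its first occurrence.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!(key in policy)) policy[key] = sources;
  }
  return policy;
}

// Serialize with sorted directives so diffs in code review are stable.
function serializeCsp(policy) {
  return Object.keys(policy)
    .sort()
    .map((d) => `${d} ${policy[d].join(" ")}`)
    .join("; ");
}

// Merge an app's developer-declared directives into the baseline, rejecting
// anything that would loosen the parts the security team owns.
function mergeCsp(baseline, appPolicy) {
  const merged = {};
  for (const [d, srcs] of Object.entries(baseline)) merged[d] = [...srcs];
  const errors = [];

  for (const [d, srcs] of Object.entries(appPolicy)) {
    if (LOCKED.has(d)) {
      errors.push(`${d}: set centrally, cannot be overridden`);
      continue;
    }
    const bad = srcs.filter((s) => (FORBIDDEN[d] || []).includes(s));
    if (bad.length > 0) {
      errors.push(`${d}: ${bad.join(" ")} not permitted`);
      continue;
    }
    const seed =
      merged[d] || (FETCH_DIRECTIVES.has(d) ? baseline["default-src"] || [] : []);
    merged[d] = Array.from(new Set([...seed, ...srcs]));
  }
  return { header: serializeCsp(merged), errors };
}

// Constructed sample: what one team might declare for its own app.
const appDeclared = "script-src https://cdn.example.com 'nonce-abc'; img-src data:";
console.log(mergeCsp(BASELINE, parseCsp(appDeclared)));
```

The seeding step is the part teams most often get wrong by hand: adding `script-src https://cdn.example.com` to a policy whose only script permission came from `default-src 'self'` silently drops `'self'` for scripts, because an explicit fetch directive replaces the fallback rather than extending it. Running declarations through a merger like this in CI lets developers own their source lists while the locked and forbidden sets keep `object-src`, `base-uri`, `frame-ancestors` and the unsafe keywords out of their hands.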

Presenters:

  • Benjamin Hering - ASAPP
    Benjamin Hering leads Security Engineering at ASAPP. His career focuses on leveraging technology to improve organizations and people in both the for-profit and non-profit spheres, making technology meet people where they are rather than the other way around. He graduated from Grinnell College with a B.A. in Mathematics and Economics and holds the GCIH and GCIA certifications.
