HTTP Headers - The Simplest Security

JSConf via YouTube

Overview

Explore essential HTTP security headers in this JSConf.Asia 2014 conference talk by Wei Lu. Dive into Content-Security-Policy and Strict-Transport-Security, understanding their importance in protecting web applications. Learn about the well-designed security specifications within the HTTP protocol and how modern browsers can handle much of the security workload. Discover which security headers are most valuable, when to implement them, and how to effectively use them. Gain insights into resource directives, keywords, and potential pitfalls of Content Security Policy. Examine X-XSS-Protection, its origins, and current relevance. Understand the risks of Man-in-the-Middle attacks and how HTTP Strict Transport Security (HSTS) can mitigate them. Explore clickjacking prevention techniques, comparing X-Frame-Options with Content Security Policy. Review browser support for various security headers and discover useful Node modules for implementation. Walk away with a comprehensive understanding of how to leverage HTTP headers to enhance web application security.

Syllabus

Intro
Cowsay
Content Security Policy
CSP: Resource Directives
CSP: Keywords
CSP: Gotchas
Content Security PC
CSP: Browser Support
X-XSS-Protection - by MS
X-XSS-Protection - Today
Man in the Middle
With HTTP Strict Transport Security
HSTS: Gotchas
HSTS: Verification
HSTS: Browser Support
Clickjacking
X-Frame-Options vs. CSP
X-Frame-Options: Browser Support
Node Modules
Summary
Conclusions

Taught by

JSConf
