Overview
Explore essential HTTP security headers in this JSConf.Asia 2014 conference talk by Wei Lu. Dive into Content-Security-Policy and Strict-Transport-Security, understanding their importance in protecting web applications. Learn about the well-designed security specifications within the HTTP protocol and how modern browsers can handle much of the security workload. Discover which security headers are most valuable, when to implement them, and how to effectively use them. Gain insights into resource directives, keywords, and potential pitfalls of Content Security Policy. Examine X-XSS-Protection, its origins, and current relevance. Understand the risks of Man-in-the-Middle attacks and how HTTP Strict Transport Security (HSTS) can mitigate them. Explore clickjacking prevention techniques, comparing X-Frame-Options with Content Security Policy. Review browser support for various security headers and discover useful Node modules for implementation. Walk away with a comprehensive understanding of how to leverage HTTP headers to enhance web application security.
Syllabus
Intro
Cowsay
Content Security Policy
CSP: Resource Directives
CSP: Keywords
CSP: Gotchas
Content Security PC
CSP: Browser Support
X-XSS-Protection - by MS
X-XSS-Protection - Today
Man in the Middle
With HTTP Strict Transport Security
HSTS: Gotchas
HSTS: Verification
HSTS: Browser Support
Clickjacking
X-Frame-Options vs. CSP
X-Frame-Options: Browser Support
Node Modules
Summary
Conclusions
Taught by
JSConf