Misconfigured CORS and Web Application Security Challenges

Explore a conference talk from AppSecUSA 2016 that delves into the complexities of web application security, focusing on misconfigured CORS (Cross-Origin Resource Sharing) and its implications. Learn about the challenges of implementing advanced browser security features and HTTP response headers, as the speaker shares a personal story of discovering a significant vulnerability affecting approximately 1000 websites from the Alexa top 1 million. Gain insights into the intricacies of CORS headers and the operational issues associated with various security technologies such as CSP, HPKP, HSTS, and SRI. Understand the importance of mastering the basics before implementing advanced security features, and consider the speaker's perspective on the utility of these features for most websites. Benefit from the expertise of Evan Johnson, a Security Systems Engineer at CloudFlare, as he shares his experiences and insights in this 40-minute presentation.

Evan Johnson - Misconfigured CORS and why web appsec is not getting easier - AppSecUSA 2016