HTTP Security Headers You Need To Have On Your Web Apps
Offered By: NDC Conferences via YouTube
Course Description
Overview
Learn about essential HTTP security headers for web applications in this comprehensive conference talk from NDC London 2021. Explore the fundamentals of HTTP headers and their role in web security. Dive deep into specific security headers like HTTP Strict Transport Security (HSTS), Content Security Policy (CSP), and X-Frame-Options (XFO). Understand their purposes and implementation methods, and see live demonstrations of their effects. Discover the importance of HTTPS and of protection against Cross-Site Scripting (XSS) and browser sniffing. Gain insights on retrofitting security headers to existing applications and testing your website's security, and find valuable resources for further learning. Equip yourself with the knowledge to enhance the security of your web applications through effective use of HTTP headers.
Syllabus
Intro
Audience
What are HTTP Headers?
What are HTTP Security Headers?
HTTP Strict Transport Security (HSTS)
Without HSTS
What's the issue?
What can happen?
With HSTS
HSTS Options
HSTS Preload List
HSTS Gotchas
HSTS Impact of Retrofitting on Existing A
Quick word on HTTPS
Cross-Site Scripting (XSS)
XSS Final Note
Content Security Policy (CSP) Options
CSP Impacting of Retrofitting to Existing
Browser Sniffing Protection X-Content-Type
XCTO Impact of Retrofitting to Existing AS
Referer Header background
and even JIRA/Confluence/OWA
Referrer-Policy
Feature-Policy Is Experimental
How do I test my website?
Takeaways
Resources
Taught by
NDC Conferences