Using HTTPS - HSTS, TLS, HPKP, CSP and friends (Robert Hurlbut)

Boston .NET Architecture Group
Boston .NET Architecture Group
Public group

Location visible to members



Moving a website or API with many user customizations to HTTPS is not easy as it sounds. Migrating to a secure HTTPS platform is even more difficult. Browser vendors have added many HTTP headers to make HTTPS website safer to use: HSTS, HPKP (Public Key Pinning), CSP (Content Security Policy), etc.

In this talk, you will learn about moving large and complex websites and APIs to HTTPS. I will explain how these headers need to be thoroughly thought out, from the TLS versions and ciphers to support to which certificate to pin. The talk will show how to plan the migration to HTTPS, how to leverage CSP to measure the impact of the update before it happens, how HSTS, HPKP and CSP can work together to ensure a safer experience for users, and how to use the various tools to test and monitor all of these methods.


Robert Hurlbut is owner of Robert Hurlbut Consulting Services and is an independent software security consultant and trainer with 30 years of industry experience in secure coding, software architecture, and software development. He speaks at user groups, national and international conferences, and provides training for many clients. Robert leads the Boston .NET Architecture Group in Waltham, MA and the Amherst Security Group in Hadley, MA. You can find Robert on Twitter at and at his blog at (

Venue and Food

We meet at Magenic (see address above) at 6-8 pm. As usual, there will be pizza and sodas provided. Please RSVP through this site if you will be attending.