Beyond HTTPS - HSTS, TLS, HPKP, CSP and friends

Most developers know they should serve a website over HTTPS, but moving a website to HTTPS is not enough on its own. Browser vendors have added many HTTP security headers to make HTTPS websites safer to use: HSTS (HTTP Strict Transport Security), HPKP (HTTP Public Key Pinning), CSP (Content Security Policy), and others.

In this session, you will learn about moving websites to HTTPS. You will also see how the security headers need to be thoroughly planned out, from which TLS versions and ciphers to support to which certificates to pin. The session will show how to leverage CSP in report-only mode to measure the impact of the updates before they are enforced, how HSTS, HPKP, and CSP can work together to ensure a safer experience for users, and how to use various tools to test and monitor all of these security headers.
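As an added illustration of the kind of header check the session describes (example code, not from the session or its speaker), the function below audits a captured set of response headers and reports the weak or missing settings a planner would want to fix; the sample header values are constructed, and the thresholds (one-year HSTS max-age) are the author's assumption of a common baseline.

```python
"""Audit HTTPS security headers from a captured response (constructed sample)."""
import re
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # seconds; assumed baseline for HSTS max-age

# Constructed sample: a site part-way through its HTTPS hardening.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=86400",
    "Content-Security-Policy-Report-Only": "default-src 'self'; report-uri /csp-report",
    "Public-Key-Pins": 'pin-sha256="PLACEHOLDER_PIN="; max-age=5184000',
}

def _get(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None

def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means no issue was detected."""
    findings: List[str] = []
    hsts = _get(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append("HSTS: header missing; the first plain-HTTP request is not protected")
    else:
        match = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        max_age = int(match.group(1)) if match else 0
        if max_age < ONE_YEAR:
            findings.append(f"HSTS: max-age {max_age}s is below one year ({ONE_YEAR}s)")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS: includeSubDomains missing; subdomains stay unprotected")
        if "preload" not in hsts.lower():
            findings.append("HSTS: preload missing; not eligible for browser preload lists")
    csp = _get(headers, "Content-Security-Policy")
    csp_ro = _get(headers, "Content-Security-Policy-Report-Only")
    if csp is None and csp_ro is None:
        findings.append("CSP: no policy; injected scripts and mixed content are not restricted")
    elif csp is None:
        # Report-only is the measurement phase: violations are reported, not blocked.
        findings.append("CSP: report-only mode only; policy is measured but not enforced")
    elif "'unsafe-inline'" in csp:
        findings.append("CSP: 'unsafe-inline' weakens script restrictions")
    if _get(headers, "Public-Key-Pins") is not None:
        # Browsers have since removed HPKP enforcement; a wrong pin can lock users out.
        findings.append("HPKP: present; no longer enforced by major browsers and risky to operate")
    return findings

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS):
        print(finding)
```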

Robert Hurlbut is a software security architect, developer, and trainer. Robert is a Microsoft MVP for Developer Security and holds the (ISC)2 CSSLP certification. Robert has over 30 years of industry experience in secure coding, software architecture, and software development. Robert blogs at and shares links and other information on Twitter at @RobertHurlbut and is a co-host of the Application Security Podcast at