
Beyond HTTPS - HSTS, TLS, HPKP, CSP and friends

Hosted By
Chris M.

Details


Abstract:
Most developers know they should secure a website using HTTPS. Moving a website to HTTPS is not enough. Browser vendors have added many HTTP security headers to make HTTPS websites safer to use: HSTS, HPKP (Public Key Pinning), CSP (Content Security Policy), etc.

In this session, you will learn about moving websites to HTTPS. You will also see how the security headers need to be thoroughly planned out, from which TLS versions and cipher suites to support to which certificates to pin. The session will show how to leverage CSP to measure the impact of the updates before they happen, how HSTS, HPKP, and CSP can work together to ensure a safer experience for users, and how to use various tools to test and monitor all of these security headers.

Bio:
Robert Hurlbut is a software security architect, developer, and trainer. Robert is a Microsoft MVP for Developer Security and holds the (ISC)2 CSSLP certification. Robert has over 30 years of industry experience in secure coding, software architecture, and software development. Robert blogs at https://roberthurlbut.com/blog and shares links and other information on Twitter at @RobertHurlbut (https://twitter.com/roberthurlbut) and is a co-host of the Application Security Podcast at https://www.appsecpodcast.org.

Tech Valley .NET User Group (TVUG)