International PHP Conference |
October 21 - 25, 2019 in Munich

Workshop: Understanding HTTP Security Header – 101 [SOLD OUT]

Friday, June 7 2019
09:00 - 17:00
Booking note:
Security Workshop

This workshop provides a hands-on overview of the so-called security header HTTP extensions. It is aimed at web developers, backend developers, DevOps, DevSecOps and technical leads and gives basic insights into the additional security features the protocol and user agents provide today. Besides introducing useful tools to check your applications, every header is reviewed: what it is for, when to use it and when not to. Beyond the dos and don'ts, the workshop covers precautions to take and how the behaviour of user agents and applications may change once a header is deployed. So if you haven't heard about security headers yet, this workshop is for you!

The workshop goes through all current security headers and gives an outlook on upcoming ones. Security headers are a good way to improve security and reduce the risks of web and mobile applications, and upcoming headers will add logging and monitoring capabilities. A large set of references and links for further reading and research is provided as well.


The workshop has a defined structure, but deep dives are possible where necessary, depending on the participants' knowledge and needs.


For every header a short summary is provided, with examples of how to use it, what to take care of and how to test it. As there are currently 10 headers, they take up the main part of the workshop. The more complex ones, such as CSP, get a deeper analysis and showcase. The HTTPS/PKI-related headers are covered with additional background.

Part I: Introduction and Overview of the Headers; Used Tools and Onlineservices during the Workshop

  • Motivation / Application Security Overview
  • Why have those headers been introduced?
  • Overall Benefits & Risks
  • In-Browser Support & Tests
  • Online & Browser-Tools & Online Security Ratings


Part II: The Headers in Detail – Part I

  • X-Frame-Options
  • X-XSS-Protection
  • X-Content-Type-Options
  • X-Permitted-Cross-Domain-Policies
  • Referrer-Policy
  • Content-Security-Policy (CSP)
  • Feature-Policy


Part III: The Headers in Detail – Part II

  • Short Intro to HTTPS/PKI/Certificate Transparency for headers interacting with it
  • Expect-CT
  • HTTP Strict Transport Security (HSTS)
  • Public Key Pinning Extension for HTTP (HPKP)
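As an added example that is not part of the workshop materials, the following Python script shows the kind of check the "how to test" part refers to: it parses a constructed HTTP/1.1 response and reports missing or weak values for several of the headers listed in Parts II and III (the threshold values and the sample response are assumptions for the demo, not recommendations from the workshop).

```python
from email.parser import HeaderParser

# Constructed sample response for the demo; not captured from any real host.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
X-Frame-Options: ALLOWALL
X-Content-Type-Options: nosniff
Content-Security-Policy: script-src 'self' 'unsafe-inline'
Strict-Transport-Security: max-age=3600
Public-Key-Pins: pin-sha256="PLACEHOLDER_PIN_VALUE="; max-age=5184000
Referrer-Policy: no-referrer-when-downgrade
"""

def parse_headers(raw):
    """Parse a raw HTTP response into a {lowercase-name: value} dict."""
    _, _, header_block = raw.partition("\n")  # drop the status line
    msg = HeaderParser().parsestr(header_block)
    return {k.lower(): v.strip() for k, v in msg.items()}

def directive(value, name):
    """Return the value of `name=...` in a ';'-separated header, or None."""
    for part in value.split(";"):
        k, _, v = part.strip().partition("=")
        if k.strip().lower() == name:
            return v.strip()
    return None

def check_security_headers(raw):
    """Return a list of findings; an empty list means nothing to report."""
    h = parse_headers(raw)
    findings = []
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options should be nosniff")
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        if "'unsafe-inline'" in csp:
            findings.append("CSP allows 'unsafe-inline'")
        if "default-src" not in csp:
            findings.append("CSP has no default-src fallback")
    hsts = h.get("strict-transport-security")
    max_age = directive(hsts, "max-age") if hsts else None
    if max_age is None or not max_age.isdigit() or int(max_age) < 15552000:
        findings.append("HSTS missing or max-age below 180 days")
    if "public-key-pins" in h:  # HPKP: deprecated, removed from Chrome in 2019
        findings.append("HPKP present: deprecated and a lock-out risk")
    if "referrer-policy" not in h:
        findings.append("Referrer-Policy missing")
    return findings
```

Run `check_security_headers(SAMPLE_RESPONSE)` to see the five findings for the sample; point `parse_headers` at a response captured with your intercepting proxy to check your own application.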


Part IV: Outlook & Summary

  • Upcoming Headers
  • Important Links & Tools
  • Further Security Resources
  • Summary of the workshop

The workshop is aimed at developers and administrators as well as security people who want a deeper understanding of the topic. As it is designed as a 101 workshop, no special knowledge of the topic itself is required. Basic knowledge of HTTP and of the interaction between user agents (browsers, web views in mobile apps) and servers is helpful.

Participants should bring a laptop with internet access; having Google Chrome installed is helpful, as some features of the browser will be used during the workshop. An intercepting development proxy such as Fiddler (Windows), OWASP ZAP, Postman or a similar tool that can record and send HTTP headers is useful too. For best use, the proxy should be able to intercept HTTPS traffic.

It is still possible to follow the workshop without your own computer, but you gain the most if you bring one and try things out for yourself during the workshop. All materials, links and tools will be publicly available.

Stay tuned!
