International PHP Conference
The Conference for PHP and Web Development

Workshop: Understanding HTTP Security Header – 101 [SOLD OUT]

Friday, June 7 2019
09:00 - 17:00
Booking note:
Security Workshop

This workshop provides a hands-on overview of the so-called security-header HTTP extensions. It is aimed at web developers, backend developers, DevOps, DevSecOps and technical leads, and gives basic insights into the additional security features that the protocol and user agents provide today. Besides introducing useful tools for checking your applications, every header is reviewed: what it is for, when to use it and when not to. Alongside the dos and don'ts, the workshop gives practical insights, precautions to take, and how the behavior of user agents and applications may change once a header is in use. So if you haven't heard about security headers yet, this workshop is for you!

The workshop goes through all the current security headers and provides a look ahead at upcoming ones. Security headers are a good way to improve the security and reduce the risks of web and mobile applications. In the future, additional logging and monitoring capabilities will be provided as well! Plenty of additional references and links for further reading and research are also provided.


The workshop has a defined structure, but it is possible to deep-dive where possible and necessary, depending on the participants' knowledge and needs.

For every header a short summary is provided, with examples of how to use it, what to take care of, and how to test it. As there are currently 10 headers, the main part of the workshop is dedicated to them. Some are more complex, such as CSP, and get a deeper analysis and showcase. The HTTPS/PKI-related headers are also covered with more background.

Part I: Introduction and Overview of the Headers; Tools and Online Services Used during the Workshop

  • Motivation / Application Security Overview
  • Why have those headers been introduced?
  • Overall Benefits & Risks
  • In-Browser Support & Tests
  • Online & Browser-Tools & Online Security Ratings


Part II: The Headers in Detail – Part I

  • X-Frame-Options
  • X-XSS-Protection
  • X-Content-Type-Options
  • X-Permitted-Cross-Domain-Policies
  • Referrer-Policy
  • Content-Security-Policy (CSP)
  • Feature-Policy


Part III: The Headers in Detail – Part II

  • Short Intro to HTTPS/PKI/Certificate Transparency for headers interacting with it
  • Expect-CT
  • HTTP Strict Transport Security (HSTS)
  • Public Key Pinning Extension for HTTP (HPKP)


Part IV: Outlook & Summary

  • Upcoming Headers
  • Important Links & Tools
  • Further Security Resources
  • Summary of the workshop
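As an added illustration of the "how to test" part of the outline (example code, not material from the workshop or from IPC): a small Python audit that parses a constructed HTTP response and grades the headers listed above. The thresholds it applies (HSTS max-age of at least one year, no 'unsafe-inline' in the CSP, a strict Referrer-Policy value, X-Permitted-Cross-Domain-Policies set to none) are this example's own assumptions.

```python
# Added example (not workshop material); the thresholds it applies are assumptions.
from typing import Callable, Dict

def parse_headers(raw_response: str) -> Dict[str, str]:
    """Map the head of a raw HTTP response to lower-cased header name -> value."""
    headers: Dict[str, str] = {}
    for line in raw_response.strip().splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def hsts_ok(value: str) -> bool:
    """HSTS counts as sound only with a max-age of at least one year (assumed threshold)."""
    for directive in value.split(";"):
        directive = directive.strip().lower()
        if directive.startswith("max-age="):
            try:
                return int(directive[len("max-age="):]) >= 31536000
            except ValueError:
                return False
    return False  # no max-age directive at all

# Header name -> predicate deciding whether its value is acceptable (assumed policy).
CHECKS: Dict[str, Callable[[str], bool]] = {
    "strict-transport-security": hsts_ok,
    "x-content-type-options": lambda v: v.lower() == "nosniff",
    "x-frame-options": lambda v: v.upper() in ("DENY", "SAMEORIGIN"),
    "content-security-policy": lambda v: "default-src" in v.lower() and "'unsafe-inline'" not in v.lower(),
    "referrer-policy": lambda v: v.lower() in ("no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"),
    "x-permitted-cross-domain-policies": lambda v: v.lower() == "none",
}

def audit(raw_response: str) -> Dict[str, str]:
    """Report each checked header as 'ok', 'missing' or 'weak: <value>'."""
    headers = parse_headers(raw_response)
    report: Dict[str, str] = {}
    for name, check in CHECKS.items():
        if name not in headers:
            report[name] = "missing"
        else:
            report[name] = "ok" if check(headers[name]) else "weak: " + headers[name]
    return report

# Constructed sample response with typical mistakes (short HSTS, bogus X-Frame-Options value).
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300
X-Content-Type-Options: nosniff
X-Frame-Options: ALLOWALL
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
Referrer-Policy: no-referrer-when-downgrade
"""
```

Calling `audit(SAMPLE_RESPONSE)` flags every header but X-Content-Type-Options; the same function can be fed the response head recorded with a proxy such as OWASP ZAP.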

The workshop is aimed at developers and administrators as well as security people who want to gain a deeper understanding of the topic. As it is designed as a 101 workshop, no special knowledge of the topic itself is required. Basic knowledge of HTTP and of the interaction between user agents (browsers, web views in mobile apps) and servers is helpful.

Participants should bring a laptop with internet access; having Google Chrome installed is helpful, as some features of that browser are used during the workshop. An intercepting development proxy such as Fiddler (Windows), OWASP ZAP, Postman or a similar tool that can record and send HTTP headers is useful too. For best results the proxy should be able to intercept HTTPS traffic.

It is still possible to follow the workshop without your own computer, but you get the most out of it if you bring one and try things out for yourself during the workshop. All materials, links and tools will be publicly available.

This session originates from the archive of IPC Berlin. The current programs for Berlin and Munich are available on the conference site.
