09:00 - 17:00
This workshop provides a hands-on overview of the so-called security header HTTP extensions. It is aimed at web developers, backend developers, DevOps, DevSecOps and technical leads and gives basic insights into the additional security features that the protocol and user agents provide today. Besides introducing useful tools for checking your applications, all headers are reviewed: what they are for, when to use them and when not to. Along with the dos and don’ts, the workshop covers precautions to take and how the behavior of user agents and applications may change once a header is deployed. So if you haven’t heard about security headers yet – this workshop is for you!
Content & Process
The workshop will go through all the current security headers and provide an outlook on upcoming ones. Security headers are a good way to improve security and reduce the risks of web and mobile applications. In the future, additional logging and monitoring capabilities will be provided! A lot of additional references and links for further reading and research will also be provided.
The workshop has a defined structure, but it is possible to deep dive where useful and necessary, depending on the participants’ knowledge and needs.
For every header a short summary is provided, with examples of how to use it, what to take care of and how to test it. As there are currently 10 headers, they take up the main part of the workshop. Some of them, such as CSP, are more complex and receive a deeper analysis and showcase. The HTTPS/PKI-related headers are also covered with more background.
Part I: Introduction and Overview of the Headers; Tools and Online Services Used During the Workshop
- Motivation / Application Security Overview
- Why have those headers been introduced?
- Overall Benefits & Risks
- In-Browser Support & Tests
- Online & Browser-Tools & Online Security Ratings
Part II: The Headers in Detail – Part I
- Content-Security-Policy (CSP)
Part III: The Headers in Detail – Part II
- Short Intro to HTTPS/PKI/Certificate Transparency for headers interacting with it
- HTTP Strict Transport Security (HSTS)
- Public Key Pinning Extension for HTTP (HPKP)
Part IV: Outlook & Summary
- Upcoming Headers
- Important Links & Tools
- Further Security Resources
- Summary of the workshop
Audience & Requirements
The workshop is aimed at developers and administrators as well as security people who want to gain a deeper understanding of the topic. As it is designed as a 101 workshop, no special knowledge of the topic itself is required. A basic knowledge of HTTP and of the interaction between user agents (browsers, web views in mobile apps) and servers is helpful.
Participants should bring a laptop with internet access; having Google Chrome installed is helpful, as some features of the browser will be used during the workshop. An intercepting development proxy such as Fiddler (Windows), OWASP ZAP, Postman or a similar tool that helps to record and send HTTP headers may be useful too. For best use, the proxy should be capable of intercepting HTTPS traffic.
It is still possible to follow the workshop without your own computer, but you will get the most out of it if you bring one and try things out for yourself during the workshop. All materials, links and tools will be publicly available.