Friday, May 22 • 09:50 - 10:35
Security And Insecurity Of HTTP Headers

From the security perspective, HTTP headers sit at two extremes:
They can provide a higher level of security for the browser and thus serve as an additional layer of defense, such as HSTS and CSP.

On the flip side of the coin, HTTP headers in a default setup already give an attacker some information, and worse, with crafted requests they may divulge too much about the infrastructure involved (e.g. IP addresses behind a reverse proxy or load balancer).

This talk will address both sides of the coin. It will start with the basics of HTTP headers and show which information is necessary and which is redundant. It gives practical advice -- where to set which header, where to unset certain lines, and what the pitfalls are.

It mentions browser dependencies and outlines new features such as CSPv2 and HPKP, as well as new threats to privacy such as HSTS tracking.

The talk will look at these topics from the infrastructure perspective and show examples for commonly used server software.
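As an added illustration (not material from the talk), a small Python audit over a parsed set of response headers that checks both sides described above: whether the protective headers (HSTS, CSP) are present and strong enough, and whether headers that disclose server software or topology are still being sent. The sample headers, the max-age threshold and the list of disclosing header names are constructed assumptions for this example.

```python
"""Audit HTTP response headers: protective headers that should be present
(HSTS, CSP) versus headers that reveal server software or infrastructure."""

# Illustrative list of headers that commonly disclose software or topology
# (assumed for this example; extend per environment).
DISCLOSING = {"server", "x-powered-by", "x-aspnet-version", "via", "x-backend-server"}
# Assumed threshold for this example (180 days); choose per policy.
HSTS_MIN_AGE = 15552000

def parse_hsts(value):
    """Return (max_age, include_subdomains) from a Strict-Transport-Security value."""
    max_age, sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age" and arg.strip().isdigit():
            max_age = int(arg.strip())
        elif name == "includesubdomains":
            sub = True
    return max_age, sub

def audit_headers(headers):
    """Return a list of findings for a dict mapping header name -> value."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if "strict-transport-security" not in h:
        findings.append("missing: Strict-Transport-Security")
    else:
        max_age, sub = parse_hsts(h["strict-transport-security"])
        if max_age is None or max_age < HSTS_MIN_AGE:
            findings.append("weak: HSTS max-age below %d" % HSTS_MIN_AGE)
        if not sub:
            findings.append("weak: HSTS without includeSubDomains")
    if "content-security-policy" not in h:
        findings.append("missing: Content-Security-Policy")
    for name in sorted(DISCLOSING & set(h)):  # leaked software/topology details
        findings.append("disclosure: %s: %s" % (name, h[name]))
    return findings

# Constructed sample response headers (not captured from a real server).
SAMPLE = {
    "Server": "Apache/2.4.7 (Ubuntu)",
    "X-Powered-By": "PHP/5.5.9",
    "Via": "1.1 lb-internal",
    "Strict-Transport-Security": "max-age=3600",
    "Content-Type": "text/html",
}

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE):
        print(finding)
```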

Dirk Wetter

Dirk is an independent security consultant who has more than 17 years of experience in information security and, as he is an old man, even more in the world of Unix/Linux. If his time allows, he gives talks at conferences and publishes articles for computer magazines. He is engaged in OWASP Germany / Europe and has chaired a couple of conferences. He uses Open Source Software whenever possible. His pet project testssl.sh...

Friday May 22, 2015 09:50 - 10:35
E104&105 Amsterdam RAI