Friday, May 22 • 09:50 - 10:35
Security And Insecurity Of HTTP Headers

Sign up or log in to save this to your schedule and see who's attending!

From the security perspective HTTP headers have two extreme occurrences:
They can provide a higher level of security for the browser and thus be used as an additional piece of defense, like e.g. HSTS and CSP.

On the flipside of the coin HTTP headers they can give an attacker with a default setup alreay some information and worse with crafted requests they even might divulge too much about the infrastructure involved (e.g. IP addresses behind reverse proxy or load balancer).

This talk will address those two sides of the coin. It'll start with basics with respect to HTTP headers, show what's neccessary and what's redundant information. It gives practical advices -- where to set which header, where to unset certain lines and what the pitfalls are.

It mentions browser dependencies and outline new features such as CSPv2 and
HPKP and new threats to privacy as the HSTS tracking.

The talk will look from the infrastructure perspective at the topics mentioned
and shows examples for often used server software.

avatar for Dirk Wetter

Dirk Wetter

Dirk is an independent security consultant which has more than 17 years experience in information security, as he is an old man even more in the world of Unix/Linux. If his time allows he'ss giving talks at conferences and publishing articles for computer magazines. He is... Read More →

Friday May 22, 2015 09:50 - 10:35
E104&105 Amsterdam RAI

Attendees (0)