Introduction to Browser Security Headers

Browser security headers provide a means for websites to describe how they should behave when loaded into the client. By specifying expected and allowable behaviors, security headers can thwart a number of otherwise serious attacks against websites.
Course info
Rating
(208)
Level
Intermediate
Updated
Aug 19, 2015
Duration
3h 4m
Description

Security is all about defense in depth: applying layer upon layer of security controls such that no single failure leads to a compromise of the application. One of those layers is the browser itself, which is becoming increasingly intelligent when it comes to implementing defenses. Security headers are a way of telling the browser how a website may behave when it’s loaded into the client. They provide numerous defenses against a variety of attacks in ways that have not previously been possible with security controls that ran solely on the server. In this course, we’ll walk through a number of essential security headers that provide even greater levels of defense for web applications. We’ll look at how they’re intended to work, what attacks they protect against, and how you can easily implement them in your website.

About the author

Troy Hunt is a Microsoft Regional Director and MVP for Developer Security. He's a regular conference speaker, frequent blogger at troyhunt.com and is the creator of the data breach notification service known as “Have I Been Pwned”.

Section Introduction Transcripts

Content Security Policy (CSP)
In this module, we're going to focus entirely on the Content Security Policy browser header or CSP as it's commonly known. Now the CSP header is enormously powerful. And you can use it on any website as well. You don't need to be serving the site over HTTPS. It's also very highly configurable, so you can choose just how much protection you'd like and then just leave out the things that you're not quite as concerned about. You can even set up a CSP and not allow it to break anything yet still get feedback about how it's actually working for your users. Let's jump into the overview, and I'll talk about what we're going to cover throughout the remainder of this module. Firstly, when I talk about the CSP header, I'm talking about a way of whitelisting the things that your site is allowed to run. So, for example, where can I get images from? Stylesheets from? JavaScript from? Can it run it inline in the page? Can the page be embedded in another site's frame? There are lots of different attributes of the CSP that allow us to have really fine-grained control over the way the site actually executes in the browser. So it's very comprehensive, and it has a lot of these directives that we're going to look at throughout the remainder of this module. We're not going to look at all of them. It's too broad. But we are going to look at the most important ones. And I'm going to give you some great resources in order to go and find out more information. So we've got a whole heap of stuff to cover in this module. Let's go and jump into it and start by having a look at the problem that CSP actually solves.
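The module introduction above describes CSP as a way of whitelisting where images, stylesheets and scripts may load from, whether code may run inline, whether the page may be framed, and the option of a report-only mode that gives feedback without breaking anything. The following Python script is an added example written for this page, not code from the course or from Troy Hunt: it serialises a policy into the real `Content-Security-Policy` / `Content-Security-Policy-Report-Only` headers, parses a header back into directives, applies the `default-src` fallback rule, and flags the weak settings a reviewer would look for. The policy values, hostnames and the `/csp-report` endpoint are constructed sample data.

```python
"""Build, parse and review Content-Security-Policy headers.

Added example for this page (not from the course). The directive
names and the two header names are the real CSP ones; every source
value below is a constructed sample, not a real deployment.
"""
from typing import Dict, List, Tuple

Policy = Dict[str, List[str]]

# Constructed sample policy covering the controls the module mentions:
# image, stylesheet and script origins, no inline code, no framing,
# and a report endpoint so violations are sent back to the site.
SAMPLE_POLICY: Policy = {
    "default-src": ["'self'"],
    "img-src": ["'self'", "https://images.example.com"],
    "style-src": ["'self'", "https://fonts.example.com"],
    "script-src": ["'self'", "https://cdn.example.com"],
    "frame-ancestors": ["'none'"],
    "report-uri": ["/csp-report"],
}


def build_csp(policy: Policy, report_only: bool = False) -> Tuple[str, str]:
    """Serialise a policy dict into a (header name, header value) pair.

    report_only=True selects the Report-Only header: the browser reports
    violations to report-uri but still loads the page normally, which is
    how a policy can be trialled on real users without breaking anything.
    """
    value = "; ".join(f"{name} {' '.join(sources)}" for name, sources in policy.items())
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return name, value


def parse_csp(value: str) -> Policy:
    """Parse a header value back into {directive: [sources]}."""
    policy: Policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy


def effective_sources(policy: Policy, directive: str) -> List[str]:
    """Resolve the sources that actually apply to a directive.

    Fetch directives (script-src, style-src, img-src, ...) fall back to
    default-src when absent; frame-ancestors does not, and an absent
    directive with no fallback means no restriction at all.
    """
    if directive in policy:
        return policy[directive]
    if directive != "frame-ancestors" and "default-src" in policy:
        return policy["default-src"]
    return ["*"]


def review_policy(policy: Policy) -> List[str]:
    """Return human-readable findings for the weak settings a reviewer checks."""
    findings: List[str] = []
    for directive in ("script-src", "style-src"):
        sources = effective_sources(policy, directive)
        if "'unsafe-inline'" in sources:
            findings.append(f"{directive} allows inline code ('unsafe-inline')")
        if "*" in sources:
            findings.append(f"{directive} allows any origin (*)")
    if "frame-ancestors" not in policy:
        findings.append("frame-ancestors missing: page may be framed by any site")
    return findings


if __name__ == "__main__":
    for report_only in (True, False):
        name, value = build_csp(SAMPLE_POLICY, report_only=report_only)
        print(f"{name}: {value}")
    print("findings for sample policy:", review_policy(SAMPLE_POLICY))
    # A constructed weak policy: wildcard default and inline scripts allowed.
    weak = parse_csp("default-src *; script-src 'self' 'unsafe-inline'")
    print("findings for weak policy:", review_policy(weak))
```

Start a rollout with `report_only=True`, watch what arrives at the `report-uri` endpoint, tighten the sources until the reports stop, and only then switch to the enforcing header; `review_policy` is the sort of check worth running in CI so an `'unsafe-inline'` or `*` does not quietly creep back in.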

Tools for Working with Browser Headers
In this final module, I'd like to look at tools for working with browser headers. So these are things that are going to make your life easier when you go to actually implement the headers that we've looked at over the last few modules. Some of them do take a bit of work, and these tools are going to make your life a whole lot easier. So let's jump into the overview and see what I'm going to cover in this module. We're going to look at half a dozen different tools in this module, and the one thing that's common across all of them is that they're going to help you analyze and build your browser security headers. They'll all do it in different ways, of course. They're different tools, each designed to help you with a different aspect of managing browser security headers. But certainly they have this in common. Now some of them can significantly streamline the process of building these headers, particularly when you look at something like the Content Security Policy header. There's a lot of work that can go into putting that together. And one tool in particular that I'm going to show you in this module can make life significantly easier when it comes to building up your CSP. But beyond just the tools that help you prepare your security headers, I'm also going to show you one that will help you with ongoing monitoring and analysis of the reports that come back from some of these headers. So there's a really good ongoing service here that will help you make the most out of headers like HPKP and CSP. So with that now understood, let's jump in and start looking at some of these tools for working with browser headers.