Browser security headers provide a means for websites to describe how they should behave when loaded into the client. By specifying expected and allowable behaviors, security headers can thwart a number of otherwise serious attacks against websites.
Security is all about defense in depth: applying layer upon layer of security controls such that any one single failure does not lead to a compromise of the application. One of those layers is the browser itself, which is becoming increasingly intelligent when it comes to implementing defenses. Security headers are a way of telling the browser how a website may behave when it’s loaded into the client. They provide numerous defenses against a variety of attacks in ways that have not previously been possible with security controls that ran solely on the server. In this course, we’ll walk through a number of essential security headers that provide even greater levels of defense for web applications. We’ll look at how they’re intended to work, what attacks they protect against, and how you can easily implement them in your website.
Troy Hunt is a Microsoft Regional Director and MVP for Developer Security. He's a regular conference speaker, frequent blogger at troyhunt.com and is the creator of the data breach notification service known as “Have I Been Pwned”.
Tools for Working with Browser Headers

In this final module, I'd like to look at tools for working with browser headers. So these are things that are going to make your life easier when you go to actually implement the headers that we've looked at over the last few modules. Some of them do take a bit of work, and these tools are going to make your life a whole lot easier. So let's jump into the overview and see what I'm going to cover in this module.

We're going to look at half a dozen different tools in this module, and the one thing that's common across all of them is that they're going to help you analyze and build your browser security headers. They'll all do it in different ways, of course. They're different tools, each designed to help you with a different aspect of managing browser security headers. But certainly they have this in common. Now some of them can significantly streamline the process of building these headers, particularly when you look at something like the Content Security Policy header. There's a lot of work that can go into putting that together. And one tool in particular that I'm going to show you in this module can make life significantly easier when it comes to building up your CSP. But beyond just the tools that help you prepare your security headers, I'm also going to show you one that will help you with ongoing monitoring and analysis of the reports that come back from some of these headers. So there's a really good ongoing service here that will help you make the most out of headers like HPKP and CSP. So with that now understood, let's jump in and start looking at some of these tools for working with browser headers.
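The module above describes two kinds of tool: ones that build headers such as Content-Security-Policy, and ones that analyze the headers a site actually sends. The following is an added example, not code from the course or from any of the tools it goes on to demonstrate, showing both jobs in a few dozen lines of JavaScript: a CSP builder and parser, plus an analyzer that reports which of a small set of headers are missing or weak. Header names and values follow the public specifications; the choice of headers checked, the one-year HSTS threshold, the `cdn.example.com` origin and the sample responses are assumptions made for the example.

```javascript
// Added example (not from the course): a minimal builder and analyzer for
// browser security headers. The header set, thresholds and sample responses
// below are assumptions for illustration, not the course's own tooling.

// Build a Content-Security-Policy value from a directive -> sources map.
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => (sources.length ? `${name} ${sources.join(' ')}` : name))
    .join('; ');
}

// Parse a CSP value back into { directive: [sources...] }.
// Directive names are case-insensitive; a repeated directive keeps the first
// occurrence, which is how browsers treat duplicates.
function parseCsp(value) {
  const out = {};
  for (const part of value.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (!name) continue;
    const key = name.toLowerCase();
    if (!(key in out)) out[key] = sources;
  }
  return out;
}

// One check per header: return null when the value is acceptable, else a reason.
const ONE_YEAR = 31536000; // seconds; assumed minimum HSTS max-age
const CHECKS = {
  'strict-transport-security': (v) => {
    const m = /max-age=(\d+)/i.exec(v);
    if (!m) return 'missing max-age';
    return Number(m[1]) >= ONE_YEAR ? null : `max-age ${m[1]} is shorter than one year (${ONE_YEAR})`;
  },
  'content-security-policy': (v) => {
    const d = parseCsp(v);
    const scripts = d['script-src'] || d['default-src']; // script-src falls back to default-src
    if (!scripts) return 'no script-src or default-src, so script loading is unrestricted';
    if (scripts.includes("'unsafe-inline'")) return "script-src allows 'unsafe-inline', which defeats XSS protection";
    if (scripts.includes('*')) return 'script-src allows any origin (*)';
    return null;
  },
  'x-frame-options': (v) =>
    ['DENY', 'SAMEORIGIN'].includes(v.trim().toUpperCase()) ? null : `unexpected value "${v}"`,
  'x-content-type-options': (v) =>
    v.trim().toLowerCase() === 'nosniff' ? null : `unexpected value "${v}"`,
};

// Analyze a response's headers (object of name -> value, any letter case).
// Returns the checked headers that are absent and, for those present, any weakness found.
function analyzeHeaders(headers) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = v;
  const missing = [];
  const weak = {};
  for (const [name, check] of Object.entries(CHECKS)) {
    if (!(name in lower)) { missing.push(name); continue; }
    const reason = check(String(lower[name]));
    if (reason) weak[name] = reason;
  }
  return { missing, weak };
}

// Constructed samples: a policy built with the helper, one sound response and one weak one.
const csp = buildCsp({
  'default-src': ["'self'"],
  'script-src': ["'self'", 'https://cdn.example.com'], // assumed CDN origin
  'report-uri': ['/csp-report'],
});
const goodResponse = {
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'Content-Security-Policy': csp,
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
};
const weakResponse = {
  'strict-transport-security': 'max-age=300',
  'content-security-policy': "default-src 'self'; script-src 'self' 'unsafe-inline'",
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(csp);
  console.log(analyzeHeaders(goodResponse));
  console.log(analyzeHeaders(weakResponse));
}
```

Run it with `node` to see the built policy and the two analyses. The parser is the part worth keeping: once a policy is a directive map, checks such as "does script-src permit inline script" or "is there a report-uri so violations come back to me" are one-line lookups, which is the same shape of analysis the reporting service mentioned in the module performs on the reports browsers send.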