Taking control of the Browser Security Model
Since the birth of the web, the browser security model has remained nearly static. Recent evolutions make it possible for site operators to fine-tune the security model, and enforce mandatory access controls. This session will focus on Content-Security-Policy, and other browser security features like Strict Transport Security and Public Key Pins.
47% of all web applications have a cross-site-scripting vulnerability, and this potential security flaw ranks in the top three classes of all vulnerabilities. [WhiteHat Security, 2015 Website Security Statistics Report]
A Content Security Policy is a systematic way to block these attacks, by whitelisting allowed sources of script, style, and other resources. The holy grail – blocking "unsafe-inline" code – offers the strongest defense, but can be a big surprise for front-end developers when inline scripts and styles stop working!
Practitioners will learn when and why to employ these new browser features, and how to successfully implement them. You'll also learn how to troubleshoot existing policies, and help your front-end colleagues refactor code to adapt to the new policies.
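Troubleshooting an existing policy, as the session describes, is shown here with an added Python example that is not part of the session material: it parses a Content-Security-Policy header value, applies the default-src fallback, and flags the weak settings the abstract mentions (a missing default-src, 'unsafe-inline', wildcards). The sample policies and the nonce value are constructed placeholders.

```python
# Added example, not from the session: a small linter for CSP header values.
import re

WEAK = frozenset({"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:"})
NONCE_OR_HASH = re.compile(r"^'(nonce-|sha(256|384|512)-)")
CHECKED = ("script-src", "style-src", "object-src")


def parse_csp(header: str) -> dict:
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            # Browsers ignore a repeated directive: the first occurrence wins.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def lint_csp(header: str) -> list:
    """Return findings for weak settings; an empty list means none were found."""
    policy = parse_csp(header)
    findings = []
    if "default-src" not in policy:
        findings.append("default-src missing: unlisted resource types are unrestricted")
    for directive in CHECKED:
        # Fetch directives fall back to default-src when not set explicitly.
        sources = policy.get(directive, policy.get("default-src"))
        if sources is None:
            continue  # already covered by the default-src finding above
        has_nonce_or_hash = any(NONCE_OR_HASH.match(s) for s in sources)
        for src in sources:
            if src not in WEAK:
                continue
            if src == "'unsafe-inline'" and has_nonce_or_hash:
                # CSP Level 2+ browsers ignore 'unsafe-inline' once a nonce or
                # hash is present, so it only serves as a legacy fallback.
                findings.append(f"{directive}: 'unsafe-inline' is a legacy fallback here")
            else:
                findings.append(f"{directive}: allows {src}")
    return findings


# Constructed sample policies: the weak one resembles a typical first attempt,
# the hardened one blocks inline code and uses a placeholder nonce.
WEAK_POLICY = "script-src 'self' 'unsafe-inline' *; style-src 'unsafe-inline'"
HARDENED_POLICY = ("default-src 'none'; script-src 'self' 'nonce-r4nd0m'; "
                   "style-src 'self'; object-src 'none'; img-src 'self'")

if __name__ == "__main__":
    for name, value in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, lint_csp(value) or "no weak settings")
```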
Dylan is Director of Technology at Metal Toad, with an eclectic software engineering background spanning the web, application security, machine learning, and warranty-voiding.
He is also an active contributor to the Drupal community, and an alumnus of the Drupal security team.