In the past few years, several new HTTP Headers have been proposed to increase the security of web applications. This is being done by providing additional instructions and information about the served application to the browser. Those can mitigate and avert various common web attacks, even if the underlying application contains vulnerabilities, therefore adding another layer of defense.
As time passes, more and more people do use a browser which support those measures. Compass Security has long been testing for these security enhancing features, and is actively advocate their implementation. Therefore we release an presentation which we used to educate employees and customers alike about this topic.

 

The presentation “New HTTP headers – and living in a POST-XSS world” aims to give quick overview, and answers to all of the questions below:
  • What are the new HTTP headers you can use to protect your web application?
  • Why should I force mode=block for the X-XSS-Protection header?
  • How tightly can I configure a X-Content-Security-Policy?
  • What is the purpose of the Strict-Transport-Security header?
  • How does Stefano Di Paola’s Firefox SeecurityHeaders extension look like?
  • Let’s dream of a world where browsers are smart enough to prevent execution of arbitrary JavaScript code via XSS – what options would be left?