David Lord

David Lord is a core maintainer of Flask and manages the Pallets open source organization. He is a member of San Diego Python, where he helps organize a weekly Python study group.

Browser security with HTTP headers

Python & Libraries, Web, IoT, & Hardware, Intermediate
8/18/2019 | 2:25 PM-2:55 PM | Robertson 2

Description

Browsers provide many ways to help keep your users and their data secure. In this talk, learn about what security features are available and how to enable them in Flask, Django, or other web applications. This talk is targeted at intermediate web developers, but should be useful for beginners as well.

Abstract

Each section will discuss a type of vulnerability and how the browser can be configured to protect users. Examples will be shown using Flask, but are applicable to other applications.

  • Overview of how browsers behave by default and what configuration is available.
  • Cross-site Scripting and the X-XSS-Protection header
  • Content sniffing and the X-Content-Type-Options header
  • Clickjacking, using frames to trick users into clicking hidden content, and the X-Frame-Options header
  • Cookie header options and content security
  • History information and the Referrer-Policy header
  • HTTPS headers: TLS certificates, HTTP redirection, and Strict Transport Security
  • Content-Security-Policy, which controls where different types of content can be loaded from, and how to determine a good policy for an application.
  • Validating security configuration
    • https://www.ssllabs.com/ssltest/
    • https://securityheaders.com/
    • Using these tools and interpreting results. What do good and bad configurations look like?
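The headers in the outline above, set and checked in working code, as an added example that is not part of the talk or of Flask: a WSGI middleware that adds baseline values to any Flask or Django response (a header the view sets itself is kept, so a page can carry its own Content-Security-Policy) and an audit function that flags weak or missing values the way the linked checkers report them. The baseline values, the constructed `demo_app` view, and the 180-day HSTS floor are assumptions for the example; the stdlib `wsgiref` test environ lets it run offline.

```python
import re
from wsgiref.util import setup_testing_defaults

SECURE_HEADERS = {  # baseline constructed for this example; tune the CSP per application
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
}

class SecurityHeaders:
    """WSGI middleware: wrap Flask's app.wsgi_app or Django's WSGI application."""
    def __init__(self, app, headers=SECURE_HEADERS):
        self.app, self.headers = app, headers
    def __call__(self, environ, start_response):
        def patched(status, response_headers, exc_info=None):
            present = {name.lower() for name, _ in response_headers}
            for name, value in self.headers.items():
                if name.lower() not in present:  # a header the view set itself wins
                    response_headers.append((name, value))
            return start_response(status, response_headers, exc_info)
        return self.app(environ, patched)

def audit_headers(headers, min_hsts_age=15552000):
    """Return findings for weak or missing headers; the 180-day HSTS floor is an assumed threshold."""
    h = {k.lower(): v for k, v in headers}
    age = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    csp = h.get("content-security-policy", "")
    checks = {  # finding -> does the response pass?
        "X-Content-Type-Options is not 'nosniff'": h.get("x-content-type-options", "").lower() == "nosniff",
        "X-Frame-Options missing or weak": h.get("x-frame-options", "").upper() in ("DENY", "SAMEORIGIN"),
        "Strict-Transport-Security missing or max-age too short": bool(age) and int(age.group(1)) >= min_hsts_age,
        "Content-Security-Policy missing or allows 'unsafe-*' sources": bool(csp) and "'unsafe-" not in csp,
        "Referrer-Policy missing": "referrer-policy" in h,
    }
    return [finding for finding, ok in checks.items() if not ok]

def demo_app(environ, start_response):  # constructed view; /legacy sets its own looser CSP
    headers = [("Content-Type", "text/html; charset=utf-8")]
    if environ.get("PATH_INFO") == "/legacy":
        headers.append(("Content-Security-Policy", "default-src 'self' 'unsafe-inline'"))
    start_response("200 OK", headers)
    return [b"<p>hello</p>"]

def response_headers(app, path="/"):  # run a WSGI app offline and return the headers it sent
    environ, sent = {"PATH_INFO": path}, []
    setup_testing_defaults(environ)
    list(app(environ, lambda status, headers, exc_info=None: sent.extend(headers)))
    return sent
```

Browsers only honour Strict-Transport-Security on responses received over HTTPS, so the header is meaningless until the redirect and certificate setup from the outline is in place. X-XSS-Protection is left out of the baseline because current browsers no longer implement the filter it controlled.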