Content Security Policy and other HTTP Security Headers

gapple

Are your users always accessing your site over encrypted requests, even on that dodgy public WiFi?  If a content editor copying some text onto a page of your site inadvertently pasted some inline JavaScript, would you know?  If one of your JavaScript dependencies were altered to start sending sensitive form data to a third-party site, could you prevent it?  Is your CDN making changes to your JavaScript or CSS assets?  A suite of HTTP headers are available to prevent security risks and protect the privacy of your users' interactions with your site, and corresponding Drupal modules make these tools available to site builders.

This session will cover:

  • Some real stories of security breaches that Content Security Policy could have prevented.
  • The history and current state of the Content Security Policy spec, and current browser support.
  • How Content Security Policy mitigates risks such as cross site scripting (XSS), content injection, and data exfiltration.
  • Common patterns for using Content Security Policy directives to control your external assets.
  • Implementing CSP safely by using reporting mode.
  • The roadblocks current modules, frontend libraries, and third-party services present to adding CSP to your site.
  • How to make your own modules and themes ready to enable an effective CSP policy.
  • Some of the inventive ways people are using CSP to detect and mitigate additional risks.
  • Using Feature Policy to restrict the use of privacy-sensitive browser features like webcam access or geolocation.
  • How to monitor the effectiveness of a Content Security or Feature policy.
  • Ensuring your CDN provides what you expect with Subresource Integrity.
  • Keeping the connection secure with HTTP Strict Transport Security.
  • Why you shouldn't implement Public Key Pinning.
  • Keeping sensitive URLs safe with Referrer Policy.
  • Roadmaps for the Content-Security-Policy, Feature Policy, and Reporting Drupal modules.
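As an added illustration of several of the topics above (reporting mode, Subresource Integrity, HSTS, Feature Policy and Referrer Policy), the following Python is example code written for this page; it is not code from the session or from the Drupal modules it mentions. The sample script body, the header values and the list of checks are constructed for the example, and the helpers (`sri_hash`, `build_csp`, `csp_findings`, `security_headers`) are hypothetical names.

```python
import base64
import hashlib

# Constructed sample asset standing in for a script fetched from a CDN.
SAMPLE_SCRIPT = b"console.log('hello from the cdn');\n"


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Return the Subresource Integrity value for an asset body, e.g. 'sha384-...'."""
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(content: bytes, integrity: str) -> bool:
    """The check a browser performs: does the fetched body match the integrity attribute?"""
    algorithm, _, _expected = integrity.partition("-")
    return sri_hash(content, algorithm) == integrity


def build_csp(directives: dict, report_only: bool) -> tuple:
    """Serialize a directive map into a (header name, header value) pair.

    report_only=True emits Content-Security-Policy-Report-Only, which logs
    violations to the reporting endpoint without blocking anything, so a
    policy can be trialled on a live site before it is enforced.
    """
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    value = "; ".join(f"{directive} {' '.join(sources)}" for directive, sources in directives.items())
    return name, value


def parse_csp(value: str) -> dict:
    """Parse a CSP header value back into {directive: [sources]}."""
    policy = {}
    for clause in value.split(";"):
        tokens = clause.split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy


def csp_findings(value: str) -> list:
    """Flag common weaknesses that make a policy ineffective against XSS."""
    policy = parse_csp(value)
    findings = []
    if "default-src" not in policy:
        findings.append("no default-src fallback")
    for directive in ("script-src", "default-src"):
        sources = policy.get(directive, [])
        has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in sources)
        if "'unsafe-inline'" in sources and not has_nonce_or_hash:
            findings.append(f"{directive} allows 'unsafe-inline' without a nonce or hash")
        if "*" in sources:
            findings.append(f"{directive} allows scripts from any origin")
    if "report-uri" not in policy and "report-to" not in policy:
        findings.append("no reporting endpoint, so violations will never be seen")
    return findings


def security_headers(csp_directives: dict, report_only: bool) -> dict:
    """Assemble the header set discussed above; values are illustrative choices."""
    headers = dict([build_csp(csp_directives, report_only)])
    # HSTS: keep the connection on HTTPS for a year, including subdomains.
    headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains"
    # Referrer Policy: send only the origin to other sites, nothing on downgrade.
    headers["Referrer-Policy"] = "strict-origin-when-cross-origin"
    # Feature Policy: deny webcam and geolocation to the page and its frames.
    headers["Feature-Policy"] = "camera 'none'; geolocation 'none'"
    return headers


if __name__ == "__main__":
    weak = "script-src 'self' 'unsafe-inline' *"
    for finding in csp_findings(weak):
        print("weak policy:", finding)

    strict = {
        "default-src": ["'self'"],
        "script-src": ["'self'", "https://cdn.example.test"],  # constructed CDN host
        "report-uri": ["/csp-report"],  # constructed reporting path
    }
    for name, value in security_headers(strict, report_only=True).items():
        print(f"{name}: {value}")

    integrity = sri_hash(SAMPLE_SCRIPT)
    print("integrity attribute:", integrity)
    print("tampered copy accepted?", sri_matches(SAMPLE_SCRIPT + b"//x", integrity))
```

The usual rollout is the one the script models: ship the policy as `Content-Security-Policy-Report-Only` with a `report-uri`, fix what the reports reveal, then switch `report_only` to `False`. The SRI helper shows why a CDN cannot silently alter an asset: a one-byte change to the body fails the integrity check.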


Attendees should walk away from this session with a knowledge of the most common web security and privacy risks, and how to configure available HTTP headers to mitigate them.


Program tags

front end development, security, site building

Experience Level

Intermediate

Drupal Version