In this course, Modern Browser Security Reports, Troy Hunt and Scott Helme discuss how browsers have evolved in recent years to provide a range of new security constructs, and how those constructs increasingly include the ability to report back to site owners when something unexpected and security-relevant occurs. Learn the features of content security policies (CSP), HTTP public key pinning (HPKP), certificate authority authorization (CAA), certificate transparency (CT), and cross-site scripting (XSS) reporting. By the end of this course, you'll be able to implement browser security reporting features on any website.
Troy Hunt is a Microsoft Regional Director and MVP for Developer Security. He's a regular conference speaker, frequent blogger at troyhunt.com and is the creator of the data breach notification service known as “Have I Been Pwned”.
Scott Helme is a security researcher, consultant, and international speaker. He can often be found talking about web security and performance online and helping organizations better deploy both.
Section Introduction Transcripts
Course Overview
Hi, this is Troy Hunt, I'm an Australian Pluralsight author of many different courses about how to secure your online things, and I've got a particular passion for web security. Hi, I'm Scott Helme, a UK-based security researcher and founder of Report URI and securityheaders.com. We're going to talk about a whole heap of modern web security standards, things like CSP, HPKP, CAA, CT, XSS, and a bunch of other acronyms I haven't even touched on. We're also going to talk about how the browser can report on each one of these security constructs. If there's an error on your website or the browser detects an attack, it can call back and tell you in real time that it's happening. I really enjoyed teaming up with Scott Helme on this course. He's one of the foremost experts in the area of modern browser security headers. I hope you'll join Scott and me in this Play by Play on Modern Browser Security Reporting.
Wrap-up
So, alright, so starting to wrap it up. So we looked at CSP. Obviously that is an enormously powerful thing. We're both very endorsed in CSP. The ability to report not just things that might be violations, such as form actions targeting other places, but also things like getting your content in mixed mode, you know, HTTP. Fixing things automatically. So that was good, we did that one. We did HPKP, and then we said don't do HPKP, but at least we kind of discussed the reporting, right, so it was a very sort of similar reporting construct. CAA we looked at as well. Now CAA is usually going to send you an email. Yeah. We've seen the introduction of HTTP reporting now, very slowly that's coming. Okay, so I mean that would be another mechanism and you could tie that into your reporting pipeline with everything else, and of course that's going to let you know if a non-whitelisted CA attempts to issue a certificate. We just did certificate transparency as well. If that SCT doesn't exist in the certificate, the browser is going to send you a report, so you get to know about that as well. And, of course, finally we did XSS, and if that XSS auditor fires, which is usually going to be because someone is trying to XSS your site, you really want to know about that, and it's going to tell you. So, look, I think that's a heap of cool stuff. I'm really interested to sort of finish it on the screen as well, where it says, look, the adoption rates for this are really, really low. Hopefully as a result of this course we can get those adoption rates up a little bit. Mate, thanks very much for doing this. No problem. I think this is a really cool course. Thank you.
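The wrap-up above lists the reporting constructs the course covers (CSP violations such as a form action to another origin, Expect-CT when no valid SCT is present, the XSS auditor firing, and the HPKP report format that is discussed but not recommended). The Node.js snippet below is an added example and is not code from the course or from Report URI: it shows the response headers a site sends to switch each mechanism into reporting mode, and a small normaliser for the JSON bodies browsers POST back, in both the legacy per-header shapes and the newer Reporting API array shape. The collector URL, hostnames, pin value and report bodies are all constructed placeholders.

```javascript
// Added example (not from the course): enabling browser security reporting and
// normalising the reports that come back. REPORT_ENDPOINT is a placeholder.
const REPORT_ENDPOINT = "https://example.com/report";

// Headers that turn on reporting for each construct the course covers.
// Public-Key-Pins-Report-Only is left out on purpose: the course advises against
// deploying HPKP, although its report body is still recognised below.
function reportingHeaders(endpoint = REPORT_ENDPOINT) {
  return {
    // Report-only CSP: nothing is blocked, every would-be violation is reported,
    // including a form-action to a foreign origin and mixed (HTTP) content.
    "Content-Security-Policy-Report-Only":
      `default-src 'self'; form-action 'self'; block-all-mixed-content; report-uri ${endpoint}`,
    // Certificate Transparency: report when the served certificate has no valid SCTs.
    "Expect-CT": `max-age=86400, report-uri="${endpoint}"`,
    // Legacy XSS auditor (Chrome/Safari of that era): block and report when it fires.
    "X-XSS-Protection": `1; mode=block; report=${endpoint}`,
  };
}

// Constructed sample bodies in the shape each mechanism POSTs; hand-written, not captured.
const SAMPLE_REPORTS = {
  csp: JSON.stringify({ "csp-report": {
    "document-uri": "https://shop.example/checkout", "referrer": "",
    "violated-directive": "form-action", "effective-directive": "form-action",
    "original-policy": "default-src 'self'; form-action 'self'; report-uri https://example.com/report",
    "blocked-uri": "https://evil.example/collect", "status-code": 200 } }),
  expectCt: JSON.stringify({ "expect-ct-report": {
    "date-time": "2018-03-01T10:00:00Z", "hostname": "shop.example", "port": 443,
    "effective-expiration-date": "2018-03-02T10:00:00Z",
    "served-certificate-chain": ["<leaf PEM placeholder>"], "scts": [],
    "failure-mode": "report-only" } }),
  xss: JSON.stringify({ "xss-report": {
    "request-url": "https://shop.example/search?q=%3Cscript%3Ealert(1)%3C/script%3E",
    "request-body": "" } }),
  // HPKP (RFC 7469) puts its fields at the top level, with no wrapper key.
  hpkp: JSON.stringify({
    "date-time": "2018-03-01T10:00:00Z", "hostname": "shop.example", "port": 443,
    "effective-expiration-date": "2018-04-01T10:00:00Z", "include-subdomains": false,
    "noted-hostname": "shop.example", "served-certificate-chain": ["<leaf PEM placeholder>"],
    "validated-certificate-chain": ["<leaf PEM placeholder>"],
    "known-pins": ['pin-sha256="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="'] }),
  // Reporting API (report-to): an array of typed report objects.
  reportingApi: JSON.stringify([{ type: "csp-violation", age: 12,
    url: "https://shop.example/checkout", user_agent: "Mozilla/5.0",
    body: { documentURL: "https://shop.example/checkout",
      blockedURL: "https://evil.example/collect", effectiveDirective: "form-action",
      originalPolicy: "default-src 'self'; form-action 'self'", disposition: "report",
      statusCode: 200 } }]),
};

// Turn any of the above bodies into a list of {kind, subject, detail} records.
function normaliseReport(bodyText) {
  const body = JSON.parse(bodyText);
  if (Array.isArray(body)) {
    return body.map((r) => r.type === "csp-violation"
      ? { kind: "csp", subject: r.body.documentURL,
          detail: `${r.body.effectiveDirective} blocked ${r.body.blockedURL}` }
      : { kind: r.type, subject: r.url, detail: JSON.stringify(r.body) });
  }
  if (body["csp-report"]) {
    const r = body["csp-report"];
    return [{ kind: "csp", subject: r["document-uri"],
      detail: `${r["effective-directive"] || r["violated-directive"]} blocked ${r["blocked-uri"]}` }];
  }
  if (body["expect-ct-report"]) {
    const r = body["expect-ct-report"];
    return [{ kind: "expect-ct", subject: `${r.hostname}:${r.port}`,
      detail: `certificate failed CT check, ${(r.scts || []).length} SCT(s) presented` }];
  }
  if (body["xss-report"]) {
    return [{ kind: "xss", subject: body["xss-report"]["request-url"], detail: "XSS auditor fired" }];
  }
  if (Array.isArray(body["known-pins"])) {
    return [{ kind: "hpkp", subject: `${body.hostname}:${body.port}`,
      detail: `served chain matched none of ${body["known-pins"].length} known pin(s)` }];
  }
  throw new Error("unrecognised browser security report");
}

// Count normalised reports by kind, the first thing a collector dashboard shows.
function summariseReports(bodies) {
  const counts = {};
  for (const body of bodies) {
    for (const rec of normaliseReport(body)) counts[rec.kind] = (counts[rec.kind] || 0) + 1;
  }
  return counts;
}
```

A collector would also check the request Content-Type (application/csp-report, application/expect-ct-report+json, application/reports+json) and rate-limit per source, since a single broken page can generate one CSP report per visitor per blocked resource.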