SPA-303: AGM + Harness the power of HTTP headers to secure your web apps

BCS Software Practice Advancement

Thursday, October 6, 2016 from 6:15 PM to 8:00 PM (BST)


Event Details

Refreshments and sandwiches from 18:00.

BCS SPA SG AGM from 18:15 to 18:30

  • Welcome and Introductions
  • Apologies for absence
  • Minutes of the previous AGM
  • Matters arising from the minutes
  • Chairman's report
  • Treasurer's report
  • Election of committee
  • AOB

PLEASE NOTE - all positions on the committee are open for election. If you wish to stand, please announce your intention to the Secretary (Mohinder Khosla - see for contact details) before the meeting.


Security flaws on websites are very widespread and, depending on the nature of the website, can lead to severe consequences. One of the reasons why securing web apps can be challenging is that many security aspects, such as client side security, transport security and server side security, have to be considered during design, implementation and operation.

Another fundamental problem of the web is the web browser, which has deliberately been designed as a remote code execution engine - the dream platform for any attacker wanting, for instance, to inject malicious code either by exploiting a Cross-Site Scripting (XSS) vulnerability or by mounting a man-in-the-middle attack. Since a browser executes JavaScript and HTML on the fly with 'almost' no security checks, it is important to be able to identify the origin of the content and to take advantage of the available means to restrict how the browser executes the web app.

Daniel will start with a brief overview of the many security deficiencies of the web and especially of web browsers. He will explain why secure transport is so important and point out the different guarantees that HTTPS provides, such as confidentiality, authenticity and integrity - and why there is no valid reason for not using it over HTTP. He will show you how to get a free certificate for your website and how to test the HTTPS configuration.

The main focus of this talk is the recently introduced headers, such as HTTP Strict Transport Security (HSTS), HTTP Public Key Pinning (HPKP) and Content Security Policy (CSP). Daniel will explain how HSTS and HPKP help to harden HTTPS against various attacks. He will also present the best practices for avoiding the common pitfalls.

Daniel will show how CSP has the capability to prevent Cross-Site Scripting (XSS) and Clickjacking attacks. He will also suggest good practices for formulating CSP policies for your site while minimising negative side effects, presenting some tools that will make your CSP journey as easy as pie.

All the aforementioned headers offer security “for free” in defence of your web apps, so you can start using them right away.
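The headers named in the abstract, checked for the pitfalls it alludes to (short HSTS lifetime, no backup pin, inline scripts allowed by CSP, no clickjacking protection, report-only policies that enforce nothing), as an added example that is not part of the event page or the speaker's material. The one-year max-age and two-pin thresholds are assumptions taken from the HSTS preload requirements and RFC 7469, and the sample headers are constructed.

```python
# Added example, not the speaker's code: audit response headers for the pitfalls the
# abstract mentions. Thresholds (one-year HSTS max-age per the preload requirements,
# two HPKP pins per RFC 7469) are assumptions; the sample headers are constructed.
def parse_csp(policy):
    """Turn "default-src 'self'; script-src a b" into {directive: [sources]}."""
    out = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out

def audit_headers(headers):
    """Return a list of findings for a dict of response headers (names matched case-insensitively)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: header missing; browsers will still accept plain HTTP")
    else:
        directives = [d.strip().lower() for d in hsts.split(";")]
        max_age = next((int(d.split("=", 1)[1].strip('"')) for d in directives if d.startswith("max-age=")), 0)
        if max_age < 31536000:
            findings.append("HSTS: max-age below one year (preload list minimum)")
        if "includesubdomains" not in directives:
            findings.append("HSTS: includeSubDomains missing; subdomains stay downgradable")
    hpkp = h.get("public-key-pins")  # HPKP has since been removed from major browsers
    if hpkp is not None and hpkp.lower().count("pin-sha256=") < 2:
        findings.append("HPKP: fewer than two pins; RFC 7469 requires a backup pin")
    csp = h.get("content-security-policy")
    if csp is None:
        if "content-security-policy-report-only" in h:
            findings.append("CSP: only Report-Only present; nothing is enforced")
        else:
            findings.append("CSP: header missing")
        return findings
    d = parse_csp(csp)
    scripts = d.get("script-src", d.get("default-src", []))  # default-src is the fallback
    # CSP2 browsers ignore 'unsafe-inline' once a nonce or hash is listed, so that pairing is fine
    if "'unsafe-inline'" in scripts and not any(s.startswith(("'nonce-", "'sha256-")) for s in scripts):
        findings.append("CSP: script-src allows 'unsafe-inline' without nonce/hash; inline XSS still runs")
    if "frame-ancestors" not in d and "x-frame-options" not in h:
        findings.append("CSP: no frame-ancestors (or X-Frame-Options) - clickjacking not prevented")
    return findings

# Constructed sample: a first attempt that looks secure but trips every check above.
SAMPLE = {"Strict-Transport-Security": "max-age=86400",
          "Public-Key-Pins": 'pin-sha256="PLACEHOLDER="; max-age=5184000',
          "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'"}
```

Run `audit_headers` over the headers your own site returns; an empty list means none of these particular pitfalls is present, not that the policy is complete.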

About the Presenter

Daniel Gartmann has been a senior software engineer at Zuhlke Engineering Ltd with special responsibility for web application security, network security and server security since 2015, and before that at Zuhlke AG in Zurich. He publishes occasional blog posts on the Zuhlke web site.


When & Where

BCS London
5 Southampton Street
WC2E 7HA London
United Kingdom

Thursday, October 6, 2016 from 6:15 PM to 8:00 PM (BST)
