Invalid quantity. Please enter a quantity of 1 or more.
The quantity you chose exceeds the quantity available.
Please enter your name.
Please enter an email address.
Please enter a valid email address.
Please enter your message or comments.
Please enter the code as shown on the image.
Please select the date you would like to attend.
Please enter an email address.
Please enter a valid email address in the To: field.
Please enter a subject for your message.
Please enter a message.
You can only send this invitations to 10 email addresses at a time.
$$$$ is not a properly formatted colour. Please use the format #RRGGBB for all colours.
Please limit your message to $$$$ characters. There are currently ££££.
$$$$ is not a valid email address.
Please enter a promotional code.
N/A
Sold Out
Unavailable
Please enter a password with at least 8 characters.
You have exceeded the time limit and your reservation has been released.
The purpose of this time limit is to ensure that registration is available to as many people as possible. We apologise for the inconvenience.
This option is not available anymore. Please choose a different option.
Please read and accept the waiver.
All fields marked with * are required.
Please double check your email address. The email address format does not appear valid.
Please double-check your email address. Your emails do not match.
$$$$ requires a number between ££££ and §§§§
US Zipcodes need to be 5 digits.
Postal code may contain no more than 9 letter or number characters.
Please double check your website URL.
All fields marked with * are required.
Your card expiration date is in the past.
Your card CSC needs to be 4 digits.
Please confirm your order: $$$$ You have selected to Pay by Cheque.
Click OK to confirm your order.
Please confirm your order: $$$$ You have selected to Pay at the Door.
Click OK to confirm your order.
Please confirm your order: $$$$ You have selected to Pay upon Receiving an Invoice.
Click OK to confirm your order.
Your card CSC needs to be 3 digits.
Sofort is only available in Germany and Austria.
Boleto Bancario is only available in Brazil.
OXXO is only available in Mexico.
PagoFacil is only available in Argentina.
Rapipago is only available in Argentina.
Please enter a valid IBAN number.
You need to accept to charge your bank account.
Your billing zip code needs to be 5 digits.
Please double check your CEP info. The CEP format should be something like 12345-678.
Please double check your tax identifier.
There was a problem saving your address.
There was a problem saving your card info.
There was a problem saving your personal information.
Please select the date you would like to attend.
McAfee Secure sites help keep you safe from identity theft, card fraud, spyware, spam, viruses and online scams.
Copying Prohibited by Law - McAfee Secure is a Trademark of McAfee, Inc.
Unknown card type.
No card number provided.
card number is in invalid format.
Wrong card type or card number is invalid.
card number has an inappropriate number of digits.
Please enter numbers here.
Please enter an integer value.
Numbers must be less or equal to $$$$
All the required fields have not been filled out. Click OK to proceed without all the required information, or click Cancel to finish entering the missing data.
Job titles must be less than 50 characters.
There is currently an issue with card submission on Safari with iOS7. Please try again with a different browser or device.
Sorry, invalid event registration form.
Sorry, invalid event or database error.
Sorry, quantity must be a positive integer.
Sorry, you did not select a valid ticket.
Sorry, invalid event organiser email address.
Your order was cancelled.
Thank You. Your order has been successfully completed. Your name and email address have been added to the list of event attendees.
Sorry, that option is sold out.
Sorry, that option is no longer available.
Sorry, you entered an invalid quantity. Please enter a quantity of 1 or more next to the type or types of tickets you would like to purchase.
Sorry, you did not select any tickets to purchase. Please enter a quantity of 1 or more next to the type or types of tickets you would like to purchase.
Sorry, there are no tickets left for this event.
The tickets, ticket quantity or date and time you've requested are no longer available, due to previous sales. Please choose a different date, time or number of tickets and place your order again.
Sorry, one or more of the tickets you requested are no longer available for purchase.
Sorry, you need to select the date you want to attend.
Sorry, the promotional code you entered is not valid yet.
Sorry, the promotional code you entered has expired.
Sorry, the promotional code you entered is not valid.
Your session has expired. Try ordering again.
Sorry, your requested ticket quantity exceeds the number provided by your promotional code.
PLEASE NOTE - all positions on the committee are open for election. If you wish to stand, please announce your intention to the Secretary (Mohinder Khosla - see http://bcs-spa.org/ for contact details) before the meeting.
Synopsis
Security flaws on websites are very widespread and, depending on the nature of the website, can lead to severe consequences. One of the reasons why securing web apps can be challenging is that many security aspects, such as client side security, transport security and server side security, have to be considered during design, implementation and operation.
Another fundamental problem of the web is the web browser, which has deliberately been designed as a remote code execution engine - the dream platform for any attacker wanting, for instance, to inject malicious code either by exploiting an Cross-Site Scripting (XSS) vulnerability or by mounting a man-in-the-middle attack. Since a browser executes JavaScript and HTML on the fly with 'almost' no security checks, it is important to be able to identify the origin of the content and to take advantage of the available means to restrict how the browser executes the web app.
Daniel will start with brief overview of the many security deficiencies of the web and especially of web browsers. He will explain why secure transport is so important and point out the different guarantees that HTTPS provides, such as confidentiality, authenticity and integrity - and why there is no valid reason for not using it over HTTP. He will show you how to get a free certificate for your website and how to test the HTTPS configuration.
The main focus of this talk are the recently introduced headers, such as HTTP Strict Transport Security (HSTS), HTTP Public Key Pinning (HPKP) and Content Security Policy (CSP). Daniel will explain how HSTS and HPKP help to harden HTTPS against various attacks. He will also present the best practices for avoiding the common pitfalls.
Daniel will show how CSP has the capability to prevent Cross-Site Scripting (XSS) and Clickjacking attacks. He will also suggest good practices for formulating CSP policies for your site while minimising negative side effects, presenting some tools that will make your CSP journey as easy as pie.
All the aforementioned headers offer security “for free” in defence of your web apps, so you can start using them right away.
About the Presenter
Daniel Gartmann has been a senior software engineer at Zuhlke Engineering Ltd with special responsibility for web application security, network security and server security since 2015, and before that at Zuhlke AG in Zurich. He publishes occasional blog posts on the Zuhlke web site.
Share SPA-303: AGM + Harness the power of HTTP headers to secure your web apps
Share Tweet