Security: Purely a matter of the head(ers)?
HTTP used to be a comparatively simple protocol. Or so it seemed. In reality, modern web applications rely on a large number of HTTP headers: first to secure the transport, and then, once the response arrives, to control how the browser handles it.
Whether it is Strict-Transport-Security, Content-Security-Policy, cross-origin access (CORS), or the good old Cookie headers: without the right values and settings, you won't get far these days. But who knows all the options? Which of them actually matter? And where do the pitfalls lurk? This presentation provides the answers.
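As an added illustration of the pitfalls the abstract hints at (example code written for this page, not material from the presentation), the following Python audit runs over a constructed set of response headers and reports the classic mistakes for each of the four header families named above: an HSTS max-age that is too short or lacks includeSubDomains, a CSP with 'unsafe-inline' and no nonce or hash, Access-Control-Allow-Origin: * combined with Allow-Credentials, and cookies without Secure, HttpOnly or SameSite. The two header sets WEAK and HARDENED, the one-year HSTS threshold and the wording of the findings are assumptions of the example; the rules themselves follow RFC 6797, CSP Level 3, the CORS protocol and RFC 6265.

```python
"""Audit HTTP response headers for common misconfigurations (added example)."""
from typing import Dict, List, Optional, Union

Headers = Dict[str, Union[str, List[str]]]
ONE_YEAR = 365 * 24 * 3600  # assumed minimum HSTS max-age (preload lists want more)


def _directives(value: str) -> Dict[str, str]:
    """Split 'k=v; flag' into a lowercase-key dict; flag directives map to ''."""
    out: Dict[str, str] = {}
    for part in value.split(";"):
        if part.strip():
            name, _, val = part.strip().partition("=")
            out[name.strip().lower()] = val.strip().strip('"')
    return out


def _get(headers: Headers, name: str) -> Optional[Union[str, List[str]]]:
    """Case-insensitive header lookup (header names are case-insensitive)."""
    return next((v for k, v in headers.items() if k.lower() == name), None)


def check_hsts(value: str) -> List[str]:
    findings, d = [], _directives(value)
    max_age = int(d["max-age"]) if d.get("max-age", "").isdigit() else -1
    if max_age < 0:
        findings.append("HSTS: max-age missing or not a number; browsers ignore the header")
    elif max_age == 0:
        findings.append("HSTS: max-age=0 removes the policy from the browser")
    elif max_age < ONE_YEAR:
        findings.append(f"HSTS: max-age {max_age} is shorter than one year")
    if "includesubdomains" not in d:
        findings.append("HSTS: includeSubDomains missing; subdomains can still be downgraded")
    return findings


def check_csp(value: str) -> List[str]:
    findings, directives = [], {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    if "default-src" not in directives:
        findings.append("CSP: no default-src; every unlisted fetch directive falls open")
    # script-src falls back to default-src when absent
    scripts = directives.get("script-src", directives.get("default-src", []))
    has_nonce_or_hash = any(t.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for t in scripts)
    # with a nonce or hash present, CSP3 browsers ignore 'unsafe-inline', so only flag the bare case
    if "'unsafe-inline'" in scripts and not has_nonce_or_hash:
        findings.append("CSP: 'unsafe-inline' without nonce/hash lets injected inline scripts run")
    if "'unsafe-eval'" in scripts:
        findings.append("CSP: 'unsafe-eval' allows eval() on injected strings")
    if "*" in scripts:
        findings.append("CSP: script-src allows any origin (*)")
    return findings


def check_cors(headers: Headers) -> List[str]:
    findings = []
    acao = str(_get(headers, "access-control-allow-origin") or "")
    acac = str(_get(headers, "access-control-allow-credentials") or "").lower()
    if acao == "*" and acac == "true":
        findings.append("CORS: Allow-Origin * with Allow-Credentials true; browsers reject the response, "
                        "and reflecting the Origin instead would expose authenticated data to any site")
    if acao == "null":
        findings.append("CORS: Allow-Origin null matches sandboxed iframes and data: URLs from any site")
    return findings


def check_cookie(set_cookie: str) -> List[str]:
    findings = []
    name = set_cookie.split("=", 1)[0].strip()
    attrs = _directives(set_cookie.partition(";")[2])  # skip the name=value pair itself
    samesite = attrs.get("samesite", "").lower()
    if "secure" not in attrs:
        findings.append(f"Cookie {name}: missing Secure; sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append(f"Cookie {name}: missing HttpOnly; readable by script after XSS")
    if samesite == "none" and "secure" not in attrs:
        findings.append(f"Cookie {name}: SameSite=None requires Secure; browsers drop the cookie")
    elif samesite not in ("lax", "strict", "none"):
        findings.append(f"Cookie {name}: SameSite not set; relies on the browser default")
    if name.startswith("__Host-") and (attrs.get("path") != "/" or "domain" in attrs or "secure" not in attrs):
        findings.append(f"Cookie {name}: __Host- prefix requires Secure, Path=/ and no Domain")
    return findings


def audit(headers: Headers) -> List[str]:
    """Return all findings for one response; an empty list means nothing was flagged."""
    findings = []
    hsts, csp = _get(headers, "strict-transport-security"), _get(headers, "content-security-policy")
    findings += check_hsts(str(hsts)) if hsts is not None else ["HSTS: header missing"]
    findings += check_csp(str(csp)) if csp is not None else ["CSP: header missing"]
    findings += check_cors(headers)
    cookies = _get(headers, "set-cookie") or []
    for cookie in [cookies] if isinstance(cookies, str) else cookies:
        findings += check_cookie(cookie)
    return findings


# Constructed sample responses (not captured from any real site).
WEAK: Headers = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "script-src 'self' 'unsafe-inline' https://cdn.example",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
    "Set-Cookie": ["session=abc123; Path=/", "pref=dark; Secure; SameSite=None"],
}
HARDENED: Headers = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'; base-uri 'none'",
    "Access-Control-Allow-Origin": "https://app.example",
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
    "Set-Cookie": ["__Host-session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
}

if __name__ == "__main__":
    for label, hdrs in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(label, audit(hdrs) or "no findings")
```

Running the script prints the list of findings for WEAK and "no findings" for HARDENED. The checks are deliberately syntactic: a header can pass all of them and still be wrong for a given application (for example a CSP whose allowed CDN hosts a JSONP endpoint), so treat the audit as a first pass, not a proof of safety.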