Security HTTP Headers
June 7th 2016
X-Frame-Options: protection against clickjacking by specifying which sites may include your app in an iframe
* SAMEORIGIN (default value in Rails)
* ALLOW-FROM https://example.com/ (not honoured by every browser; the frame-ancestors directive of CSP is the cross-browser way to express the same rule)
X-XSS-Protection: this turns on the reflected-XSS filter built into some browsers (Rails sends "1; mode=block" by default, so the page is blocked rather than sanitised when the filter fires).
HTTP Strict Transport Security (HSTS) tells the browser to use only HTTPS for the site for max-age seconds after it has seen the header, so it never follows a plain-HTTP link or a downgraded redirect to the HTTP version of the website.
This mitigates man-in-the-middle attacks where TLS is stripped out. The header only helps after the first HTTPS visit (or if the domain is on the browser preload list), and browsers ignore it on responses received over plain HTTP.
Content Security Policy (CSP) is primarily a set of rules telling the browser which asset sources are allowed (a whitelist).
This reduces the number of Cross-Site Scripting (XSS) vectors by, for example, allowing only scripts from your own domain or disallowing inline scripts.
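The four headers above as working Ruby: a small Rack-style middleware that adds them to every response (the Rails way is config.action_dispatch.default_headers plus config.force_ssl for HSTS), and an audit function that flags a response whose headers are missing or weak. This is an added example, not code from the slides or from Rails itself; the class and method names (SecurityHeaders, audit_security_headers, wrapped_headers) and the sample app are my own, and it needs no gems.

```ruby
# Added example: middleware that sets the security headers discussed above.
# Header names and values are real; class/method names are made up for this demo.
class SecurityHeaders
  DEFAULTS = {
    'X-Frame-Options'           => 'SAMEORIGIN',
    'X-XSS-Protection'          => '1; mode=block',
    'Strict-Transport-Security' => 'max-age=31536000; includeSubDomains',
    'Content-Security-Policy'   => "default-src 'self'; script-src 'self'; object-src 'none'"
  }.freeze

  def initialize(app, overrides = {})
    @app = app
    @headers = DEFAULTS.merge(overrides)
  end

  # Rack interface: env in, [status, headers, body] out.
  def call(env)
    status, app_headers, body = @app.call(env)
    # Browsers ignore HSTS on plain-HTTP responses, so only send it over HTTPS.
    to_add = @headers.reject do |name, _|
      name == 'Strict-Transport-Security' && env['rack.url_scheme'] != 'https'
    end
    # Headers the app set explicitly win over the defaults (same rule Rails uses).
    [status, to_add.merge(app_headers), body]
  end
end

# Returns a list of findings for a response header hash; empty means all good.
def audit_security_headers(headers)
  findings = []

  xfo = headers['X-Frame-Options']
  findings << 'X-Frame-Options missing' if xfo.nil?
  if xfo.to_s.upcase.start_with?('ALLOW-FROM')
    findings << 'X-Frame-Options ALLOW-FROM is not honoured by all browsers; use CSP frame-ancestors'
  end

  findings << 'X-XSS-Protection missing' if headers['X-XSS-Protection'].nil?

  hsts = headers['Strict-Transport-Security']
  if hsts.nil?
    findings << 'HSTS missing'
  else
    max_age = hsts[/max-age=(\d+)/, 1].to_i
    findings << "HSTS max-age #{max_age} is shorter than 180 days" if max_age < 180 * 24 * 3600
  end

  csp = headers['Content-Security-Policy']
  if csp.nil?
    findings << 'CSP missing'
  else
    # script-src governs scripts; if absent, default-src applies to them instead.
    inline_allowed = if csp =~ /script-src/
                       csp =~ /script-src[^;]*'unsafe-inline'/
                     else
                       csp =~ /default-src[^;]*'unsafe-inline'/
                     end
    findings << "CSP allows 'unsafe-inline' scripts" if inline_allowed
  end

  findings
end

# Constructed sample app: a tiny Rack-compatible lambda returning an HTML page.
SAMPLE_APP = ->(_env) { [200, { 'Content-Type' => 'text/html' }, ['<h1>hi</h1>']] }

# Run the middleware for the given URL scheme and return the response headers.
def wrapped_headers(scheme)
  _status, headers, _body = SecurityHeaders.new(SAMPLE_APP).call('rack.url_scheme' => scheme)
  headers
end

if __FILE__ == $PROGRAM_NAME
  puts wrapped_headers('https').inspect
  puts audit_security_headers('Content-Security-Policy' => "default-src 'unsafe-inline'").inspect
end
```

Running the audit against your own production response is the useful part: fetch the headers with curl -I and pass them in as a hash, and treat any finding as a ticket.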
More about that in the next talk, Security Tip #2.