Security Header at CGNwebperf


Sebastian presents security headers at cgnwebperf

For the last three months I had always found an excuse not to speak at CGNwebperf, the local Web Performance Meetup.

But Stefan Böck, the organizer, kept on chasing me. Finally, after hosting the 20th version of CGNwebperf — Lightning Talks at our office, I couldn’t resist any longer.

Originally, I wanted to speak about ServiceWorkers. My colleagues know that I fear, loathe and love ServiceWorkers. Our long-term relationship started out rocky but has improved over the past years. Even though there is a lot to say about this topic, we decided to postpone it.

What else can you offer an audience that has been taking care of #webperf for ages? Which interesting area has not been covered yet and can still lead to new discoveries?

Well, my topic of choice was web security: how you can protect your users not only from ordinary attacks like cross-site scripting (XSS) or cross-site request forgery (CSRF), but also from newer vulnerabilities like Meltdown and Spectre.

I had the feeling it could be a daring suggestion. Usually, the CGNwebperf meetups are all about the smallest JPEG file possible, the shortest time to first byte (TTFB), the best speed index or on which compression level you should use Brotli on the fly.

I was relieved to see the RSVPs for the meetup being more than stable, actually exceeding my expectations. Pheew.

Ready, set, GO! Security Headers & CGNwebperf @Startplatz

Startplatz is, there is no other way to put it, a pretty damn cool location. Overlooking the Mediapark from the third floor, we started with ambient light and a great atmosphere in the room “New York”. After all the participants had arrived it became a little too atmospheric (read: cramped), so we moved to “San Francisco”, which at Startplatz is just seconds away.

The last webspeeders had to be routed via voice signal and off we went.

Small screen, big impact

Close-up of Sebastian presenting security headers at the CGNwebperf meetup

The screen we moved from New York was not living up to the expectations of the Big Apple. Nevertheless, everybody moved a little closer and was sucked even more into the presentation.

X-XSS-Protection, X-Frame-Options or the theoretical mind game to combine 27 Content-Security-Policy plugins with 40 different Origins of our example site did not lull anyone into sleep.

With the support of some Kölsch we worked out how serving correct Content-Types, combined with forbidding browsers from sniffing them, leads to higher security for users affected by Spectre or Meltdown (basically everyone with a PC or smartphone).

Furthermore, the working principles of Secure Sockets Layers (SSL), which components of a secured HTTP connection are actually encrypted, and why HTTP Public Key Pinning (HPKP) may be completely replaced by Google’s certificate transparency, were discussed.

And finally, after we used wao.io to lift the rating of startplatz.de on the securityheaders.io checker from a big red F to a tasty yellow-green B, everybody was convinced to invest some (or even some more) minutes into security optimization to make their websites fast AND secure.
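To show what such a rating boils down to, here is a minimal audit of the headers the talk covered. This is an added example, not code from the original post, from wao.io or from securityheaders.io: the header names are the real ones (X-Content-Type-Options: nosniff is the header that stops content sniffing), while the grading scale, the HSTS threshold and both sample responses are my own constructed assumptions.

```python
import re

# Minimum HSTS max-age we accept: six months in seconds (my own threshold).
HSTS_MIN_AGE = 15768000

def _hsts_ok(value):
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    return m is not None and int(m.group(1)) >= HSTS_MIN_AGE

# Headers from the talk and the value each needs to count as hardened.
CHECKS = {
    "content-type": lambda v: "/" in v,  # a real media type, not empty
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "content-security-policy": lambda v: "default-src" in v.lower(),
    "strict-transport-security": _hsts_ok,
}

def audit(headers):
    """Return (missing, weak) header names for a dict of response headers.
    Header names are compared case-insensitively, as HTTP requires."""
    lowered = {k.lower(): v for k, v in headers.items()}
    missing = [h for h in CHECKS if h not in lowered]
    weak = [h for h, ok in CHECKS.items() if h in lowered and not ok(lowered[h])]
    return missing, weak

def grade(headers):
    """Letter grade on my own scale: one letter per failed check, F at four or more."""
    missing, weak = audit(headers)
    return "ABCDF"[min(len(missing) + len(weak), 4)]

# Constructed "before" response: a Content-Type and nothing else.
BEFORE = {"Content-Type": "text/html; charset=utf-8", "Server": "example"}

# Constructed "after" response: nosniff, framing and HSTS added; CSP is still
# missing because it needs the per-origin allowlist work described above.
AFTER = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

if __name__ == "__main__":
    for name, h in (("before", BEFORE), ("after", AFTER)):
        missing, weak = audit(h)
        print(f"{name}: grade {grade(h)}, missing {missing}, weak {weak}")
```

A typo such as `nosnif` or an HSTS `max-age=0` counts as a weak header, not a present one, which is the difference between a header that is set and one that actually protects.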

I would like to use this opportunity to thank the attendees! Your questions, remarks and the resulting discussions are the essence of these meetups and turn every presentation (long-winded or not) into an interesting discovery of hidden knowledge.

We are definitely going to meet up again, every first Thursday of the month – regardless of whether it is a performance topic or a different but nonetheless relevant one!

This article was originally published at Sevenval by Sebastian T. Translation by Heinrich R. 
