Web.dev - Web Privacy and Security Recipe

•

0 gefällt mir•111 views

Mark Robin

Sharing my slides I used during my talk in Web.dev LIVE Cebu. Aug 08, 2020

Technologie

Web Privacy & Security Recipes
Mark Robin
Senior Software Engineer
Inspire Team
GDG Cebu #webdevLIVE

Protects the integrity of your
website
HTTPS
HTTPS helps prevent intruders from
tampering with the communications
between your websites and your users'
browsers.
Protects the privacy & security
of your users
HTTPS prevents intruders from being
able to passively listen to
communications between your
websites and your users.
The future of the web
HTTPS is a key component to the
permission workﬂows for new features
and updated APIs.
GDG Cebu

Protects the privacy & security
of your users
HTTPS prevents intruders from being
able to passively listen to
communications between your
websites and your users.
Protects the integrity of your
website
HTTPS
HTTPS helps prevent intruders from
tampering with the communications
between your websites and your users'
browsers.
Protects the privacy & security
of your users
HTTPS prevents intruders from being
able to passively listen to
communications between your
websites and your users.
The future of the web
HTTPS is a key component to the
permission workﬂows for new features
and updated APIs.
GDG Cebu
Protects the integrity of your
website
HTTPS helps prevent intruders from
tampering with the communications
between your websites and your users'
browsers.

Cookie recipes:
SameSite and beyond
GDG Cebu

Set-Cookie:
__Host-cookiename=cookievalue;
Secure;
Path=/;
HttpOnly;
SameSite=Lax
Set-Cookie:
__Host-cookiename=cookievalue;
Secure;
Path=/;
HttpOnly;
SameSite=Lax
GDG Cebu

Set-Cookie:
__Host-cookiename=cookievalue;
Secure;
Path=/;
HttpOnly;
SameSite=Lax
GDG Cebu

Set-Cookie:
__Secure-cookiename=cookievalue;
Secure;
Domain=news.site;
Path=/;
HttpOnly;
SameSite=Lax
GDG Cebu

Set-Cookie:
__Host-cookiename=cookievalue;
Secure;
Path=/;
HttpOnly;
SameSite=Lax;
Max-Age=900
GDG Cebu

Set-Cookie:
__Host-cookiename=cookievalue;
Secure;
Path=/;
HttpOnly;
SameSite=Strict
GDG Cebu

Set-Cookie:
__Host-cookiename=cookievalue;
Secure;
Path=/;
HttpOnly;
SameSite=None
GDG Cebu

Set-Cookie:
first_party=cookievalue;
SameSite=Lax
Set-Cookie:
third_party=cookievalue;
SameSite=None; Secure
GDG Cebu

COOP:
COEP:
Cross-Origin-Opener-Policy
Cross-Origin-Embedder-Policy
GDG Cebu

Powerful Features
• SharedArrayBuffer across platforms
• performance.measureMemory()
• JS Self Profiling API
and more to come…
GDG Cebu

Composability
● Ads
● Fonts
● Images
● Videos
● Maps
● Payment solutions
a.example
b.example
GDG Cebu

Same-origin Policy
a.example
b.example
Browsing Context Group
GDG Cebu

Same-origin Policy
Origin A Origin B
Explanation of whether Origin A
and B are "same-origin" or
"cross-origin"
https://www.example.com:443
https://www.evil.com:443 cross-origin: different domains
https://example.com:443 cross-origin: different subdomains
https://login.example.com:443 cross-origin: different subdomains
http://www.example.com:443 cross-origin: different schemes
https://www.example.com:80 cross-origin: different ports
https://www.example.com:443 same-origin: exact match
https://www.example.com same-origin: implicit port number (443)
matches
GDG Cebu

Spectre
evil.example
Browsing Context Group
a.example
b.example
GDG Cebu

COOP+COEP = cross-origin isolated
evil.example
a.example
b.example
GDG Cebu

Enabling cross-origin isolation
1. Set `Cross-Origin-Opener-Policy: same-origin` for the main
document.
2. Make sure cross-origin resources use `CORP: cross-origin` or CORS.
3. Set `Cross-Origin-Embedder-Policy: require-corp` for the main
document.
GDG Cebu

Cross-Origin-Opener-Policy: same-origin
COOP COEP CORP CORS
GDG Cebu

Confirm cross-origin resources support:
COOP COEP CORP CORS
• `Cross-Origin-Resource-Policy: cross-origin` header
• Cross Origin Resource Sharing
`<img src=“image.png” crossorigin>`
GDG Cebu

Attention! Resource providers:
COOP COEP CORP CORS
Apply `Cross-Origin-Resource-Policy: cross-origin` header!
GDG Cebu

Cross-Origin-Embedder-Policy: require-corp
Resource without `CORP` or CORS will be blocked
COOP COEP CORP CORS
GDG Cebu

Cross-Origin-Embedder-Policy: require-corp
Cross-origin resource with `CORP: cross-origin` can be loaded
COOP COEP CORP CORS
GDG Cebu

```js
if (self.crossOriginIsolated) {
// Your page is at "cross-origin isolated" state
}
```
GDG Cebu

This cover has been designed using
resources from Freepik.com
Security is always excessive
until it’s not enough.
Robbie Sinclair

linkedin.com/in/markdrobin
github.com/mdrobin95
GDG Cebu
giphy.com
SOURCE web.dev/secure

Weitere ähnliche Inhalte

Was ist angesagt?

Bünyamin Demir - 10 Adımda Yazılım Güvenliği

CypSec - Siber Güvenlik Konferansı

BrightonSEO

Richard Falconer

Content Security Policy - The application security Swiss Army Knife

Scott Helme

These are the slides from my "Phishing Forensics - Is it just suspicious or is it malicious?" presentation at the BSides Cleveland Information Security Conference on 06/23/2018 in Cleveland, Ohio. Title: Phishing Forensics - Is it just suspicious or is it malicious? Abstract: What thoughts currently make tech defenders uneasy as they go to bed at night? Despite implementing and properly configuring the latest technological controls and security solutions into our environments, end users typically remain the most vulnerable point of entry into nearly any network. Unfortunately, only one misstep by a single user provides attackers with the foothold they need to begin compromising an entire enterprise network environment. The safety of our inboxes is a key initiative on the battlefront of protecting staff from the scourge of phishing and spear phishing attacks. We will perform a deep-dive look at the latest techniques used by criminals to bypass security products and traditional defense-in-depth strategies. We then focus heavily on conducting a digital forensic investigation on a sample phishing email message. Topics covered include technical analysis of message headers, message source code, message attachments, and malicious landing web pages even when a dedicated sandbox environment is unavailable.

BSides Cleveland: Phishing Forensics - Is it just suspicious or is it malicious?

ThreatReel Podcast

In this presentation, we show promising new defense-in-depth techniques to protect modern web applications from old and new classes of bugs: Suborigins to have finer-grained control over origin boundaries, Site Isolation and XSDB against Spectre and Meltdown attacks, and last but not least Origin and Feature Policy. In addition to that, we explain new features of the upcoming CSP 3 specification like 'unsafe-hashed-attributes' and give an overview of how we were able to enforce CSP as a strong mitigation against cross-site scripting on over 50% of production web traffic at Google. With increased adoption new challenges arise: dealing with CSP report noise - generated by buggy browsers, extensions, malware and security software - devising an effective monitoring infrastructure, and keeping on top of bypassing techniques. In this presentation we reveal how our internal CSP infrastructure works and how we solved problems, share our experience, show real-world examples, best practices and common pitfalls. Finally, we hint at a new promising web mitigation technique, which we hope to see gaining traction in the near future: Suborigins.

CONFidence 2018: Defense-in-depth techniques for modern web applications and ...

PROIDEA

Techorama 2019 - Azure Security Center Unleashed

Tom Janetscheck

In today's cloud era, admins struggle to keep their IT infrastructures safe. Cloud security is joint responsibility and what we need is a new approach! In this session, you will learn how to securely deploy and maintain Azure infrastructure solutions, why automation is essential, what network security and encryption options you have, and how access control can prevent you from having sleepless nights. We will successfully attack an Azure environment live on stage, dive deep into Azure Security Center, and see how we can use it to ultimately secure IT infrastructures on premises, hybrid, and on Azure.

Experts Live Norway - Azure Infrastructure Security

Tom Janetscheck

Back in the days, when blocking network traffic was enough to prevent attackers from accessing corporate content, life was easy. You could be sure that your physical datacenter walls built your perimeter, so you simply needed to protect your borders. But nowadays, when we see an increasing amount of phishing, spear phishing and credential theft attacks against corporate environments, it’s no longer sufficient to only take care of network and data security.Today, it's more important than ever to protect and securely manage identities in the cloud and on-premises, and to make sure to be informed as soon as someone tries to get hold of them.

Microsoft Ignite The Tour 2020 - BRK30173 - Identity is the new control plane

Tom Janetscheck

Was ist angesagt? (8)

Bünyamin Demir - 10 Adımda Yazılım Güvenliği

BrightonSEO

Content Security Policy - The application security Swiss Army Knife

BSides Cleveland: Phishing Forensics - Is it just suspicious or is it malicious?

CONFidence 2018: Defense-in-depth techniques for modern web applications and ...

Techorama 2019 - Azure Security Center Unleashed

Experts Live Norway - Azure Infrastructure Security

Microsoft Ignite The Tour 2020 - BRK30173 - Identity is the new control plane

Ähnlich wie Web.dev - Web Privacy and Security Recipe

Before the Web, clients connected to back-end servers without compromises. As the Web came along with HTTP, we had to give up some of the power of our connectivity. With the evolving open Web communications standards, now we have a unique opportunity to move on from a request-response based REST world to a true, event-driven architecture. Learn what it takes to connect physical devices, such as Arduino and the Rasberry Pi to collect sensor data, or control physical devices over the Web. Commercial aviation's biggest challenge when things go wrong is that flight data is stuck on the plane inside the black box. Until the black box is recovered, we barely know anything about what went wrong. This presentation offers detailed insights into how IoT and modern Web communications concepts have the power to change all this. If you're a maker, you will learn about "flight sensors" attached and controlled by Arduino, data transmitted over long range WiFi as well as satellite networks. If interested in real-time Web communications, you'll learn about a highly secure WebSocket implementation with extreme scale, publishing flight data to tablets and laptops used as monitoring dashboard. If protocol layering, enterprise messaging, or JMS is your thing, this talk is for you. Code samples and plenty of interactive live demos (with Things) add color to the talk.

Connecting Physical Devices to the Web - Event Driven Architecture using WebS...

Peter Moskovits

Converting you website to https

Peter Salerno

In the digital age, cybersecurity is a paramount concern, and Google is committed to ensuring user safety and privacy. As part of their efforts, they've made SSL certificates a significant factor in search engine optimization (SEO). SSL (Secure Sockets Layer) certificates, indicated by the "https" in website URLs and the padlock symbol in browsers, are not only essential for security but also offer several SEO benefits. In this comprehensive guide, we'll delve into the advantages of having an SSL certificate for SEO.

SEO benefits | ssl certificate | Learn SEO

devbhargav1

Keeping communication between your visitors and your website secure and confidential has never been more important. Data can be vulnerable to theft as it’s transferred to and from your website. One simple solution to this security threat is to encrypt your traffic with SSL (Secure Sockets Layer). SSL encryption ensures the data transferred between your visitors and your site is safe from data theft, and having SSL enabled can also boost your Google search rankings. CloudFlare has made it simple and easy to add SSL to your site: you don’t have to purchase a separate certificate or install anything. In this webinar CloudFlare’s solution engineer Peter Griffin explains the key features of SSL, and walks you through the simple process of getting SSL running on your site.

Overview of SSL: choose the option that's right for you

Cloudflare

Geek Guide: Apache Web Servers and SSL Authentication

RapidSSLOnline.com

Android P Security Updates: What You Need to Know

NowSecure

This talk is about how to secure your front-end + backend applications using a RESTful approach. As opposed to traditional and monolithic server-side applications (where the HTTP session is used), when your front-end application is running on a browser and not securely from the server, there are few things you need to consider. In this session Alvaro will explore standards like OAuth or JWT to achieve a stateless, token-based authentication and authorization using Spring Security in Grails.

Stateless authentication for microservices - GR8Conf 2015

Alvaro Sanchez-Mariscal

How Does SSL Affect Your Search Engine Optimization

Christopher Dill

http://www.springio.net/stateless-authentication-for-microservices/ This talk is about how to secure your front-end + backend applications using a RESTful approach. As opposed to traditional and monolithic server-side applications (where the HTTP session is used), when your front-end application is running on a browser and not securely from the server, there are few things you need to consider. In this session Alvaro will explore standards like OAuth and JWT to achieve a stateless, token-based authentication and authorization using Spring Security in Grails. More specifically, the demonstration will be made using Spring Security REST, a popular Grails plugin written by Álvaro.

Stateless authentication for microservices - Spring I/O 2015

Alvaro Sanchez-Mariscal

Stateless authentication for microservices - Greach 2015

Alvaro Sanchez-Mariscal

Webinar recording here: https://www.heroku.com/tech-sessions/creating-secure-web-apps Secure internet communication is one of the most important issues facing technology practitioners these days. But for many software development teams, it’s an afterthought. Almost every week there’s a new headline about web security: Google Chrome flagging non-HTTPS sites as insecure, Apple requiring iOS apps’ API communication to use HTTPS, and Google giving search ranking preference to HTTPS. Join Josh Aas, Executive Director of Let's Encrypt, and Chris Castle, Developer Advocate from Heroku, as they take you on a quick tour of what you, as a developer, need to know about HTTPS today plus show you how Let's Encrypt and Heroku are making it easier than ever for all developers to add HTTPS to their web apps.

Creating Secure Web Apps: What Every Developer Needs to Know About HTTPS Today

Heroku

Time to Migrate to HTTPS – The Simple Way to Do It Right, And the Ways That t...

Click Consult (Part of Ceuta Group)

In a world with increasingly sophisticated adversaries employing both targeted and automated attacks, what can we do to keep our users and our web apps safe? While Rails provides pretty decent security options straight out of the box, we can go further and make attacks more difficult to accomplish. For example, why and how to implement a Content Security Policy. Should you use HTTP Public Key Pinning? How do you know if you've configured HTTPS correctly?

Rails security: above and beyond the defaults

Matias Korhonen

Join Cloudflare and CoinGecko, a Singapore-based cryptocurrency ranking chart platform that serves over 100 million pages views per month, for an educational webinar. Learn about the steps CoinGecko took to improve the user experience of its cryptocurrency platform, and how Cloudflare’s Argo Smart Routing routed over 1.2 billion website requests per month to improve performance on average by 65%, while using caching to save CoinGecko up to 88% on bandwidth.

65% Performance Gains at Cryptocurrency Platform CoinGecko: An Argo Smart Rou...

Cloudflare

WebSocket Perspectives and Vision for the Future - HTML5DevConf Oct 2013 SF

Frank Greco

PWA Roadshow Seoul - HTTPS

Chang W. Doh

Hacking Client Side Insecurities

amiable_indian

WordCamp US: Delivering the news over HTTPS

Paul Schreiber

Bitflips happen more than you know, especially on mobile devices and especially on cheap phones with memory that has higher FIT rates (Failures-In-Time). In the past, encryption in-transit (TLS/SSL) would have protected you against the most dangerous opportunistic attackers because it was cost prohibitive. Today however, certificates are free. Free for you and threat actors, thanks to Let’s Encrypt and major cloud providers. While free certificate authorities are a net positive for internet security, we already know attackers are leveraging the HTTPS lock for subverting security awareness training and more successful phishing. What about corporate espionage? That’s precisely what we investigated and will demonstrate with this slide deck.

Ghost in the Browser: Broad-Scale Espionage with Bitsquatting

Bishop Fox

HTTP VS. HTTPS: WHICH IS BETTER??

SEONetsolITSolutions

Ähnlich wie Web.dev - Web Privacy and Security Recipe (20)

Connecting Physical Devices to the Web - Event Driven Architecture using WebS...

Converting you website to https

SEO benefits | ssl certificate | Learn SEO

Overview of SSL: choose the option that's right for you

Geek Guide: Apache Web Servers and SSL Authentication

Android P Security Updates: What You Need to Know

Stateless authentication for microservices - GR8Conf 2015

How Does SSL Affect Your Search Engine Optimization

Stateless authentication for microservices - Spring I/O 2015

Stateless authentication for microservices - Greach 2015

Creating Secure Web Apps: What Every Developer Needs to Know About HTTPS Today

Time to Migrate to HTTPS – The Simple Way to Do It Right, And the Ways That t...

Rails security: above and beyond the defaults

65% Performance Gains at Cryptocurrency Platform CoinGecko: An Argo Smart Rou...

WebSocket Perspectives and Vision for the Future - HTML5DevConf Oct 2013 SF

PWA Roadshow Seoul - HTTPS

Hacking Client Side Insecurities

WordCamp US: Delivering the news over HTTPS

Ghost in the Browser: Broad-Scale Espionage with Bitsquatting

HTTP VS. HTTPS: WHICH IS BETTER??

Kürzlich hochgeladen

Generative AI refers to a class of machine learning algorithms that are designed to generate new data samples that are similar to those in the training data. Unlike traditional AI models that are trained to recognize patterns and make predictions, generative AI models have the ability to create entirely new data based on the patterns they have learned. This is achieved through techniques such as generative adversarial networks (GANs), variational autoencoders (VAEs), and transformer architectures, among others.

Generative AI Use Cases and Applications.pdf

alexjohnson7307

Design and Development of a Provenance Capture Platform for Data Science

Paolo Missier

ADP Passwordless Journey Case Study.pptx

FIDO Alliance

ERP Contender Series: Acumatica vs. Sage Intacct

BrainSell Technologies

WebRTC and SIP not just audio and video @ OpenSIPS 2024

Lorenzo Miniero

Here comes another enlightening document that dives into the thrilling world of breaking BitLocker, Windows' attempt at full disk encryption. This analysis will walk you through the myriad of creative hacks, from the classic cold boot attacks—because who doesn't love freezing their computer to steal some data—to exploiting those oh-so-reliable TPM chips that might as well have a "hack me" sign on them. We'll also cover some software vulnerabilities, because Microsoft just wouldn't be the same without a few of those sprinkled in for good measure. And let's not forget about intercepting those elusive decryption keys; it's like a digital treasure hunt! So, whether you're a security expert, a forensic analyst, or just a curious cat in the world of cybersecurity, enjoy the read, and maybe keep that data backed up somewhere safe, yeah? ------- This document provides a comprehensive analysis of the method demonstrated in the video "Breaking Bitlocker - Bypassing the Windows Disk Encryption" where the author showcases a low-cost hardware attack capable of bypassing BitLocker encryption. The analysis will cover various aspects of the attack, including the technical approach, the use of a Trusted Platform Module (TPM) chip, and the implications for security practices. The analysis provides a high-quality summary of the demonstrated attack, ensuring that security professionals and specialists from different fields can understand the potential risks and necessary countermeasures. The document is particularly useful for cybersecurity experts, IT professionals, and organizations that rely on BitLocker for data protection and to highlight the need for ongoing security assessments and the potential for similar vulnerabilities in other encryption systems.

Microsoft BitLocker Bypass Attack Method.pdf

Overkill Security

In the dynamic field of DevOps, the quest for efficiency and productivity is endless. This talk introduces a revolutionary toolkit: Large Language Models (LLMs), including ChatGPT, Gemini, and Claude, extending far beyond traditional coding assistance. We'll explore how LLMs can automate not just code generation, but also transform day-to-day operations such as crafting compelling cover letters for TPS reports, streamlining client communications, and architecting innovative DevOps solutions. Attendees will learn effective prompting strategies and examine real-life use cases, demonstrating LLMs' potential to redefine productivity in the DevOps landscape. Join us to discover how to harness the power of LLMs for a comprehensive productivity boost across your DevOps activities.

ChatGPT and Beyond - Elevating DevOps Productivity

VictorSzoltysek

Event-Driven Architecture Masterclass: Challenges in Stream Processing

ScyllaDB

Navigating the Large Language Model choices_Ravi Daparthi

RaviKumarDaparthi

The microservices honeymoon is over. When starting a new project or revamping a legacy monolith, teams started looking for alternatives to microservices. The Modular Monolith, or 'Modulith', is an architecture that reaps the benefits of (vertical) functional decoupling without the high costs associated with separate deployments. This talk will delve into the advantages and challenges of this progressive architecture, beginning with exploring the concept of a 'module', its internal structure, public API, and inter-module communication patterns. Supported by spring-modulith, the talk provides practical guidance on addressing the main challenges of a Modultith Architecture: finding and guarding module boundaries, data decoupling, and integration module-testing. You should not miss this talk if you are a software architect or tech lead seeking practical, scalable solutions. About the author With two decades of experience, Victor is a Java Champion working as a trainer for top companies in Europe. Five thousands developers in 120 companies attended his workshops, so he gets to debate every week the challenges that various projects struggle with. In return, Victor summarizes key points from these workshops in conference talks and online meetups for the European Software Crafters, the world’s largest developer community around architecture, refactoring, and testing. Discover how Victor can help you on victorrentea.ro : company training catalog, consultancy and YouTube playlists.

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024

Victor Rentea

Working together SRE & Platform Engineering

Marcus Vechiato

"The Ultimate Prompt Engineering Guide for Generative AI" provides a comprehensive guide to leveraging the power of AI assistants through effective prompt design. It explores fundamental prompt concepts and details strategies for crafting prompts that maximize output quality. Readers learn about iterative refinement, examples, constraints, and advanced techniques like chaining and decomposition. Case studies demonstrate real-world applications in content creation, coding, analysis, and more. Trends in multimodal, automated, and responsible prompting are also examined. This book is a must-read for anyone seeking to optimize generative AI capabilities.

The Ultimate Prompt Engineering Guide for Generative AI: Get the Most Out of ...

SOFTTECHHUB

Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots

Leah Henrickson

Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf

AnubhavMangla3

Webinar Recording: https://www.panagenda.com/webinars/alles-neu-macht-der-mai-wir-durchleuchten-den-verbesserten-notes-eigenschaftendialog/ Haben Sie sich schon einmal über den zu kleinen Eigenschaftendialog in Notes geärgert? Mussten Sie einen Agenten oder eine Aktion erstellen, um schnell mal ein Feld zu ändern? Haben Sie jedes mal endlos nach dem zu vergleichenden Feld gesucht, nachdem Sie ein neues Dokument ausgewählt haben? Wollten Sie das verdammte Ding einfach nur größer machen? Zum Glück gibt es dafür eine Lösung – und sie ist wahrscheinlich bereits installiert! Mit dem kostenlosen panagenda Document Properties (Pro) erhalten Sie den Eigenschaftendialog, den Sie schon immer haben wollten. Größer, anpassbar, und im Volltext durchsuchbar. Sehen Sie mehrere Dokumente gleichzeitig oder vergleichen Sie mit einem Diff-Viewer. Ändern Sie beliebige Felder und haben Sie endlich eine einfache Möglichkeit, Profildokumente für alle Benutzer zu verwalten. Entdecken Sie mit HCL Ambassador Marc Thomas, wie Document Properties Ihre Arbeit vereinfachen und Sie bei der täglichen Verwendung von Domino-Anwendungen unterstützen kann – im Client oder im Designer. Sie werden es nicht bereuen! Für Sie in diesem Webinar - Was Document Properties ist, welche Editionen es gibt und wo es in Notes und Domino Designer zu finden ist - Wie Sie nach einem beliebigen Feld suchen und es bearbeiten, Dokumente vergleichen oder alle Daten per CSV exportieren können - Suchen, Bearbeiten und auch Löschen von Profildokumenten - Welche Konfigurationseinstellungen verfügbar sind, um Funktionen anzupassen - Wie Ihre Endbenutzer davon profitieren - Sehen Sie alles in einer Live-Demo

Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...

panagenda

At Skynet Technologies, our team of accessibility experts performs automated, semi-automated, and manual audits of websites and web applications as per WCAG 2.2 level AA, ADA, and section 508. Based on evaluations of the accessibility compliance level of the website’s UI, design, source code, navigation, interactive elements, and overall usability, we will provide a digital accessibility evaluation report with in-depth details of potential accessibility barriers and remediation recommendations. Get a manual website WCAG audit (2.0, 2.1, 2.2 level AA) for a small website: 10 pages: $2,500 within 7 business days 30 pages: $7,500 within 14 business days 50 pages: $12,500 within 28 business days For medium websites: 100 pages: $25,000 within 70 business days For larger websites or audits of all pages, please reach out hello@skynettechnologies.com.

Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...

Skynet Technologies

الأمن السيبراني - ما لا يسع للمستخدم جهله

Mohamed Sweelam

Because observability is such a broad topic – and often something we learn on the job – it can feel like there’s too much to learn at once. But you don’t have to tackle everything and can start with the basics and build from there! Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack. No matter what tooling is in place, there are still observability fundamentals that developers should know. That’s why I’ve put together a primer on the different telemetry types, when to use them, how to understand the data journey, and what to look for in time series graphs.

Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)

Paige Cruz

Portal Kombat : extension du réseau de propagande russe

中央社

Introduction to FIDO Authentication and Passkeys.pptx

FIDO Alliance

Kürzlich hochgeladen (20)

Generative AI Use Cases and Applications.pdf

Design and Development of a Provenance Capture Platform for Data Science

ADP Passwordless Journey Case Study.pptx

ERP Contender Series: Acumatica vs. Sage Intacct

WebRTC and SIP not just audio and video @ OpenSIPS 2024

Microsoft BitLocker Bypass Attack Method.pdf

ChatGPT and Beyond - Elevating DevOps Productivity

Event-Driven Architecture Masterclass: Challenges in Stream Processing

Navigating the Large Language Model choices_Ravi Daparthi

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024

Working together SRE & Platform Engineering

The Ultimate Prompt Engineering Guide for Generative AI: Get the Most Out of ...

Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots

Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf

Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...

Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...

الأمن السيبراني - ما لا يسع للمستخدم جهله

Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)

Portal Kombat : extension du réseau de propagande russe

Introduction to FIDO Authentication and Passkeys.pptx

Web.dev - Web Privacy and Security Recipe

1. GDG Cebu

2. Web Privacy & Security Recipes Mark Robin Senior Software Engineer Inspire Team GDG Cebu #webdevLIVE

3. GDG Cebu

4. https:// GDG Cebu

5. Protects the integrity of your website HTTPS HTTPS helps prevent intruders from tampering with the communications between your websites and your users' browsers. Protects the privacy & security of your users HTTPS prevents intruders from being able to passively listen to communications between your websites and your users. The future of the web HTTPS is a key component to the permission workﬂows for new features and updated APIs. GDG Cebu

6. Protects the privacy & security of your users HTTPS prevents intruders from being able to passively listen to communications between your websites and your users. Protects the integrity of your website HTTPS HTTPS helps prevent intruders from tampering with the communications between your websites and your users' browsers. Protects the privacy & security of your users HTTPS prevents intruders from being able to passively listen to communications between your websites and your users. The future of the web HTTPS is a key component to the permission workﬂows for new features and updated APIs. GDG Cebu Protects the integrity of your website HTTPS helps prevent intruders from tampering with the communications between your websites and your users' browsers.

7. Protects the integrity of your website HTTPS HTTPS helps prevent intruders from tampering with the communications between your websites and your users' browsers. Protects the privacy & security of your users HTTPS prevents intruders from being able to passively listen to communications between your websites and your users. The future of the web HTTPS is a key component to the permission workﬂows for new features and updated APIs. GDG Cebu Protects the privacy & security of your users HTTPS prevents intruders from being able to passively listen to communications between your websites and your users. The future of the web HTTPS is a key component to the permission workﬂows for new features and updated APIs.

8. www.iliketoquote.com

10. Cookie recipes: SameSite and beyond GDG Cebu

11. Set-Cookie: __Host-cookiename=cookievalue; Secure; Path=/; HttpOnly; SameSite=Lax Set-Cookie: __Host-cookiename=cookievalue; Secure; Path=/; HttpOnly; SameSite=Lax GDG Cebu

12. Set-Cookie: __Host-cookiename=cookievalue; Secure; Path=/; HttpOnly; SameSite=Lax GDG Cebu

13. Set-Cookie: __Host-cookiename=cookievalue; Secure; Path=/; HttpOnly; SameSite=Lax GDG Cebu

14. Set-Cookie: __Host-cookiename=cookievalue; Secure; Path=/; HttpOnly; SameSite=Lax GDG Cebu

15. Set-Cookie: __Host-cookiename=cookievalue; Secure; Path=/; HttpOnly; SameSite=Lax GDG Cebu

16. Set-Cookie: __Host-cookiename=cookievalue; Secure; Path=/; HttpOnly; SameSite=Lax GDG Cebu

17. Set-Cookie: __Host-cookiename=cookievalue; Secure; Path=/; HttpOnly; SameSite=Lax GDG Cebu

18. Set-Cookie: __Host-cookiename=cookievalue; Secure; Path=/; HttpOnly; SameSite=Lax GDG Cebu

19. Set-Cookie: __Host-cookiename=cookievalue; Secure; Path=/; HttpOnly; SameSite=Lax GDG Cebu

20. Set-Cookie: __Host-cookiename=cookievalue; Secure; Path=/; HttpOnly; SameSite=Lax GDG Cebu

21. Set-Cookie: __Secure-cookiename=cookievalue; Secure; Domain=news.site; Path=/; HttpOnly; SameSite=Lax GDG Cebu

22. Set-Cookie: __Host-cookiename=cookievalue; Secure; Path=/; HttpOnly; SameSite=Lax; Max-Age=900 GDG Cebu

23. Set-Cookie: __Host-cookiename=cookievalue; Secure; Path=/; HttpOnly; SameSite=Strict GDG Cebu

24. Set-Cookie: __Host-cookiename=cookievalue; Secure; Path=/; HttpOnly; SameSite=None GDG Cebu

25. Set-Cookie: __Host-cookiename=cookievalue; Secure; Path=/; HttpOnly; SameSite=None GDG Cebu

26. Set-Cookie: first_party=cookievalue; SameSite=Lax Set-Cookie: third_party=cookievalue; SameSite=None; Secure GDG Cebu

27. COOP: COEP: Cross-Origin-Opener-Policy Cross-Origin-Embedder-Policy GDG Cebu

28. Powerful Features • SharedArrayBuffer across platforms • performance.measureMemory() • JS Self Profiling API and more to come… GDG Cebu

29. Composability ● Ads ● Fonts ● Images ● Videos ● Maps ● Payment solutions a.example b.example GDG Cebu

30. Same-origin Policy a.example b.example Browsing Context Group GDG Cebu

31. Same-origin Policy Origin A Origin B Explanation of whether Origin A and B are "same-origin" or "cross-origin" https://www.example.com:443 https://www.evil.com:443 cross-origin: different domains https://example.com:443 cross-origin: different subdomains https://login.example.com:443 cross-origin: different subdomains http://www.example.com:443 cross-origin: different schemes https://www.example.com:80 cross-origin: different ports https://www.example.com:443 same-origin: exact match https://www.example.com same-origin: implicit port number (443) matches GDG Cebu

32. Spectre evil.example Browsing Context Group a.example b.example GDG Cebu

33. COOP+COEP = cross-origin isolated evil.example a.example b.example GDG Cebu

34. Enabling cross-origin isolation 1. Set `Cross-Origin-Opener-Policy: same-origin` for the main document. 2. Make sure cross-origin resources use `CORP: cross-origin` or CORS. 3. Set `Cross-Origin-Embedder-Policy: require-corp` for the main document. GDG Cebu

35. Cross-Origin-Opener-Policy: same-origin COOP COEP CORP CORS GDG Cebu

36. Confirm cross-origin resources support: COOP COEP CORP CORS • `Cross-Origin-Resource-Policy: cross-origin` header • Cross Origin Resource Sharing `<img src=“image.png” crossorigin>` GDG Cebu

37. Attention! Resource providers: COOP COEP CORP CORS Apply `Cross-Origin-Resource-Policy: cross-origin` header! GDG Cebu

38. Cross-Origin-Embedder-Policy: require-corp Resource without `CORP` or CORS will be blocked COOP COEP CORP CORS GDG Cebu

39. Cross-Origin-Embedder-Policy: require-corp Cross-origin resource with `CORP: cross-origin` can be loaded COOP COEP CORP CORS GDG Cebu

40. ```js if (self.crossOriginIsolated) { // Your page is at "cross-origin isolated" state } ``` GDG Cebu

41. Chrome DevTools GDG Cebu

42. GDG Cebu

43. Issues Tab GDG Cebu

44. GDG Cebu

45. GDG Cebu

46. GDG Cebu

47. This cover has been designed using resources from Freepik.com Security is always excessive until it’s not enough. Robbie Sinclair

48. linkedin.com/in/markdrobin github.com/mdrobin95 GDG Cebu giphy.com SOURCE web.dev/secure

Web.dev - Web Privacy and Security Recipe

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (8)

Ähnlich wie Web.dev - Web Privacy and Security Recipe

Ähnlich wie Web.dev - Web Privacy and Security Recipe (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Web.dev - Web Privacy and Security Recipe