Why simply deploying HTTPS will not get you an A+ grade

The following resources go deeper into the topics we covered during the course.

• An overview of steps to take to prepare the move towards HTTPS

• An explanation of how the SSL server test comes to its score

• An overview of SSL/TLS Deployment Best Practices

• The free OpenSSL cookbook containing lots of practical details about configuring TLS

• Moxie Marlinspike's entertaining talk on Authenticity in TLS

• A blog post about potential abuses of HSTS and HPKP

• The account of Wired's upgrade to HTTPS, Part 1, Part 2, and the final report

• The 'Black Tulip' report on the compromise of DigiNotar

• Facebook's tool to subscribe to Certificate Transparency logs

Below, you find a few pointers to useful information if you're deploying TLS or HTTPS in practice.

• A detailed explanation of what happens during the initialisation of an HTTPS connection

• Mozilla's operational guide to TLS

• A guide on decrypting TLS traffic in Wireshark

• The intent of Let's Encrypt to support Certificate Transparency through OCSP responses

• A detailed account of setting up Certificate Transparency with a TLS Extension

• F5 labs' 2016 TLS Telemetry Report, documenting the evolution of various SSL/TLS features

How to avoid common pitfalls in authentication and authorization on the Web

The links below explain a few topics from the course in a lot more detail.

• An excellent write-up of the cryptographic errors that have been uncovered in the Adobe breach

• A blog post about the advantages of the YubiKey

• The FIDO U2F security reference, which clearly gives an overview of the threats U2F counters.

• The SameSite cookie flag explained in more detail

• An account from an IE engineer who came up with cookie prefixes, which are ironically supported by most browsers except IE

• The original blog post with the list of JWT Best Practices we covered

• The full article on Insecure Direct Object References

• A deep dive into OAuth and OpenID Connect

• An explanation of the reason why OAuth is not an authentication protocol

A few pointers to some practical information on authentication and authorization.

• An overview of the biggest data breaches over time

• A detailed account of how Dropbox goes out of their way to store your passwords securely.

• Practical advice on addressing the top challenges with implementing U2F-based multi-factor auhtentication.

• A description of Facebook's delegated recovery mechanism

• Using authentication tokens in a Single Page Application

• An example of a brute-force attack in practice, worth $5000 in bug bounties

• A simplified yet practical explanation of OAuth 2.0

Why modern security technologies will eradicate Cross-Site Scripting

Additional information on Cross-Site Scripting and Content Security Policy can be found below.

• A very clear overview of XSS attacks and defenses, ideal to sharpen your understanding of XSS

• A detailed blog post on template injection in AngularJS applications using the orderBy filter

• The blog post series on deploying CSP at Dropbox

• GitHub's well-documented CSP journey

• Strict-dynamic, presented by Google engineers at AppSec 2016

A few practical resources and tools to combat XSS attacks

• OWASP's XSS Filter Evasion Cheat Sheet

• Netflix on the reason they built Sleepy Puppy

• The CSP Playground, which includes a policy validator for CSP

• Google's CSP Evaluator tool to check the security of your CSP policy.

• The write-up of the decision and impact of removing the AngularJS Expression Sandbox

Four new browser communication mechanisms, and how they affect your application

Further reading material on the latest developments in browser communication technologies.

• A well-documented guided tour of CORS

• A very complete explanation of the Server-Sent Events protocol

• The inner workings of WebSocket compression explained in detail

• A good explanation of CSWSH, or Cross-Site WebSocket Hijacking in full

• A very impressive WebRTC demo, that goes a bit further than video conferencing

• The full report on the WebRTC security assessment by the imec-DistriNet Research group