AppSec California 2017

Moving a large website with many user customizations to HTTPS is not easy as it sounds. Migrating to a secure HTTPS platform is even harder. Browser vendors have added many HTTP headers to make HTTPS website safer to use: HSTS, HPKP (Public Key Pinning), CSP (Content Security Policy), etc. In this talk, I will share my experience at Zscaler and Salesforce in moving large and complex websites to HTTPS. I will explain how these headers need to be thoroughly thought out, from the TLS versions and ciphers to support to which certificate to pin. The talk will show how to plan the migration to HTTPS, how to leverage CSP to measure the impact of the update before it happens, and how HSTS, HPKP and CSP can work together to ensure a safer experience for the users.
Participants will learn a methodology to move a complex website to HTTPS, including the role of the different HTTP headers in the planning and execution phases.