HTTP headers for the responsible developer

by stefan judis

Slide 1

Slide 1 text

@stefanjudis HTTP headers for the responsible developer

Slide 2

Slide 2 text

My journey on the web

Slide 3

Slide 3 text

uboot.com

Slide 4

Slide 4 text

1999

Slide 5

Slide 5 text

The web connects people

Slide 6

Slide 6 text

2010

Slide 7

Slide 7 text

The web connects people

Slide 8

Slide 8 text

We connect people! We enable people! We help people!

Slide 9

Slide 9 text

[he/him] @stefanjudis www.stefanjudis.com Heyo, I'm Stefan!

Slide 10

Slide 10 text

... and I want to be a responsible developer

Slide 11

Slide 11 text

No content

Slide 12

Slide 12 text

1999

Slide 13

Slide 13 text

2019

Slide 14

Slide 14 text

2019

Slide 15

Slide 15 text

2019

Slide 16

Slide 16 text

2019 We should be building for everybody

Slide 17

Slide 17 text

"We don't have users in/that ..."

Slide 18

Slide 18 text

"We don't have users in/that ..."

Slide 19

Slide 19 text

The challenge of building a "good" website

Slide 20

Slide 20 text

Design Performance Content Accessibility Devices Network Frameworks

Slide 21

Slide 21 text

Design Performance Content Accessibility Network Frameworks Devices

Slide 22

Slide 22 text

Let's talk HTTP

Slide 23

Slide 23 text

https://the-responsible.dev/ Accept: text/html,application/xhtml+xml,application/xml  Accept-Encoding: gzip, deflate, br  Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,de;q=0.7 ... Connection: keep-alive Content-Type: text/html; charset=utf-8 Date: Mon, 11 Mar 2019 12:59:38 GMT ... Response Body

Slide 24

Slide 24 text

Accept: text/html,application/xhtml+xml,application/xml  Accept-Encoding: gzip, deflate, br  Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,de;q=0.7 ... https://the-responsible.dev/ Connection: keep-alive Content-Type: text/html; charset=utf-8 Date: Mon, 11 Mar 2019 12:59:38 GMT ... Response Body

Slide 25

Slide 25 text

the-responsible.dev

Slide 26

Slide 26 text

How can we use headers to make this site better?

Slide 27

Slide 27 text

The web is a scary place

Slide 28

Slide 28 text

thenextweb.com/contributors/2018/03/10/protect-website-cryptojacking-attacks/

Slide 29

Slide 29 text

shoptalkshow.com/episodes/special-one-one-hacker/

Slide 30

Slide 30 text

blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident

Slide 31

Slide 31 text

www.twilio.com/blog/learned-about-security-from-calling-35-contact-centers

Slide 32

Slide 32 text

www.twilio.com/blog/learned-about-security-from-calling-35-contact-centers We always rely on others

Slide 33

Slide 33 text

The web has to be safe!

Slide 34

Slide 34 text

HTTPS

Slide 35

Slide 35 text

HTTP/2 ServiceWorker getUserMedia() ...

Slide 36

Slide 36 text

whynohttps.com

Slide 37

Slide 37 text

whynohttps.com

Slide 38

Slide 38 text

Ensure encryption

Slide 39

Slide 39 text

Strict-Transport-Security: max-age=1000; includeSubDomains; preload Response Header

Slide 40

Slide 40 text

hstspreload.org

Slide 41

Slide 41 text

chromium.googlesource.com/chromium/src/net/+/master/http/ transport_security_state_static.json

Slide 42

Slide 42 text

No content

Slide 43

Slide 43 text

caniuse.com/#feat=stricttransportsecurity

Slide 44

Slide 44 text

Upgrade HTTP requests

Slide 45

Slide 45 text

Content-Security-Policy: upgrade-insecure-requests Response Header

Slide 46

Slide 46 text

www.chromestatus.com/feature/5557268741357568

Slide 47

Slide 47 text

Limit what's allowed

Slide 48

Slide 48 text

requestmap.webperf.tools

Slide 49

Slide 49 text

base-uri block-all-mixed-content connect-src default-src font-src form-action frame-ancestors frame-src img-src manifest-src media-src navigate-to object-src plugin-types report-sample report-to require-sri-for sandbox script-src strict-dynamic style-src upgrade-insecure-requests worker-src developer.mozilla.org/en-US/docs/Web/HTTP/CSP prefetch-src

Slide 50

Slide 50 text

Slide 51

Slide 51 text

Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe- inline' 'unsafe-eval' just-comments.com www.google-analytics.com production-assets.codepen.io storage.googleapis.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: images.contentful.com images.ctfassets.net www.gravatar.com www.google-analytics.com just- comments.com; font-src 'self' data:; connect-src 'self' cdn.contentful.com images.contentful.com videos.contentful.com images.ctfassets.net videos.ctfassets.net service.just-comments.com www.google-analytics.com; media-src 'self' videos.contentful.com videos.ctfassets.net; object-src 'self'; frame-src codepen.io; frame- ancestors 'self'; worker-src 'self'; block-all-mixed-content; manifest-src 'self' 'self'; disown-opener; prefetch-src 'self'; report-uri https:// stefanjudis.report-uri.com/r/d/csp/reportOnly Response Header

Slide 52

Slide 52 text

Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' just-comments.com www.google- analytics.com production-assets.codepen.io storage.googleapis.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: images.contentful.com images.ctfassets.net www.gravatar.com www.google-analytics.com just- comments.com; font-src 'self' data:; connect-src 'self' cdn.contentful.com images.contentful.com videos.contentful.com images.ctfassets.net videos.ctfassets.net service.just-comments.com www.google-analytics.com; media-src 'self' videos.contentful.com videos.ctfassets.net; object-src 'self'; frame-src codepen.io; frame- ancestors 'self'; worker-src 'self'; block-all-mixed-content; manifest-src 'self' 'self'; disown-opener; prefetch-src 'self'; report-uri https:// stefanjudis.report-uri.com/r/d/csp/reportOnly Response Header

Slide 53

Slide 53 text

Slide 54

Slide 54 text

Report-To: { "group": "csp-endpoint", "max_age": 10886400, "endpoints": [{ "url": "https://stefanjudis.com/.../csp-report" }] }

Slide 55

Slide 55 text

Report-To: { "group": "csp-endpoint", "max_age": 10886400, "endpoints": [{ "url": "https://stefanjudis.com/.../csp-report" }] }, { "group": "network-endpoint", "max_age": 10886400, "endpoints": [{ "url": "https://stefanjudis.com/.../network-report" }] }, { "max_age": 10886400, "endpoints": [{ "url": "https://stefanjudis.com/.../general-report" }] }

Slide 56

Slide 56 text

developers.google.com/web/updates/2018/09/reportingapi

Slide 57

Slide 57 text

Slide 58

Slide 58 text

Slide 59

Slide 59 text

Content-Security-Policy: default-src 'self'; script-src 'sha256-blL...' console.log('Inline script executing ...'); Response Header

Slide 60

Slide 60 text

Content-Security-Policy: default-src 'self'; script-src 'nonce-abc...' console.log('Inline script executing ...'); Response Header

Slide 61

Slide 61 text

caniuse.com/#feat=contentsecuritypolicy

Slide 62

Slide 62 text

caniuse.com/#feat=contentsecuritypolicy2 * * not complete

Slide 63

Slide 63 text

httparchive.org

Slide 64

Slide 64 text

How many pages use CSP?

Slide 65

Slide 65 text

USE CSP DON'T USE CSP 94% 6%

Slide 66

Slide 66 text

USE CSP DON'T USE CSP 94% 6% We can do better!

Slide 67

Slide 67 text

Always monitor your CSP reports and "test in production" with report-only before enforcing them! Troy Hunt

Slide 68

Slide 68 text

Disallow third-party cookies!

Slide 69

Slide 69 text

Set-Cookie: widget_session=abc123; Response Header Set-Cookie: ...

Slide 70

Slide 70 text

Set-Cookie: widget_session=abc123; Response Header Set-Cookie: ... This behaviour leads to security and privacy issues

Slide 71

Slide 71 text

Set-Cookie: widget_session=abc123; SameSite=None; Secure Set-Cookie: widget_session=abc123; SameSite=Lax; Secure Set-Cookie: widget_session=abc123; SameSite=Strict; Secure Response Header

Slide 72

Slide 72 text

caniuse.com/#feat=same-site-cookie-attribute * * somewhat ready but maybe buggy

Slide 73

Slide 73 text

web.dev/samesite-cookies-explained

Slide 74

Slide 74 text

the-responsible.dev/safe/

Slide 75

Slide 75 text

The web is crucial for people.

Slide 76

Slide 76 text

Your sh** doesn't work in Africa. William Imoh

Slide 77

Slide 77 text

No content

Slide 78

Slide 78 text

You get 6MB for 2Euros but you have only 24h to use them! Right...

Slide 79

Slide 79 text

whatdoesmysitecost.com

Slide 80

Slide 80 text

The web has to be affordable!

Slide 81

Slide 81 text

Don't request the same content over and over again

Slide 82

Slide 82 text

Cache-Control: max-age=31536000, public, immutable Response Header

Slide 83

Slide 83 text

immutable developer.mozilla.org/en-US/docs/Web/HTTP/ Headers/Cache-Control

Slide 84

Slide 84 text

csswizardry.com/2019/03/cache-control-for-civilians/

Slide 85

Slide 85 text

Send the right data

Slide 86

Slide 86 text

Accept-Encoding: gzip, deflate, br Request Header

Slide 87

Slide 87 text

No content

Slide 88

Slide 88 text

No content

Slide 89

Slide 89 text

But Brotli compression is so slow!

Slide 90

Slide 90 text

GZIP Brotli vs Default Mode 6 11

Slide 91

Slide 91 text

GZIP Brotli Default Mode vs 6 11

Slide 92

Slide 92 text

GZIP Brotli Optimal middle ground vs 6 4

Slide 93

Slide 93 text

GZIP Brotli Optimal middle ground vs 6 4 Brotli tends to compress better with the same speed

Slide 94

Slide 94 text

GZIP Brotli Optimal middle ground vs 6 4 You don't have to do it on the fly...

Slide 95

Slide 95 text

blogs.akamai.com/2016/02/understanding-brotlis-potential.html

Slide 96

Slide 96 text

caniuse.com/#feat=brotli

Slide 97

Slide 97 text

No content

Slide 98

Slide 98 text

No content

Slide 99

Slide 99 text

Serve tailored media

Slide 100

Slide 100 text

Slide 101

Slide 101 text

/image/thing-800.webp 800w, /image/thing-1200.webp 1200w, /image/thing-1600.webp 1600w, /image/thing-2000.webp 2000w" type="image/webp">

Slide 102

Slide 102 text

Accept: image/webp, image/apng, image/*,*/*;q=0.8 Request Header

Slide 103

Slide 103 text

caniuse.com/#feat=webp

Slide 104

Slide 104 text

Accept-CH: Width, Viewport-Width Accept-CH-Lifetime: 100 Request URL: https://.../header.jpg  Viewport-Width: 980 Width: 980

Slide 105

Slide 105 text

Accept: image/webp,image/apng,image/*,*/*;q=0.8  Request URL: https://.../header.jpg  Viewport-Width: 980 Width: 980

Slide 106

Slide 106 text

Accept: image/webp,image/apng,image/*,*/*;q=0.8  Request URL: https://.../header.jpg  Viewport-Width: 980 Width: 1960

Slide 107

Slide 107 text

Accept: image/webp,image/apng,image/*,*/*;q=0.8  Request URL: https://.../header.jpg  Viewport-Width: 980 Width: 1064 Serve a tailored version via server/service worker

Slide 108

Slide 108 text

speaking.jeremy.codes/yD4dKY/take-a-client-hint

Slide 109

Slide 109 text

www.zdnet.com/article/privacy-concerns-raised-about-upcoming-client-hints-web-standard/

Slide 110

Slide 110 text

Sec-CH-UA: "Examplary Browser"; v="73" Accept-CH: UA, Platform Sec-CH-UA: "Examplary Browser"; v="73.3R8.2H.1" Sec-CH-UA-Platform: "Windows"; v="10"

Slide 111

Slide 111 text

wicg.github.io/ua-client-hints/

Slide 112

Slide 112 text

Save data

Slide 113

Slide 113 text

save-data: on if ("connection" in navigator) { if (navigator.connection.saveData === true) { // Implement data saving operations here. } } Request Header

Slide 114

Slide 114 text

No content

Slide 115

Slide 115 text

Let's use the platform and make these features more visible

Slide 116

Slide 116 text

https://.... Save data?

Slide 117

Slide 117 text

https://.... Save data? We should provide an easy way to save data!

Slide 118

Slide 118 text

Save data? https://.... Prefer reduced motion? Prefer a dark interface?

Slide 119

Slide 119 text

Save data? https://.... Reduced Motion? Dark colour Scheme? All these settings should be easily accessible all the time!

Slide 120

Slide 120 text

No content

Slide 121

Slide 121 text

blog.chromium.org/2019/03/chrome-lite-pages-for-faster-leaner.html

Slide 122

Slide 122 text

blog.chromium.org/2019/03/chrome-lite-pages-for-faster-leaner.html I'm not sure how I feel about that...

Slide 123

Slide 123 text

Cache-Control: max-age=31536000, public, no-transform Response Header

Slide 124

Slide 124 text

Be aware of CDNs and proxies – use vary

Slide 125

Slide 125 text

No content

Slide 126

Slide 126 text

Should browsers or developers optimise?

Slide 127

Slide 127 text

The browser can only optimise to a certain extend...

Slide 128

Slide 128 text

No content

Slide 129

Slide 129 text

20% of requests...

Slide 130

Slide 130 text

https:/ /nooshu.github.io/blog/2019/09/01/speeding-up-the-web-with-save-data-header/

Slide 131

Slide 131 text

Less Data Doesn't Mean a Lesser Experience Tim Kadlec

Slide 132

Slide 132 text

the-responsible.dev/affordable/

Slide 133

Slide 133 text

The web is with us every day

Slide 134

Slide 134 text

2018.bloomca.me

Slide 135

Slide 135 text

It has to be respectful!

Slide 136

Slide 136 text

Get stuff "down" as quickly as possible

Slide 137

Slide 137 text

Link: ; rel=preload; as=image; no-push Response Header

Slide 138

Slide 138 text

Link: ; rel=preload; as=image; no-push Response Header This is great to speed up critical resources

Slide 139

Slide 139 text

caniuse.com/#feat=link-rel-preload * * behind a flag

Slide 140

Slide 140 text

Don't annoy the user (aka. the AMP reaction)

Slide 141

Slide 141 text

speakerdeck.com/stefanjudis/amp-tries-to-fix-the-web-what-can-we-learn-from-it?slide=112

Slide 142

Slide 142 text

Feature-Policy: vibrate 'none'; geolocation 'none' Response Header

Slide 143

Slide 143 text

accelerometer ambient-light-sensor autoplay camera document-domain encrypted-media fullscreen geolocation gyroscope layout-animations legacy-image-formats magnetometer microphone midi oversized-images payment picture-in-picture speaker sync-xhr unoptimized-images unsized-media usb vibrate vr developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy

Slide 144

Slide 144 text

Slide 145

Slide 145 text

Slide 146

Slide 146 text

tiny-helpers.dev

Slide 147

Slide 147 text

Slide 148

Slide 148 text

tiny-helpers.dev

Slide 149

Slide 149 text

www.youtube.com/watch?v=4-d_SoCHeWE

Slide 150

Slide 150 text

www.youtube.com/watch?v=4-d_SoCHeWE Define width & height to avoid jumpy pages

Slide 151

Slide 151 text

No content

Slide 152

Slide 152 text

new ReportingObserver((reports, observer) => { reports.forEach(({type, url, body}) => { console.log(type, url); // 'feature-policy-violation', https://some-url.com/... console.log(body); // { // featureId: 'oversized-images', // sourceFile: 'https://path-to-image/... // ... // } }); }, {types: ['feature-policy-violation'], buffered: true}).observe();

Slide 153

Slide 153 text

Report-To: { "max_age": 10886400, "endpoints": [{ "url": "https://stefanjudis.com/.../general-report" }] }

Slide 154

Slide 154 text

timkadlec.com/remembers/2020-02-20-in-browser-performance-linting-with-feature-policies/

Slide 155

Slide 155 text

feature-policy: accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none' Response Header

Slide 156

Slide 156 text

document.featurePolicy.allowedFeatures(); // → ["geolocation", "midi", ...] document.featurePolicy.allowsFeature('geolocation'); // → true document.featurePolicy.getAllowlistForFeature('geolocation'); // → ["https://example.com"]

Slide 157

Slide 157 text

What happened to the most annoying one?

Slide 158

Slide 158 text

github.com/w3c/webappsec-feature-policy/issues/243

Slide 159

Slide 159 text

blog.chromium.org/2020/01/introducing-quieter-permission-ui-for.html

Slide 160

Slide 160 text

caniuse.com/#feat=feature-policy ** support only for allow on iframes ** * support for Feature-Policy header, allow on iframes, and JS API behind a flag * * * **

Slide 161

Slide 161 text

Respect privacy

Slide 162

Slide 162 text

No content

Slide 163

Slide 163 text

caniuse.com/#feat=do-not-track

Slide 164

Slide 164 text

webkit.org/blog/8594/release-notes-for-safari-technology-preview-75/

Slide 165

Slide 165 text

caniuse.com/#feat=do-not-track

Slide 166

Slide 166 text

caniuse.com/#feat=do-not-track It was a nice try, but I don't really see that happening...

Slide 167

Slide 167 text

No content

Slide 168

Slide 168 text

No content

Slide 169

Slide 169 text

No content

Slide 170

Slide 170 text

No content

Slide 171

Slide 171 text

www.xanjero.com/news/samsung-internet-beta-version-9-2-now-includes-oneui-design-smart- anti-tracking-and-more-features/

Slide 172

Slide 172 text

webkit.org/blog/category/privacy/

Slide 173

Slide 173 text

www.engadget.com/2019/11/04/chromium-edge-browser-release-date/

Slide 174

Slide 174 text

The next browser war is on its way...

Slide 175

Slide 175 text

the-responsible.dev/respectful/

Slide 176

Slide 176 text

Building for the web is very hard

Slide 177

Slide 177 text

Design Performance Content Accessibility Devices Network Frameworks

Slide 178

Slide 178 text

Lighthouse

Slide 179

Slide 179 text

webhint.io

Slide 180

Slide 180 text

If you want to get a more complete overview...

Slide 181

Slide 181 text

www.twilio.com/blog/a-http-headers-for-the-responsible-developer

Slide 182

Slide 182 text

securityheaders.com

Slide 183

Slide 183 text

schepp.github.io/HTTP-headers

Slide 184

Slide 184 text

youtu.be/II9m9_esNZc

Slide 185

Slide 185 text

The web has to be safe...

Slide 186

Slide 186 text

The web has to be safe, affordable...

Slide 187

Slide 187 text

The web has to be safe, affordable and respectful...

Slide 188

Slide 188 text

... so that it really is  for everybody!

Slide 189

Slide 189 text

@stefanjudis www.stefanjudis.com Thanks. Slides:  my-links.online/the-responsible-dev

Slide 190

Slide 190 text

@stefanjudis www.stefanjudis.com Thanks. Slides:  my-links.online/the-responsible-dev I have some stickers!