As developers, we spend most of our time focused on business logic, features, delivery dates and yes, bugs. I know I do. This session will focus on web security, including the HTTP security headers that travel with each server request and response. Based on best practices defined by organizations like OWASP, Mozilla and others, we'll explore the various headers that act as a line of defense against the craziness that's part of the world wide web. Expect lots of details and plenty of examples that will help us get our heads around why the settings are important and what the suggested settings might be for your site and services. Topics covered will include HTTPS, Subresource Integrity (SRI), Cookies, Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), and Cross-site security (XSS). We'll also explore tools like securityheaders.com and Mozilla Observatory.

Comments

James Lewis at 16:08 on 8 Feb 2020

Learned a lot.