TLS (Transport Layer Security) has been around for a long time, but is still only used by a small fraction of internet domains, and only a small percentage of them are implementing it correctly. Old, vulnerable protocols are still widely used, and barely one percent use modern security headers.

This workshop is for everyone who wishes to provide their users with a secure service, both you who think "enable SSL" is enough, but also for the perfectionist hunting for A+ at SSL Labs. The workshop walks through configuring your servers to be good Internet citizens. We will also look into security headers that let you cooperate with the users browser to mitigate entire categories of vulnerabilities.

This will be a hands-on workshop teaching you how to set up TLS, Content-Security-Policy and other security headers, as well as what pitfalls to avoid. Along the way we'll show how to abuse incorrectly configured sites, and how to secure them.

Participants should bring a laptop (preferably Windows, with Visual Studio), and register a free Azure account.