presentation-csp
On GitHub: guttmann / presentation-csp

Content Security Policy

What?

Content Security Policy is an HTTP header. When interpreted by supporting browsers it allows us to restrict what our site loads, connects to, and executes.

It protects against a wide range of attacks, including cross-site scripting and other cross-site injections.

How?

Send an HTTP header, for example:

Content-Security-Policy: default-src 'self';

Or:

Content-Security-Policy: default-src 'self' *.google-analytics.com;
                         style-src 'self' 'unsafe-inline';
                         frame-src 'self' https://*.youtube.com;

Benefits

  • Prevents cross-site scripting - you specify the domains code can be executed from.
  • Prevents code injection - inline scripts are blocked unless you explicitly allow them with script-src 'unsafe-inline';
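To see how the second policy above is evaluated, and why inline scripts stay blocked while inline styles are allowed, here is an added example (not code from the slides) that parses a CSP header and answers "may this resource load?" for a given directive and URL. It implements the 'self', 'none', wildcard-host and scheme-qualified cases plus the default-src fallback; the page origin and sample URLs are constructed, and ports, nonces and hashes are left out.

```python
from urllib.parse import urlsplit

# Constructed sample: the second policy shown on the slides.
POLICY = ("default-src 'self' *.google-analytics.com; "
          "style-src 'self' 'unsafe-inline'; "
          "frame-src 'self' https://*.youtube.com")

def parse_csp(header):
    """Turn 'dir a b; dir2 c' into {'dir': ['a', 'b'], 'dir2': ['c']}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() not in policy:  # first occurrence wins
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def host_matches(pattern, host):
    """'*' matches any host; '*.x.com' matches subdomains of x.com, not x.com."""
    pattern = pattern.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern

def source_allows(expr, url, page_origin):
    """Does one source expression permit loading url from a page at page_origin?"""
    u, p = urlsplit(url), urlsplit(page_origin)
    if expr == "'self'":
        return (u.scheme, u.netloc) == (p.scheme, p.netloc)
    if expr.startswith("'"):
        return False  # 'none', 'unsafe-inline', etc. never match a URL
    if "://" in expr:  # scheme-qualified source: scheme must match exactly
        scheme, host = expr.split("://", 1)
        return u.scheme == scheme and host_matches(host, u.hostname or "")
    # Bare host: matches the page's scheme (an https upgrade is also allowed).
    return u.scheme in (p.scheme, "https") and host_matches(expr, u.hostname or "")

def is_allowed(policy, directive, url, page_origin="https://example.com"):
    """Check a URL against a directive, falling back to default-src if absent."""
    sources = policy.get(directive, policy.get("default-src", []))
    return any(source_allows(s, url, page_origin) for s in sources)

def inline_allowed(policy, directive):
    """Inline code is blocked unless the governing directive lists 'unsafe-inline'."""
    sources = policy.get(directive, policy.get("default-src", []))
    return "'unsafe-inline'" in sources
```

Because script-src is not set, scripts fall back to default-src, so an inline `<script>` is refused while an inline `<style>` is permitted by the explicit style-src.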

Impact

This is a new Markdown slide

Put your speaker notes here. You can see them by pressing 's'.

The future

Other useful HTTP headers

More reading
