Content Security Policy
(CSP)
What is it?
“Content Security Policy (CSP) is a computer security standard introduced to prevent
cross-site scripting (XSS), clickjacking and other code injection attacks resulting from
execution of malicious content in the trusted web page context. [...] CSP provides a
standard method for website owners to declare approved origins of content that browsers
should be allowed to load on that website—covered types are JavaScript, CSS, HTML
frames, web workers, fonts, images, embeddable objects such as Java applets, ActiveX,
audio and video files, and other HTML5 features.”
- https://en.wikipedia.org/wiki/Content_Security_Policy
How does it work?
Delivered in the Content-Security-Policy HTTP response header.
With it, you declare an allowlist of trusted content sources; anything not on the list is blocked by the browser.
Because the policy arrives with the response headers, it is in place before the browser parses or executes any of the page's content.
What does it look like?
The policy is the value of the Content-Security-Policy response header: a list of directives, each followed by its own source list. Directives are separated by semicolons and the sources within a directive by spaces.
HTTP Headers:
Response Headers
...
Content-Security-Policy: <directive> <source list>; <directive> <source list>;
...
A directive can list multiple sources. If the same directive appears twice in one header, browsers honour only the first occurrence; to combine policies, send a second Content-Security-Policy header, and the browser enforces both (a request must satisfy every policy).
What are directives?
Directives define the rules the browser must follow for various types of resources.
The main ones we will most often work with are:
default-src, script-src, style-src, img-src, font-src
But there's plenty more...
base-uri, frame-src, object-src, media-src, connect-src, form-action,
frame-ancestors, child-src, plugin-types (deprecated and removed from current browsers), upgrade-insecure-requests, worker-src,
sandbox
default-src is the fallback for the fetch directives (script-src, style-src, img-src, connect-src and so on) when they are absent. It is not a fallback for base-uri, form-action, frame-ancestors or sandbox: a policy of just default-src 'none' still lets the page be framed by anyone and lets forms post anywhere, so set those directives explicitly.
What are source lists?
Source lists are sets of strings which identify content that can be fetched and
potentially embedded or executed. For example, you may load styles from your site,
and fonts from Google.
Sources can follow various formats:
● example.com - Allows resources from that exact host, over the page's own scheme (or its HTTPS upgrade) and the scheme's default port.
● *.example.com - Allows resources from any subdomain under example.com (not from example.com itself).
● https://cdn.com - Only resources over HTTPS from the given host.
● https: - Allows resources over HTTPS from any host. A scheme-only source is very permissive: in script-src it lets any HTTPS site, including an attacker's, serve script to your page.
● data: - Allows resources via the data scheme (e.g. Base64 encoded images). Reasonable for img-src or font-src; in script-src, object-src or default-src it lets injected data: URLs execute, which defeats the point of the policy.
An allowlisted host is only as trustworthy as everything it serves: a domain that hosts JSONP endpoints, user uploads or old JavaScript frameworks can be used to run attacker-chosen code within the policy. csp-evaluator.withgoogle.com flags these cases.
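To make the matching rules above concrete, here is an added example (not code from the slides) in JavaScript: a small Node.js matcher that parses a policy header and decides, for a given directive and URL, whether the browser would allow the fetch. Directive fallback is simplified and 'nonce-'/'sha256-' sources are not modelled; the policy, page origin and URLs are constructed for illustration.

```javascript
'use strict';
// Added example (not from the original slides): a toy matcher showing how a
// browser resolves one request against a policy. Models host, scheme-only,
// wildcard, 'self', '*' and 'none' sources plus the default-src fallback.
// Not modelled: path matching, nonces/hashes, worker-src/frame-src chaining.

// Fetch directives that fall back to default-src when absent. base-uri,
// form-action, frame-ancestors and sandbox are deliberately NOT here: they
// never fall back, so "default-src 'none'" alone leaves them unrestricted.
const FALLS_BACK_TO_DEFAULT = new Set([
  'script-src', 'style-src', 'img-src', 'font-src', 'connect-src',
  'media-src', 'object-src', 'frame-src', 'child-src', 'worker-src',
]);

const NETWORK_SCHEMES = new Set(['http:', 'https:', 'ws:', 'wss:']);
const SECURE_UPGRADE = { 'http:': 'https:', 'ws:': 'wss:' }; // http: source also matches https URLs
const DEFAULT_PORT = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// "script-src 'self' https://cdn.example.com; img-src *" -> Map(directive -> [sources])
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (!name) continue;
    // If a directive is repeated, browsers honour the first occurrence only.
    if (!policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

function schemeAllows(sourceScheme, urlScheme) {
  return urlScheme === sourceScheme || SECURE_UPGRADE[sourceScheme] === urlScheme;
}

// Does one source expression permit `url`, requested by a page at `pageOrigin`?
function sourceMatches(source, url, pageOrigin) {
  const u = new URL(url);
  const page = new URL(pageOrigin);
  if (source === "'none'") return false;
  if (source === "'self'") return u.origin === page.origin; // scheme + host + port
  if (source === '*') return NETWORK_SCHEMES.has(u.protocol); // '*' never matches data:/blob:
  if (source.startsWith("'")) return false; // 'nonce-', 'sha256-', 'unsafe-*': not modelled
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) { // scheme-only source, e.g. https: or data:
    return schemeAllows(source.toLowerCase(), u.protocol);
  }
  // Host source: [scheme://]host[:port]; a leading "*." allows any subdomain.
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  const schemeOk = schemeAllows(scheme ? scheme.toLowerCase() + ':' : page.protocol, u.protocol);
  const hostOk = wildcard
    ? u.hostname.endsWith('.' + host.toLowerCase())
    : u.hostname === host.toLowerCase();
  const portOk = port
    ? port === '*' || (u.port || DEFAULT_PORT[u.protocol] || '') === port
    : u.port === ''; // no port in the source: only the scheme's default port matches
  return schemeOk && hostOk && portOk;
}

// Which directive governs this request, and is `url` allowed under it?
// governedBy is null when no directive applies, i.e. the request is unrestricted.
function isAllowed(policy, directive, url, pageOrigin) {
  let governedBy = directive;
  let sources = policy.get(directive);
  if (sources === undefined) {
    if (!FALLS_BACK_TO_DEFAULT.has(directive) || !policy.has('default-src')) {
      return { governedBy: null, allowed: true };
    }
    governedBy = 'default-src';
    sources = policy.get('default-src');
  }
  return { governedBy, allowed: sources.some((s) => sourceMatches(s, url, pageOrigin)) };
}

// Constructed demo: a page at https://www.example.com served with this policy.
const PAGE = 'https://www.example.com';
const POLICY = parsePolicy(
  "default-src 'self'; script-src 'self' https://cdn.example.com; img-src * data:"
);

function demo() {
  const check = (directive, url) => isAllowed(POLICY, directive, url, PAGE);
  return {
    sameOriginScript: check('script-src', 'https://www.example.com/app.js'), // allowed: 'self'
    cdnScript:        check('script-src', 'https://cdn.example.com/lib.js'), // allowed: host source
    httpCdnScript:    check('script-src', 'http://cdn.example.com/lib.js'),  // blocked: source pins https
    evilScript:       check('script-src', 'https://evil.example.net/x.js'),  // blocked: not listed
    googleFontCss:    check('style-src', 'https://fonts.googleapis.com/css'), // blocked: no style-src, default-src 'self' applies
    dataImage:        check('img-src', 'data:image/png;base64,iVBORw0KGgo='), // allowed only because data: is listed; '*' would not match
    formAction:       check('form-action', 'https://evil.example.net/steal'), // unrestricted: never falls back to default-src
  };
}
```

Run `node csp-match.js` after adding `console.log(demo())` to see each verdict; the form-action case is the one that surprises most people, and it is why a strict policy sets base-uri, form-action and frame-ancestors explicitly.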
What is ‘self’ all about?
Special keywords can be used instead of URLs. They are always written in single quotes; without the quotes the browser treats them as host names.
● * - any source over a network scheme (http, https, ws, wss). It does not match data:, blob: or filesystem: URLs, which must be listed by scheme.
● 'self' - the page's own origin: same scheme, host and port. Subdomains are not included.
● 'unsafe-inline' - allows inline <script> and <style> blocks, inline event handlers and javascript: URLs. In script-src this removes most of CSP's protection against XSS.
● 'unsafe-eval' - allows eval(), new Function(), and string arguments to setTimeout()/setInterval().
● 'strict-dynamic' - trust given to a script by nonce or hash propagates to the scripts it loads (for example via document.createElement('script')); host sources, 'self' and 'unsafe-inline' in the same directive are ignored by browsers that support it.
● 'none' - nothing is allowed; no other source may be listed alongside it.
● 'nonce-<base64>' - allows a <script> or <style> carrying a matching nonce attribute. The value must be freshly generated for every response; a static or guessable nonce is equivalent to 'unsafe-inline'.
● 'sha256-<base64>' - allows an inline script or style whose content hashes to this value (sha384- and sha512- also work). Any change to the content, whitespace included, invalidates the hash.
When a nonce or hash is present, CSP2-capable browsers ignore 'unsafe-inline' in that directive, which lets you keep it as a fallback for old browsers.
More on these here: https://content-security-policy.com/
How do I implement it?
● With the .htaccess file (Apache with mod_headers; use "Header always set" if error pages should carry the policy too):
<IfModule mod_headers.c>
Header set Content-Security-Policy "default-src 'self'; ..."
</IfModule>
● With PHP (must be called before any output is sent, or the header cannot be added):
header("Content-Security-Policy: default-src 'self'; ...");
● With a <meta> tag (not recommended: it only takes effect once the parser reaches it, and frame-ancestors, sandbox, report-uri and the Report-Only mode do not work from a <meta> tag; note the quotes around self must be straight single quotes):
<meta http-equiv="Content-Security-Policy" content="default-src 'self'">
● With a plugin (yay!): HTTP Headers or WP Content Security Policy Plugin
Will it break anything?
Quite possibly, yes.
Luckily there is the Content-Security-Policy-Report-Only header.
It lets you test your CSP without enforcing it: the browser logs violations to the console and, if the policy includes a report-uri (or report-to) directive, POSTs a JSON violation report to that endpoint, but blocks nothing.
The format is the same as the Content-Security-Policy header, and both headers may be sent at once, so a stricter candidate policy can be trialled in report-only mode alongside the enforced one.
Expect noise in the reports from browser extensions that inject scripts; filter on your own document-uri and look for violations your real pages produce.
How can I test it?
Examine the response headers in your browser's dev tools (Network tab); CSP violations are logged in the Console tab.
Observatory by Mozilla
csp-evaluator.withgoogle.com (checks a policy for known bypasses such as 'unsafe-inline', a missing object-src or base-uri, and allowlisted hosts that can be abused)
Workshop Time…
Work on an “it’s ok if I break something” website please
Install WP Plugin: https://wordpress.org/plugins/wp-content-security-policy/
Disable any caching
Testing tool: https://observatory.mozilla.org/
The final verdict...
CSP is an optional, defence-in-depth layer: it limits what an injected script can do, but it does not replace escaping output and validating input, which are what prevent the injection in the first place.
This comes at the cost of possibly breaking things, and making debugging more
difficult.
Most sites probably won’t see benefits outweigh the costs.
However, it could be a great fit for:
● Banks, government sites, or government-funded institutions.
● Larger organizations with security as a top priority.
● Organizations at higher risk of targeted attacks.
● Recently hacked websites.
Resources
Plugins:
WP Content Security Policy Plugin
HTTP Headers
Testing tools:
Observatory
csp-evaluator.withgoogle.com
Information:
content-security-policy.com
Google’s Web Fundamentals
Thanks!
Austin Gil
https://stegosource.com
austin@stegosource.com
@stegosource
