$30 off During Our Annual Pro Sale. View Details »

Content Security Policy 101

Christoph Rumpel
April 07, 2018
Technology
1
430

Content Security Policy 101

As more and more services get digital these days, security has become a significant aspect of every application. Especially when it comes to third-party code, it is tough to guarantee safety. But in general, XSS and Code Injection is a big problem these days. Content Security Policy provides another layer of security that helps to detect and protect different attacks. In this talk, I will introduce this concept and its main features, as well as show real-world examples and integrations for WordPress.

Christoph Rumpel

April 07, 2018
Tweet

More Decks by Christoph Rumpel

See All by Christoph Rumpel
Christoph Dreams Of Simple Code (Laravel Vienna Meetup)
christophrumpel
0
16
Why Refactoring Is The Best Tool To Write Better Code
christophrumpel
0
440
Debugging with PhpStorm & XDebug
christophrumpel
0
160
The final Laravel Service Container talk (Laracon Online)
christophrumpel
1
690
NomadPHP - The Laravel Core - Demystify The Beast
christophrumpel
0
110
Laravel Factories Reloaded (Laracon Online)
christophrumpel
1
220
The Beauty of Laravel's Notification System (Laracon EU Amsterdam)
christophrumpel
0
200
The Laravel Core - Demystify The Beast (New York)
christophrumpel
0
120
The Laravel Core - Demystify The Beast (LaravelLive UK)
christophrumpel
0
200

Other Decks in Technology

See All in Technology
AWS Security Hubを有効化したけど見てない人に向けたDevSecOpsの実現方法 / #kayac_andpad_event
muziyoshiz
0
220
Repro の開発組織体制の変遷そして Platform Engineering / Platform Engineering Meetup #6
a_bicky
3
800
提案段階のVS CodeのチャットエージェントAPIを動かしてみた
masa5555
0
130
GoのProtocプラグインを活用した効率的な負荷試験戦略 / Efficient Load Testing Strategies Utilizing the Go Protoc Plugin
biwashi
0
120
Rest Clientユーザーの自分がPostman の VS Code拡張機能を扱ってみた感想
smt7174
0
150
Kamuee: A Pure-Software-Approach Router
nttcom
0
150
The future is already here – Mastering the challenges of the coming years
ufried
0
320
更新”しない”ドキュメント管理 「イミュータブルドキュメントモデル」の実運用
kosui
11
1.5k
合宿はいいぞ / Training camp is so good.
okamototakuyasr2
0
120
APIライフサイクル全体を見据えたテスト戦略
nagix
0
150
go-ldap Contribution
kazamori
0
120
Building smarter apps with machine learning, from magic to reality
picardparis
4
3.7k

Featured

See All Featured
Building Adaptive Systems
keathley
29
1.6k
The Art of Programming - Codeland 2020
erikaheidi
39
12k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
239
1.2M
Art Directing for the Web. Five minutes with CSS Template Areas
malarkey
197
11k
In The Pink: A Labor of Love
frogandcode
135
21k
Producing Creativity
orderedlist
PRO
335
38k
VelocityConf: Rendering Performance Case Studies
addyosmani
319
23k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
123
31k
The Illustrated Children's Guide to Kubernetes
chrisshort
26
45k
Typedesign – Prime Four
hannesfritz
35
1.8k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
44
12k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
225
51k

Transcript

  1. Hello WordCamp :)

    View Slide

  2. Content Security
    Policy 101

    View Slide

  3. ABOUT ME

    View Slide

  4. CHRISTOPH RUMPEL
    Web Developer

    View Slide

  5. CHRISTOPH RUMPEL
    Web Developer
    PHP / Laravel
    Chatbots
    Talks
    @christophrumpel
    christoph-rumpel.com

    View Slide

  6. Finally a Starting Point
    for Your PHP Chatbot
    https://buildchatbotswithphp.com/

    View Slide

  7. SECURITY IS HARD

    View Slide

  8. SSL
    Input Handling
    Updates
    Packages
    Plugins
    CSRF
    NONCES
    Weak Typing
    Error Handling
    Storing Credentials
    Server Access
    SQL Prepared Statements
    Passwords
    Brute Force Attacks

    View Slide

  9. Adobe
    Playstation Network
    Cloudflare
    FAMOUS LEAKS

    View Slide

  10. How can we protect our sites when
    even big companies can't?

    View Slide

  11. Step by step

    View Slide

  12. CONTENT SECURITY
    POLICY

    View Slide

  13. Content Security Policy (CSP) is an added
    layer of security that helps to detect and
    mitigate certain types of attacks,
    including Cross Site Scripting (XSS) and
    data injection attacks.


    MDN WEB DOCS

    View Slide

  14. CSP lets you define trusted resources.

    View Slide

  15. Content-Security-Policy: policies

    View Slide

  16. Content-Security-Policy: policy
    HTTP Header name

    View Slide

  17. Content-Security-Policy: policy
    HTTP Header value

    View Slide

  18. Content-Security-Policy: img-src *; script-src 'self';
    Policies
    EXAMPLE

    View Slide

  19. img-src *; script-src 'self';
    DIRECTIVES

    View Slide

  20. img-src *; script-src 'self';
    SOURCES

    View Slide

  21. img-src *; script-src 'self';
    TRANSLATED
    Images are allowed to be loaded from any resource

    View Slide

  22. img-src *; script-src 'self';
    TRANSLATED
    Scripts are allowed to be loaded from the current site's origin only

    View Slide

  23. img-src
    script-src
    DIRECTIVES

    View Slide

  24. img-src
    script-src
    style-src
    font-src
    media-src
    form-action
    ...

    View Slide

  25. *
    'self'
    SOURCES

    View Slide

  26. *
    'self'
    domain.example.com
    *.example.com
    'none'
    ...

    View Slide

  27. CSP christoph-rumpel.com

    View Slide

  28. CSP facebook.com

    View Slide

  29. NONCES AND HASHES

    View Slide

  30. script-src 'unsafe-inline';
    INLINE STYLES
    Don't do that!

    View Slide

  31. script-src 'nonce-2726c7f26c';
    NONCES

    View Slide

  32. script-src 'sha256-B2yPHKaXn';
    HASHES
    var isAdmin = 1;

    View Slide

  33. BROWSER SUPPORT

    View Slide

  34. BROWSER SUPPORT

    View Slide

  35. CSP + WORDPRESS

    View Slide

  36. Server Configuration
    Theme
    Plugin
    INTEGRATIONS

    View Slide

  37. SERVER CONFIGURATION
    Apache

    View Slide

  38. SERVER CONFIGURATION
    Nginx

    View Slide

  39. THEME
    functions.php

    View Slide

  40. Create your own
    Use a given one
    PLUGIN

    View Slide

  41. WP Content Security Plugin
    PLUGIN
    https://de.wordpress.org/plugins/wp-content-security-policy/

    View Slide

  42. WP Content Security Policy Plugin - Screenshot Controls

    View Slide

  43. WP Content Security Policy Plugin - Screenshot Policies

    View Slide

  44. WP Core
    Themes
    Plugins
    BE AWARE OF

    View Slide

  45. Report Only
    Using defaults
    Error-Driven-Development
    Send Reports
    HOW TO START

    View Slide

  46. Content-Security-Policy-Report-Only: script-src 'self';
    1. REPORT ONLY

    View Slide

  47. Content-Security-Policy-Report-Only: default-src 'self';
    2. USING DEFAULTS

    View Slide

  48. 3. ERROR-DRIVEN-DEVELOPMENT

    View Slide

  49. Content-Security-Policy: default-src 'self'; report-uri http://site.com
    3. SEND REPORTS

    View Slide

  50. CSP Report Example

    View Slide

  51. Use CSP
    Don't allow inline scripts
    Start in report only mode
    Learn about dependencies
    SUMMARY

    View Slide

  52. Content Security Policy 101
    Laravel Response Caching And CSP
    CSP, Hash-Algorithm, and Turbolinks
    Quick CSP Reference Guide
    MDN web docs
    CSP Level 2 W3C Recommendation
    CSP Level 3 Working Draft
    RESOURCES

    View Slide

  53. THANKS

    View Slide

  54. QUESTIONS?

    View Slide

  55. THANKS AGAIN

    View Slide