Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Content Security Policy 101

Christoph Rumpel
April 07, 2018
Technology
1
360

Content Security Policy 101

As more and more services get digital these days, security has become a significant aspect of every application. Especially when it comes to third-party code, it is tough to guarantee safety. But in general, XSS and Code Injection is a big problem these days. Content Security Policy provides another layer of security that helps to detect and protect different attacks. In this talk, I will introduce this concept and its main features, as well as show real-world examples and integrations for WordPress.

Christoph Rumpel

April 07, 2018
Tweet

More Decks by Christoph Rumpel

See All by Christoph Rumpel
Why Refactoring Is The Best Tool To Write Better Code
christophrumpel
0
400
Debugging with PhpStorm & XDebug
christophrumpel
0
130
The final Laravel Service Container talk (Laracon Online)
christophrumpel
1
650
NomadPHP - The Laravel Core - Demystify The Beast
christophrumpel
0
97
Laravel Factories Reloaded (Laracon Online)
christophrumpel
1
190
The Beauty of Laravel's Notification System (Laracon EU Amsterdam)
christophrumpel
0
190
The Laravel Core - Demystify The Beast (New York)
christophrumpel
0
120
The Laravel Core - Demystify The Beast (LaravelLive UK)
christophrumpel
0
190
The Laravel Core - Demystify The Beast (Laracon EU Madrid)
christophrumpel
0
160

Other Decks in Technology

See All in Technology
NIST SP800-63-4 IPD 63A: Identity Proofing 概要紹介
kthrtty
0
390
知識拡張型言語モデルLUKE
ikuyamada
1
400
技育祭2023春 ちゅらデータ講演資料
foursue
1
610
Spring Boot 3.0へのアップデートのハマり所 / Findings in Migrating our Application to Spring Boot 3.0
line_developers
PRO
4
410
ロケーターを学んでテスト自動化上級者を目指そう
nozomiito
0
660
エラーログをAlertで引っ掛けるときにEventTimer使ってみた話
sparty
0
160
[CI/CD2023]OSSで構築するOpenAPI開発のCI/CD
xibuka
2
230
「はたらく」前に知るべきIT企業5つのヒミツ 〜プロが教えるプロダクト開発最前線〜 / geeksai_2023spring
visional_engineering_and_design
0
250
Linuxのブロックデバイス
sat
PRO
4
1.6k
GitHub Actionsと"仲良くなる"ための練習方法
tsubakimoto_s
10
2.5k
[Keynote] Production is like ultra running: brutal, ungrateful, but worth every step
colinfay
0
120
[k8sjp #56] Kustomize v5 を含む最新機能とテクニックの紹介
koba1t
0
350

Featured

See All Featured
Debugging Ruby Performance
tmm1
67
11k
Adopting Sorbet at Scale
ufuk
65
7.9k
StorybookのUI Testing Handbookを読んだ
zakiyama
8
3.4k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
351
21k
Become a Pro
speakerdeck
PRO
6
3.3k
The Web Native Designer (August 2011)
paulrobertlloyd
77
2.3k
Put a Button on it: Removing Barriers to Going Fast.
kastner
56
2.6k
Unsuck your backbone
ammeep
659
56k
Product Roadmaps are Hard
iamctodd
38
7.9k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
7
4.9k
Imperfection Machines: The Place of Print at Facebook
scottboms
254
12k
Building Applications with DynamoDB
mza
86
5k

Transcript

  1. Hello WordCamp :)

    View Slide

  2. Content Security
    Policy 101

    View Slide

  3. ABOUT ME

    View Slide

  4. CHRISTOPH RUMPEL
    Web Developer

    View Slide

  5. CHRISTOPH RUMPEL
    Web Developer
    PHP / Laravel
    Chatbots
    Talks
    @christophrumpel
    christoph-rumpel.com

    View Slide

  6. Finally a Starting Point
    for Your PHP Chatbot
    https://buildchatbotswithphp.com/

    View Slide

  7. SECURITY IS HARD

    View Slide

  8. SSL
    Input Handling
    Updates
    Packages
    Plugins
    CSRF
    NONCES
    Weak Typing
    Error Handling
    Storing Credentials
    Server Access
    SQL Prepared Statements
    Passwords
    Brute Force Attacks

    View Slide

  9. Adobe
    Playstation Network
    Cloudflare
    FAMOUS LEAKS

    View Slide

  10. How can we protect our sites when
    even big companies can't?

    View Slide

  11. Step by step

    View Slide

  12. CONTENT SECURITY
    POLICY

    View Slide

  13. Content Security Policy (CSP) is an added
    layer of security that helps to detect and
    mitigate certain types of attacks,
    including Cross Site Scripting (XSS) and
    data injection attacks.


    MDN WEB DOCS

    View Slide

  14. CSP lets you define trusted resources.

    View Slide

  15. Content-Security-Policy: policies

    View Slide

  16. Content-Security-Policy: policy
    HTTP Header name

    View Slide

  17. Content-Security-Policy: policy
    HTTP Header value

    View Slide

  18. Content-Security-Policy: img-src *; script-src 'self';
    Policies
    EXAMPLE

    View Slide

  19. img-src *; script-src 'self';
    DIRECTIVES

    View Slide

  20. img-src *; script-src 'self';
    SOURCES

    View Slide

  21. img-src *; script-src 'self';
    TRANSLATED
    Images are allowed to be loaded from any resource

    View Slide

  22. img-src *; script-src 'self';
    TRANSLATED
    Scripts are allowed to be loaded from the current site's origin only

    View Slide

  23. img-src
    script-src
    DIRECTIVES

    View Slide

  24. img-src
    script-src
    style-src
    font-src
    media-src
    form-action
    ...

    View Slide

  25. *
    'self'
    SOURCES

    View Slide

  26. *
    'self'
    domain.example.com
    *.example.com
    'none'
    ...

    View Slide

  27. CSP christoph-rumpel.com

    View Slide

  28. CSP facebook.com

    View Slide

  29. NONCES AND HASHES

    View Slide

  30. script-src 'unsafe-inline';
    INLINE STYLES
    Don't do that!

    View Slide

  31. script-src 'nonce-2726c7f26c';
    NONCES

    View Slide

  32. script-src 'sha256-B2yPHKaXn';
    HASHES
    var isAdmin = 1;

    View Slide

  33. BROWSER SUPPORT

    View Slide

  34. BROWSER SUPPORT

    View Slide

  35. CSP + WORDPRESS

    View Slide

  36. Server Configuration
    Theme
    Plugin
    INTEGRATIONS

    View Slide

  37. SERVER CONFIGURATION
    Apache

    View Slide

  38. SERVER CONFIGURATION
    Nginx

    View Slide

  39. THEME
    functions.php

    View Slide

  40. Create your own
    Use a given one
    PLUGIN

    View Slide

  41. WP Content Security Plugin
    PLUGIN
    https://de.wordpress.org/plugins/wp-content-security-policy/

    View Slide

  42. WP Content Security Policy Plugin - Screenshot Controls

    View Slide

  43. WP Content Security Policy Plugin - Screenshot Policies

    View Slide

  44. WP Core
    Themes
    Plugins
    BE AWARE OF

    View Slide

  45. Report Only
    Using defaults
    Error-Driven-Development
    Send Reports
    HOW TO START

    View Slide

  46. Content-Security-Policy-Report-Only: script-src 'self';
    1. REPORT ONLY

    View Slide

  47. Content-Security-Policy-Report-Only: default-src 'self';
    2. USING DEFAULTS

    View Slide

  48. 3. ERROR-DRIVEN-DEVELOPMENT

    View Slide

  49. Content-Security-Policy: default-src 'self'; report-uri http://site.com
    3. SEND REPORTS

    View Slide

  50. CSP Report Example

    View Slide

  51. Use CSP
    Don't allow inline scripts
    Start in report only mode
    Learn about dependencies
    SUMMARY

    View Slide

  52. Content Security Policy 101
    Laravel Response Caching And CSP
    CSP, Hash-Algorithm, and Turbolinks
    Quick CSP Reference Guide
    MDN web docs
    CSP Level 2 W3C Recommendation
    CSP Level 3 Working Draft
    RESOURCES

    View Slide

  53. THANKS

    View Slide

  54. QUESTIONS?

    View Slide

  55. THANKS AGAIN

    View Slide