Content Security Policy 101 - Lightning Talk

14d39e65f615fd6dcb9dd44ea7f7995b?s=47 Christoph Rumpel
April 24, 2018
Technology
1
72

Content Security Policy 101 - Lightning Talk

This is a 5min talk version of Content Security Policy 101 talk.

14d39e65f615fd6dcb9dd44ea7f7995b?s=128

Christoph Rumpel

April 24, 2018
Tweet

Want more?

14d39e65f615fd6dcb9dd44ea7f7995b?s=48 christophrumpel
1
50
14d39e65f615fd6dcb9dd44ea7f7995b?s=48 christophrumpel
0
140
14d39e65f615fd6dcb9dd44ea7f7995b?s=48 christophrumpel
0
78
3ab1249be442027903e1180025340b3f?s=48 reverentgeek
9
470
A9a491b0fcbe0fbce3d64063a37add99?s=48 rmw
1
250
766b9746b59e6f09e280cd33cf4ed419?s=48 skipperchong
0
160
61857dafbd287b3027c4dcea9008ad3c?s=48 carmenhchung
6
310
06f8b41980eb4c577fa40c41d5030c19?s=48 keathley
6
210
C0390e8b11079f8761c0cd3274ed61cb?s=48 productmarketing
3
290
C35e01544a0dd94a2cf1619ee8a42ebb?s=48 clairelew
4
550
6bb82b13cda86d3b821fa44100335ddf?s=48 thoeni
1
160
B3ace07412a5178ea778e7eec161fc0a?s=48 jcasabona
4
250

Transcript

  1. 1.

    Hello webclerks :)

  2. 2.

    Content Security Policy 101

  3. 3.

    Content Security Policy 101 Can Christoph do 40 slides in

    5 minutes?
  4. 4.

    ABOUT ME

  5. 5.

    CHRISTOPH RUMPEL Web Developer PHP / Laravel Chatbots Talks @christophrumpel

    christoph-rumpel.com
  6. 6.

    SECURITY IS HARD

  7. 7.

    SSL Input Handling Updates Packages Extension CSRF NONCES Weak Typing

    Error Handling Storing Credentials Server Access SQL Prepared Statements Passwords Brute Force Attacks
  8. 8.

    Adobe Playstation Network Cloudflare FAMOUS LEAKS

  9. 9.

    How can we protect our sites when even big companies

    can't?
  10. 10.

    Step by step

  11. 11.

    CONTENT SECURITY POLICY

  12. 12.

    CSP lets you define trusted resources.

  13. 13.

    Content-Security-Policy: policies

  14. 14.

    Content-Security-Policy: img-src *; script-src 'self'; Policies EXAMPLE

  15. 15.

    img-src *; script-src 'self'; DIRECTIVES

  16. 16.

    img-src *; script-src 'self'; LOCATIONS

  17. 17.

    img-src *; script-src 'self'; TRANSLATED Images are allowed to be

    loaded from any resource
  18. 18.

    img-src *; script-src 'self'; TRANSLATED Scripts are allowed to be

    loaded from the current site's origin only
  19. 19.

    img-src script-src DIRECTIVES

  20. 20.

    img-src script-src style-src font-src media-src form-action ...

  21. 21.

    * 'self' LOCATIONS

  22. 22.

    * 'self' domain.example.com *.example.com 'none' ...

  23. 23.

    CSP christoph-rumpel.com

  24. 24.

    BROWSER SUPPORT

  25. 25.

    BROWSER SUPPORT

  26. 26.

    INTEGRATIONS

  27. 27.

    SERVER CONFIGURATION Apache

  28. 28.

    SERVER CONFIGURATION Nginx

  29. 29.

    LARAVEL MIDDLEWARE

  30. 30.

    WP Content Security Policy Plugin - Screenshot Policies PLUGINS

  31. 31.

    MUCH MORE

  32. 32.

    HASHES AND NONCES

  33. 33.

    REPORTING

  34. 34.

    Content Security Policy 101 Laravel Response Caching And CSP CSP,

    Hash-Algorithm, and Turbolinks Quick CSP Reference Guide MDN web docs CSP Level 2 W3C Recommendation CSP Level 3 Working Draft RESOURCES
  35. 35.

    THANKS

  36. 36.

    QUESTIONS?

  37. 37.

    THANKS AGAIN