Content Security Policy 101 - Lightning Talk

Transcript

1. Hello webclerks :)

2. Content Security Policy 101

3. Content Security Policy 101 Can Christoph do 40 slides in

   5 minutes?

4. ABOUT ME

5. CHRISTOPH RUMPEL Web Developer PHP / Laravel Chatbots Talks @christophrumpel

   christoph-rumpel.com

6. SECURITY IS HARD

7. SSL Input Handling Updates Packages Extension CSRF NONCES Weak Typing

   Error Handling Storing Credentials Server Access SQL Prepared Statements Passwords Brute Force Attacks

8. Adobe Playstation Network Cloudflare FAMOUS LEAKS

9. How can we protect our sites when even big companies

   can't?

10. Step by step

11. CONTENT SECURITY POLICY

12. CSP lets you define trusted resources.

13. Content-Security-Policy: policies

14. Content-Security-Policy: img-src *; script-src 'self'; Policies EXAMPLE

15. img-src *; script-src 'self'; DIRECTIVES

16. img-src *; script-src 'self'; LOCATIONS

17. img-src *; script-src 'self'; TRANSLATED Images are allowed to be

    loaded from any resource

18. img-src *; script-src 'self'; TRANSLATED Scripts are allowed to be

    loaded from the current site's origin only

19. img-src script-src DIRECTIVES

20. img-src script-src style-src font-src media-src form-action ...

21. * 'self' LOCATIONS

22. * 'self' domain.example.com *.example.com 'none' ...

23. CSP christoph-rumpel.com

24. BROWSER SUPPORT

25. BROWSER SUPPORT

26. INTEGRATIONS

27. SERVER CONFIGURATION Apache

28. SERVER CONFIGURATION Nginx

29. LARAVEL MIDDLEWARE

30. WP Content Security Policy Plugin - Screenshot Policies PLUGINS

31. MUCH MORE

32. HASHES AND NONCES

33. REPORTING

34. Content Security Policy 101 Laravel Response Caching And CSP CSP,

    Hash-Algorithm, and Turbolinks Quick CSP Reference Guide MDN web docs CSP Level 2 W3C Recommendation CSP Level 3 Working Draft RESOURCES

35. THANKS

36. QUESTIONS?

37. THANKS AGAIN