
Content Security Policy 101

As more and more services go digital, security has become a significant aspect of every application. It is especially hard to guarantee safety when third-party code is involved, and XSS and code injection remain big problems in general. Content Security Policy provides an additional layer of security that helps to detect and mitigate a range of attacks. In this talk I will introduce the concept and its main features, and show implementation examples for Laravel.


Christoph Rumpel

July 25, 2018

Transcript

  1. Content Security Policy 101

  2. ABOUT ME

  3. CHRISTOPH RUMPEL Web Developer

  4. CHRISTOPH RUMPEL Web Developer PHP / Laravel Chatbots Talks @christophrumpel christoph-rumpel.com

  5. store.christoph-rumpel.com

  6. SECURITY IS HARD

  7. SSL Input Handling Updates Packages CSRF Rate Limits Weak Typing Error Handling Storing Credentials Server Access SQL Prepared Statements Passwords Brute Force Attacks

  8. Adobe Playstation Network Cloudflare FAMOUS LEAKS

  9. How can we protect our sites when even big companies can't?

  10. Step by step

  11. CONTENT SECURITY POLICY

  12. "Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks." (quote from MDN WEB DOCS)

  13. CSP lets you define trusted resources.

  14. Content-Security-Policy: policies

  15. Content-Security-Policy: policy HTTP Header name

  16. Content-Security-Policy: policy HTTP Header value

  17. Content-Security-Policy: img-src *; script-src 'self'; Policies EXAMPLE

  18. img-src *; script-src 'self'; DIRECTIVES

  19. img-src *; script-src 'self'; SOURCES

  20. img-src *; script-src 'self'; TRANSLATED Images are allowed to be loaded from any resource

  21. img-src *; script-src 'self'; TRANSLATED Scripts are allowed to be loaded from the current site's origin only

  22. img-src script-src DIRECTIVES

  23. img-src script-src style-src font-src media-src form-action ...

  24. * 'self' SOURCES

  25. * 'self' domain.example.com *.example.com 'none' ...

  26. CSP christoph-rumpel.com

  27. CSP facebook.com

  28. NONCES AND HASHES

  29. script-src 'unsafe-inline'; INLINE STYLES Don't do that!

  30. script-src 'nonce-2726c7f26c'; NONCES <script nonce='2726c7f26c'></script>

  31. script-src 'sha256-B2yPHKaXn'; HASHES <script>var isAdmin = 1;</script>

  32. BROWSER SUPPORT

  33. BROWSER SUPPORT

  34. INTEGRATIONS

  35. Server Configuration Middleware Package INTEGRATIONS

  36. SERVER CONFIGURATION Apache

  37. SERVER CONFIGURATION Nginx

  38. Middleware Package DEMO

  39. REPORTING

  40. Content-Security-Policy-Report-Only: script-src 'self'; REPORT HEADER

  41. Content-Security-Policy: default-src 'self'; report-uri http://site.com SENDING REPORTS

  42. CSP Report Example

  43. SUMMARY

  44. Make it harder for attackers Find mixed content Learn about your resources Take control ADVANTAGES

  45. Use CSP Don't allow inline stuff Start in report-only mode Learn about dependencies TAKE WITH YOU

  46. FUTURE

  47. Feature-Policy: vibrate 'none'; geolocation 'none' FEATURE POLICY

  48. Content Security Policy 101 Laravel Response Caching And CSP CSP, Hash-Algorithm, and Turbolinks Quick CSP Reference Guide MDN web docs CSP Level 2 W3C Recommendation CSP Level 3 Working Draft Feature Policy Draft RESOURCES

  49. HAVE FUN WITH WORDPRESS

  50. @christophrumpel THANKS

  51. @christophrumpel QUESTIONS?

  52. @christophrumpel THANKS AGAIN
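To put slides 17 to 31 together in working code, here is an added Python example (not code from the talk or from the Laravel package it demos): a parser for the header value, a simplified source matcher covering `*`, `'self'`, `'none'`, host and `*.wildcard` sources with the default-src fallback, and the generation of a nonce-plus-hash script-src for inline scripts. The policy string, origins and URLs are constructed, and the matcher deliberately ignores ports, paths and scheme upgrades that the real browser algorithm considers.

```python
import base64
import hashlib
from urllib.parse import urlparse

# Constructed policy in the style of slides 17-25 (not a real site's header).
EXAMPLE_POLICY = "img-src *; script-src 'self' cdn.example.com *.example.com;"

def parse_policy(header):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def _host_matches(pattern, host):
    # "*.example.com" matches subdomains but not example.com itself
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return host == pattern

def is_allowed(header, directive, url, page_origin):
    """Simplified check: may `url` load under `directive`? Falls back to default-src; no directive at all means allowed."""
    policy = parse_policy(header)
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    if "'none'" in sources:
        return False
    target, origin = urlparse(url), urlparse(page_origin)
    for src in sources:
        if src == "*":
            return True
        if src == "'self'" and (target.scheme, target.netloc) == (origin.scheme, origin.netloc):
            return True
        if src.startswith("'"):
            continue  # other keywords ('unsafe-inline', nonce/hash sources) are not modelled here
        if _host_matches(src.lower(), (target.hostname or "").lower()):
            return True
    return False

def script_hash(source):
    """Hash source for one inline script; it covers the exact script body, whitespace included (slide 31)."""
    return "'sha256-" + base64.b64encode(hashlib.sha256(source.encode()).digest()).decode() + "'"

def build_script_src(nonce, inline_scripts=()):
    # nonce must be fresh per response (e.g. secrets.token_urlsafe(16)) and echoed in <script nonce=...> (slide 30)
    hashes = " ".join(script_hash(s) for s in inline_scripts)
    return f"script-src 'self' 'nonce-{nonce}' {hashes}".rstrip() + ";"
```

Running the policy in report-only mode first (slide 40) lets you check the matcher's verdicts against real browser reports before enforcing.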