Content Security Policy 101

As more and more services go digital, security has become a significant aspect of every application. Especially when it comes to third-party code, it is challenging to guarantee safety. More generally, XSS and code injection are a big problem these days. Content Security Policy provides another layer of security that helps to detect and mitigate various attacks. In this talk, I will introduce this concept and its main features, as well as show implementation examples for Laravel.

Christoph Rumpel

July 25, 2018
Transcript

  1. Content Security
    Policy 101

  2. ABOUT ME

  3. CHRISTOPH RUMPEL
    Web Developer

  4. CHRISTOPH RUMPEL
    Web Developer
    PHP / Laravel
    Chatbots
    Talks
    @christophrumpel
    christoph-rumpel.com

  5. store.christoph-rumpel.com

  6. SECURITY IS HARD

  7. SSL
    Input Handling
    Updates
    Packages
    CSRF
    Rate Limits
    Weak Typing
    Error Handling
    Storing Credentials
    Server Access
    SQL Prepared Statements
    Passwords
    Brute Force Attacks

  8. Adobe
    Playstation Network
    Cloudflare
    FAMOUS LEAKS

  9. How can we protect our sites when
    even big companies can't?

  10. Step by step

  11. CONTENT SECURITY
    POLICY

  12. Content Security Policy (CSP) is an added
    layer of security that helps to detect and
    mitigate certain types of attacks,
    including Cross Site Scripting (XSS) and
    data injection attacks.


    MDN WEB DOCS

  13. CSP lets you define trusted resources.

  14. Content-Security-Policy: policies

  15. Content-Security-Policy: policy
    HTTP Header name

  16. Content-Security-Policy: policy
    HTTP Header value

  17. Content-Security-Policy: img-src *; script-src 'self';
    Policies
    EXAMPLE

  18. img-src *; script-src 'self';
    DIRECTIVES

  19. img-src *; script-src 'self';
    SOURCES

  20. img-src *; script-src 'self';
    TRANSLATED
    Images are allowed to be loaded from any resource

  21. img-src *; script-src 'self';
    TRANSLATED
    Scripts are allowed to be loaded from the current site's origin only

  22. img-src
    script-src
    DIRECTIVES

  23. img-src
    script-src
    style-src
    font-src
    media-src
    form-action
    ...

  24. *
    'self'
    SOURCES

  25. *
    'self'
    domain.example.com
    *.example.com
    'none'
    ...

  26. CSP christoph-rumpel.com

  27. CSP facebook.com

  28. NONCES AND HASHES

  29. script-src 'unsafe-inline';
    INLINE STYLES
    Don't do that!

  30. script-src 'nonce-2726c7f26c';
    NONCES

  31. script-src 'sha256-B2yPHKaXn';
    HASHES
    var isAdmin = 1;

  32. BROWSER SUPPORT

  33. BROWSER SUPPORT

  34. INTEGRATIONS

  35. Server Configuration
    Middleware
    Package
    INTEGRATIONS

  36. SERVER CONFIGURATION
    Apache

  37. SERVER CONFIGURATION
    Nginx

  38. Middleware
    Package
    DEMO
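
The nonce and hash sources from slides 30 and 31, and the middleware integration from slides 35 to 38, in one added example. This is not code from the talk, from Laravel or from any CSP package: it is a plain Python illustration of how a per-request nonce is generated, how the `'sha256-...'` source for an inline script such as `var isAdmin = 1;` is computed, and how a WSGI middleware puts the resulting header on every response. The environ key `csp.nonce`, the report endpoint `/csp-report` and the policy itself are assumptions chosen for the example.

```python
"""Nonce and hash source expressions for a Content-Security-Policy header,
plus a small WSGI middleware that sets the header on every response.

Added example for this page; not code from the talk, from Laravel or from
any CSP package. The policy, the environ key and the report path are
constructed for illustration.
"""
import base64
import hashlib
import secrets
from typing import Optional

CSP_HEADER = "Content-Security-Policy"
CSP_REPORT_ONLY_HEADER = "Content-Security-Policy-Report-Only"


def inline_script_hash(script_body: str, algorithm: str = "sha256") -> str:
    """Return the hash source ('sha256-...') that allows exactly one inline script.

    The browser hashes the text between <script> and </script> as served,
    whitespace included, so `script_body` must match the served bytes
    character for character. CSP only defines sha256, sha384 and sha512.
    """
    if algorithm not in ("sha256", "sha384", "sha512"):
        raise ValueError(f"unsupported CSP hash algorithm: {algorithm}")
    digest = hashlib.new(algorithm, script_body.encode("utf-8")).digest()
    return f"'{algorithm}-{base64.b64encode(digest).decode('ascii')}'"


def generate_nonce(num_bytes: int = 16) -> str:
    """Fresh, unguessable nonce for a single response (128 bits from the OS CSPRNG).

    A nonce reused across responses, or derived from something predictable,
    gives no protection: it must be new for every response.
    """
    return base64.b64encode(secrets.token_bytes(num_bytes)).decode("ascii")


def build_policy(directives: dict) -> str:
    """Serialise {directive: [source, ...]} into a header value.

    Directives are joined with '; ', sources inside a directive with spaces,
    e.g. "img-src *; script-src 'self'" as on slide 17.
    """
    return "; ".join(f"{name} {' '.join(sources)}" for name, sources in directives.items())


def set_header(headers: list, name: str, value: str) -> list:
    """Copy of a WSGI header list with `name` set to `value` (case-insensitive replace)."""
    return [(k, v) for k, v in headers if k.lower() != name.lower()] + [(name, value)]


class CSPMiddleware:
    """WSGI middleware: one nonce per request, stored in environ["csp.nonce"] (name
    assumed for this example) so templates can render <script nonce="...">, and the
    matching header on the response. report_only=True sends the policy as
    Content-Security-Policy-Report-Only, which reports but never blocks."""

    def __init__(self, app, report_only: bool = False, report_uri: Optional[str] = None):
        self.app = app
        self.header_name = CSP_REPORT_ONLY_HEADER if report_only else CSP_HEADER
        self.report_uri = report_uri

    def policy_for(self, nonce: str) -> str:
        directives = {
            "default-src": ["'self'"],
            "script-src": ["'self'", f"'nonce-{nonce}'"],  # no 'unsafe-inline'
            "img-src": ["*"],
        }
        if self.report_uri:
            directives["report-uri"] = [self.report_uri]
        return build_policy(directives)

    def __call__(self, environ, start_response):
        nonce = generate_nonce()
        environ["csp.nonce"] = nonce
        policy = self.policy_for(nonce)

        def start_response_with_csp(status, headers, exc_info=None):
            return start_response(status, set_header(headers, self.header_name, policy), exc_info)

        return self.app(environ, start_response_with_csp)


def demo_request(report_only: bool = False) -> tuple:
    """Run one constructed request through the middleware; return (status, headers, nonce)."""
    def app(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/html")])
        return [b"<html><script nonce=\"%s\">var isAdmin = 1;</script></html>"
                % environ["csp.nonce"].encode("ascii")]

    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    environ = {}
    list(CSPMiddleware(app, report_only=report_only, report_uri="/csp-report")(environ, start_response))
    return captured["status"], captured["headers"], environ["csp.nonce"]


if __name__ == "__main__":
    print(inline_script_hash("var isAdmin = 1;"))
    status, headers, nonce = demo_request(report_only=True)
    print(status, headers[CSP_REPORT_ONLY_HEADER])
```

Hash sources suit a fixed inline script that never changes (a single byte of difference, even whitespace, changes the hash and the script is blocked); nonces suit templated pages where the server can stamp each `<script>` it intentionally emits. Neither requires `'unsafe-inline'`, which is the point of slide 29.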

  39. REPORTING

  40. Content-Security-Policy-Report-Only: script-src 'self';
    REPORT HEADER

  41. Content-Security-Policy: default-src 'self'; report-uri http://site.com
    SENDING REPORTS

  42. CSP Report Example
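
What arrives at the `report-uri` endpoint from slides 40 and 41, and how to make it useful, as an added example that is not from the talk. Browsers POST a JSON document with a `csp-report` key containing fields such as `document-uri`, `violated-directive`, `effective-directive`, `original-policy` and `blocked-uri`; the three reports embedded below are constructed in that shape with made-up hostnames. The parser treats reports as untrusted input, and the summary counts (directive, blocked source) pairs so that the dependencies a site really loads show up when running in report-only mode.

```python
"""Parse and summarise CSP violation reports posted to a report-uri endpoint.

Added example for this page, not code from the talk. The sample reports are
constructed to mirror what browsers POST (JSON under a "csp-report" key,
content type application/csp-report); the hostnames are invented.
"""
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample reports: two scripts blocked from a third-party CDN and one
# inline style, as a site running Content-Security-Policy-Report-Only would see.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {
        "document-uri": "https://shop.example/checkout",
        "referrer": "",
        "violated-directive": "script-src 'self'",
        "effective-directive": "script-src",
        "original-policy": "default-src 'self'; report-uri /csp-report",
        "blocked-uri": "https://cdn.example.net/widget.js",
        "status-code": 200,
    }}),
    json.dumps({"csp-report": {
        "document-uri": "https://shop.example/cart",
        "violated-directive": "script-src 'self'",
        "effective-directive": "script-src",
        "original-policy": "default-src 'self'; report-uri /csp-report",
        "blocked-uri": "https://cdn.example.net/tracker.js",
        "status-code": 200,
    }}),
    json.dumps({"csp-report": {
        "document-uri": "https://shop.example/checkout",
        "violated-directive": "style-src 'self'",  # older browsers send no effective-directive
        "original-policy": "default-src 'self'; report-uri /csp-report",
        "blocked-uri": "inline",
        "status-code": 200,
    }}),
]


def blocked_source(blocked_uri: str) -> str:
    """Reduce blocked-uri to the thing a decision is made about: the host of a URL,
    or a keyword such as 'inline', 'eval' or 'data' that browsers send for non-URL
    sources. Only the host is kept; paths and query strings may carry user data."""
    parts = urlsplit(blocked_uri)
    return parts.netloc if parts.scheme and parts.netloc else blocked_uri


def parse_report(raw) -> dict:
    """Validate one report body and return the fields worth keeping.

    Reports come from arbitrary clients, so malformed input is rejected rather
    than stored, and strings are truncated before they reach a log."""
    doc = json.loads(raw)
    body = doc.get("csp-report") if isinstance(doc, dict) else None
    if not isinstance(body, dict):
        raise ValueError("not a CSP report")
    # effective-directive is the one that actually applied; fall back to the
    # directive name at the front of violated-directive for older reports.
    directive = body.get("effective-directive") or str(body.get("violated-directive", "")).split(" ", 1)[0]
    if not directive:
        raise ValueError("report without a directive")
    blocked = str(body.get("blocked-uri", ""))[:512]
    return {
        "document": str(body.get("document-uri", ""))[:512],
        "directive": directive,
        "blocked": blocked,
        "source": blocked_source(blocked),
    }


def summarise(raw_reports) -> Counter:
    """Count (directive, source) pairs across reports, skipping malformed ones."""
    counts = Counter()
    for raw in raw_reports:
        try:
            report = parse_report(raw)
        except ValueError:  # json.JSONDecodeError is a ValueError too
            continue
        counts[(report["directive"], report["source"])] += 1
    return counts


if __name__ == "__main__":
    for (directive, source), n in summarise(SAMPLE_REPORTS).most_common():
        print(f"{n:>4}  {directive:<12} {source}")
```

A report-only policy with a `report-uri` produces exactly this kind of data without breaking the site, which is what "start in report-only mode" and "learn about dependencies" on slide 45 amount to in practice: each (directive, source) pair that appears is either a dependency to add to the policy or a resource that should not be loading at all.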

  43. SUMMARY

  44. Make it harder for attackers
    Find mixed content
    Learn about your resources
    Take control
    ADVANTAGES

  45. Use CSP
    Don't allow inline stuff
    Start in report-only mode
    Learn about dependencies
    TAKE WITH YOU

  46. FUTURE

  47. Feature-Policy: vibrate 'none'; geolocation 'none'
    FEATURE POLICY

  48. Content Security Policy 101
    Laravel Response Caching And CSP
    CSP, Hash-Algorithm, and Turbolinks
    Quick CSP Reference Guide
    MDN web docs
    CSP Level 2 W3C Recommendation
    CSP Level 3 Working Draft
    Feature Policy Draft
    RESOURCES

  49. HAVE FUN WITH WORDPRESS

  50. @christophrumpel
    THANKS

  51. @christophrumpel
    QUESTIONS?

  52. @christophrumpel
    THANKS AGAIN
