In this workshop, we will present common flaws in current Content Security Policy deployments that reduce or remove the security value of adopting a CSP policy. Content Security Policy is a mechanism designed to prevent the exploitation of XSS – the most common high-risk web application flaw. We will work with an example production application to explain the process of refactoring the markup and client-side code to make it compatible with strict CSP. In addition, we will demonstrate several support tools (not yet released) we specifically designed for prototyping and adopting a strict policy.
The tutorial is meant for web developers with a security focus, and security specialists interested in web mitigation techniques. After the tutorial developers will be able to adopt strict CSP based on nonces/hashes instead of whitelists and should be able to avoid common mistakes that usually undermine most security guarantees CSP can offer.