Speaker Deck

Adopting a Strict Content Security Policy for XSS Protection - IEEE SecDev, Boston 2016

by Lukas Weichselbaum

Published November 4, 2016 in Technology

In this workshop, we will present common flaws in current Content Security Policy deployments that reduce or remove the security value of adopting a CSP policy. Content Security Policy is a mechanism designed to prevent the exploitation of XSS – the most common high-risk web application flaw. We will work with an example production application to explain the process of refactoring the markup and client-side code to make it compatible with strict CSP. In addition, we will demonstrate several support tools (not yet released) we specifically designed for prototyping and adopting a strict policy.

The tutorial is meant for web developers with a security focus, and security specialists interested in web mitigation techniques. After the tutorial developers will be able to adopt strict CSP based on nonces/hashes instead of whitelists and should be able to avoid common mistakes that usually undermine most security guarantees CSP can offer.

Other Presentations by this Speaker