Slide 1

Hello WordCamp :)

Slide 2

Content Security Policy 101

Slide 3

ABOUT ME

Slide 4

CHRISTOPH RUMPEL, Web Developer

Slide 5

CHRISTOPH RUMPEL, Web Developer: PHP / Laravel, Chatbots, Talks. @christophrumpel, christoph-rumpel.com

Slide 6

Finally a Starting Point for Your PHP Chatbot: https://buildchatbotswithphp.com/

Slide 7

SECURITY IS HARD

Slide 8

SSL, Input Handling, Updates, Packages, Plugins, CSRF, Nonces, Weak Typing, Error Handling, Storing Credentials, Server Access, SQL Prepared Statements, Passwords, Brute Force Attacks

Slide 9

FAMOUS LEAKS: Adobe, Playstation Network, Cloudflare

Slide 10

How can we protect our sites when even big companies can't?

Slide 11

Step by step

Slide 12

CONTENT SECURITY POLICY

Slide 13

"Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks." (MDN Web Docs)

Slide 14

CSP lets you define trusted resources: which origins the browser may load scripts, images, styles and other content from.

Slide 15

Content-Security-Policy: policies

Slide 16

HTTP header name: Content-Security-Policy

Slide 17

HTTP header value: policy

Slide 18

EXAMPLE (policies): Content-Security-Policy: img-src *; script-src 'self';

Slide 19

DIRECTIVES: in img-src *; script-src 'self'; the directives are img-src and script-src (each directive ends with a semicolon).

Slide 20

SOURCES: in img-src *; script-src 'self'; the sources are * and 'self'.

Slide 21

TRANSLATED: img-src *; means images are allowed to be loaded from any source.

Slide 22

TRANSLATED: script-src 'self'; means scripts are allowed to be loaded from the current site's origin only (same scheme, host and port). Inline scripts are not covered by 'self' and stay blocked.

Slide 23

DIRECTIVES: img-src, script-src

Slide 24

img-src, script-src, style-src, font-src, media-src, form-action, ...

Slide 25

SOURCES: *, 'self'

Slide 26

*, 'self', domain.example.com, *.example.com, 'none' (nothing allowed), ...

Slide 27

CSP of christoph-rumpel.com (screenshot of the site's policy)

Slide 28

CSP of facebook.com (screenshot of the site's policy)

Slide 29

NONCES AND HASHES

Slide 30

INLINE SCRIPTS: script-src 'unsafe-inline'; Don't do that! 'unsafe-inline' re-enables inline script blocks and on* event handlers, which is exactly the XSS vector CSP is meant to block. Use a nonce or a hash instead; browsers that understand nonces and hashes ignore 'unsafe-inline' in the same directive anyway.

Slide 31

NONCES: script-src 'nonce-2726c7f26c'; The value (2726c7f26c is a placeholder) must be random, unguessable and freshly generated for every response; the inline script tag carries the same value in its nonce attribute.

Slide 32

HASHES: script-src 'sha256-B2yPHKaXn'; for the inline script var isAdmin = 1; (the hash shown is shortened). The real value is the base64-encoded SHA-256 of the exact script text between the script tags, so even a whitespace change breaks the match.
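As an added example (my code, not from the talk) of how the nonce and hash sources on the last three slides are produced: the nonce is generated fresh per response, the hash is SHA-256 over the exact inline script text, and both end up in script-src next to 'self'. The script body var isAdmin = 1; is the slide's; the function names, the second script and the 'self' source are assumptions.

```php
<?php
// Added example, not the speaker's code: nonce and hash sources for inline scripts.

// A nonce must be unguessable and generated fresh for every response. Reusing one
// turns it into an allow-all for anyone who has seen a single page of the site.
function csp_nonce(): string
{
    return base64_encode(random_bytes(16));
}

// Hash source for an inline script: SHA-256 over the exact text between
// <script> and </script>, base64-encoded. Any change, even whitespace, changes it.
function csp_hash_source(string $script): string
{
    return "'sha256-" . base64_encode(hash('sha256', $script, true)) . "'";
}

// Build the script-src directive plus the two inline script tags it allows:
// one authorised by nonce, one by hash. Everything else on the page must be a
// regular script loaded from 'self'.
function build_inline_script_policy(string $noncedScript, string $hashedScript, string $nonce): array
{
    $header = "Content-Security-Policy: script-src 'self' 'nonce-" . $nonce . "' "
        . csp_hash_source($hashedScript) . ";";

    // The nonce attribute must carry exactly the value that is in the header.
    $html = '<script nonce="' . htmlspecialchars($nonce, ENT_QUOTES) . '">'
        . $noncedScript . '</script>' . "\n"
        . '<script>' . $hashedScript . '</script>';

    return ['header' => $header, 'html' => $html];
}

$nonce  = csp_nonce();
$policy = build_inline_script_policy("console.log('hello WordCamp');", 'var isAdmin = 1;', $nonce);

echo $policy['header'], "\n", $policy['html'], "\n";

// Whitespace sensitivity: a trailing space gives a different hash, so the browser
// would block the script unless the template emits the byte-exact text.
if (csp_hash_source('var isAdmin = 1;') !== csp_hash_source('var isAdmin = 1; ')) {
    echo "hash changes with a single trailing space\n";
}
```

In a real response the header line goes through header() instead of echo, and the nonce is generated once per request and handed to every template that renders an inline script. Hashes suit static snippets that never change; nonces suit scripts whose text varies.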

Slide 33

BROWSER SUPPORT

Slide 34

BROWSER SUPPORT (support table screenshot)

Slide 35

CSP + WORDPRESS

Slide 36

INTEGRATIONS: Server Configuration, Theme, Plugin

Slide 37

SERVER CONFIGURATION: Apache
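An added example of the Apache variant (not the slide's content): the header is set with mod_headers in the vhost or in .htaccess. The policy itself and the /csp-report endpoint are assumed starting points, not the speaker's.

```apache
# Added example: needs mod_headers (a2enmod headers). "always" also sets the header
# on error responses (404, 500), which Apache otherwise leaves out.
<IfModule mod_headers.c>
    # Start with the Report-Only header name; rename it to Content-Security-Policy
    # once the reports are clean.
    Header always set Content-Security-Policy-Report-Only "default-src 'self'; img-src 'self' data: https:; script-src 'self'; style-src 'self'; font-src 'self'; form-action 'self'; report-uri /csp-report"
</IfModule>
```

A relative report-uri is resolved against the page URL, so /csp-report points at the same site. Check the result with curl -I against a page, an image and a deliberately wrong URL: all three should carry the header.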

Slide 38

SERVER CONFIGURATION: Nginx
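The Nginx variant, as an added example with an assumed policy and report endpoint (not the slide's content):

```nginx
# Added example: place in the server {} block that serves WordPress.
# "always" sets the header on error responses as well.
#
# Caveat: add_header is not inherited into a nested location {} block that has an
# add_header of its own. Every such block needs the full set of headers again,
# otherwise the CSP header silently disappears for the URLs it serves.
add_header Content-Security-Policy-Report-Only "default-src 'self'; img-src 'self' data: https:; script-src 'self'; style-src 'self'; font-src 'self'; form-action 'self'; report-uri /csp-report" always;
```

Run nginx -t before reloading, then verify with curl -I on a front-end page and on a URL handled by a location block with its own add_header lines (PHP and static-file locations are the usual suspects).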

Slide 39

THEME: functions.php
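An added example (not the speaker's code) of the theme approach: the policy is sent from functions.php on WordPress's own send_headers action, which fires for front-end requests before output starts. The directives, the /csp-report endpoint and the CSP_ENFORCE constant are assumptions.

```php
<?php
// Added example, not the speaker's code: emit the CSP header from a theme's functions.php.
// send_headers is a WordPress core action; the policy and CSP_ENFORCE are assumed.
add_action( 'send_headers', function () {
    if ( headers_sent() ) {
        return; // something already started output; a header set now would not reach the browser
    }

    $directives = array(
        "default-src 'self'",
        "img-src 'self' data: https:",
        "script-src 'self'",
        "style-src 'self' 'unsafe-inline'", // WP core, themes and plugins emit inline styles
        "font-src 'self' data:",
        "form-action 'self'",
        "report-uri /csp-report",           // assumed report endpoint on the same site
    );

    // Start in report-only mode; define CSP_ENFORCE as true in wp-config.php
    // once the reports are clean.
    $name = ( defined( 'CSP_ENFORCE' ) && CSP_ENFORCE )
        ? 'Content-Security-Policy'
        : 'Content-Security-Policy-Report-Only';

    header( $name . ': ' . implode( '; ', $directives ) );
} );
```

This covers the pages the theme renders. wp-admin does not go through the front-end request flow, so the admin area needs the server configuration or plugin route if it should be protected too. Expect the first report-only run to surface inline scripts from core and plugins; that is the "be aware of" list later in the talk.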

Slide 40

PLUGIN: Create your own / Use a given one

Slide 41

PLUGIN: WP Content Security Policy Plugin https://de.wordpress.org/plugins/wp-content-security-policy/

Slide 42

WP Content Security Policy Plugin - Screenshot Controls

Slide 43

WP Content Security Policy Plugin - Screenshot Policies

Slide 44

BE AWARE OF: WP Core, Themes, Plugins. Each of them can add inline scripts and styles or load resources from third-party origins, and all of that has to fit your policy.

Slide 45

HOW TO START: 1. Report Only, 2. Using defaults, 3. Error-Driven-Development, 4. Send Reports

Slide 46

1. REPORT ONLY: Content-Security-Policy-Report-Only: script-src 'self'; Violations are only reported (to the browser console, and to the report-uri if one is set); nothing is blocked yet.

Slide 47

2. USING DEFAULTS: Content-Security-Policy-Report-Only: default-src 'self'; default-src is the fallback for every fetch directive you do not set explicitly (script-src, style-src, img-src, font-src, ...). It does not cover form-action, base-uri or frame-ancestors; set those separately.

Slide 48

3. ERROR-DRIVEN-DEVELOPMENT: load the site, read the violations in the browser console, and fix or explicitly allow them one by one until the report-only policy is quiet.

Slide 49

4. SEND REPORTS: Content-Security-Policy: default-src 'self'; report-uri http://site.com (http://site.com stands for your own report endpoint). report-uri is deprecated in CSP Level 3 in favour of report-to, but browsers still support it.

Slide 50

CSP Report Example (screenshot of the JSON a browser posts to the report-uri)
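As an added example (not the talk's code) of what the report endpoint behind report-uri has to deal with: browsers POST one JSON object per violation with Content-Type application/csp-report. The function below pulls out the fields worth keeping; the sample report is constructed by me in that shape, and the page URL and policy in it are assumptions.

```php
<?php
// Added example, not the talk's code: a minimal receiver for the report-uri endpoint.

// Extract the useful fields from one report. Reports are attacker-influenced
// input (any visitor can POST arbitrary JSON here), so validate the shape,
// truncate the values, never render them unescaped, and rate-limit what you log.
function parse_csp_report(string $json): ?array
{
    $data = json_decode($json, true);
    if (!is_array($data) || !isset($data['csp-report']) || !is_array($data['csp-report'])) {
        return null;
    }
    $r = $data['csp-report'];
    $field = static function (string $key) use ($r): string {
        $v = $r[$key] ?? '';
        return is_string($v) ? substr($v, 0, 512) : (string) $v;
    };
    return [
        'document'  => $field('document-uri'),
        // effective-directive is the directive that actually fired; older
        // browsers only send violated-directive.
        'directive' => $field('effective-directive') ?: $field('violated-directive'),
        'blocked'   => $field('blocked-uri'),   // "inline" for inline scripts/styles, otherwise the origin
        'source'    => $field('source-file') . ':' . $field('line-number'),
        'policy'    => $field('original-policy'),
    ];
}

// Constructed sample shaped like a browser's report for an inline script that a
// default-src 'self' policy blocked (URL and policy are assumptions).
$sample = <<<'JSON'
{"csp-report":{"document-uri":"https://example.com/","referrer":"",
 "violated-directive":"script-src","effective-directive":"script-src",
 "original-policy":"default-src 'self'; report-uri /csp-report",
 "blocked-uri":"inline","status-code":200,"source-file":"https://example.com/",
 "line-number":42,"column-number":7}}
JSON;

$parsed = parse_csp_report($sample);
print_r($parsed);

// Deployed as the /csp-report handler, replace the sample with the request body
// and answer 204 so the browser has nothing to render:
// $parsed = parse_csp_report((string) file_get_contents('php://input'));
// if ($parsed !== null) { error_log(json_encode($parsed)); }
// http_response_code(204);
```

Group incoming reports by directive and blocked-uri; a few distinct entries per plugin is the normal picture, a flood of identical ones from a single IP is noise or abuse rather than a policy problem.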

Slide 51

SUMMARY: Use CSP. Don't allow inline scripts. Start in report-only mode. Learn about your dependencies.

Slide 52

RESOURCES:
Content Security Policy 101
Laravel Response Caching And CSP
CSP, Hash-Algorithm, and Turbolinks
Quick CSP Reference Guide
MDN web docs
CSP Level 2 W3C Recommendation
CSP Level 3 Working Draft

Slide 53

THANKS

Slide 54

QUESTIONS?

Slide 55

THANKS AGAIN