Slide 1

Hello webclerks :)

Slide 2

Content Security Policy 101

Slide 3

Content Security Policy 101

Can Christoph do 40 slides in 5 minutes?

Slide 4

ABOUT ME

Slide 5

CHRISTOPH RUMPEL
Web Developer
PHP / Laravel
Chatbots
Talks
@christophrumpel
christoph-rumpel.com

Slide 6

SECURITY IS HARD

Slide 7

SSL
Input Handling
Updates
Packages
Extension
CSRF
Nonces
Weak Typing
Error Handling
Storing Credentials
Server Access
SQL Prepared Statements
Passwords
Brute Force Attacks

Slide 8

FAMOUS LEAKS

Adobe
Playstation Network
Cloudflare

Slide 9

How can we protect our sites when even big companies can't?

Slide 10

Step by step

Slide 11

CONTENT SECURITY POLICY

Slide 12

CSP lets you define trusted resources.

Slide 13

Content-Security-Policy: policies

Slide 14

EXAMPLE

Content-Security-Policy: img-src *; script-src 'self';

Policies: img-src *; script-src 'self';

Slide 15

DIRECTIVES

img-src *; script-src 'self';

Directives: img-src, script-src

Slide 16

LOCATIONS

img-src *; script-src 'self';

Locations: *, 'self'

Slide 17

TRANSLATED

img-src *; script-src 'self';

img-src *: Images are allowed to be loaded from any source.

Slide 18

TRANSLATED

img-src *; script-src 'self';

script-src 'self': Scripts are allowed to be loaded from the current site's origin only.

Slide 19

DIRECTIVES

img-src
script-src

Slide 20

img-src
script-src
style-src
font-src
media-src
form-action
...

Slide 21

LOCATIONS

*
'self'

Slide 22

*
'self'
domain.example.com
*.example.com
'none'
...
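As an added example that is not part of the slides, a small Python evaluator for the directive and location matching explained on slides 14 to 22. It goes slightly beyond them by also applying the default-src fallback, and it models only the source forms the slides list (*, 'self', 'none', exact hosts and *.host wildcards), not schemes, ports, paths, hashes or nonces. The page origin and resource URLs are constructed sample values.

```python
from urllib.parse import urlsplit


def parse_csp(header: str) -> dict:
    """Split a header value such as "img-src *; script-src 'self';" into
    {directive: [source, ...]}; a trailing ';' only yields an empty entry."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def host_matches(pattern: str, host: str) -> bool:
    """'*.example.com' matches sub.example.com but not example.com itself;
    any other pattern must equal the host exactly."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def is_allowed(policy: dict, directive: str, resource_url: str, page_origin: str) -> bool:
    """Would the browser load resource_url for this directive on a page served
    from page_origin? Only the source forms from the slides are modelled
    (plus the default-src fallback); schemes, ports, paths, hashes and nonces
    are ignored. Sample origin and URLs in the tests are constructed."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True          # directive absent and no default-src: unrestricted
    if sources == ["'none'"]:
        return False         # 'none' blocks every load for this directive
    page, res = urlsplit(page_origin), urlsplit(resource_url)
    for src in sources:
        if src == "*":
            return True      # any host (real CSP still excludes data:/blob: here)
        if src == "'self'":
            if (res.scheme, res.netloc) == (page.scheme, page.netloc):
                return True
        elif not src.startswith("'") and host_matches(src.lower(), res.hostname or ""):
            return True
    return False


if __name__ == "__main__":
    policy = parse_csp("img-src *; script-src 'self';")
    origin = "https://christoph-rumpel.com"
    print(is_allowed(policy, "img-src", "https://cdn.other.net/a.png", origin))    # True
    print(is_allowed(policy, "script-src", "https://cdn.other.net/x.js", origin))  # False
```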

Slide 23

CSP christoph-rumpel.com

Slide 24

BROWSER SUPPORT

Slide 25

BROWSER SUPPORT

Slide 26

INTEGRATIONS

Slide 27

SERVER CONFIGURATION: Apache

Slide 28

SERVER CONFIGURATION: Nginx

Slide 29

LARAVEL MIDDLEWARE

Slide 30

PLUGINS

WP Content Security Policy Plugin (screenshot: Policies)

Slide 31

MUCH MORE

Slide 32

HASHES AND NONCES

Slide 33

REPORTING

Slide 34

RESOURCES

Content Security Policy 101
Laravel Response Caching And CSP
CSP, Hash-Algorithm, and Turbolinks
Quick CSP Reference Guide
MDN web docs
CSP Level 2 W3C Recommendation
CSP Level 3 Working Draft

Slide 35

THANKS

Slide 36

QUESTIONS?

Slide 37

THANKS AGAIN