Slide 1: Hello webclerks :)
Slide 2: Content Security Policy 101
Slide 3: Content Security Policy 101. Can Christoph do 40 slides in 5 minutes?
Slide 4: ABOUT ME
Slide 5: CHRISTOPH RUMPEL. Web Developer, PHP / Laravel, Chatbots, Talks. @christophrumpel, christoph-rumpel.com
Slide 6: SECURITY IS HARD
Slide 7: SSL, Input Handling, Updates, Packages, Extension, CSRF, NONCES, Weak Typing, Error Handling, Storing Credentials, Server Access, SQL, Prepared Statements, Passwords, Brute Force Attacks
Slide 8: FAMOUS LEAKS: Adobe, Playstation Network, Cloudflare
Slide 9: How can we protect our sites when even big companies can't?
Slide 10: Step by step
Slide 11: CONTENT SECURITY POLICY
Slide 12: CSP lets you tell the browser which sources of content are trusted; the browser blocks loads that do not match the policy.
Slide 13: The policy is delivered in an HTTP response header: Content-Security-Policy: <policy>
Slide 14: EXAMPLE. Content-Security-Policy: img-src *; script-src 'self';
Slide 15: DIRECTIVES. In "img-src *; script-src 'self';", img-src and script-src are the directives: the kind of resource each rule governs.
Slide 16: LOCATIONS. In "img-src *; script-src 'self';", * and 'self' are the locations: the source list each directive allows.
Slide 17: TRANSLATED. img-src *: images may be loaded from any network origin (* does not cover data: or blob: URLs).
Slide 18: TRANSLATED. script-src 'self': scripts may be loaded from the page's own origin only (same scheme, host and port). Inline scripts are blocked as well unless a nonce, a hash or 'unsafe-inline' is added.
Slide 19: DIRECTIVES: img-src, script-src
Slide 20: img-src, script-src, style-src, font-src, media-src, form-action, ...
Slide 21: LOCATIONS: *, 'self'
Slide 22: *, 'self', domain.example.com, *.example.com, 'none', ...
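The matching rules behind slides 14 to 22, as an added JavaScript example that is not part of the talk: a small model of how a browser evaluates one fetch directive against a resource URL. The page URL, the policy strings and the resource URLs are constructed for the example. It handles *, 'self', 'none', a bare scheme, exact hosts, *.example.com wildcards, ports and path prefixes, and the fallback to default-src that form-action and the other document directives do not get. Nonces, hashes and 'unsafe-inline' govern inline code rather than URLs and are out of scope here; scheme matching is simplified to the http-to-https and ws-to-wss upgrades.

```javascript
// Added example, not the talk's code: how a browser decides whether a fetch
// directive such as img-src or script-src permits a given resource URL.

const DEFAULT_PORT = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// host-source: [scheme://][*.]host[:port|:*][/path]
const HOST_SOURCE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d+|\*))?(\/\S*)?$/i;

// Directives that do NOT fall back to default-src when they are absent.
const NO_FALLBACK = new Set(['form-action', 'frame-ancestors', 'base-uri']);

// "img-src *; script-src 'self'" -> { 'img-src': ['*'], 'script-src': ["'self'"] }
// A repeated directive is ignored: the first occurrence wins.
function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !(name.toLowerCase() in policy)) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Scheme comparison with the upgrades CSP permits (http may match https, ws may match wss).
function schemeMatches(exprScheme, urlScheme) {
  return exprScheme === urlScheme ||
    (exprScheme === 'http:' && urlScheme === 'https:') ||
    (exprScheme === 'ws:' && urlScheme === 'wss:');
}

// Does one source expression permit `resource` (a URL) on a page at `page` (a URL)?
function sourceMatches(expr, resource, page) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return resource.origin === page.origin;
  // * matches any network scheme but never data:, blob: or filesystem: URLs.
  if (e === '*') return resource.protocol in DEFAULT_PORT;
  // A bare scheme such as https: matches every URL with that scheme.
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return schemeMatches(e, resource.protocol);
  const m = HOST_SOURCE.exec(expr);
  if (!m) return false; // 'unsafe-inline', 'nonce-...', 'sha256-...' never match a URL
  const [, scheme, wildcard, host, port, path] = m;
  // A host-source without a scheme inherits the scheme of the page.
  if (!schemeMatches(scheme ? scheme.toLowerCase() + ':' : page.protocol, resource.protocol)) return false;
  const rHost = resource.hostname.toLowerCase();
  const h = host.toLowerCase();
  // *.example.com matches subdomains only, not example.com itself.
  if (wildcard ? !rHost.endsWith('.' + h) : rHost !== h) return false;
  const rPort = resource.port || DEFAULT_PORT[resource.protocol] || '';
  if (port === undefined) { if (rPort !== (DEFAULT_PORT[resource.protocol] || '')) return false; }
  else if (port !== '*' && rPort !== port) return false;
  // A path ending in / is a prefix; any other path must match exactly.
  if (path && (path.endsWith('/') ? !resource.pathname.startsWith(path) : resource.pathname !== path)) return false;
  return true;
}

// Is a load of `resourceUrl`, of the kind governed by `directive`, allowed on the page at `pageUrl`?
function isAllowed(policy, directive, resourceUrl, pageUrl) {
  let sources = policy[directive];
  if (sources === undefined && !NO_FALLBACK.has(directive)) sources = policy['default-src'];
  if (sources === undefined) return true; // nothing governs this load: unrestricted
  const resource = new URL(resourceUrl);
  const page = new URL(pageUrl);
  return sources.some((expr) => sourceMatches(expr, resource, page)); // empty list => nothing allowed
}

if (typeof require !== 'undefined' && require.main === module) {
  const page = 'https://christoph-rumpel.com/talk';            // constructed page URL
  const policy = parsePolicy("img-src *; script-src 'self'");  // the slides' example policy
  for (const [dir, url] of [
    ['img-src', 'https://cdn.example.net/logo.png'],
    ['img-src', 'data:image/png;base64,AAAA'],
    ['script-src', 'https://christoph-rumpel.com/app.js'],
    ['script-src', 'https://evil.example/app.js'],
  ]) console.log(dir, url, isAllowed(policy, dir, url, page) ? 'allowed' : 'BLOCKED');
}
```

Two details worth noticing when running it: the slides' img-src * still blocks data: images, and a policy with only default-src 'none' leaves form-action unrestricted because form-action never falls back to default-src.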
Slide 23: CSP on christoph-rumpel.com
Slide 24: BROWSER SUPPORT
Slide 25: BROWSER SUPPORT
Slide 26: INTEGRATIONS
Slide 27: SERVER CONFIGURATION: Apache
Slide 28: SERVER CONFIGURATION: Nginx
Slide 29: LARAVEL MIDDLEWARE
Slide 30: PLUGINS: WP Content Security Policy Plugin (screenshot of its policies screen)
Slide 31: MUCH MORE
Slide 32: HASHES AND NONCES
Slide 33: REPORTING
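Slide 33's reporting, as an added example that is not the talk's code: the Report-Only variant of the header, which lets you roll out a policy without blocking anything, and a handler for the JSON a browser POSTs to report-uri that aggregates the violations so you can see what a stricter policy would break. The report bodies are constructed in the CSP Level 2 shape and the endpoint /csp-report is an assumption. CSP Level 3 deprecates report-uri in favour of report-to, but report-uri is what the talk's references cover and browsers still honour it.

```javascript
// Added example, not the talk's code: report-only delivery plus a small report handler.

// In Content-Security-Policy-Report-Only the browser enforces nothing, but still POSTs a
// report for every load the policy would have blocked. Returns [headerName, headerValue].
function reportOnlyHeader(policy, reportUri) {
  return ['Content-Security-Policy-Report-Only', `${policy}; report-uri ${reportUri}`];
}

// Browsers POST JSON with Content-Type application/csp-report, wrapped in a "csp-report" key.
// Returns a normalised record, or null for bodies that are not a well-formed report.
function parseCspReport(body) {
  let data;
  try { data = JSON.parse(body); } catch { return null; }
  const r = data && data['csp-report'];
  if (!r || typeof r['violated-directive'] !== 'string') return null;
  return {
    documentUri: String(r['document-uri'] || ''),
    // Level 2 puts the full directive text in violated-directive; keep just the name.
    directive: String(r['effective-directive'] || r['violated-directive']).split(' ')[0],
    blockedUri: String(r['blocked-uri'] || ''),
    sourceFile: r['source-file'] ? String(r['source-file']) : null,
    line: Number.isInteger(r['line-number']) ? r['line-number'] : null,
  };
}

// Rough triage. Browser extensions inject scripts into pages and trip CSP; those reports say
// nothing about your site. "inline" and "eval" mean your own inline code or eval() was blocked.
function classify(report) {
  const b = report.blockedUri;
  if (/^(chrome|moz|safari|ms-browser)-extension:/.test(b)) return 'extension-noise';
  if (b === 'inline') return 'inline-script';
  if (b === 'eval') return 'eval';
  return 'external-resource';
}

// Count violations by directive and blocked URI, skipping extension noise, so the
// result reads as the list of sources a stricter policy would need to allow (or remove).
function summarise(bodies) {
  const counts = {};
  for (const body of bodies) {
    const rep = parseCspReport(body);
    if (!rep || classify(rep) === 'extension-noise') continue;
    const key = `${rep.directive} ${rep.blockedUri}`;
    counts[key] = (counts[key] || 0) + 1;
  }
  return counts;
}

// Constructed sample reports in the Level 2 shape, as a browser would send them
// against the slides' example policy "img-src *; script-src 'self'".
function sampleReport(blocked, directive = 'script-src', extra = {}) {
  return JSON.stringify({ 'csp-report': {
    'document-uri': 'https://christoph-rumpel.com/',
    'referrer': '',
    'violated-directive': `${directive} 'self'`,
    'effective-directive': directive,
    'original-policy': "img-src *; script-src 'self'; report-uri /csp-report",
    'blocked-uri': blocked,
    'status-code': 200,
    ...extra,
  } });
}

const SAMPLE_REPORTS = [
  sampleReport('https://cdn.example.net/widget.js'),
  sampleReport('https://cdn.example.net/widget.js'),
  sampleReport('inline', 'script-src', { 'source-file': 'https://christoph-rumpel.com/', 'line-number': 12 }),
  sampleReport('chrome-extension://abcdefghijklmnop/content.js'),
  'not json at all', // garbage a real endpoint receives and must ignore
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(reportOnlyHeader("img-src *; script-src 'self'", '/csp-report').join(': '));
  console.log(summarise(SAMPLE_REPORTS));
}
```

The report endpoint is unauthenticated by design (the browser posts to it on the user's behalf), so treat every field as untrusted input: parse strictly, cap body size, and never render blocked-uri or source-file into an HTML dashboard without escaping.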
Slide 34: RESOURCES: Content Security Policy 101; Laravel Response Caching And CSP; CSP, Hash-Algorithm, and Turbolinks; Quick CSP Reference Guide; MDN web docs; CSP Level 2 W3C Recommendation; CSP Level 3 Working Draft
Slide 35: THANKS
Slide 36: QUESTIONS?
Slide 37: THANKS AGAIN