Slide 1

Content Security Policy 101

Slide 2

ABOUT ME

Slide 3

CHRISTOPH RUMPEL, Web Developer

Slide 4

CHRISTOPH RUMPEL, Web Developer
PHP / Laravel, Chatbots, Talks
@christophrumpel
christoph-rumpel.com

Slide 5

store.christoph-rumpel.com

Slide 6

SECURITY IS HARD

Slide 7

SSL, Input Handling, Updates, Packages, CSRF, Rate Limits, Weak Typing, Error Handling, Storing Credentials, Server Access, SQL Prepared Statements, Passwords, Brute Force Attacks

Slide 8

FAMOUS LEAKS: Adobe, Playstation Network, Cloudflare

Slide 9

How can we protect our sites when even big companies can't?

Slide 10

Step by step

Slide 11

CONTENT SECURITY POLICY

Slide 12

"Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks." (MDN Web Docs)

Slide 13

CSP lets you define trusted resources.

Slide 14

Content-Security-Policy: policies

Slide 15

Content-Security-Policy: policy
HTTP header name: Content-Security-Policy

Slide 16

Content-Security-Policy: policy
HTTP header value: policy

Slide 17

EXAMPLE
Content-Security-Policy: img-src *; script-src 'self';
(the header value is the policy)

Slide 18

img-src *; script-src 'self';
DIRECTIVES: img-src, script-src

Slide 19

img-src *; script-src 'self';
SOURCES: *, 'self'

Slide 20

img-src *; script-src 'self';
TRANSLATED: Images are allowed to be loaded from any resource

Slide 21

img-src *; script-src 'self';
TRANSLATED: Scripts are allowed to be loaded from the current site's origin only

Slide 22

DIRECTIVES: img-src, script-src

Slide 23

img-src, script-src, style-src, font-src, media-src, form-action, ...

Slide 24

SOURCES: *, 'self'

Slide 25

*, 'self', domain.example.com, *.example.com, 'none', ...

Slide 26

CSP of christoph-rumpel.com

Slide 27

CSP of facebook.com

Slide 28

NONCES AND HASHES

Slide 29

INLINE STYLES
script-src 'unsafe-inline';
Don't do that!

Slide 30

NONCES
script-src 'nonce-2726c7f26c';

Slide 31

HASHES
script-src 'sha256-B2yPHKaXn';
var isAdmin = 1;
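As an added example (not part of the original slides, and not the speaker's code), a small set of Python helpers that parses and builds the header syntax from slides 17 to 25 and generates the nonce and sha256 source expressions from slides 30 and 31; the function names and the sample inline script are assumptions made for this example.

```python
import base64
import hashlib
import secrets


def parse_policy(header: str) -> dict:
    """Split a CSP header value into {directive: [sources]}.

    Directives are separated by ';' and a directive's sources by
    whitespace; a trailing ';' is tolerated. If a directive name is
    repeated, browsers keep the first occurrence, so we do the same.
    """
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def build_policy(policy: dict) -> str:
    """Serialise {directive: [sources]} back into a header value."""
    return "; ".join(" ".join([name, *srcs]) for name, srcs in policy.items())


def script_hash(inline_source: str) -> str:
    """Return the 'sha256-...' source expression for one inline script.
    The digest covers the exact bytes between <script> and </script>,
    whitespace included, so the script must not be reformatted later."""
    digest = hashlib.sha256(inline_source.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def make_nonce(num_bytes: int = 16) -> str:
    """Unguessable nonce from the OS CSPRNG; generate a new one per response."""
    return base64.b64encode(secrets.token_bytes(num_bytes)).decode("ascii")


def nonce_policy(nonce: str) -> str:
    """Allow only scripts tagged with this response's nonce; 'self' otherwise."""
    return build_policy({"default-src": ["'self'"],
                         "script-src": [f"'nonce-{nonce}'"]})


if __name__ == "__main__":
    # Constructed sample: the inline script shown on slide 31.
    print(script_hash("var isAdmin = 1;"))
    print("Content-Security-Policy: " + nonce_policy(make_nonce()))
```

The hash must be recomputed whenever the inline script changes by even one byte, which is why a nonce is the easier choice for templates that render dynamic inline code.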

Slide 32

BROWSER SUPPORT

Slide 33

BROWSER SUPPORT

Slide 34

INTEGRATIONS

Slide 35

INTEGRATIONS: Server Configuration, Middleware, Package

Slide 36

SERVER CONFIGURATION: Apache

Slide 37

SERVER CONFIGURATION: Nginx

Slide 38

DEMO: Middleware Package

Slide 39

REPORTING

Slide 40

REPORT HEADER
Content-Security-Policy-Report-Only: script-src 'self';

Slide 41

SENDING REPORTS
Content-Security-Policy: default-src 'self'; report-uri http://site.com

Slide 42

CSP Report Example

Slide 43

SUMMARY

Slide 44

ADVANTAGES
- Make it harder for attackers
- Find mixed content
- Learn about your resources
- Take control

Slide 45

TAKE WITH YOU
- Use CSP
- Don't allow inline stuff
- Start in report-only mode
- Learn about dependencies

Slide 46

FUTURE

Slide 47

FEATURE POLICY
Feature-Policy: vibrate 'none'; geolocation 'none'

Slide 48

RESOURCES
- Content Security Policy 101
- Laravel Response Caching And CSP
- CSP, Hash-Algorithm, and Turbolinks
- Quick CSP Reference Guide
- MDN web docs
- CSP Level 2 W3C Recommendation
- CSP Level 3 Working Draft
- Feature Policy Draft

Slide 49

HAVE FUN WITH WORDPRESS

Slide 50

THANKS
@christophrumpel

Slide 51

QUESTIONS?
@christophrumpel

Slide 52

THANKS AGAIN
@christophrumpel