Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Introduction to Content Security Policies (CSPs)

Shawn Hooper
October 05, 2024
62

Introduction to Content Security Policies (CSPs)

A Content Security Policy (CSP) is a great tool for helping keep your site’s users safe from common forms of front-end attack types including cross site scripting, packet sniffing, and click-jacking. During this talk you will learn:

* What are content security policies are?
* How do I implement a content security policy in WordPress?
* How to monitor your site’s content security policy reports

Delivered at WordCamp Rochester 2024

Shawn Hooper

October 05, 2024
Tweet

Transcript

  1. Introduction to Content Security Policies (CSPs) Presented by Shawn Hooper

    WordCamp Rochester October 5, 2024 Rochester, New York, USA Blog & Contact Information @ ShawnHooper.ca
  2. Content Security Policies 1. What are Content Security Policies 2.

    How do they work? 3. Attack Types Prevented 4. Supported Directives 5. Getting Started 6. Integrating in WordPress
  3. What is a Content Security Policy? Content Security Policy (CSP)

    is a computer security standard introduced to prevent: cross-site scripting (XSS) clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context.
  4. How do they work? They instruct the user agent (your

    web browser) to only load resources from a speci fi c set of sources (domains, endpoints). If the resource doesn’t match the CSP, it is blocked from being loaded.
  5. How do they work? Content Security Policies can be set

    as an HTTP Response Header: cache-control: no-cache, must-revalidate, max-age=0, no-store, private content-type: text/html;charset=UTF-8 content-security-policy: default-src ‘self’; script-src https://cdn.example.com/; link: <https://shawnhooper.ca/wp-json/>; rel="https://api.w.org/" vary: Accept-Encoding
  6. Fetch Directives default-src child-src connect-src font-src frame-src img-src manifest-src media-src

    object-src script-src script-src-attr script-src-elem style-src style-src-attr style-src-elem worker-src
  7. default-src This is the fallback directive. If you specify values

    for this directive, they will be used in cases where you haven’t speci fi ed another directive, like img-src or script-src
  8. child-src Speci fi es the URLs that can be loaded

    via iframe or the URL of Web Worker processes.
  9. script-src Replace event handlers (blocked) <button id="btn" onclick=“doSomething()"></button> With addEventListener

    calls: document.getElementById("btn").addEventListener("click", doSomething);
  10. worker-src Content-Security-Policy: worker-src example.com <script> let blockedWorker = new Worker("data:application/javascript,…");

    blockedWorker = new SharedWorker("https://not-example.com/"); navigator.serviceWorker.register("https://not-example.com/sw.js"); </script>
  11. sandbox Loads the resources in a sandboxed environment like the

    <iframe sandbox> attribute. The sandboxed environment can restrict what the page can do.
  12. report-to Sends a report with the contents of each CSP

    violation to the speci fi ed URL as a POST request.
  13. Getting Started Add the Content-Security-Policy-Report-Only with a sensible defaults like

    default-src ‘self’; and set it to send violation reports. Update your Content Security Policy based on the violation reports When you’re happy you’ve addressed any violations, change the header to Content-Security-Policy and it will start blocking resources that don’t match your policy. Use the Content-Security-Policy-Report-Only header to test changes