Overview
Explore the intricacies of Content Security Policy (CSP) as a defense against cross-site scripting (XSS) in this 30-minute LASCON conference talk. Delve into the differences between CSP 1.0 and 2.0, understanding their implications for web application developers. Learn how CSP protects against XSS attacks and whether traditional defenses like input validation and output encoding are still necessary. Discover practical steps to implement CSP on your website, including the use of wildcards, default policies, and monitoring techniques. Examine the challenges of inline JavaScript and how CSP addresses them through nonce and hash source mechanisms. Gain valuable insights from Senior Security Consultant Ksenia Dmitrieva on effectively leveraging CSP to enhance your web application's security posture.
Syllabus
Intro
About Ksenia
Dombased XSS
Script source
Wildcards
Default
CSS
Connect Source
Monitoring
Report Only Policy
Inline JavaScript
CSP
Nonce
Hash Source
Taught by
LASCON