
No More XSS - Deploying CSP with Nonces and Strict-Dynamic

Security BSides San Francisco via YouTube

Overview

Explore a conference talk on implementing Content Security Policy (CSP) to prevent cross-site scripting (XSS) vulnerabilities. Learn about the evolution of CSP, with a focus on the strict-dynamic source expression introduced in CSP version 3, which makes the policy easier to apply to existing web pages without major refactoring. Discover how Pinterest and Instapaper deployed strict CSP, including implementation tips and potential pitfalls. Gain insights into nonces, hashes, whitelisting, and JavaScript templates. Understand the deployment process, the necessary code changes, and the benefits of report-only mode. Equip yourself with practical knowledge to enhance web application security and effectively combat XSS attacks.

Syllabus

Introduction
Agenda
Cross-site scripting
Templates and autoescape
No cross-site scripting
Content security policy
Domain whitelist
Object source base URI
HTML injection
Inline scripts
CSP nonces
What can go wrong
Hashes
Whitelisting
Strict-dynamic
JavaScript templates
Deploying CSP
Easier to deploy
Code changes
Nonces
Change templates
Report only mode
CSP policy
Resources
Questions
Report URL

Taught by

Security BSides San Francisco
