No More XSS - Deploying CSP with Nonces and Strict-Dynamic
Offered By: Security BSides San Francisco via YouTube
Course Description
Overview
Explore a conference talk on deploying Content Security Policy (CSP) to stop cross-site scripting (XSS). Learn how CSP evolved from domain whitelists to CSP3's strict-dynamic, which extends trust from nonced scripts to the scripts they load at runtime, so an existing page can be covered without a host whitelist or a major refactor. Discover how Pinterest and Instapaper deployed strict CSP, including implementation tips and pitfalls. Gain insights into nonces, hashes, whitelisting, and JavaScript templates. Understand the deployment process, the template changes needed to attach a per-response nonce to every trusted script tag, and how report-only mode surfaces breakage before the policy is enforced. Equip yourself with practical knowledge to harden web applications against XSS.
Syllabus
Introduction
Agenda
Cross-site scripting
Templates and autoescape
No cross-site scripting
Content security policy
Domain whitelist
Object source base URI
HTML injection
Inline scripts
CSP nonces
What can go wrong
Hashes
Whitelisting
strict-dynamic
JavaScript templates
Deploying CSP
Easier to deploy
Code changes
Nonces
Change templates
Report only mode
CSP policy
Resources
Questions
Report URL
Taught by
Security BSides San Francisco
Related Courses
Web Hacking Expert - Full-Stack Exploitation Mastery (Packt via Coursera)
OWASP Top 10: #7 XSS and #8 Insecure Deserialization (LinkedIn Learning)
Web Security: Same-Origin Policies (LinkedIn Learning)
Configuring Security Headers in ASP.NET and ASP.NET Core Applications (Pluralsight)
Defeating Cross-site Scripting with Content Security Policy 2 (Pluralsight)