
CSP - What? Why? How? PHPNW16


In this brief lightning talk, we'll cover the what, the why and the how of CSP, including directives to implement and tools to help us along the way.

Published in: Technology

  1. CONTENT SECURITY POLICIES: WHAT? WHY? HOW?
  2. PHP EAST MIDLANDS UNCONFERENCE HTTP://BIT.LY/PHPEM16-EB
  3. HTTP RESPONSE HEADER TO HELP REDUCE XSS RISKS
  4. DECLARES WHAT DYNAMIC RESOURCES ARE ALLOWED TO LOAD
  5. A FEW OF THE DIRECTIVES
  6. DEFAULT-SRC
  7. SCRIPT-SRC
  8. STYLE-SRC
  9. FULL REFERENCE: HTTPS://CONTENT-SECURITY-POLICY.COM
  10. IMG-SRC * WILDCARD, ALLOWS ANY URL EXCEPT DATA: BLOB: FILESYSTEM: SCHEMES.
  11. OBJECT-SRC 'NONE' DON’T LOAD RESOURCES FROM ANY SOURCE
  12. SCRIPT-SRC 'SELF' ALLOW LOADING FROM SAME ORIGIN (SAME SCHEME, HOST AND PORT)
  13. SCRIPT-SRC 'UNSAFE-INLINE' ALLOWS USE OF INLINE SOURCE ELEMENTS SUCH AS STYLE ATTRIBUTE, ONCLICK, OR SCRIPT TAG BODIES
  14. DON’T USE UNSAFE-INLINE
  15. <script nonce="$RANDOM">...</script> script-src 'self' 'nonce-$RANDOM'
  16. REPORT-URI
  17. WHEN A POLICY FAILURE OCCURS, THE BROWSER SENDS A JSON PAYLOAD TO THAT URL
  18. HTTP://REPORT-URI.IO
  19. REPORT-ONLY
  20. Content-Security-Policy-Report-Only: script-src 'self' https://*.google.com; style-src 'self'; report-uri https://mfyu.report-uri.io/r/default/csp/reportOnly;
  21. BROWSER SUPPORT
  22. @SCOTT_HELME (HE KNOWS HIS STUFF!) (THIS ISN’T ME)
  23. THANKS! https://joind.in/talk/296a1
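The nonce pattern from slide 15 and the report-uri payload from slide 17, as an added example that is not part of the talk: a per-response nonce, the header it belongs in (enforcing or Report-Only), and a parser for the JSON report a browser posts back. The function names and the sample report are my own constructions; the report-uri address is the one shown on slide 20.

```python
# Added example (not from the talk): nonce-based CSP header per response,
# plus parsing of the JSON violation report posted to report-uri.
import json
import secrets


def generate_nonce():
    """Fresh, unguessable nonce: generate one per response, never reuse it."""
    return secrets.token_urlsafe(16)


def build_csp_header(nonce, report_to, report_only=False):
    """Return (header-name, header-value). Scripts run only from our origin
    or when carrying this response's nonce; 'unsafe-inline' is never emitted."""
    directives = [
        "default-src 'self'",
        f"script-src 'self' 'nonce-{nonce}'",
        "style-src 'self'",
        "object-src 'none'",
        "img-src *",
        f"report-uri {report_to}",
    ]
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return name, "; ".join(directives)


def script_tag(nonce, body):
    """Inline script that the policy above will allow because it carries the nonce."""
    return f'<script nonce="{nonce}">{body}</script>'


def parse_csp_report(payload):
    """Pull the fields worth logging out of a report-uri JSON payload (bytes)."""
    report = json.loads(payload)["csp-report"]
    return {
        "document": report.get("document-uri"),
        "directive": report.get("violated-directive"),
        "blocked": report.get("blocked-uri"),
    }


# Constructed sample: the shape a browser posts when an inline script
# without a valid nonce is blocked under script-src.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://example.com/page",
    "violated-directive": "script-src",
    "blocked-uri": "inline",
    "original-policy": "default-src 'self'; script-src 'self' 'nonce-abc'",
}}).encode()

if __name__ == "__main__":
    n = generate_nonce()
    print(build_csp_header(n, "https://mfyu.report-uri.io/r/default/csp/reportOnly", report_only=True))
    print(script_tag(n, "console.log('allowed by nonce')"))
    print(parse_csp_report(SAMPLE_REPORT))
```

Start with the Report-Only header, watch what the report parser logs, then switch `report_only` to `False` once real traffic produces no unexpected violations.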
