Content security policy


  1. CSP is a new addition to the web platform that promises to mitigate the risk of XSS attacks by giving admins control over the data and code allowed to run on their site. It is another layer in a website's defenses: browser-enforced restrictions against external resources or unauthorized scripting. An extra response header instructs browsers to enforce a policy. Using it involves deciding what policies you want to enforce, then configuring them and using X-Content-Security-Policy to establish your policy.
  2. CSP is best used as defense-in-depth. It is a declarative policy that lets admins inform the client about the sources from which the application expects to load resources. To mitigate XSS, an application can declare that it only expects scripts from trusted sources, which allows the client to detect and block malicious scripts injected into the application by an attacker.
  3. Often a non-trivial amount of work is required to apply CSP to an existing web application: all inline scripts and styles must be moved out-of-line.
  4. An application opts into using CSP by supplying a Content-Security-Policy HTTP header. To supply a policy for an entire site, the server needs to supply a policy with each resource representation.
  5. You can use the X-Content-Security-Policy HTTP header to specify your policy, like this:
     X-Content-Security-Policy: policy
     The policy is a string containing the policy directives describing your Content Security Policy.
  6. Common scenarios when writing your security policy:
  7. All content must come from the site's own domain, excluding even subdomains:
     X-Content-Security-Policy: default-src 'self'
     Allow content from a trusted domain and all its subdomains:
     X-Content-Security-Policy: default-src 'self' *.mydomain.com
  8. Allow users of a web application to include images from any domain in their custom content, but restrict audio or video media to trusted providers, and all scripts to a specific server that hosts trusted code:
     X-Content-Security-Policy: default-src 'self'; img-src *; media-src media1.com media2.com; script-src userscripts.example.com
     Content is only permitted from the document's original host, with the following exceptions:
     - Images may be loaded from anywhere (note the "*" wildcard).
     - Media is only allowed from media1.com and media2.com (and not from subdomains of those sites).
     - Executable script is only allowed from userscripts.example.com.
  9. Ensure content is loaded using SSL:
     X-Content-Security-Policy: default-src https://onlinebanking.jumbobank.com
     The server only permits access to documents loaded specifically over HTTPS from the single domain onlinebanking.jumbobank.com.
     Allow HTML in email, as well as images loaded from anywhere, but not JavaScript or other potentially dangerous content:
     X-Content-Security-Policy: default-src 'self' *.mailsite.com; img-src
  10. The server delivers the policy to the user agent via an HTTP response header. The Content-Security-Policy header field is the preferred mechanism for delivering a CSP policy:
     "Content-Security-Policy:" 1#policy
     A server may send more than one HTTP header field named Content-Security-Policy with a given resource representation, and may send different Content-Security-Policy header field values with different representations of the same resource or with different resources. On receiving an HTTP response containing at least one Content-Security-Policy header field, the user agent enforces each of the policies contained in each such header field.
  11. Add the header in the web server config:
  12. How a CSP-enabled site looks:
  13. Unless explicitly allowed by your policy, inline scripts are not executed:
  14. Content-Security-Policy: defined by the W3C spec as the standard header. X-Content-Security-Policy: used by Firefox and Internet Explorer. X-WebKit-CSP: used by Chrome.
  15. The DEFCON Hacking Conference is using it (x-content-security-policy: default-src self).
  16. Facebook has started using it [x-webkit-csp].
  17. Questions? …….. NO ……….. OK
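As an added example, not taken from the slides, here is a small Python model of how a user agent applies the policies above: it parses a policy string into directives, falls back from a missing <type>-src directive to default-src (a specific directive replaces default-src rather than extending it), matches 'self', *, scheme-only and host sources including the *.domain wildcard, and, as slide 10 requires, allows a load only when every delivered Content-Security-Policy header permits it. The page origin and resource URLs are constructed test values; ports and paths are not modelled.

```python
from urllib.parse import urlsplit

def parse_policy(header):
    """Turn 'dir src src; dir src' into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def source_matches(source, page_origin, url):
    """Does one source expression permit loading url from a page at page_origin?
    Handles *, 'none', 'self', scheme-source (https:) and host-source with an
    optional scheme and an optional leading '*.' wildcard (ports/paths ignored)."""
    u, p = urlsplit(url), urlsplit(page_origin)
    if source == "*":
        return True
    if source == "'none'":
        return False
    if source == "'self'":  # same scheme and host[:port] as the document
        return (u.scheme, u.netloc) == (p.scheme, p.netloc)
    if source.endswith(":"):  # scheme-source such as https:
        return u.scheme == source[:-1].lower()
    scheme, _, host = source.lower().rpartition("://")
    if scheme and scheme != u.scheme:
        return False
    if host.startswith("*."):  # *.mydomain.com matches subdomains, not the apex
        return (u.hostname or "").endswith(host[1:])
    return u.hostname == host

def policy_allows(policy, resource_type, page_origin, url):
    """Use '<type>-src' if present, otherwise fall back to default-src."""
    sources = policy.get(resource_type + "-src", policy.get("default-src"))
    if sources is None:
        return True  # no applicable directive: this policy does not restrict it
    return any(source_matches(s, page_origin, url) for s in sources)

def load_allowed(headers, resource_type, page_origin, url):
    """Slide 10: with several CSP header fields, every policy must allow the load."""
    return all(policy_allows(parse_policy(h), resource_type, page_origin, url)
               for h in headers)

# Constructed inputs: the slide-8 and slide-9 policies and a hypothetical page origin.
SLIDE8 = ("default-src 'self'; img-src *; media-src media1.com media2.com; "
          "script-src userscripts.example.com")
BANK = "default-src https://onlinebanking.jumbobank.com"
PAGE = "https://www.example.com"
```

Note that under SLIDE8 a script served from the page's own origin is blocked, because script-src replaces default-src instead of adding to it.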
