Content security policy
   Content Security Policy (CSP) is a new addition to the web platform that
    promises to mitigate the risk of XSS attacks by giving site admins control
    over which data and code are allowed to load and run on their site.

   Another layer in a website's defenses: browser-enforced restrictions on
    external resources and unauthorized scripting.

   An extra response header instructs the browser to enforce the policy.

   Deploying it involves deciding which policies you want to enforce, then
    configuring them and sending the X-Content-Security-Policy header (the
    prefixed name used by the early Firefox implementation; the standard
    header name is Content-Security-Policy) to establish your policy.
   CSP: best used as defense-in-depth. It does not remove an injection flaw;
    it limits what injected markup can do, so input validation and output
    encoding are still required.

   CSP: a declarative policy that lets admins inform the client about the
    sources from which the application expects to load resources.

   Mitigating XSS: an application can declare that it only expects scripts
    from trusted sources.

   This allows the client to detect and block malicious scripts that an
    attacker has injected into the application.
   Often a non-trivial amount of work is required to apply CSP to an existing
    web application.

   Move all inline scripts and styles out-of-line: once a policy restricts
    script sources, inline <script> blocks, inline event handlers such as
    onclick="..." and javascript: URLs are no longer executed, and neither is
    eval().

   An application opts into CSP by supplying a Content-Security-Policy HTTP
    header.

   To apply a policy to an entire site, the server must send the policy with
    every resource representation (every HTML response), since a policy
    protects only the document it arrives with.

   You can use the X-Content-Security-Policy HTTP header to specify your
    policy, like this:

                  X-Content-Security-Policy: policy

   The policy is a string containing the directives that make up your Content
    Security Policy, separated by semicolons; each directive names a resource
    type and the list of sources allowed for it.
   Common scenarios when writing your security policy

       All content must come from the site's own origin, excluding even
        subdomains ('self' means the same scheme, host and port as the
        document):

                 X-Content-Security-Policy: default-src 'self'

       Allow content from a trusted domain and all its subdomains (the
        wildcard matches subdomains only, not mydomain.com itself):

                 X-Content-Security-Policy: default-src 'self' *.mydomain.com

       Allow users of a web application to include images from any domain in
        their custom content, but restrict audio and video media to trusted
        providers only, and all scripts to a single server that hosts trusted
        code:

        X-Content-Security-Policy: default-src 'self'; img-src *; media-src media1.com media2.com; script-src userscripts.example.com

       Content is only permitted from the document's own origin, with the
        following exceptions:

          Images may be loaded from anywhere (note the "*" wildcard).

          Media is only allowed from media1.com and media2.com (and not from
           subdomains of those sites).

          Executable script is only allowed from userscripts.example.com.
           Because script-src does not list 'self', scripts from the
           document's own origin are blocked too: a resource-type directive
           replaces default-src for that type, it does not add to it.
       Ensure content is loaded over TLS (HTTPS) only:

        X-Content-Security-Policy: default-src https://onlinebanking.jumbobank.com

       The server only permits resources loaded specifically over HTTPS from
        the single host onlinebanking.jumbobank.com; an http:// URL on that
        same host is blocked, because a source that names a scheme matches
        only that scheme.

       Allow HTML in email, with images loaded from anywhere, but not
        JavaScript or other potentially dangerous content:

      X-Content-Security-Policy: default-src 'self' *.mailsite.com; img-src

       default-src confines every resource type to the mail site's own origin
        and its subdomains; img-src relaxes that for images only. Script is
        still governed by default-src, so a <script> in a message body that
        points at an attacker's host is blocked, and inline script in the
        message is refused regardless.
   The server delivers the policy to the user agent via an HTTP response
    header.

                  Content-Security-Policy Header Field

   The Content-Security-Policy header field is the preferred mechanism for
    delivering a CSP policy:

                  "Content-Security-Policy:" 1#policy

   A server may send more than one HTTP header field named
    Content-Security-Policy with a given resource representation.

   A server may send different Content-Security-Policy header field values
    with different representations of the same resource, or with different
    resources.

   On receiving an HTTP response containing at least one
    Content-Security-Policy header field, the user agent enforces each of the
    policies contained in each such header field. A load must therefore be
    permitted by every policy; an additional header can only tighten the
    effective policy, never loosen it.
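The source-list rules behind the scenario headers above, together with the several-headers rule just described, as an added example that is not part of the original deck: a small evaluator in JavaScript (Node, no dependencies) implementing the CSP 1.0 matching the slides describe. The policies and hosts in the demo are the deck's own; the function names (parsePolicy, isAllowed, isAllowedByAll) and the document URLs used as the page origin are assumptions for illustration. Only the expression forms the slides use are handled ('none', 'self', '*', host, *.host, scheme://host, each with an optional :port); nonces, hashes, paths and 'unsafe-inline' are out of scope.

```javascript
// Added example (not from the original deck): an evaluator for the CSP 1.0
// source-list semantics the scenarios describe. Supported source expressions:
// 'none', 'self', '*', host, *.host, scheme://host, each with an optional :port.
// Nonces, hashes, path matching and 'unsafe-inline' are deliberately out of scope.

// "default-src 'self'; img-src *"  ->  { "default-src": ["'self'"], "img-src": ["*"] }
// The first occurrence of a directive wins; later duplicates are ignored.
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !(name.toLowerCase() in directives)) {
      directives[name.toLowerCase()] = sources;
    }
  }
  return directives;
}

// "media1.com" matches that host exactly; "*.mydomain.com" matches any
// subdomain but not mydomain.com itself; "*" matches every host.
function hostMatches(pattern, host) {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1); // ".mydomain.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Does one source expression permit loading `resource` into a document at `origin`?
function sourceMatches(expr, resource, origin) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return resource.origin === origin.origin; // same scheme, host and port
  if (e === "*") return true;

  let scheme = null;
  let hostPort = e;
  const at = e.indexOf("://");
  if (at !== -1) {
    scheme = e.slice(0, at) + ":";
    hostPort = e.slice(at + 3);
  }
  const [hostPattern, port] = hostPort.split(":");

  // A source that names a scheme matches only that scheme; one without a
  // scheme inherits the document's scheme (CSP 1.0 rule).
  if (scheme !== null ? scheme !== resource.protocol : resource.protocol !== origin.protocol) {
    return false;
  }
  // No port in the expression means the scheme's default port, which URL reports as "".
  if ((port === undefined ? "" : port) !== resource.port) return false;
  return hostMatches(hostPattern, resource.hostname.toLowerCase());
}

// The directive for a resource type (img, media, script, style, ...) falls
// back to default-src; with neither present the load is unrestricted.
function governingSources(directives, type) {
  const specific = directives[type + "-src"];
  return specific !== undefined ? specific : directives["default-src"];
}

function isAllowed(policy, type, resourceUrl, documentUrl) {
  const sources = governingSources(parsePolicy(policy), type);
  if (sources === undefined) return true;
  const resource = new URL(resourceUrl);
  const origin = new URL(documentUrl);
  return sources.some((s) => sourceMatches(s, resource, origin));
}

// Several Content-Security-Policy header fields: the user agent enforces each
// policy, so the load must be permitted by all of them.
function isAllowedByAll(policies, type, resourceUrl, documentUrl) {
  return policies.every((p) => isAllowed(p, type, resourceUrl, documentUrl));
}

// Demo with the deck's third scenario; the document URL is assumed for illustration.
const demoPolicy =
  "default-src 'self'; img-src *; media-src media1.com media2.com; script-src userscripts.example.com";
const demoDoc = "http://www.example.com/page";
console.log(isAllowed(demoPolicy, "img", "https://cdn.anywhere.net/a.png", demoDoc));    // true
console.log(isAllowed(demoPolicy, "media", "http://sub.media1.com/clip.mp4", demoDoc));  // false: subdomain
console.log(isAllowed(demoPolicy, "script", "http://www.example.com/app.js", demoDoc));  // false: no 'self' in script-src
console.log(isAllowed(demoPolicy, "style", "http://www.example.com/app.css", demoDoc));  // true via default-src
```

Run it with node. The demo at the bottom shows the gotcha from the third scenario: with that policy a script from the document's own host is blocked, because script-src replaces default-src for scripts rather than extending it, while styles (no style-src) still fall back to default-src 'self'.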
   Add the header in the web server configuration.

   What a CSP-enabled site looks like: the header is present on every page
    response.

   Unless explicitly allowed by your policy, inline scripts are not executed;
    the browser refuses them and reports the violation in its developer
    console.
   Content-Security-Policy: defined by the W3C spec as the standard header.

   X-Content-Security-Policy: used by Firefox and Internet Explorer.

   X-WebKit-CSP: used by Chrome and other WebKit-based browsers.

   The DEFCON Hacking Conference site is using
    x-content-security-policy: default-src 'self'

   Facebook has started using x-webkit-csp.
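Building the policy string and attaching it under the three header names listed above, as an added example that is not from the deck or from any browser vendor: the builder below assembles a CSP 1.0 policy from a structured description, rejects two misconfigurations a browser would otherwise swallow silently (an unquoted keyword such as self, which the browser reads as a host named "self", and a misspelled directive, which is ignored entirely), and sets the result on a response. The function names, the directive list (CSP 1.0 as published) and the res object's setHeader interface (Node's http.ServerResponse or an Express response) are assumptions for illustration.

```javascript
// Added example (not from the original deck): assemble a CSP 1.0 policy string
// from a structured description, refuse two silent misconfigurations, and attach
// it under the three header names in use at the time of the deck.

const CSP_HEADER_NAMES = [
  "Content-Security-Policy",   // W3C standard name
  "X-Content-Security-Policy", // Firefox / Internet Explorer prefixed name
  "X-WebKit-CSP",              // Chrome / WebKit prefixed name
];

// Directives defined by CSP 1.0 (assumption: this list matches the published
// spec). A browser ignores a directive it does not recognise, so a typo like
// "scripts-src" silently leaves scripts governed by default-src, or
// unrestricted if default-src is absent as well.
const KNOWN_DIRECTIVES = new Set([
  "default-src", "script-src", "object-src", "style-src", "img-src", "media-src",
  "frame-src", "font-src", "connect-src", "sandbox", "report-uri",
]);

// Keyword sources must be quoted: an unquoted self is a host named "self".
const KEYWORDS = new Set(["self", "none", "unsafe-inline", "unsafe-eval"]);

// { "default-src": ["'self'"], "img-src": ["*"] }  ->  "default-src 'self'; img-src *"
function buildPolicy(directives) {
  const parts = [];
  for (const [name, sources] of Object.entries(directives)) {
    if (!KNOWN_DIRECTIVES.has(name)) {
      throw new Error(`unknown directive "${name}" would be ignored by the browser`);
    }
    for (const src of sources) {
      if (KEYWORDS.has(src)) {
        throw new Error(`keyword source ${src} must be quoted as '${src}'`);
      }
      if (src === "'none'" && sources.length > 1) {
        throw new Error(`'none' cannot be combined with other sources in ${name}`);
      }
    }
    parts.push(sources.length ? `${name} ${sources.join(" ")}` : name);
  }
  return parts.join("; ");
}

// The same value under every header name, so prefixed implementations and
// standard ones all enforce one policy.
function cspHeaders(policy) {
  const headers = {};
  for (const name of CSP_HEADER_NAMES) headers[name] = policy;
  return headers;
}

// Attach the policy to a response; `res` is anything with setHeader(name, value),
// such as Node's http.ServerResponse or an Express response. Do this on every
// HTML response, because a policy protects only the document it ships with.
function applyCsp(res, policy) {
  for (const [name, value] of Object.entries(cspHeaders(policy))) {
    res.setHeader(name, value);
  }
  return res;
}

// Demo: the deck's "own origin plus images from anywhere" policy
const policy = buildPolicy({ "default-src": ["'self'"], "img-src": ["*"] });
console.log(policy); // default-src 'self'; img-src *
```

In a Node server this is `http.createServer((req, res) => { applyCsp(res, policy); ... })`. If the header is set at the web server instead, the same policy string goes into Apache's `Header set` (mod_headers) or nginx's `add_header` directive; the validation in buildPolicy is still worth running once at deploy time, since neither server checks the value.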
Questions?

More Related Content

What's hot

Cross site scripting
Cross site scriptingCross site scripting
Cross site scripting
kinish kumar
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
Mikhail Egorov
 
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
Marco Balduzzi
 
Css ppt
Css pptCss ppt
Css ppt
Nidhi mishra
 
Click jacking
Click jackingClick jacking
Click jacking
Ronan Dunne, CEH, SSCP
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scripting
n|u - The Open Security Community
 
ASP.NET Web Security
ASP.NET Web SecurityASP.NET Web Security
ASP.NET Web Security
SharePointRadi
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
Amit Tyagi
 
A story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMA story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEM
Frans Rosén
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricks
GarethHeyes
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versions
neexemil
 
Reflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site ScriptingReflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site Scripting
InMobi Technology
 
Unrestricted file upload CWE-434 - Adam Nurudini (ISACA)
Unrestricted file upload CWE-434 -  Adam Nurudini (ISACA)Unrestricted file upload CWE-434 -  Adam Nurudini (ISACA)
Unrestricted file upload CWE-434 - Adam Nurudini (ISACA)
Adam Nurudini
 
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterX-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
Masato Kinugawa
 
DVWA BruCON Workshop
DVWA BruCON WorkshopDVWA BruCON Workshop
DVWA BruCON Workshop
testuser1223
 
Tailwind CSS.11.pptx
Tailwind CSS.11.pptxTailwind CSS.11.pptx
Tailwind CSS.11.pptx
Harish Verma
 
Cross site scripting (xss)
Cross site scripting (xss)Cross site scripting (xss)
Cross site scripting (xss)Manish Kumar
 

What's hot (20)

File upload vulnerabilities & mitigation
File upload vulnerabilities & mitigationFile upload vulnerabilities & mitigation
File upload vulnerabilities & mitigation
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scripting
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
 
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
 
Css ppt
Css pptCss ppt
Css ppt
 
Click jacking
Click jackingClick jacking
Click jacking
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scripting
 
ASP.NET Web Security
ASP.NET Web SecurityASP.NET Web Security
ASP.NET Web Security
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
 
Xss
XssXss
Xss
 
A story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMA story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEM
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricks
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versions
 
Reflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site ScriptingReflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site Scripting
 
Unrestricted file upload CWE-434 - Adam Nurudini (ISACA)
Unrestricted file upload CWE-434 -  Adam Nurudini (ISACA)Unrestricted file upload CWE-434 -  Adam Nurudini (ISACA)
Unrestricted file upload CWE-434 - Adam Nurudini (ISACA)
 
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterX-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
 
DVWA BruCON Workshop
DVWA BruCON WorkshopDVWA BruCON Workshop
DVWA BruCON Workshop
 
Introducing Cascading Style Sheets
Introducing Cascading Style SheetsIntroducing Cascading Style Sheets
Introducing Cascading Style Sheets
 
Tailwind CSS.11.pptx
Tailwind CSS.11.pptxTailwind CSS.11.pptx
Tailwind CSS.11.pptx
 
Cross site scripting (xss)
Cross site scripting (xss)Cross site scripting (xss)
Cross site scripting (xss)
 

Viewers also liked

Blind xss
Blind xssBlind xss
ASP.NET View State - Security Issues
ASP.NET View State - Security IssuesASP.NET View State - Security Issues
ASP.NET View State - Security Issues
Ronan Dunne, CEH, SSCP
 
Cross Domain Hijacking - File Upload Vulnerability
Cross Domain Hijacking - File Upload VulnerabilityCross Domain Hijacking - File Upload Vulnerability
Cross Domain Hijacking - File Upload VulnerabilityRonan Dunne, CEH, SSCP
 
B wapp – bee bug – installation
B wapp – bee bug – installationB wapp – bee bug – installation
B wapp – bee bug – installation
Ronan Dunne, CEH, SSCP
 
Bank One App Sec Training
Bank One App Sec TrainingBank One App Sec Training
Bank One App Sec Training
Mike Spaulding
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profit
David Stockton
 
Qr codes
Qr codesQr codes
Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation
Ikhade Maro Igbape
 
Time tested php with libtimemachine
Time tested php with libtimemachineTime tested php with libtimemachine
Time tested php with libtimemachine
Nick Galbreath
 
Content Security Policy
Content Security PolicyContent Security Policy
Content Security Policy
Ryan LaBouve
 
Surfer en toute legalite sur le net
Surfer en toute legalite sur le netSurfer en toute legalite sur le net
Surfer en toute legalite sur le net
AAT's
 
Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)
Daniel Tumser
 
Content Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at YahooContent Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at Yahoo
Binu Ramakrishnan
 
AppSec California 2017 CSP: The Good, the Bad and the Ugly
AppSec California 2017 CSP: The Good, the Bad and the UglyAppSec California 2017 CSP: The Good, the Bad and the Ugly
AppSec California 2017 CSP: The Good, the Bad and the Ugly
Eli Nesterov
 
AppSec USA 2016: Demystifying CSP
AppSec USA 2016: Demystifying CSPAppSec USA 2016: Demystifying CSP
AppSec USA 2016: Demystifying CSP
Eli Nesterov
 

Viewers also liked (20)

Cross site scripting XSS
Cross site scripting XSSCross site scripting XSS
Cross site scripting XSS
 
Blind xss
Blind xssBlind xss
Blind xss
 
ASP.NET View State - Security Issues
ASP.NET View State - Security IssuesASP.NET View State - Security Issues
ASP.NET View State - Security Issues
 
Cross Domain Hijacking - File Upload Vulnerability
Cross Domain Hijacking - File Upload VulnerabilityCross Domain Hijacking - File Upload Vulnerability
Cross Domain Hijacking - File Upload Vulnerability
 
Error codes & custom 404s
Error codes & custom 404sError codes & custom 404s
Error codes & custom 404s
 
Mime sniffing
Mime sniffingMime sniffing
Mime sniffing
 
B wapp – bee bug – installation
B wapp – bee bug – installationB wapp – bee bug – installation
B wapp – bee bug – installation
 
Unicode
UnicodeUnicode
Unicode
 
Bank One App Sec Training
Bank One App Sec TrainingBank One App Sec Training
Bank One App Sec Training
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profit
 
Qr codes
Qr codesQr codes
Qr codes
 
Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation
 
Time tested php with libtimemachine
Time tested php with libtimemachineTime tested php with libtimemachine
Time tested php with libtimemachine
 
Content Security Policy
Content Security PolicyContent Security Policy
Content Security Policy
 
Surfer en toute legalite sur le net
Surfer en toute legalite sur le netSurfer en toute legalite sur le net
Surfer en toute legalite sur le net
 
Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)
 
Web Apps Security
Web Apps SecurityWeb Apps Security
Web Apps Security
 
Content Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at YahooContent Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at Yahoo
 
AppSec California 2017 CSP: The Good, the Bad and the Ugly
AppSec California 2017 CSP: The Good, the Bad and the UglyAppSec California 2017 CSP: The Good, the Bad and the Ugly
AppSec California 2017 CSP: The Good, the Bad and the Ugly
 
AppSec USA 2016: Demystifying CSP
AppSec USA 2016: Demystifying CSPAppSec USA 2016: Demystifying CSP
AppSec USA 2016: Demystifying CSP
 

Similar to Content security policy

Content Security Policy (CSP)
Content Security Policy (CSP)Content Security Policy (CSP)
Content Security Policy (CSP)
Arun Kumar
 
http security response headers for web security
http security response headers for web securityhttp security response headers for web security
http security response headers for web security
Olatunji Adetunji
 
Analysis of HTTP Security Headers in Turkey
Analysis of HTTP Security Headers in TurkeyAnalysis of HTTP Security Headers in Turkey
Analysis of HTTP Security Headers in Turkey
Dr. Emin İslam Tatlı
 
Ignite content security policy
Ignite content security policyIgnite content security policy
Ignite content security policy
jstack
 
List of useful security related http headers
List of useful security related http headersList of useful security related http headers
List of useful security related http headers
한익 주
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesBrad Hill
 
A Practical Guide to Securing Modern Web Applications
A Practical Guide to Securing Modern Web ApplicationsA Practical Guide to Securing Modern Web Applications
A Practical Guide to Securing Modern Web Applications
Manish Shekhawat
 
Browser Wars 2019 - Implementing a Content Security Policy
Browser Wars 2019 - Implementing a Content Security PolicyBrowser Wars 2019 - Implementing a Content Security Policy
Browser Wars 2019 - Implementing a Content Security Policy
George Boobyer
 
HTTP_Header_Security.pdf
HTTP_Header_Security.pdfHTTP_Header_Security.pdf
HTTP_Header_Security.pdf
ksudhakarreddy5
 
Rails and Content Security Policies
Rails and Content Security PoliciesRails and Content Security Policies
Rails and Content Security Policies
Matias Korhonen
 
Protecting Web App users in today’s hostile environment
Protecting Web App users in today’s hostile environmentProtecting Web App users in today’s hostile environment
Protecting Web App users in today’s hostile environment
ajitdhumale
 
Future of Web Security Opened up by CSP
Future of Web Security Opened up by CSPFuture of Web Security Opened up by CSP
Future of Web Security Opened up by CSP
Muneaki Nishimura
 
10X More Secure with Content Security Policy
10X More Secure with Content Security Policy10X More Secure with Content Security Policy
10X More Secure with Content Security Policy
chw
 
QA Fest 2016. Per Thorsheim. Website security 101
QA Fest 2016. Per Thorsheim. Website security 101QA Fest 2016. Per Thorsheim. Website security 101
QA Fest 2016. Per Thorsheim. Website security 101
QAFest
 
Securing AWS environments by Ankit Giri
Securing AWS environments by Ankit GiriSecuring AWS environments by Ankit Giri
Securing AWS environments by Ankit Giri
OWASP Delhi
 
On demand video_streaming_apps_and_its_server_side_cloud_infrastructure_at_aws
On demand video_streaming_apps_and_its_server_side_cloud_infrastructure_at_awsOn demand video_streaming_apps_and_its_server_side_cloud_infrastructure_at_aws
On demand video_streaming_apps_and_its_server_side_cloud_infrastructure_at_aws
Sumit Arora
 
Csp and http headers
Csp and http headersCsp and http headers
Csp and http headers
devObjective
 
Csp and http headers
Csp and http headersCsp and http headers
Csp and http headers
ColdFusionConference
 
USENIX CollSec 2010 - Conundrum of Declarative Security in HTTP Response Headers
USENIX CollSec 2010 - Conundrum of Declarative Security in HTTP Response HeadersUSENIX CollSec 2010 - Conundrum of Declarative Security in HTTP Response Headers
USENIX CollSec 2010 - Conundrum of Declarative Security in HTTP Response HeadersAditya K Sood
 

Similar to Content security policy (20)

Content Security Policy (CSP)
Content Security Policy (CSP)Content Security Policy (CSP)
Content Security Policy (CSP)
 
http security response headers for web security
http security response headers for web securityhttp security response headers for web security
http security response headers for web security
 
Analysis of HTTP Security Headers in Turkey
Analysis of HTTP Security Headers in TurkeyAnalysis of HTTP Security Headers in Turkey
Analysis of HTTP Security Headers in Turkey
 
Ignite content security policy
Ignite content security policyIgnite content security policy
Ignite content security policy
 
Web Security - CSP & Web Cryptography
Web Security - CSP & Web CryptographyWeb Security - CSP & Web Cryptography
Web Security - CSP & Web Cryptography
 
List of useful security related http headers
List of useful security related http headersList of useful security related http headers
List of useful security related http headers
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
 
A Practical Guide to Securing Modern Web Applications
A Practical Guide to Securing Modern Web ApplicationsA Practical Guide to Securing Modern Web Applications
A Practical Guide to Securing Modern Web Applications
 
Browser Wars 2019 - Implementing a Content Security Policy
Browser Wars 2019 - Implementing a Content Security PolicyBrowser Wars 2019 - Implementing a Content Security Policy
Browser Wars 2019 - Implementing a Content Security Policy
 
HTTP_Header_Security.pdf
HTTP_Header_Security.pdfHTTP_Header_Security.pdf
HTTP_Header_Security.pdf
 
Rails and Content Security Policies
Rails and Content Security PoliciesRails and Content Security Policies
Rails and Content Security Policies
 
Protecting Web App users in today’s hostile environment
Protecting Web App users in today’s hostile environmentProtecting Web App users in today’s hostile environment
Protecting Web App users in today’s hostile environment
 
Future of Web Security Opened up by CSP
Future of Web Security Opened up by CSPFuture of Web Security Opened up by CSP
Future of Web Security Opened up by CSP
 
10X More Secure with Content Security Policy
10X More Secure with Content Security Policy10X More Secure with Content Security Policy
10X More Secure with Content Security Policy
 
QA Fest 2016. Per Thorsheim. Website security 101
QA Fest 2016. Per Thorsheim. Website security 101QA Fest 2016. Per Thorsheim. Website security 101
QA Fest 2016. Per Thorsheim. Website security 101
 
Securing AWS environments by Ankit Giri
Securing AWS environments by Ankit GiriSecuring AWS environments by Ankit Giri
Securing AWS environments by Ankit Giri
 
On demand video_streaming_apps_and_its_server_side_cloud_infrastructure_at_aws
On demand video_streaming_apps_and_its_server_side_cloud_infrastructure_at_awsOn demand video_streaming_apps_and_its_server_side_cloud_infrastructure_at_aws
On demand video_streaming_apps_and_its_server_side_cloud_infrastructure_at_aws
 
Csp and http headers
Csp and http headersCsp and http headers
Csp and http headers
 
Csp and http headers
Csp and http headersCsp and http headers
Csp and http headers
 
USENIX CollSec 2010 - Conundrum of Declarative Security in HTTP Response Headers
USENIX CollSec 2010 - Conundrum of Declarative Security in HTTP Response HeadersUSENIX CollSec 2010 - Conundrum of Declarative Security in HTTP Response Headers
USENIX CollSec 2010 - Conundrum of Declarative Security in HTTP Response Headers
 

Recently uploaded

Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Vladimir Iglovikov, Ph.D.
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
sonjaschweigert1
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
Neo4j
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
James Anderson
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
Neo4j
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Aggregage
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
Neo4j
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
Zilliz
 
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial ApplicationsLarge Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications
Rohit Gautam
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
Neo4j
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
DianaGray10
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
Neo4j
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
Pierluigi Pugliese
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 

Recently uploaded (20)

Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024

Content security policy

  • 4. CSP is a new addition to the web platform that promises to mitigate the risk of XSS attacks by giving admins control over the data and code allowed to run on their site.  Another layer to a website's defenses: browser-enforced restrictions against external resources or unauthorized scripting.  An extra response header instructs browsers to enforce a policy.  Involves deciding what policies you want to enforce, then configuring them and using X-Content-Security-Policy to establish your policy.
  • 5. CSP: best used as defense-in-depth.  CSP: a declarative policy that lets admins inform the client about the sources from which the application expects to load resources.  Mitigate XSS: an application can declare that it only expects scripts from trusted sources.  Allows the client to detect and block malicious scripts injected into the application by an attacker.
  • 6. Often a non-trivial amount of work is required to apply CSP to an existing web application.  Move all inline scripts and styles out-of-line.
  • 7. Applications opt into using CSP by supplying a Content-Security-Policy HTTP header.  To supply a policy for an entire site, the server needs to supply a policy with each resource representation.
  • 8. You can use the X-Content-Security-Policy HTTP header to specify your policy, like this: X-Content-Security-Policy: policy  The policy is a string containing the policy directives describing your Content Security Policy.
  • 9. Common scenarios when writing your security policy
  • 10. All content to come from the site's own domain, excluding even subdomains. X-Content-Security-Policy: default-src 'self'  Allow content from a trusted domain and all its subdomains. X-Content-Security-Policy: default-src 'self' *.mydomain.com
  • 11. Allow users of a web application to include images from any domain in their custom content, but restrict audio or video media to trusted providers only, and all scripts to a specific server that hosts trusted code. X-Content-Security-Policy: default-src 'self'; img-src *; media-src media1.com media2.com; script-src userscripts.example.com  Content is only permitted from the document's original host, with the following exceptions:  Images may be loaded from anywhere (note the "*" wildcard).  Media is only allowed from media1.com and media2.com (and not from subdomains of those sites).  Executable script is only allowed from userscripts.example.com.
  • 12. Ensure content is loaded using SSL. X-Content-Security-Policy: default-src https://onlinebanking.jumbobank.com  Server only permits access to documents being loaded specifically over HTTPS through the single domain onlinebanking.jumbobank.com.  Allows HTML in email, as well as images loaded from anywhere, but not JavaScript or other potentially dangerous content. X-Content-Security-Policy: default-src 'self' *.mailsite.com; img-src
  • 13. The server delivers the policy to the user agent via an HTTP response header. Content-Security-Policy Header Field  The Content-Security-Policy header field is the preferred mechanism for delivering a CSP policy. "Content-Security-Policy:" 1#policy  A server may send more than one HTTP header field named Content-Security-Policy with a given resource representation.  A server may send different Content-Security-Policy header field values with different representations of the same resource or with different resources.  On receiving an HTTP response containing at least one Content-Security-Policy header field, the user agent enforces each of the policies contained in each such header field.
  • 14. Add header in the web server config:
  • 15. What a CSP-enabled site looks like:
  • 16. Unless explicitly allowed by your policy, inline scripts are not executed:
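The following is an added example, not code from the slides: a small evaluator for the directives the deck uses (default-src, img-src, media-src, script-src) that shows how a browser decides each case above. It matches 'self', '*', scheme-only sources such as https:, exact hosts and *.wildcard hosts, applies the default-src fallback, enforces every delivered header (slide 13: a resource has to pass each policy), and lists the inline script blocks that would not run unless 'unsafe-inline' is present (slide 16). It generalises slightly beyond the slides by handling several headers at once. Hostnames such as media1.com and userscripts.example.com are the slides' own examples; the page URL, resource URLs and HTML snippet in the demo are constructed samples, and ports, paths, nonces and hashes are deliberately out of scope.

```python
"""Added example (not part of the slides): a minimal CSP source-matching
evaluator.  Ports, paths, nonces and hashes are out of scope; hostnames from
the slides are reused, everything else below is a constructed sample."""
import re
from urllib.parse import urlsplit

SCHEME_ONLY = re.compile(r"[a-z][a-z0-9+.-]*:")  # a source such as "https:"
SCRIPT_TAG = re.compile(r"<script(?P<attrs>[^>]*)>(?P<body>.*?)</script>", re.I | re.S)


def parse_policy(header_value):
    """Split one header value into {directive-name: [source expressions]}.

    "default-src 'self'; img-src *" -> {'default-src': ["'self'"], 'img-src': ['*']}
    A directive repeated inside one policy keeps its first occurrence.
    """
    policy = {}
    for directive in header_value.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def _origin(url):
    """(scheme, host) of a URL, lower-cased; the only parts matched here."""
    parts = urlsplit(url)
    return parts.scheme.lower(), (parts.hostname or "").lower()


def _source_matches(source, origin, page_origin):
    """Does a single source expression permit a resource from `origin`?"""
    scheme, host = origin
    if source == "'none'":
        return False
    if source == "'self'":
        return origin == page_origin
    if source == "*":
        return True
    if SCHEME_ONLY.fullmatch(source):
        return scheme == source[:-1]
    # Host source, optionally scheme-qualified: https://bank.example or *.example.com
    parts = urlsplit(source if "://" in source else "//" + source)
    if parts.scheme and parts.scheme.lower() != scheme:
        return False
    pattern = (parts.hostname or "").lower()
    if pattern.startswith("*."):
        # *.mydomain.com covers a.mydomain.com but not mydomain.com itself
        return host.endswith(pattern[1:])
    return host == pattern


def resource_allowed(header_values, directive, resource_url, page_url):
    """True if the resource passes every policy in `header_values`.

    Each policy is checked with the requested directive, falling back to
    default-src when that directive is absent; a policy with neither places
    no restriction on this fetch.
    """
    page_origin, origin = _origin(page_url), _origin(resource_url)
    for header_value in header_values:
        policy = parse_policy(header_value)
        sources = policy.get(directive, policy.get("default-src"))
        if sources is None:
            continue
        if not any(_source_matches(s, origin, page_origin) for s in sources):
            return False
    return True


def blocked_inline_scripts(header_values, html):
    """Bodies of inline <script> blocks that at least one policy refuses.

    Scripts with a src attribute are external and are judged by
    resource_allowed() instead; inline code runs only when script-src (or
    default-src as fallback) lists 'unsafe-inline' in every policy.
    """
    blocked = []
    for match in SCRIPT_TAG.finditer(html):
        if re.search(r"\bsrc\s*=", match.group("attrs"), re.I):
            continue
        for header_value in header_values:
            policy = parse_policy(header_value)
            sources = policy.get("script-src", policy.get("default-src"))
            if sources is not None and "'unsafe-inline'" not in sources:
                blocked.append(match.group("body").strip())
                break
    return blocked


if __name__ == "__main__":
    # Constructed demo using the policy from slide 11.
    policy = ["default-src 'self'; img-src *; media-src media1.com media2.com; "
              "script-src userscripts.example.com"]
    page = "https://www.example.com/index.html"
    print(resource_allowed(policy, "img-src", "https://pics.anywhere.net/a.png", page))  # True
    print(resource_allowed(policy, "script-src", "https://www.example.com/app.js", page))  # False
    html = "<script>document.title = 'hello'</script><script src=/app.js></script>"
    print(blocked_inline_scripts(policy, html))  # ["document.title = 'hello'"]
```

Two details worth noticing when reading the results: with the slide 11 policy, a script served from the site's own origin is refused, because script-src replaces default-src rather than extending it, so 'self' has to be repeated there if first-party scripts are wanted; and when two Content-Security-Policy headers arrive, a resource is only loaded if both agree, which is why adding a second, stricter header can only ever narrow what is allowed.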
  • 17. Content-Security-Policy: defined by the W3C spec as the standard header.  X-Content-Security-Policy: used by Firefox and Internet Explorer.  X-WebKit-CSP: used by Chrome.
  • 18. The DEFCON Hacking Conference is using CSP (x-content-security-policy: default-src 'self').
  • 19. Facebook has started using CSP [x-webkit-csp].