A presentation on Content Security Policy by Austin Gil, presented for Advanced WordPress San Diego: what it is, who it's for, and how to implement it on your website.
More from Austin Gil at https://stegosource.com
2. What is it?
“Content Security Policy (CSP) is a computer security standard introduced to prevent
cross-site scripting (XSS), clickjacking and other code injection attacks resulting from
execution of malicious content in the trusted web page context. [...] CSP provides a
standard method for website owners to declare approved origins of content that browsers
should be allowed to load on that website—covered types are JavaScript, CSS, HTML
frames, web workers, fonts, images, embeddable objects such as Java applets, ActiveX,
audio and video files, and other HTML5 features.”
- https://en.wikipedia.org/wiki/Content_Security_Policy
3. How does it work?
Applied in the Content-Security-Policy HTTP header (more on HTTP headers).
With it, you can create a whitelist of trusted content sources.
Because CSP is delivered in the HTTP response headers, the browser has the policy before it starts parsing the page, so the protection applies early on.
4. What does it look like?
The Content-Security-Policy is defined in the HTTP headers and is provided with
directives and their respective sources.
HTTP Headers:
Response Headers
...
Content-Security-Policy: <directive> <source list>; <directive> <source list>;
...
Directives can list multiple sources.
5. What are directives?
Directives define the rules the browser must follow for various types of resources.
The main ones we will most often work with are:
default-src, script-src, style-src, img-src, font-src
But there’s plenty more...
base-uri, frame-src, object-src, media-src, connect-src, form-action,
frame-ancestors, child-src, plugin-types, upgrade-insecure-requests, worker-src,
sandbox
6. What are source lists?
Source lists are sets of strings which identify content that can be fetched and
potentially embedded or executed. For example, you may load styles from your site,
and fonts from Google.
Sources can follow various formats:
● example.com - Allows resources from the specified domain name.
● *.example.com - Allows resources from any subdomain under example.com.
● https://cdn.com - Only resources over HTTPS matching the given domain.
● https: - Allows loading resources only over HTTPS on any domain.
● data: - Allows resources via the data scheme (e.g. Base64 encoded images).
7. What is ‘self’ all about?
Special keywords can be used instead of URLs.
● *
● 'self'
● 'unsafe-inline'
● 'unsafe-eval'
● 'strict-dynamic'
● 'none'
● 'nonce-'
● 'sha256-'
More on these here: https://content-security-policy.com/
8. How do I implement it?
● With the .htaccess file:
<IfModule mod_headers.c>
Header set Content-Security-Policy "default-src 'self'; ..."
</IfModule>
● With PHP (must happen before any other content):
header("Content-Security-Policy: default-src 'self'; ...");
● With a <meta> tag (not recommended):
<meta http-equiv="Content-Security-Policy" content="default-src 'self'">
● With a plugin (yay!): HTTP Headers or WP Content Security Policy Plugin
9. Will it break anything?
Quite possibly, yes.
Luckily there is the Content-Security-Policy-Report-Only header.
Allows you to test your CSP without enforcing it.
Format is the same as the Content-Security-Policy header.
10. How can I test it?
Examine your HTTP headers in browser dev tools.
Observatory by Mozilla
csp-evaluator.withgoogle.com
11. Workshop Time…
Work on an “it’s ok if I break something” website please
Install WP Plugin: https://wordpress.org/plugins/wp-content-security-policy/
Disable any caching
Testing tool: https://observatory.mozilla.org/
12. The final verdict...
CSP is an optional added layer of security.
This comes at the cost of possibly breaking things, and making debugging more
difficult.
Most sites probably won’t see benefits outweigh the costs.
However, it could be a great fit for:
● Banks, government sites, or government-funded institutions.
● Larger organizations with security as a top priority.
● Organizations at higher risk of targeted attacks.
● Recently hacked websites.