Ignite content security policy
Content Security Policy
Hugo Groeneveld
https://nl.linkedin.com/in/hugogroeneveld
Content Security Policy (CSP) is a computer security standard introduced to prevent cross-site
scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious
content in the trusted web page context.[1] It is a Candidate Recommendation of the W3C working group
on Web Application Security,[2] widely supported by the modern web browsers.[3] CSP provides a
standard method for website owners to declare approved origins of content that browsers should be
allowed to load on that website — covered types are JavaScript, CSS, HTML frames, web
workers, fonts, images, embeddable objects such as Java applets, ActiveX, audio and video files, and
other HTML5 features.
Header: Content-Security-Policy
base-uri restricts the URLs that can appear in a page’s <base> element.
child-src lists the URLs for workers and embedded frame contents. For example: child-src https://youtube.com would enable embedding videos from YouTube but not from other origins. Use this in place of the deprecated frame-src directive.
connect-src limits the origins to which you can connect (via XHR, WebSockets, and EventSource).
font-src specifies the origins that can serve web fonts. Google’s Web Fonts could be enabled via font-src https://themes.googleusercontent.com
form-action lists valid endpoints for submission from <form> tags.
frame-ancestors specifies the sources that can embed the current page. This directive applies to <frame>, <iframe>, <embed>, and <applet> tags. This directive can’t be used in <meta> tags and applies only to non-HTML resources.
frame-src is deprecated; use child-src instead.
img-src defines the origins from which images can be loaded.
media-src restricts the origins allowed to deliver video and audio.
object-src allows control over Flash and other plugins.
plugin-types limits the kinds of plugins a page may invoke.
report-uri specifies a URL where a browser will send reports when a content security policy is violated. This directive can’t be used in <meta> tags.
style-src is script-src’s counterpart for stylesheets.
upgrade-insecure-requests instructs user agents to rewrite URL schemes, changing HTTP to HTTPS. This directive is for web sites with large numbers of old URLs that need to be rewritten.
default-src
Content-Security-Policy: script-src 'self' 'nonce-$RANDOM';
<script nonce="$RANDOM">...</script>
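The nonce pattern above only works if the server mints a fresh, unguessable nonce for every response, puts the same value in both the header and the script tag, and has somewhere to receive the report-uri POSTs. The following Python is an added example that is not part of the slides: it builds a header from the directives listed earlier (the googleusercontent font origin and the youtube child-src origin are the slides' own; the /csp-report path, the .example hostnames and the sample reports are constructed placeholders), renders the matching script tag, and triages violation reports by violated directive and blocked URI.

```python
import base64
import json
import secrets
from collections import Counter
from typing import Dict, Iterable, List, Tuple


def make_nonce(n_bytes: int = 16) -> str:
    """Return a fresh nonce for one HTTP response.

    CSP nonces are base64 text; 128 bits from the OS CSPRNG is the usual size.
    Generate a new one per response and never reuse it.
    """
    return base64.b64encode(secrets.token_bytes(n_bytes)).decode("ascii")


def build_csp(directives: Dict[str, List[str]]) -> str:
    """Serialise a directive -> source-list map into a header value.

    Directives are joined with "; "; value-less directives such as
    upgrade-insecure-requests are emitted as the bare name.
    """
    return "; ".join(" ".join([name, *values]) for name, values in directives.items())


def policy_for_response(nonce: str, report_uri: str = "/csp-report") -> str:
    """Nonce-based policy using the directives the slides describe.

    The report-uri path is an assumed placeholder for the site's own endpoint.
    """
    directives = {
        "default-src": ["'self'"],
        "script-src": ["'self'", f"'nonce-{nonce}'"],
        "style-src": ["'self'"],
        "font-src": ["https://themes.googleusercontent.com"],
        "child-src": ["https://youtube.com"],
        "object-src": ["'none'"],
        "base-uri": ["'self'"],
        "form-action": ["'self'"],
        "frame-ancestors": ["'none'"],
        "upgrade-insecure-requests": [],
        "report-uri": [report_uri],
    }
    return build_csp(directives)


def render_inline_script(nonce: str, js: str) -> str:
    """Emit the <script nonce="..."> tag that the policy above lets run."""
    return f'<script nonce="{nonce}">{js}</script>'


def parse_violation_report(body: bytes) -> Dict[str, str]:
    """Pull the triage-relevant fields out of one report-uri POST body.

    Browsers POST JSON with a single "csp-report" object; the keys read here
    are the ones defined for that object.
    """
    report = json.loads(body)["csp-report"]
    return {
        "document": report.get("document-uri", ""),
        "directive": report.get("violated-directive", ""),
        "blocked": report.get("blocked-uri", ""),
        "source": report.get("source-file", ""),
    }


def triage_reports(bodies: Iterable[bytes]) -> Dict[Tuple[str, str], int]:
    """Count reports per (violated directive, blocked URI).

    A cluster of "inline" blocks on script-src usually means a script tag
    shipped without the nonce; a single unexpected external origin deserves
    a closer look.
    """
    counts: Counter = Counter()
    for body in bodies:
        r = parse_violation_report(body)
        counts[(r["directive"], r["blocked"])] += 1
    return dict(counts)


def _report(blocked: str, source: str) -> bytes:
    # Constructed sample in the report-uri JSON shape, not captured from a browser.
    return json.dumps({"csp-report": {
        "document-uri": "https://app.example/checkout",
        "violated-directive": "script-src",
        "effective-directive": "script-src",
        "blocked-uri": blocked,
        "original-policy": policy_for_response("constructed"),
        "source-file": source,
    }}).encode()


SAMPLE_REPORTS = [
    _report("inline", "https://app.example/checkout"),
    _report("inline", "https://app.example/checkout"),
    _report("https://cdn-third-party.example/widget.js", "https://app.example/checkout"),
]

if __name__ == "__main__":
    nonce = make_nonce()
    print("Content-Security-Policy:", policy_for_response(nonce))
    print(render_inline_script(nonce, "init();"))
    print(triage_reports(SAMPLE_REPORTS))
```

Start with Content-Security-Policy-Report-Only carrying the same value so the triage output shows what would break before the policy is enforced; the report endpoint itself should be rate-limited and must not trust the report body, since any client can POST to it.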