11/11/2015 Secure Coding Guidelines for Content Security Policy | GnuDeveloper.com
http://www.gnudeveloper.com/cyber_security/secure_coding_guidelines_for_content_security_policy.html 1/4
Secure Coding Guidelines for Content Security Policy
Submitted by vivekanandan on Wed, 11/04/2015 - 23:23
Content Security Policy (CSP) is the key browser-side control for limiting Cross-site scripting (XSS), the most common injection attack. "Content" means the resources a page loads: JavaScript, images, stylesheets and so on. CSP is a second line of defence, not a replacement for output encoding and input validation on the server. To use it you need to understand the same-origin policy and what counts as a cross-origin resource.
Why we need Content Security Policy:
The server has to state explicitly which origins are trusted for each kind of resource (JavaScript, images, etc.) so that the browser can enforce that list and refuse anything else. Because browser and server are independent, the server sends the policy with each page in the Content-Security-Policy HTTP response header; a page served without that header is unrestricted and will load scripts from any origin.
Secure coding guidelines for CSP:
1. Keep all JavaScript in separate .js files served from your own origin; do not use inline <script> blocks.
2. Bind event handlers from script rather than with inline attributes (onclick="...") or javascript: URLs, so that HTML and JavaScript stay cleanly separated. Both inline forms are blocked by a script-src without 'unsafe-inline'. JavaScript frameworks such as jQuery support this directly; example for a button click event in jQuery: $("#btnClick").click(function() { ... });
3. If a legacy project still has inline JavaScript, tag each inline block with a per-response nonce (script-src 'nonce-<value>' in the header, nonce="<value>" on the tag) instead of enabling 'unsafe-inline', which switches the XSS protection for scripts off entirely. The nonce must be unpredictable and freshly generated for every response. Treat the inline code as technical debt and move it into files as soon as possible.
4. Avoid eval() in JavaScript code; CSP blocks it unless the policy carries 'unsafe-eval'.
5. Avoid passing strings to setTimeout(), setInterval() or new Function(): a string argument is compiled like eval and blocked the same way. Passing a function reference is fine.
6. Keep CSS in separate files: inline <style> blocks and style="" attributes need 'unsafe-inline' in style-src (or a nonce or hash for <style> blocks) to work at all.
Same-origin policy (SOP):
The browser derives a page's origin from three parts of its URL:
http://www.gnudeveloper.com:80/
Protocol (scheme): http
Host: www.gnudeveloper.com
Port: 80 (the default for http, so it is usually omitted; https defaults to 443)
Two URLs that agree on all three parts are same-origin; if any part differs (http versus https, www.gnudeveloper.com versus gnudeveloper.com, port 80 versus 8080) the resource is cross-origin. In a CSP source list the keyword 'self' stands for the origin of the document itself:
   script-src 'self' ;
Cross-origin resources:
Content that comes from any origin other than the page's own. This is not the same thing as Cross-Origin Resource Sharing (CORS): CORS lets a server opt in to having its responses read by scripts on other origins, whereas CSP lets a server restrict where its own page may load resources from. Without a CSP header every browser, Firefox included, loads scripts, images and styles from any origin, which is exactly what an injected <script> tag pointing at an attacker's host relies on. To allow every host in a directive, use the asterisk:
   script-src * ;
For script-src this is almost as weak as having no policy, since an attacker can host the payload anywhere; list the specific origins the page actually uses instead.
CSP violations are reported in the browser console. With 'self' as the only source, images and scripts must come from the page's own origin (gnudeveloper.com in this test), so loading the logo from infotree.in and jQuery from code.jquery.com produced these messages:

Content Security Policy: The page's settings blocked the loading of a resource at infotree.in/themes/bartik/logo.png ("img-src gnudeveloper.com").
Content Security Policy: The page's settings blocked the loading of a resource at code.jquery.com/jquery-1.9.1.js ("script-src gnudeveloper.com 'unsa
The policy also did not permit eval (the test used the pre-standard "options eval-script" syntax; in standard CSP the equivalent is 'unsafe-eval' in script-src), so the browser blocked the call:
call to eval() or related function blocked by CSP
Note: setTimeout(function, delay) with a function argument is still allowed; only the string form setTimeout("code", delay) is treated like eval and blocked, as are setInterval with a string argument and new Function().
Firefox has no built-in default CSP; with no header a page is unrestricted. The policy in effect for the Firefox test was:
  default-src *; script-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'
Output: HTTP header response. The "options inline-script eval-script" and "xhr-src" tokens are pre-standard X-Content-Security-Policy syntax that standard CSP parsers ignore (connect-src is the standard replacement for xhr-src). Note also that a bare sandbox directive applies every sandbox restriction, including blocking script execution and form submission, so a real deployment would need flags such as allow-scripts and allow-forms.
  HTTP/1.1 304 Not Modified
  Server: Apache-Coyote/1.1
  Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-inline'; options inline-script eval-script; xhr-src 'self'; object-src 'self'; style-src 'self'; img-src 'self'; form-action 'self'; connect-src 'self'; frame-src 'self'; sandbox; frame-ancestors 'self'
  ETag: W/"268381-1446607260430"
  Date: Sun, 08 Nov 2015 01:32:04 GMT
ContentSecurityPolicyFilter.java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

/**
 * Servlet filter that adds the Content-Security-Policy header to every
 * response. The policy string is built once in init() and reused.
 */
@WebFilter("/*")
public class ContentSecurityPolicyFilter implements Filter {

  /** Filter configuration (kept for completeness; not used by this filter) */
  private FilterConfig filterConfig = null;

  /** Header names to set: the standard one plus the legacy vendor-prefixed ones */
  private final List<String> cspHeaders = new ArrayList<String>();

  /** Serialized policy applied to each HTTP response */
  private String policies = null;

  /**
   * Prepares (once, for all requests) the set of CSP directives that will be
   * applied on each HTTP response.
   *
   * @see javax.servlet.Filter#init(javax.servlet.FilterConfig)
   */
  @Override
  public void init(FilterConfig fConfig) throws ServletException {
    this.filterConfig = fConfig;

    // Standard header first. X-Content-Security-Policy (old Firefox, IE10) and
    // X-WebKit-CSP (old Chrome/Safari) are pre-standard names kept only for
    // browsers of that era; current browsers read just the standard name.
    this.cspHeaders.add("Content-Security-Policy");
    this.cspHeaders.add("X-Content-Security-Policy");
    this.cspHeaders.add("X-WebKit-CSP");

    // Framing (frame-src, frame-ancestors) and sandbox directives are not set
    // here: whether the application is ever framed must be decided per
    // deployment and added to this list accordingly.
    List<String> cspPolicies = new ArrayList<String>();
    String originSOPRef = "'self'";   // the page's own origin only

    // Deny everything that is not explicitly allowed below
    cspPolicies.add("default-src 'none'");
    // 'unsafe-inline' is kept only for legacy inline scripts. It switches the
    // XSS protection for script-src off and should be replaced by nonces.
    cspPolicies.add("script-src " + originSOPRef + " 'unsafe-inline'");
    // Styles (CSS)
    cspPolicies.add("style-src " + originSOPRef);
    // Images
    cspPolicies.add("img-src " + originSOPRef);
    // Form submission targets
    cspPolicies.add("form-action " + originSOPRef);
    // XMLHttpRequest, fetch and WebSocket connections
    cspPolicies.add("connect-src " + originSOPRef);

    // Serialize as "directive; directive; ..."
    this.policies = String.join("; ", cspPolicies);
  }

  @Override
  public void doFilter(ServletRequest request, ServletResponse response,
      FilterChain fchain) throws IOException, ServletException {
    HttpServletResponse httpResponse = (HttpServletResponse) response;

    // Set the policy under every header name. This happens before the chain
    // runs, so a servlet further down can still override it if it must.
    for (String header : this.cspHeaders) {
      httpResponse.setHeader(header, this.policies);
    }

    // Let the request continue down the filter chain
    fchain.doFilter(request, response);
  }

  @Override
  public void destroy() {
    this.filterConfig = null;
  }
}
Source Code Download :
ContentSecurityPolicyFilter.java
CSPFilter.war