December 10, 2019


CSP: The good, the bad, and the ugly


Content Security Policy (CSP) is a powerful and complex standard that allows you to bring an additional level of security to your web applications. Ilya Nesterov outlines the not-so-obvious things that lead to weak CSP, illustrates typical mistakes in CSP, based on the Alexa top 1 million sites, and explains how you can build strict CSP in your own projects.

Talk Title: CSP: The good, the bad, and the ugly
Speakers: Ilya Nesterov (Shape Security)
Conference: O’Reilly Fluent Conference
Conf Tag: The Web Platform in Practice
Location: San Jose, California
Date: June 20-22, 2017

The W3C Web Application Security workgroup worked hard to establish new standards to improve web application security, such as CORS, SRI, HSTS, and HPKP. The most complicated standard is Content Security Policy (CSP), which is so complex that web application developers and DevOps teams can easily get lost when attempting to integrate it. Ilya Nesterov helps you figure out where to start, how to do it, and which issues you might face when you want to add CSP to your web application. You’ll learn the key differences between CSP levels 1, 2, and 3, what secure CSP means, and how to build it. Ilya also discusses how to create a production-ready, backward-compatible policy. Ilya explores how the Alexa top 1 million websites have adopted CSP and shows interesting patterns discovered among their policies, as well as typical mistakes and strategies to fix them. Ilya concludes with an examination of available tools and frameworks and a glimpse at the tools and frameworks we need to build to efficiently deploy CSP.
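Added example, not from the talk or its slides: a small policy linter that flags the common weaknesses a strict CSP avoids, shown against a constructed weak policy and a constructed nonce-based strict one. The rule set is an assumption drawn from general CSP guidance, not the talk's own checklist.

```python
# Added example, not from the talk: a small linter for a Content-Security-Policy
# header value. The weakness rules are assumptions based on common CSP guidance.

UNSAFE_SCHEMES = ("http:", "https:", "data:", "*")
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

def parse_csp(policy):
    """Split a policy into {directive: [source tokens]}; per the spec, when a
    directive is repeated the first occurrence wins and later ones are ignored."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in directives:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def lint_csp(policy):
    """Return a list of weakness descriptions (an empty list means no finding)."""
    d = parse_csp(policy)
    findings = []
    script = d.get("script-src", d.get("default-src"))  # script-src falls back to default-src
    if script is None:
        findings.append("no script-src or default-src: script loading is unrestricted")
    else:
        strict_dynamic = "'strict-dynamic'" in script
        nonce_or_hash = any(s.startswith(NONCE_OR_HASH) for s in script)
        # Browsers ignore 'unsafe-inline' once a nonce or hash is present, so it is
        # only a weakness when it is the sole thing permitting inline script.
        if "'unsafe-inline'" in script and not nonce_or_hash:
            findings.append("inline script allowed via 'unsafe-inline' with no nonce or hash")
        if "'unsafe-eval'" in script:
            findings.append("'unsafe-eval' permits eval()-style code execution")
        # Host and scheme sources are ignored when 'strict-dynamic' is in effect,
        # so wildcards only matter in a policy that still relies on allow-lists.
        if not strict_dynamic and any(s in UNSAFE_SCHEMES or s.startswith("*.") for s in script):
            findings.append("script allow-list contains a wildcard or bare scheme")
    # object-src falls back to default-src; base-uri has no fallback at all.
    if d.get("object-src", d.get("default-src", [])) != ["'none'"]:
        findings.append("object-src is not 'none': plugin content can load")
    if "base-uri" not in d:
        findings.append("base-uri missing: an injected <base> tag can redirect relative URLs")
    return findings

# Constructed sample policies: a typical weak policy beside a strict, nonce-based one.
WEAK_CSP = "default-src * 'unsafe-inline' 'unsafe-eval'"
STRICT_CSP = ("script-src 'nonce-9xbq2' 'strict-dynamic' https: 'unsafe-inline'; "
              "object-src 'none'; base-uri 'none'")

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_CSP), ("strict", STRICT_CSP)):
        print(name, lint_csp(policy) or ["no findings"])
```

The strict policy keeps `https:` and `'unsafe-inline'` only as fallbacks for browsers without CSP level 3 support; a CSP3 browser ignores both once `'strict-dynamic'` and the nonce are present.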
