CSP: The good, the bad, and the ugly
Content Security Policy (CSP) is a powerful and complex standard that allows you to bring an additional level of security to your web applications. Ilya Nesterov outlines the not-so-obvious things that lead to weak CSP, illustrates typical mistakes in CSP, based on the Alexa top 1 million sites, and explains how you can build strict CSP in your own projects.
| Talk Title | CSP: The good, the bad, and the ugly |
| Speakers | Ilya Nesterov (Shape Security) |
| Conference | O’Reilly Fluent Conference |
| Conf Tag | The Web Platform in Practice |
| Location | San Jose, California |
| Date | June 20-22, 2017 |
| URL | Talk Page |
| Slides | Talk Slides |
| Video | |
The W3C Web Application Security workgroup worked hard to establish new standards to improve web application security, such as CORS, SRI, HSTS, and HPKP. The most complicated standard is Content Security Policy (CSP), which is so complex that web application developers and DevOps teams can easily get lost when attempting to integrate it. Ilya Nesterov helps you figure out where to start, how to do it, and which issues you might face when you want to add CSP to your web application. You’ll learn the key differences between CSP levels 1, 2 and 3, what secure CSP means, and how to build it. Ilya also discusses how to create production-ready, backward-compatible policy. Ilya explores how the Alexa top 1 million websites have adopted CSP and show interesting patterns discovered among their policies, as well as typical mistakes and strategies to fix them. Ilya concludes with an examination of available tools and frameworks and a glimpse at the tools and frameworks we need to build to efficiently deploy CSP.
![Real Security for Services on Kubernetes [I]](/2017/images/all/lf_huffc03acb4b89c823f315cae16e4b2e6b_29065_700x350_resize_q75_box.jpg)
