Ignite content security policy
•Transferir como PPTX, PDF•
0 gostou•161 visualizações
5 minute ignite about securingyour users by implementing browser restrictions.
Recomendados
Mais conteúdo relacionado
Destaque
Semelhante a Ignite content security policy
Semelhante a Ignite content security policy (20)
Mais de jstack
Último
Último (20)
Ignite content security policy
- 2. Content Security Policy https://nl.linkedin.com/in/hugogroeneveld Hugo Groeneveld https://nl.linkedin.com/in/hugogroeneveldPublic Profile https://nl.linkedin.com/in/hugogroeneveldPublic Profile https://nl.linkedin.com/in/hugogroeneveld
- 8. Content Security Policy (CSP) is a computer security standard introduced to prevent cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context.[1] It is a Candidate Recommendation of the W3C working group on Web Application Security,[2] widely supported by the modern web browsers.[3] CSP provides a standard method for website owners to declare approved origins of content that browsers should be allowed to load on that website — covered types are JavaScript, CSS, HTML frames, web workers, fonts, images, embeddable objects such as Java applets, ActiveX, audio and video files, and other HTML5 features.
- 9. Header: Content-Security-Policy base-uri restricts the URLs that can appear in a page’s <base> element. child-src lists the URLs for workers and embedded frame contents. For example: child-src https://youtube.com would enable embedding videos from YouTube but not from other origins. Use this in place of the deprecated frame-src directive. connect-src limits the origins to which you can connect (via XHR, WebSockets, and EventSource). font-src specifies the origins that can serve web fonts. Google’s Web Fonts could be enabled via font-src https://themes.googleusercontent.com
- 10. Header: Content-Security-Policy form-action lists valid endpoints for submission from <form> tags. frame-ancestors specifies the sources that can embed the current page. This directive applies to <frame>, <iframe>, <embed>, and <applet> tags. This directive can’t be used in <meta> tags and applies only to non-HTML resources. frame-src deprecated. Use child-src instead. img-src defines the origins from which images can be loaded. media-src restricts the origins allowed to deliver video and audio. object-src allows control over Flash and other plugins.
- 11. Header: Content-Security-Policy plugin-types limits the kinds of plugins a page may invoke. report-uri specifies a URL where a browser will send reports when a content security policy is violated. This directive can’t be used in <meta> tags. style-src is script-src’s counterpart for stylesheets. upgrade-insecure-requests Instructs user agents to rewrite URL schemes, changing HTTP to HTTPS. This directive is for web sites with large numbers of old URLs that need to be rewritten.
- 15. report-uri specifies a URL where a browser will send reports when a content security policy is violated. This directive can’t be used in <meta> tags.
- 16. report-uri specifies a URL where a browser will send reports when a content security policy is violated. This directive can’t be used in <meta> tags.
- 18. Content-Security-Policy: script-src 'self' 'nonce-$RANDOM'; <script nonce="$RANDOM">...</script>
- 19. Content-Security-Policy: script-src 'self' 'nonce-$RANDOM'; <script nonce="$RANDOM">...</script>