Content Security Policy (CSP) is an additional layer of security that you can add to your websites to protect your users from XSS attacks, yet it is used by only about 2% of websites. This presentation was given at WordCamp Europe 2018 and explains the threats posed to website visitors, how CSP can help, and how it works. #wceu
11. 3 types of XSS
• Persistent (stored): the payload originates in the database, e.g. a script injected through a comment form and then served to every visitor who views the page
• Reflected: the payload originates in the victim's own request and is echoed back in the response, e.g.
  http://www.goodsite.com/search?keyword=<script>...</script>
• DOM-based: the payload is injected into client-side code (not server-side) and is executed after the page has loaded
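The reflected case above, as an added example that is not part of the talk: a search page that reads the keyword from a request URL shaped like the one on the slide, once rendered unsafely and once with HTML escaping. The function names and the attack URL are hypothetical.

```javascript
// Added example (not from the talk): a reflected-XSS search page, vulnerable
// and hardened, driven by a request URL in the shape shown on the slide.

// Escape the five characters that let attacker input break out of HTML text
// or attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// The server reads ?keyword= from the request URL, as a search page would.
function keywordFromRequest(requestUrl) {
  return new URL(requestUrl).searchParams.get('keyword') ?? '';
}

// VULNERABLE: the attacker-controlled keyword is concatenated straight into
// markup, so <script>...</script> in the request becomes a script element in
// the response and runs in the victim's browser.
function renderSearchVulnerable(requestUrl) {
  const keyword = keywordFromRequest(requestUrl);
  return `<h1>Results for ${keyword}</h1>`;
}

// HARDENED: the keyword is HTML-escaped before it is placed in the page body,
// so the browser displays the text "<script>" instead of executing it.
function renderSearchSafe(requestUrl) {
  const keyword = keywordFromRequest(requestUrl);
  return `<h1>Results for ${escapeHtml(keyword)}</h1>`;
}

// Constructed attack URL (hypothetical) in the shape of the slide's example.
const attackUrl = 'http://www.goodsite.com/search?keyword=' +
  encodeURIComponent('<script>alert(document.cookie)</script>');

console.log(renderSearchVulnerable(attackUrl));
console.log(renderSearchSafe(attackUrl));
```

Escaping fixes the bug at its source; CSP is the extra layer for the day escaping is missed: with a script-src that does not contain 'unsafe-inline', the injected inline script in the vulnerable output is blocked by the browser even though the markup is wrong.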
26. CSP Syntax
Directives
Strings specifying the type of resource, taken from a predefined list:
• font-src
• frame-src
• img-src
• media-src
• object-src
• script-src
• style-src
Source expressions
Patterns describing one or more servers that resources can be downloaded from:
• https://website.com (a specific origin)
• 'none' (block this resource type entirely)
• 'self' (the page's own origin)
• * (any host; does not match data: or blob: URLs)
• 'unsafe-inline' (allow inline scripts and styles; this re-enables most XSS, so avoid it)
• 'unsafe-eval' (allow eval() and similar string-to-code calls)
A policy is a semicolon-separated list of directives, each followed by its source expressions, sent in the Content-Security-Policy response header.
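To show how the directives and source expressions above are actually evaluated, here is an added example (not code from the talk): a minimal CSP evaluator that parses a policy string and decides whether a given resource load is permitted. It goes slightly beyond the slide by using default-src as the fallback directive, as browsers do; paths, nonces and hashes are not handled, and the policy, page origin and resource URLs are constructed for the demonstration.

```javascript
// Added example (not from the talk): a minimal CSP evaluator. It supports host
// sources, 'self', 'none' and *; 'unsafe-inline' and 'unsafe-eval' describe
// inline/eval behaviour and never match a URL. default-src is used as the
// fallback directive (as browsers do). Paths and nonces are not handled.

// "script-src 'self' https://cdn.example.com; img-src *" ->
// { 'script-src': ["'self'", 'https://cdn.example.com'], 'img-src': ['*'] }
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (!name) continue;
    const key = name.toLowerCase();
    // Browsers honour the first occurrence of a directive and ignore repeats.
    if (!(key in directives)) directives[key] = sources;
  }
  return directives;
}

// Does one source expression match the resource URL? pageOrigin is the origin
// of the document carrying the policy (needed for 'self' and scheme defaults).
function sourceMatches(expr, resourceUrl, pageOrigin) {
  const url = new URL(resourceUrl);
  const page = new URL(pageOrigin);
  switch (expr) {
    case "'none'": return false;
    case "'self'": return url.origin === page.origin;
    case '*':
      // Bare * matches any network scheme, but not data:, blob: or filesystem:.
      return ['http:', 'https:', 'ws:', 'wss:'].includes(url.protocol);
    case "'unsafe-inline'":
    case "'unsafe-eval'":
      return false;
  }
  // Host source: [scheme://][*.]host[:port|:*]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d+|\*))?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;

  // Scheme: an explicit scheme must match; a scheme-less source inherits the
  // page's scheme, and http: may be upgraded to https: but never the reverse.
  const wantScheme = scheme ? `${scheme.toLowerCase()}:` : page.protocol;
  if (url.protocol !== wantScheme && !(wantScheme === 'http:' && url.protocol === 'https:')) return false;

  // Host: exact match, or any subdomain when the source starts with "*.".
  const h = url.hostname.toLowerCase(), want = host.toLowerCase();
  if (wildcard ? !h.endsWith(`.${want}`) : h !== want) return false;

  // Port: ":*" matches any port, an explicit port must match exactly, and no
  // port in the source means the URL must use the scheme's default port.
  if (port === '*') return true;
  if (port === undefined) return url.port === '';
  return (url.port || (url.protocol === 'https:' || url.protocol === 'wss:' ? '443' : '80')) === port;
}

// Is a load of resourceUrl for the given directive allowed by policy?
function isAllowed(policy, directive, resourceUrl, pageOrigin) {
  const directives = parsePolicy(policy);
  const sources = directives[directive] ?? directives['default-src'];
  if (sources === undefined) return true; // nothing governs this type: unrestricted
  return sources.some((src) => sourceMatches(src, resourceUrl, pageOrigin));
}

// Constructed policy (hypothetical) written in the syntax from the slide.
const policy = "default-src 'self'; script-src 'self' https://cdn.example.com; img-src *; object-src 'none'";
const page = 'https://www.goodsite.com';
for (const [dir, res] of [
  ['script-src', 'https://cdn.example.com/lib.js'],
  ['script-src', 'https://evil.example.net/x.js'],
  ['img-src', 'data:image/png;base64,AAAA'],
  ['style-src', 'https://cdn.example.com/a.css'],
]) {
  console.log(dir, res, isAllowed(policy, dir, res, page) ? 'ALLOWED' : 'BLOCKED');
}
```

Two things worth noticing when you run it: the style-src load from the CDN is blocked because no style-src is set and default-src 'self' takes over, and the data: image is blocked even under img-src * because the bare wildcard covers only network schemes.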
60. Media credits
• Browser icon: Icons made by Freepik from Flaticon, licensed under Creative Commons BY 3.0
• JS icons: Icons made by Vectors Market from Flaticon, licensed under Creative Commons BY 3.0
• CSS icon: Icons made by Freepik from Flaticon, licensed under Creative Commons BY 3.0
• Font icon: Icons made by Dave Gandy from Flaticon, licensed under Creative Commons BY 3.0
• Image icon: Icons made by Smashicons from Flaticon, licensed under Creative Commons BY 3.0
• Grumpy Sheep: https://pixabay.com/en/sheep-grumpy-animal-humor-funny-2825100/
• Frustrated filmmaker: https://pixabay.com/en/filmmaker-youtuber-screenwriter-2838945/
• Pile of bitcoin: https://pixabay.com/en/bitcoin-crypto-virtual-money-3024279/
• Snail: https://pixabay.com/en/snail-rainy-day-spring-animal-slow-3385348/
• Cryptomining guy: https://pixabay.com/en/bitcoin-mining-crypto-currency-2714192/
• Smiley icon: Icons made by Roundicons from Flaticon, licensed under Creative Commons BY 3.0
• Tools: https://pixabay.com/en/tools-vintage-woodworking-saw-1209764/