Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Content Security Policy 101 - Lightning Talk
Search
Sponsored
·
SiteGround - Reliable hosting with speed, security, and support you can count on.
→
Christoph Rumpel
April 24, 2018
Technology
120
1
Share
Content Security Policy 101 - Lightning Talk
This is a 5min talk version of Content Security Policy 101 talk.
Christoph Rumpel
April 24, 2018
More Decks by Christoph Rumpel
See All by Christoph Rumpel
How To Manage 5000+ Tests Efficiently
christophrumpel
0
130
Christoph Dreams Of Simple Code (Laravel Vienna Meetup)
christophrumpel
0
190
Why Refactoring Is The Best Tool To Write Better Code
christophrumpel
0
590
Debugging with PhpStorm & XDebug
christophrumpel
0
290
The final Laravel Service Container talk (Laracon Online)
christophrumpel
1
810
NomadPHP - The Laravel Core - Demystify The Beast
christophrumpel
0
180
Laravel Factories Reloaded (Laracon Online)
christophrumpel
1
330
The Beauty of Laravel's Notification System (Laracon EU Amsterdam)
christophrumpel
0
270
The Laravel Core - Demystify The Beast (New York)
christophrumpel
0
240
Other Decks in Technology
See All in Technology
クラウドからエッジまで ~ 1,700台を支える監視設計~
optfit
0
110
クラウドネイティブ DB はいかにして制約を 克服したか? 〜進化歴史から紐解く、スケーラブルアーキテクチャ設計指針〜
hacomono
PRO
6
1.1k
インプロセスQAのための要因から捉えるプロジェクトリスクマネジメントnano #1 開発リソース効率状態への対処 #jasstnano
barus_qa
0
190
20260515 ログイン機能だけではないアカウント管理を全体で考える~サービス設計者向け~
oidfj
1
810
分断された OT と IT を繋ぐ架け橋 -Kubernetes が切り拓く 産業用組み込み製品の現在地 -
yudaiono
1
120
Every Conversation Counts
kawaguti
PRO
0
260
業務に残された「良くない型」で考える「TypeScriptの難しさ」
sajikix
2
520
そのSLO 99.9%、本当に必要ですか? 〜優先度付きSLOによる責任共有の設計思想〜 / Is that 99.9% SLO really necessary? Design philosophy of shared responsibility through prioritized SLOs
vtryo
0
830
なぜ、IAMロールのプリンシパルに*による部分マッチングが使えないのか? / 20260518-ssmjp-iam-role-principal
opelab
2
140
PdM・Eng・QAで進めるAI駆動開発の現在地/aidd-with-pdm-eng-qa
shota_kusaba
0
250
全社統制を維持しながら現場負担をどう減らすか〜プラットフォームチームとセキュリティチームで進めたSecurity Hub活用によるAWS統制の見直し〜/secjaws-security-hub-custom-insights
mhrtech
1
590
サイボウズ、プラットフォームエンジニアリング始めるってよ ― プラットフォームチームの事業貢献と組織アラインメントの強化
ueokande
0
120
Featured
See All Featured
Agile Leadership in an Agile Organization
kimpetersen
PRO
0
150
Gemini Prompt Engineering: Practical Techniques for Tangible AI Outcomes
mfonobong
2
390
Un-Boring Meetings
codingconduct
0
290
Jess Joyce - The Pitfalls of Following Frameworks
techseoconnect
PRO
1
150
Scaling GitHub
holman
464
140k
A Guide to Academic Writing Using Generative AI - A Workshop
ks91
PRO
1
300
Between Models and Reality
mayunak
4
290
How GitHub (no longer) Works
holman
316
150k
Bioeconomy Workshop: Dr. Julius Ecuru, Opportunities for a Bioeconomy in West Africa
akademiya2063
PRO
1
110
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
360
30k
Making the Leap to Tech Lead
cromwellryan
135
9.8k
jQuery: Nuts, Bolts and Bling
dougneiner
66
8.5k
Transcript
Hello webclerks :)
Content Security Policy 101
Content Security Policy 101 Can Christoph do 40 slides in
5 minutes?
ABOUT ME
CHRISTOPH RUMPEL Web Developer PHP / Laravel Chatbots Talks @christophrumpel
christoph-rumpel.com
SECURITY IS HARD
SSL Input Handling Updates Packages Extension CSRF NONCES Weak Typing
Error Handling Storing Credentials Server Access SQL Prepared Statements Passwords Brute Force Attacks
Adobe Playstation Network Cloudflare FAMOUS LEAKS
How can we protect our sites when even big companies
can't?
Step by step
CONTENT SECURITY POLICY
CSP lets you define trusted resources.
Content-Security-Policy: policies
Content-Security-Policy: img-src *; script-src 'self'; Policies EXAMPLE
img-src *; script-src 'self'; DIRECTIVES
img-src *; script-src 'self'; LOCATIONS
img-src *; script-src 'self'; TRANSLATED Images are allowed to be
loaded from any resource
img-src *; script-src 'self'; TRANSLATED Scripts are allowed to be
loaded from the current site's origin only
img-src script-src DIRECTIVES
img-src script-src style-src font-src media-src form-action ...
* 'self' LOCATIONS
* 'self' domain.example.com *.example.com 'none' ...
CSP christoph-rumpel.com
BROWSER SUPPORT
BROWSER SUPPORT
INTEGRATIONS
SERVER CONFIGURATION Apache
SERVER CONFIGURATION Nginx
LARAVEL MIDDLEWARE
WP Content Security Policy Plugin - Screenshot Policies PLUGINS
MUCH MORE
HASHES AND NONCES
REPORTING
Content Security Policy 101 Laravel Response Caching And CSP CSP,
Hash-Algorithm, and Turbolinks Quick CSP Reference Guide MDN web docs CSP Level 2 W3C Recommendation CSP Level 3 Working Draft RESOURCES
THANKS
QUESTIONS?
THANKS AGAIN
SiteGround - Reliable hosting with speed, security, and support you can count on.
christophrumpel
optfit
hacomono
barus_qa
.png){kind=avatar}
oidfj
yudaiono
kawaguti
sajikix
vtryo
opelab
.jpg){kind=avatar}
shota_kusaba
mhrtech
ueokande
kimpetersen
mfonobong
codingconduct
techseoconnect
holman
ks91
mayunak
akademiya2063
bermonpainter
cromwellryan
dougneiner
