Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Content Security Policy 101 - Lightning Talk
Search
Christoph Rumpel
April 24, 2018
Technology
130
1
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
Content Security Policy 101 - Lightning Talk
This is a 5min talk version of Content Security Policy 101 talk.
Christoph Rumpel
April 24, 2018
More Decks by Christoph Rumpel
See All by Christoph Rumpel
How To Manage 5000+ Tests Efficiently
christophrumpel
0
140
Christoph Dreams Of Simple Code (Laravel Vienna Meetup)
christophrumpel
0
190
Why Refactoring Is The Best Tool To Write Better Code
christophrumpel
0
600
Debugging with PhpStorm & XDebug
christophrumpel
0
300
The final Laravel Service Container talk (Laracon Online)
christophrumpel
1
820
NomadPHP - The Laravel Core - Demystify The Beast
christophrumpel
0
180
Laravel Factories Reloaded (Laracon Online)
christophrumpel
1
340
The Beauty of Laravel's Notification System (Laracon EU Amsterdam)
christophrumpel
0
280
The Laravel Core - Demystify The Beast (New York)
christophrumpel
0
240
Other Decks in Technology
See All in Technology
フルAIで個人開発して学んだあれこれ / yuruai vol.1
isaoshimizu
0
170
背中から、背中へ /paying forward to community
naitosatoshi
0
210
Keeping applications secure by evolving OAuth 2.0 and OpenID Connect
ahus1
PRO
1
130
打造你的 AI 工作流:Agent Skill + MCP 實戰工作坊
appleboy
0
480
インフラ寄りSREでも 開発に踏み出せる〜境界を越えてユーザー体験に向き合いたい〜
sansantech
PRO
0
120
5分でわかる Amazon Connect_20260608
hwangbyeonghun
0
170
product engineering with qa
nealle
0
140
アラート調査向けAIエージェントの本番導入とその後/AI Agents for Alert Investigation: Production Deployment and After
taddy_919
1
330
AIをフル活用してオンコール機能のプロトタイプを2日で作った話 / Building an AI-Powered On-Call Prototype in Just Two Days
nari_ex
0
170
AI時代のエンジニアキャリアについて今一度考える
sakamoto_582
1
990
なぜ私たちのSREプラクティスはなかなか機能しないのか 〜システムより先に組織を見る〜 / Why our SRE practices aren't really working
vtryo
0
160
ループエンジニアリングでE2Eテストを実践
noriyukitakei
0
250
Featured
See All Featured
What’s in a name? Adding method to the madness
productmarketing
PRO
24
4.1k
職位にかかわらず全員がリーダーシップを発揮するチーム作り / Building a team where everyone can demonstrate leadership regardless of position
madoxten
62
55k
Java REST API Framework Comparison - PWX 2021
mraible
34
9.4k
brightonSEO & MeasureFest 2025 - Christian Goodrich - Winning strategies for Black Friday CRO & PPC
cargoodrich
3
750
Designing for Timeless Needs
cassininazir
1
270
Building a Modern Day E-commerce SEO Strategy
aleyda
45
9.1k
What does AI have to do with Human Rights?
axbom
PRO
1
2.2k
Rails Girls Zürich Keynote
gr2m
96
14k
Lightning talk: Run Django tests with GitHub Actions
sabderemane
0
210
A designer walks into a library…
pauljervisheath
211
24k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
49
10k
Large-scale JavaScript Application Architecture
addyosmani
515
110k
Transcript
Hello webclerks :)
Content Security Policy 101
Content Security Policy 101 Can Christoph do 40 slides in
5 minutes?
ABOUT ME
CHRISTOPH RUMPEL Web Developer PHP / Laravel Chatbots Talks @christophrumpel
christoph-rumpel.com
SECURITY IS HARD
SSL Input Handling Updates Packages Extension CSRF NONCES Weak Typing
Error Handling Storing Credentials Server Access SQL Prepared Statements Passwords Brute Force Attacks
Adobe Playstation Network Cloudflare FAMOUS LEAKS
How can we protect our sites when even big companies
can't?
Step by step
CONTENT SECURITY POLICY
CSP lets you define trusted resources.
Content-Security-Policy: policies
Content-Security-Policy: img-src *; script-src 'self'; Policies EXAMPLE
img-src *; script-src 'self'; DIRECTIVES
img-src *; script-src 'self'; LOCATIONS
img-src *; script-src 'self'; TRANSLATED Images are allowed to be
loaded from any resource
img-src *; script-src 'self'; TRANSLATED Scripts are allowed to be
loaded from the current site's origin only
img-src script-src DIRECTIVES
img-src script-src style-src font-src media-src form-action ...
* 'self' LOCATIONS
* 'self' domain.example.com *.example.com 'none' ...
CSP christoph-rumpel.com
BROWSER SUPPORT
BROWSER SUPPORT
INTEGRATIONS
SERVER CONFIGURATION Apache
SERVER CONFIGURATION Nginx
LARAVEL MIDDLEWARE
WP Content Security Policy Plugin - Screenshot Policies PLUGINS
MUCH MORE
HASHES AND NONCES
REPORTING
Content Security Policy 101 Laravel Response Caching And CSP CSP,
Hash-Algorithm, and Turbolinks Quick CSP Reference Guide MDN web docs CSP Level 2 W3C Recommendation CSP Level 3 Working Draft RESOURCES
THANKS
QUESTIONS?
THANKS AGAIN