Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Content Security Policy 101 - Lightning Talk

Avatar for Christoph Rumpel Christoph Rumpel
April 24, 2018
Technology
1
110

Content Security Policy 101 - Lightning Talk

This is a 5min talk version of Content Security Policy 101 talk.
Avatar for Christoph Rumpel

Christoph Rumpel

April 24, 2018
Tweet

More Decks by Christoph Rumpel

See All by Christoph Rumpel
How To Manage 5000+ Tests Efficiently
Avatar for Christoph Rumpel christophrumpel
0
65
Christoph Dreams Of Simple Code (Laravel Vienna Meetup)
Avatar for Christoph Rumpel christophrumpel
0
130
Why Refactoring Is The Best Tool To Write Better Code
Avatar for Christoph Rumpel christophrumpel
0
530
Debugging with PhpStorm & XDebug
Avatar for Christoph Rumpel christophrumpel
0
220
The final Laravel Service Container talk (Laracon Online)
Avatar for Christoph Rumpel christophrumpel
1
750
NomadPHP - The Laravel Core - Demystify The Beast
Avatar for Christoph Rumpel christophrumpel
0
130
Laravel Factories Reloaded (Laracon Online)
Avatar for Christoph Rumpel christophrumpel
1
280
The Beauty of Laravel's Notification System (Laracon EU Amsterdam)
Avatar for Christoph Rumpel christophrumpel
0
240
The Laravel Core - Demystify The Beast (New York)
Avatar for Christoph Rumpel christophrumpel
0
190

Other Decks in Technology

See All in Technology
Amazon Bedrockで実現する 新たな学習体験
Avatar for Kazuki Maeda kzkmaeda
1
400
IIWレポートからみるID業界で話題のMCP
Avatar for Naohiro Fujie fujie
0
740
変化する開発、進化する体系時代に適応するソフトウェアエンジニアの知識と考え方(JaSST'25 Kansai)
Avatar for みずのり mizunori
0
140
第9回情シス転職ミートアップ_テックタッチ株式会社
Avatar for forester3003 forester3003
0
150
AWS Summit Japan 2025 Community Stage - App workflow automation by AWS Step Functions
Avatar for matsuihidetoshi matsuihidetoshi
1
140
AWS CDK 実践的アプローチ N選 / aws-cdk-practical-approaches
Avatar for k.goto gotok365
4
520
Amazon ECS & AWS Fargate 運用アーキテクチャ2025 / Amazon ECS and AWS Fargate Ops Architecture 2025
Avatar for iselegant iselegant
16
4.7k
ObsidianをMCP連携させてみる
Avatar for ttnyt8701 ttnyt8701
2
140
菸酒生在 LINE Taiwan 的後端雙刀流
Avatar for LINE Developers Taiwan line_developers_tw
PRO
0
1.1k
ハノーバーメッセ2025座談会.pdf
Avatar for AIxIoTビジネス共創ラボ iotcomjpadmin
0
150
ひとり情シスなCTOがLLMと始めるオペレーション最適化 / CTO's LLM-Powered Ops
Avatar for Mitsuki Ogasahara yamitzky
0
380
Observability infrastructure behind the trillion-messages scale Kafka platform
Avatar for LINEヤフーTech (LY Corporation Tech) lycorptech_jp
PRO
0
130

Featured

See All Featured
Embracing the Ebb and Flow
Avatar for Simon Collison colly
86
4.7k
How GitHub (no longer) Works
Avatar for Zach Holman holman
314
140k
Docker and Python
Avatar for Tania Allard trallard
44
3.4k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
Avatar for soudai sone soudai
PRO
181
53k
VelocityConf: Rendering Performance Case Studies
Avatar for Addy Osmani addyosmani
330
24k
The Invisible Side of Design
Avatar for Vitaly Friedman smashingmag
299
51k
Practical Tips for Bootstrapping Information Extraction Pipelines
Avatar for Matthew Honnibal honnibal
PRO
20
1.3k
[RailsConf 2023 Opening Keynote] The Magic of Rails
Avatar for Eileen M. Uchitelle eileencodes
29
9.5k
Why Our Code Smells
Avatar for Brandon Keepers bkeepers
PRO
337
57k
Music & Morning Musume
Avatar for Bryan Veloso bryan
46
6.6k
Code Review Best Practice
Avatar for Trisha Gee trishagee
68
18k
The Cult of Friendly URLs
Avatar for Andy Hume andyhume
79
6.4k

Transcript

  1. Hello webclerks :)

  2. Content Security Policy 101

  3. Content Security Policy 101 Can Christoph do 40 slides in

    5 minutes?

  4. ABOUT ME

  5. CHRISTOPH RUMPEL Web Developer PHP / Laravel Chatbots Talks @christophrumpel

    christoph-rumpel.com

  6. SECURITY IS HARD

  7. SSL Input Handling Updates Packages Extension CSRF NONCES Weak Typing

    Error Handling Storing Credentials Server Access SQL Prepared Statements Passwords Brute Force Attacks

  8. Adobe Playstation Network Cloudflare FAMOUS LEAKS

  9. How can we protect our sites when even big companies

    can't?

  10. Step by step

  11. CONTENT SECURITY POLICY

  12. CSP lets you define trusted resources.

  13. Content-Security-Policy: policies

  14. Content-Security-Policy: img-src *; script-src 'self'; Policies EXAMPLE

  15. img-src *; script-src 'self'; DIRECTIVES

  16. img-src *; script-src 'self'; LOCATIONS

  17. img-src *; script-src 'self'; TRANSLATED Images are allowed to be

    loaded from any resource

  18. img-src *; script-src 'self'; TRANSLATED Scripts are allowed to be

    loaded from the current site's origin only

  19. img-src script-src DIRECTIVES

  20. img-src script-src style-src font-src media-src form-action ...

  21. * 'self' LOCATIONS

  22. * 'self' domain.example.com *.example.com 'none' ...

  23. CSP christoph-rumpel.com

  24. BROWSER SUPPORT

  25. BROWSER SUPPORT

  26. INTEGRATIONS

  27. SERVER CONFIGURATION Apache

  28. SERVER CONFIGURATION Nginx

  29. LARAVEL MIDDLEWARE

  30. WP Content Security Policy Plugin - Screenshot Policies PLUGINS

  31. MUCH MORE

  32. HASHES AND NONCES

  33. REPORTING

  34. Content Security Policy 101 Laravel Response Caching And CSP CSP,

    Hash-Algorithm, and Turbolinks Quick CSP Reference Guide MDN web docs CSP Level 2 W3C Recommendation CSP Level 3 Working Draft RESOURCES

  35. THANKS

  36. QUESTIONS?

  37. THANKS AGAIN