Content Security Policy Explained
- Published on 23 Jul 2024
- Content Security Policy (CSP) is a powerful security feature of the modern web. This video aims to lay a foundation for anyone to add a CSP to their web applications.
In this video, we're going to take a look at content security policy, what it is, why you need it, and how to create a content security policy using the OWASP Content Security Policy Template.
If you work with web applications or have any sort of online presence, you need to know about content security policy. This video will explain everything you need to know in easy to understand terms, including why you need it, how to create a content security policy, and how to protect your web applications with it.
One note that isn't as clear in the video: the directives are the same whichever delivery mechanism you use, so a policy can also be delivered through a <meta http-equiv="Content-Security-Policy"> tag if one does not have access to the server. The exceptions are frame-ancestors, report-uri, report-to and sandbox, which browsers ignore inside a meta tag, and report-only mode, which exists only as the Content-Security-Policy-Report-Only header.
Have more thoughts? Leave a comment or @-me on / tejaskumar_
More resources:
- OWASP Cheat Sheet: cheatsheetseries.owasp.org/ch...
- Complete list of CSP directives: developer.mozilla.org/en-US/d...
Chapters:
00:00 Intro
00:08 Why Should I Care?
01:00 Where Do I Add One?
01:12 1. HTTP Headers
01:36 2. Meta Tag
01:43 3. manifest.json
01:59 How Do I Add One to a Web App?
03:42 (Demo) Implementing a Content Security Policy
04:10 Report-Only Mode for Iterative Development
04:42 Sending Content Security Policy Reports
05:13 Conclusion
- Science & Technology
Quick, concise and right to the point (and without running over us like a Fireship road roller)! Great work Tejas.
Hey thanks a lot Kostas!!!
great explanation
Glad it was helpful!
explained in best possible way
Thanks!!
thank you
Great explanation 👍👍
Glad you liked it
Hi Tejas, thank you for explaining the Content-Security-Policy. What are your thoughts on adding the Content-Security-Policy header to web servers like nginx, Apache Tomcat, etc. directly?
It depends on the surface of the servers and what they serve. Generally, it's a good idea if the scope is isolated IMO.
Is it good to block CSP reports in uBlock Origin's settings? Or should I leave it off?
The scripts on the screen are much too small. No one can read them.
zoom in
That's a precise explanation, although it would have been better if there had been an explanation of nonces and hashes as well. With just 'self' and other domains we can't really mitigate XSS anymore. Just some feedback!
Good video though :)