Learn how to secure your website from cross-site scripting attacks by enabling a Content Security Policy. Code examples from this video: github.com/shama/letswritecod...
Hi Kyle, great video, congratulations ! I get this error with Wordpress installation but not with a local installation. Do you know where I can find this setting ? Regards, ZP.
nice video... gained lot of knowledge . surely going to share your video ...hmmmm one thing i want to ask is if a site has implemented csp and script src is set to self ,,, along with that 3rd party sites are mentioned for executing their scripts , also used 'unsafe inline ' in the script-src tag. so how in this case an attacker or hacker can bypass csp... by taking advantage of unsafe inline
Why you set header to response rather than request? Also, instead of setting headers for all responses can we set seperately for each individual response?
there seems to be some kind of audio-problem like from minute 3:48. I tried listenging on different devices, with and without headphones, but no difference. maybe you could make an updated version with better audio?
Hi dude, i've only just heard about this CSP thing i'm trying to add it to my site but i'm having some troubles. I have some scripts from Copyright house, DMCA, and comodo ssl certificate, but as soon as i add the csp line it stops showing them. I understand that i cannot use inline js with this enabled but then how do i refernce the scripts if this is so, would a function() call not be blocked in the html file or browser... Please help, I have posted this on StackOverflow aswell.
+Vikram Jadhav Thanks! I used a vanilla JS app thrown together for demonstrating CSP. Not a great solution for building large apps, IMO but is simple and straight forward for small apps. I have some JS app architecture videos planned for the future.
Hi Kyle, this is new to me, I did not know about the content security policy. I have a question though, won't this block certain browser extensions? I imagine that could annoy some users.
+Ante Šepić I'm not too knowledgeable about writing browser extensions but I believe they can define their own CSP: developer.chrome.com/extensions/contentSecurityPolicy So if the extension action is getting blocked by a CSP, that extension probably shouldn't be doing that action. Also a user can choose to disable the CSP in their browser too if desired. It's really a protection mechanism for the users in case a website they are visiting has been hijacked. The website developer defines a CSP to inform the user about the things they can trust. So why you could easily disable CSP in your browser, you wouldn't necessarily want to.
Very nice, crisp and to the point.
Very helpful, Thanks!
Your explanations are so good! Thank you! I learned a lot 😃
Its 2021 and this content never gets old. Thankyou for posting this. ))
Super helpful and exactly what I was looking for to understand CSP
Been searching for this Kyle. Very important subject. I understand it a bit better now, thank you !
thanks for the sharing. I look forward to learning more.
These videos are really helpful. Thanks for uploading and please keep up the good work.
+Pavin Disatapundhu Thanks! :D
Amazing tutorial. Very well explained as well. Thanks very much.
Concepts are explained nicely with examples
Excelent, just what i needed, allow javascript only from two external sources
Short and helpful. Thanks.
Thanks for the video, quick understanding
Pure gold... thanks for the content
Fantastic tutorial, wish I could give a double thumbs-up!
Thanks for this guide.
This is good for basic learners... Thanks
great explanation, thanks!
i'm a simple man, i hear "bears" i like
excelent explanation !!
thank you so much
Thanks for the breakdown
Hi Kyle,
Instead of this if the text box is given validation for only alpha-numerals i.e; no special characters. Does it cause any attacks?
How do you use require in frontend javascript? I'd love to know!
Hi Kyle, great video, congratulations ! I get this error with Wordpress installation but not with a local installation. Do you know where I can find this setting ? Regards, ZP.
Very cool explanation :D
Very nice and well explained..
nice video... gained lot of knowledge . surely going to share your video ...hmmmm one thing i want to ask is if a site has implemented csp and script src is set to self ,,, along with that 3rd party sites are mentioned for executing their scripts , also used 'unsafe inline ' in the script-src tag. so how in this case an attacker or hacker can bypass csp... by taking advantage of unsafe inline
Why you set header to response rather than request? Also, instead of setting headers for all responses can we set seperately for each individual response?
Great Tutorial .. ! :-)
+Aaditya Purani Thanks!
Hey great work..
I would be glad if you could one preventing XSS using Express middleware 'Helmet'..
Great content. You deserve more likes than the 427 that is registered here.
there seems to be some kind of audio-problem like from minute 3:48. I tried listenging on different devices, with and without headphones, but no difference. maybe you could make an updated version with better audio?
Hi dude, i've only just heard about this CSP thing i'm trying to add it to my site but i'm having some troubles. I have some scripts from Copyright house, DMCA, and comodo ssl certificate, but as soon as i add the csp line it stops showing them. I understand that i cannot use inline js with this enabled but then how do i refernce the scripts if this is so, would a function() call not be blocked in the html file or browser... Please help, I have posted this on StackOverflow aswell.
Even after i've added the links and files to the trusted lists with spaces
I didn't understand how do I fix this on a site that only uses html, css and js files (frontend only)...
Wow! Nice tutorial
which JavaScript Framework you are currently using?
Could you give us a series for creating any application from scratch?
Thanks!
+Vikram Jadhav Thanks! I used a vanilla JS app thrown together for demonstrating CSP. Not a great solution for building large apps, IMO but is simple and straight forward for small apps. I have some JS app architecture videos planned for the future.
Not relevant to topic, but which program do you use to record these awesome videos ?
I think it's called screen flow
Hi Kyle,
this is new to me, I did not know about the content security policy. I have a question though, won't this block certain browser extensions? I imagine that could annoy some users.
+Ante Šepić I'm not too knowledgeable about writing browser extensions but I believe they can define their own CSP: developer.chrome.com/extensions/contentSecurityPolicy So if the extension action is getting blocked by a CSP, that extension probably shouldn't be doing that action.
Also a user can choose to disable the CSP in their browser too if desired. It's really a protection mechanism for the users in case a website they are visiting has been hijacked. The website developer defines a CSP to inform the user about the things they can trust. So why you could easily disable CSP in your browser, you wouldn't necessarily want to.
+Kyle Robinson Young Thanks, that makes sense.
Thanks man
what's the end music's name? that's amaing!
nice! Thanks!
Thanks mate
3:50 you mic has been hacked :) Cool stuf though.
Thanks for assuring me that I'm not the one who got hacked :P
npm, sanitize-html 04:05 lodash 04:52 CSP 05:25 send an http header to the browser to tell to enable this CSP 07:40 CSS
it's that easy to install security?
Dude you cannot sanitize on entering the DB and rendering, because something like would become <h1> in the DB, then <h1> on render
Thanks for the correction. You're right, you don't want to sanitize HTML twice.
Something funny happening with audio at 3:48
Sorry about that! I'm not sure what happened there.
"Get your bearings" - 0:25
+Daniel Jeffery ˁ˚ᴥ˚ˀ
+Kyle Robinson Young I'm on to you.
sound is screwed up ...
How to use this in PHP?
They are HTTP headers so with PHP you could do: header("Content-Security-Policy: default-src 'self'");
Google Chrome extension error bring me here. :D
Why do you keep saying excaping?
The audio is weird
+Ewers X Sorry about that! I'm not sure why the audio got fuzzy at that part.
Scp = secure contain protect
Ohh i think i commented the wrong video srry😅
Bears are the best. Kyle Robinson is also the best but most humans are lame (including me)