Oh my god I was looking all over the web what the meaning behind meta tags and CSP was until I found this video. It's crystal clear to me now. Thank you so much sir.
Thank you. I first read the article but I was a bit confused because I never heard of XSS before so I came here an after the first 3 mins it was crystal clear to me. :D
Think it would’ve been helpful if you did actually demo a few examples with setting the various directives. Hard to make sense of how each works by just reading the MDN pages that you showed.
Thanks for explanation. I've searched resources, that can explain me in simple way what is CSP and what it for. After this video I have superficial understanding that is enough for my purposes
I can't figure out how to implement this in practice!! I'm trying to put a google maps on a statistical html page, but it keeps giving a csp warning or the map doesn't load.
So if im understanding this correctly, this just prevents loading scripts, from sources not allowed by the CSP. But an attacker could still use an inline script tag to run any javascript they could fit everything they need within the comment box (assuming stored and in a comment input)?
CSPs block all inline scripts by default, though if you have specific inline scripts you want to allow you can identify them with hashes or nonces to whitelist with the CSP.
What do you think about unsafe-inline in style? i have an app with firebase + react... managed to use nonces but in client side rendering, so styles are broken
on my wordpress website -chrome on my phone says not secure, safari on laptop also says not secure but my SSL certificate is good i checked. also chrome on my laptop doesn't say not secure. I went to inspect >console on website and this error was there but I don't know what it means or where the error is located. The Source Location is blank - "Content Security Policy of your site blocks the use of 'eval' in JavaScript` The Content Security Policy (CSP) prevents the evaluation of arbitrary strings as JavaScript to make it more difficult for an attacker to inject unathorized code on your site. To solve this issue, avoid using eval(), new Function(), setTimeout([string], ...) and setInterval([string], ...) for evaluating strings. If you absolutely must: you can enable string evaluation by adding unsafe-eval as an allowed source in a script-src directive. ⚠ Allowing string evaluation comes at the risk of inline script injection. 1 directive Source location Directive Status script-src blocked
Not literally like this. You have to replace and with your own directive and value you would like to use. Also make sure to separate these two placeholders with a space. So an example would be
Hey, Is there a secure way in storing/using JWT with CORS to prevent XSS? Hosted Client and Server Separately so can't do httponly. Just wondering if you have any material I could look at.
Hi Chad, if you store a JWT inside of a cookie then your api-gateway needs a strict CORS policy and ideally HttpOnly and Secure cookies to prevent CSRF. However, CORS and cookies do not sufficiently protect you against XSS. Because with XSS some malicious code is running in browser. So in case the JWT is stored in a cookie - even if it is HttpOnly - the attacker can still make authenticated requests. The only "advantage" over using local storage here is that the attacker would need to run the full attack over the browser. This is still bad and the attacker can do pretty much anything he wants to do but at least the attacker does not get access to the actual token. So while the attacker could still do everything via the browser, it would be slightly harder. To protect against XSS, a Content Security Policy is very useful as well as sanitizing user input when it is sent to the server. I think I don't really have a dedicated video that yet.
Hi Johnny, here is a really nice answer for your question: webmasters.stackexchange.com/questions/104857/when-should-i-not-to-use-page-meta-security-headers
Hi Yuvraj, https is TLS over HTTP and all headers that can be encrypted, are encrypted (hostname / IP headers are not encrypted because otherwise routing of the package would be impossible: stackoverflow.com/a/187679/2328833)
Hi Saurav, while you could allow any script this would defeat the purpose of having a CSP in the first place. So I figure the only way would be to explicitly add the sources where you want to load scripts from. If you specify self, then this means that you only allow scripts to come from the origin where the webpage was originally loaded from
![ทุกครั้งที่หลับตา (Lucid Dream) - AYLA's [ Official MV ]](http://i.ytimg.com/vi/4i1OBAQyv58/mqdefault.jpg)
What do you think about this video?
Let me know in the comments below.
Loved it. Thank you.
Thanks man.
i needed a good rule for a modern website. not only why, but some kind of common what.
Thanks, man!
5:48 default-src default of switch statement wow. Explained in just a single statement 👍👍👍
you're most welcome
Oh my god I was looking all over the web what the meaning behind meta tags and CSP was until I found this video. It's crystal clear to me now. Thank you so much sir.
Thank you! You’re a fantastic teacher.
I'm glad you liked it
Dude.... Thank's a ton for that objective video.
Glad it was helpful!
Great explanation. Thanks
Thank you. I first read the article but I was a bit confused because I never heard of XSS before so I came here an after the first 3 mins it was crystal clear to me. :D
thx Noel, I'm glad I could help!
straight to the point, thanks
you're welcome Hekar
Think it would’ve been helpful if you did actually demo a few examples with setting the various directives. Hard to make sense of how each works by just reading the MDN pages that you showed.
The best as always
thx Ahmed 👍
fixing one missing content security policy header is it impacts the entire website?
Thanks for explanation. I've searched resources, that can explain me in simple way what is CSP and what it for. After this video I have superficial understanding that is enough for my purposes
I can't figure out how to implement this in practice!! I'm trying to put a google maps on a statistical html page, but it keeps giving a csp warning or the map doesn't load.
So if im understanding this correctly, this just prevents loading scripts, from sources not allowed by the CSP. But an attacker could still use an inline script tag to run any javascript they could fit everything they need within the comment box (assuming stored and in a comment input)?
CSPs block all inline scripts by default, though if you have specific inline scripts you want to allow you can identify them with hashes or nonces to whitelist with the CSP.
Great explanation!
Thanks!
Very nice video!!!
Wonderful explanation
Glad it was helpful!
Nicely Explained >>
Glad it was helpful!
Thank you for the great explanation.
You are welcome!
What do you think about unsafe-inline in style? i have an app with firebase + react... managed to use nonces but in client side rendering, so styles are broken
great explanation, many thanks!
Glad you enjoyed it!
on my wordpress website -chrome on my phone says not secure, safari on laptop also says not secure but my SSL certificate is good i checked. also chrome on my laptop doesn't say not secure. I went to inspect >console on website and this error was there but I don't know what it means or where the error is located. The Source Location is blank - "Content Security Policy of your site blocks the use of 'eval' in JavaScript`
The Content Security Policy (CSP) prevents the evaluation of arbitrary strings as JavaScript to make it more difficult for an attacker to inject unathorized code on your site.
To solve this issue, avoid using eval(), new Function(), setTimeout([string], ...) and setInterval([string], ...) for evaluating strings.
If you absolutely must: you can enable string evaluation by adding unsafe-eval as an allowed source in a script-src directive.
⚠ Allowing string evaluation comes at the risk of inline script injection.
1 directive
Source location Directive Status
script-src blocked
thank you for the video! super clear!
thx
Nice explanation!
tks for sharing
Glad you liked it!
Thank you for such great video!
thx
very nicely explained. thanks. i liked it.
Thanks for liking
alert("Thank you, very clear explanation")
haha nice 👍
Thanks bro !
Handy overview, now to building a CSP 😳
nice 👍
Well explained 🎉 Are you from Denmark?
no, I'm from Germany
Not literally like this. You have to replace and with your own directive and value you would like to use. Also make sure to separate these two placeholders with a space. So an example would be
Great video
Glad you enjoyed it
Very good!
Thanks!
thanks 4 the clear explanation
Glad it was helpful!
alert('Hello World') only hello world
thank you buddy ! :)
You're most welcome!
Very well explained.... thanks
thx Sanket 👍
Thank you for the video!!
My pleasure!
Great video, do you have a video with some in-depth code examples?
Man you look like young Elon Musk lol. Congratz on the content btw!
Thanks man !!
you're welcome
Hey, Is there a secure way in storing/using JWT with CORS to prevent XSS? Hosted Client and Server Separately so can't do httponly. Just wondering if you have any material I could look at.
Hi Chad,
if you store a JWT inside of a cookie then your api-gateway needs a strict CORS policy and ideally HttpOnly and Secure cookies to prevent CSRF. However, CORS and cookies do not sufficiently protect you against XSS. Because with XSS some malicious code is running in browser. So in case the JWT is stored in a cookie - even if it is HttpOnly - the attacker can still make authenticated requests. The only "advantage" over using local storage here is that the attacker would need to run the full attack over the browser. This is still bad and the attacker can do pretty much anything he wants to do but at least the attacker does not get access to the actual token. So while the attacker could still do everything via the browser, it would be slightly harder.
To protect against XSS, a Content Security Policy is very useful as well as sanitizing user input when it is sent to the server. I think I don't really have a dedicated video that yet.
So I've read that putting the CSP in html meta tags isn't super effective and frame ancestors can't be used. What are your thoughts on this?
Hi Johnny, here is a really nice answer for your question: webmasters.stackexchange.com/questions/104857/when-should-i-not-to-use-page-meta-security-headers
but what if some hacker sniffs the traffic and manipulates the request and response headers ? , is that possible if used https ?
Hi Yuvraj, https is TLS over HTTP and all headers that can be encrypted, are encrypted (hostname / IP headers are not encrypted because otherwise routing of the package would be impossible: stackoverflow.com/a/187679/2328833)
Can we set CSP in AWS?
CSP is independent of any cloud service
I used csp script-src to self..and in console it showing many script error...how can i make it accept all my script ?
Hi Saurav, while you could allow any script this would defeat the purpose of having a CSP in the first place. So I figure the only way would be to explicitly add the sources where you want to load scripts from. If you specify self, then this means that you only allow scripts to come from the origin where the webpage was originally loaded from
@@jgoebel how can i make it accept the scripts that i have written on some script tags inside some pages?
Great :)
Thanks!
Can anyone explain: "Browsers that don't support CSP still work with servers that implement it" ?
no because the browser enforces the CSP. But pretty much every modern browser supports CSP these days
Thanks
I guess I have seen cross site scripting policies added in web.config files 🤔
could be. Some servers allow you to just pass a config file and then the server will generate the headers for you
Rebekah Prairie
alert('test')
Write down the code mentioned in the video, and then try to edit the comment, TH-cam will delete it!
probably because TH-cam thinks that you are trying to do a stored cross site scripting (XSS) attack 😁
Is it Elon Mask?
doesnt really explain anything, all youre saying is "if you have this header youre protected" - great.
dd
alert(document.cookie)
nice try 😁