Content Security Policies: Let's Break Stuff • Matt Brunt • GOTO 2018
- Published 31 Jul 2024
- This presentation was recorded at GOTO Copenhagen 2018. #gotocon #gotocph
gotocph.com
Matt Brunt - Dungeon Master, Code Tinkerer & Cybersecurity Pro
ABSTRACT
Content Security Policies are another tool we should have in our security toolbelt to help protect users of our sites. In this session you'll learn what they are, why they're needed, how they work and the limitations on what they can & cannot do to protect users.
You'll see a demo of attacks a CSP will block, you'll see a site broken by a CSP, show what the different CSP directives & options will do and be introduced to some of the tools available [...]
Download slides and read the full abstract here:
gotocph.com/2018/sessions/575
RECOMMENDED BOOKS
Aaron Parecki • OAuth 2.0 Simplified • amzn.to/2A3IMOf
Aaron Parecki • OAuth 2.0 Servers • amzn.to/3ecHEsz
Aaron Parecki • The Little Book of OAuth 2.0 RFCs • amzn.to/3i7qnlC
Erdal Ozkaya • Cybersecurity: The Beginner's Guide • amzn.to/2T6OIj3
Richer & Sanso • OAuth 2 in Action • amzn.to/3hXiAH6
Wilson & Hingnikar • Demystifying OAuth 2.0, OpenID Connect, and SAML 2.0 • amzn.to/2U8iLY2
gotocon.com
#security #cybersecurity #ContentSecurityPolicies #CSP
Looking for a unique learning experience?
Attend the next GOTO Conference near you! Get your ticket at gotocon.com
SUBSCRIBE TO OUR CHANNEL - new videos posted almost daily.
ua-cam.com/users/GotoConf... - Science & Technology
This was fun, thanks. Great presentation skills
Amazing talk! Very useful
Great piece, very informative
The best presentation I have ever seen
Thank you so much
Very informative!
Great talk!
>> XSS is considered by many people to be a joke.
Ends up moving to top 3 in 2021 😳
How safe is the nonce attribute? Couldn't the hacker just look at what nonce is used on the site and add that to the script?
Yes, but the nonce in the CSP is re-generated by the server with every request. The nonce you copied will be instantly out of date. The browser will detect the difference between the new nonce in the CSP and your old nonce in the script tag.
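The per-request regeneration described in the reply above, sketched as an added example that is not part of the comments or the talk. The function names are hypothetical, and `allowedScripts` is a simplified model of the browser's nonce comparison, not a real HTML parser.

```javascript
// Added example (not from the talk): a CSP nonce regenerated on every response.
const { randomBytes } = require("node:crypto");

// 128 bits from the CSPRNG, base64-encoded; called once per response.
function newNonce() {
  return randomBytes(16).toString("base64");
}

// Build one response. The header and the server's own script tag share the
// nonce. userComment is left unescaped on purpose to model an injection flaw.
function renderPage(userComment) {
  const nonce = newNonce();
  return {
    nonce,
    headers: { "Content-Security-Policy": `script-src 'nonce-${nonce}'` },
    body: `<script nonce="${nonce}">initApp()</script><p>${userComment}</p>`,
  };
}

// Simplified model of the browser check: a script runs only when its nonce
// attribute equals a nonce listed in this response's policy.
function allowedScripts(response) {
  const policy = response.headers["Content-Security-Policy"];
  const allowed = new Set(
    [...policy.matchAll(/'nonce-([^']+)'/g)].map((m) => m[1])
  );
  const scripts = response.body.matchAll(
    /<script(?: nonce="([^"]*)")?>(.*?)<\/script>/g
  );
  return [...scripts]
    .filter((m) => m[1] !== undefined && allowed.has(m[1]))
    .map((m) => m[2]);
}

// The nonce seen in an earlier response is copied into markup that ends up in
// a later response (constructed sample input).
function demo() {
  const first = renderPage("hello");
  const stale = `<script nonce="${first.nonce}">stolen()</script>`;
  const second = renderPage(stale);
  return { first, second, ran: allowedScripts(second) };
}

console.log(demo().ran);
```

The second response carries both script tags, but only the one bearing that response's own nonce passes the check.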