Content Security Policy

by Paweł Krawczyk
on 7 June 2015


Transcript of Content Security Policy

Content Security Policy & friends

Subresource Integrity (SRI)
http://www.w3.org/TR/SRI/
Content Security Policy (CSP)
http://www.w3.org/TR/CSP11/
Cross-Origin Resource Sharing (CORS)
http://www.w3.org/TR/cors/
CSP and malware
CSP and MITM
Mixed Content
http://www.w3.org/TR/mixed-content/
Upgrade Insecure Requests
http://www.w3.org/TR/upgrade-insecure-requests/
Developing CSP in real life
Strict Transport Security
RFC 6797
Public Key Pins
RFC 7469
Same-origin policy
RFC 6454
Summary
Do use CSP, STS, PKP, etc.
Start with report-only mode
Develop CSP in steps
Use combined report-uri & console alerts
CSP fits well into agile & devops
Use as many CSP headers as needed
Avoid 'unsafe-' origins
Use sha256- origins instead
CSP standards are developing fast!
email: pawel.krawczyk@hush.com
Twitter: @kravietz2
Referrer Policy
https://w3c.github.io/webappsec/specs/referrer-policy/
Entry Point Regulation
https://w3c.github.io/webappsec/specs/epr/
https://github.com/w3c/webappsec
'none'
'self'
data:
img.fb.net
*.example.com
example.com
https://img.fb.net
https:
'unsafe-inline'
'unsafe-eval'
'sha256-XXX'
'nonce'
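Two of the summary points, replacing 'unsafe-inline' with 'sha256-...' hash sources and starting in report-only mode with a report-uri, as an added Python example that is not from the presentation; the sample HTML and the /csp-report endpoint are constructed for it.

```python
import base64
import hashlib
import re

# Constructed sample page with two inline scripts (not a real site).
SAMPLE_HTML = """<html><head>
<script>console.log("init");</script>
</head><body>
<script>
window.addEventListener("load", function () { console.log("ready"); });
</script>
</body></html>"""

SCRIPT_RE = re.compile(r"<script>(.*?)</script>", re.DOTALL)

def script_hash_source(script_text: str) -> str:
    """CSP hash-source for one inline script: SHA-256 over the exact script
    body (UTF-8, whitespace included), base64-encoded, as in CSP Level 2."""
    digest = hashlib.sha256(script_text.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

def inline_script_sources(html: str) -> list:
    """One hash-source per inline <script>, so 'unsafe-inline' is not needed.
    Any edit to a script body changes its hash, so regenerate on each deploy."""
    return [script_hash_source(body) for body in SCRIPT_RE.findall(html)]

def build_csp_header(directives: dict, report_only: bool, report_uri: str = "") -> tuple:
    """Serialise directives to (header name, header value). Report-only mode
    makes the browser report violations instead of blocking the resources."""
    parts = [name + " " + " ".join(srcs) for name, srcs in directives.items()]
    if report_uri:  # collection endpoint for violation reports
        parts.append("report-uri " + report_uri)
    header = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return header, "; ".join(parts)

def policy_for_page(html: str, report_only: bool = True) -> tuple:
    """First step of an incremental policy: 'self' plus hashes for the page's
    inline scripts; /csp-report is a hypothetical collector endpoint."""
    directives = {
        "default-src": ["'self'"],
        "script-src": ["'self'"] + inline_script_sources(html),
    }
    return build_csp_header(directives, report_only, "/csp-report")

if __name__ == "__main__":
    name, value = policy_for_page(SAMPLE_HTML)
    print(name + ": " + value)
```

Once the report-uri endpoint stops receiving violations for the hashed scripts, the same directives can be shipped under the enforcing header name.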
Sources
OWASP Russia 2015
Paweł Krawczyk
http://webcookies.org/http-headers/
https://code.google.com/p/mustache-security/
JavaScript Frameworks CSP Support