YouTube

No More XSS - Deploying CSP with Nonces and Strict-Dynamic

Security BSides San Francisco via YouTube

Overview

This course teaches how to prevent cross-site scripting (XSS) by deploying a strict Content Security Policy (CSP) built on nonces and strict-dynamic. Learning outcomes include understanding the basics of CSP, implementing nonces, and rolling out a strict CSP on production websites. Topics covered include domain whitelists and their weaknesses, restricting object sources and the base URI, HTML injection, inline scripts, and the application of strict CSP to sites such as pinterest.com and instapaper.com. The lecture format combines practical examples with a discussion of attacks that remain possible even after a strict CSP is deployed. The course is intended for web developers, security professionals, and anyone interested in strengthening web application defenses.

Syllabus

Introduction
Agenda
Cross-site scripting
Templates and autoescape
No cross-site scripting
Content security policy
Domain whitelist
Object source and base URI
HTML injection
Inline scripts
CSP nonces
What can go wrong
Hashes
Whitelisting
Strict-dynamic
JavaScript templates
Deploying CSP
Easier to deploy
Code changes
Nonces
Change templates
Report only mode
CSP policy
Resources
Questions
Report URL

Taught by

Security BSides San Francisco
