Content Security Policy to the Rescue

Dheeraj Joshi (15.Feb.2018 at 16:00, 1 hr)
Talk at PHP UK Conference 2018 (English - US)

Rating: 5 of 5

Developing web applications with security in mind is very important in today's world, given the increase in online attacks and fraud. Content Security Policy (CSP) is a defense-in-depth mechanism that can help mitigate Cross-Site Scripting (XSS) vulnerabilities. In this talk we'll see a live demo of an intentionally vulnerable web application and how Content Security Policy can prevent attacks against it. I'll also talk about some success stories of companies that have deployed CSP. We'll discuss common CSP bypasses, and how CSP can also address other concerns such as clickjacking, HTTPS migration and secure form submission.
Level: All
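To make the directives named in the abstract concrete, here is an added example in Python; it is not code from the talk or from its demo application. It builds a nonce-based policy and lints a policy string for the settings that undermine CSP as an XSS control ('unsafe-inline' without a nonce or hash, wildcard or scheme-only script sources, data: script URIs, unrestricted object-src and base-uri) and for the directives that cover the other concerns the abstract lists: frame-ancestors for clickjacking, form-action for form hijacking, and upgrade-insecure-requests for HTTPS migration. The weak policy string, the function names and the finding messages are this example's own constructions.

```python
import secrets
from typing import Dict, List

# Constructed weak policy for this example: it looks restrictive at first
# glance, but every sink discussed above is still open.
WEAK_POLICY = (
    "default-src 'self'; "
    "script-src 'self' 'unsafe-inline' https: data:; "
    "img-src *"
)


def build_policy(directives: Dict[str, List[str]]) -> str:
    """Serialize a directive map into a Content-Security-Policy header value."""
    return "; ".join(" ".join([name, *values]) for name, values in directives.items())


def parse_policy(header: str) -> Dict[str, List[str]]:
    """Split a header value into {directive: [source tokens]}.

    Directive names are case-insensitive and, as in browsers, the first
    occurrence of a directive wins; later duplicates are ignored.
    """
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def new_nonce() -> str:
    """Per-response nonce; must be unpredictable and never reused."""
    return secrets.token_urlsafe(16)


def strict_policy(nonce: str) -> str:
    """Nonce-based policy: only <script> tags carrying this nonce run, and
    scripts they load are trusted via 'strict-dynamic'. Plugins, <base>
    injection, framing, and off-site form posts are all shut off."""
    return build_policy({
        "default-src": ["'self'"],
        "script-src": [f"'nonce-{nonce}'", "'strict-dynamic'"],
        "object-src": ["'none'"],
        "base-uri": ["'none'"],
        "frame-ancestors": ["'none'"],
        "form-action": ["'self'"],
        "upgrade-insecure-requests": [],
    })


def lint_policy(header: str) -> List[str]:
    """Return human-readable findings for a policy; an empty list means clean."""
    p = parse_policy(header)
    findings: List[str] = []

    def effective(name: str) -> List[str]:
        # Fetch directives fall back to default-src when absent.
        return p.get(name, p.get("default-src", []))

    script = effective("script-src")
    has_nonce_or_hash = any(
        t.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for t in script
    )
    if "'strict-dynamic'" not in script:
        # With 'strict-dynamic', supporting browsers ignore host/scheme
        # sources and 'unsafe-inline', so these checks only apply without it.
        if "'unsafe-inline'" in script and not has_nonce_or_hash:
            findings.append("script-src: 'unsafe-inline' without nonce/hash lets injected inline scripts run")
        if any(t in script for t in ("*", "https:", "http:")):
            findings.append("script-src: wildcard/scheme source lets scripts load from any origin")
        if "data:" in script:
            findings.append("script-src: data: URIs allow script injection via data:text/javascript")
    if "'none'" not in effective("object-src"):
        findings.append("object-src: not 'none', plugin content can be used to execute script")
    if "base-uri" not in p:
        findings.append("base-uri: missing, an injected <base> tag can redirect relative script URLs")
    if "frame-ancestors" not in p:
        findings.append("frame-ancestors: missing, page can be framed (clickjacking)")
    if "form-action" not in p:
        findings.append("form-action: missing, an injected form can post credentials to another origin")
    if "upgrade-insecure-requests" not in p:
        findings.append("upgrade-insecure-requests: missing, http:// subresources remain mixed content")
    return findings


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("strict", strict_policy(new_nonce()))):
        print(f"{label}: {policy}")
        for finding in lint_policy(policy) or ["no findings"]:
            print("  -", finding)
```

Note that `default-src 'self'` also governs `frame-src`, so an injected third-party iframe is blocked along with injected scripts; the linter treats `default-src` as the fallback exactly as browsers do, which is why the weak policy's `object-src` is reported even though the directive is never written.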


Comments

Rating: 4 of 5

16.Feb.2018 at 11:30 by Matt Dawkins (36 comments) via Web2 LIVE

Any talk about security is going to be terrifying, and rightly so. It was really interesting seeing how easily you can compromise a vulnerable site, especially the one at the end with the hidden bitcoin iframe! Loads of useful info on CSP, although it could perhaps have benefitted from some practical demonstrations of how to implement it on an existing site using a popular framework. I'll definitely be looking into CSP further!

Rating: 5 of 5

16.Feb.2018 at 13:20 by Morten Bergset (36 comments) via Web2 LIVE

I loved your talk. I can use this at work, thanks!

Rating: 3 of 5

17.Feb.2018 at 09:33 by Anonymous

The content was good, Dheeraj is clearly very knowledgeable about CSPs.

The demos fell a bit short and could have been better prepared - it was difficult to work out what was being shown and why.

The mention of bug bounties and ways to motivate people to better security with the cryptojacking problem was a good idea to put in.

The flow and pacing of the talk could use a little work, it felt like it jumped to parts where knowledge about CSPs and XSS was assumed rather than explaining why the things were important to know about.

© Joind.in 2018