Lightning Talk - Demystifying CSP

Presented at AppSec USA 2016, Oct. 13, 2016, 9:15 a.m. (10 minutes)

There have been many attempts to make the Web a more secure place, or at least to make it harder to attack web applications. One of them is CSP, Content Security Policy. In my talk, I will cover the history of CSP, how it has evolved from its original version, and what features will be available in the near future. One of the challenges in deploying CSP is understanding which versions and directives are supported by different web browsers. In this presentation, I will share the current CSP compatibility matrix for major web browsers to provide a better understanding of CSP support. I will also demonstrate a framework that I developed to make it easy for anyone to run the same set of CSP feature tests, inspect the results, and add new feature checks. In the last part of the presentation, I will show the usage of CSP by Alexa top websites and how good their CSP policies are. I will also explain common CSP mistakes and strategies to fix them. Last but not least, I will demonstrate various tools, frameworks and libraries which would be useful for improving CSP policies.
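
The abstract refers to common CSP mistakes and strategies to fix them without listing them. As an added illustration that is not part of the talk, the speaker's test framework, or any tool the talk demonstrates, the following JavaScript is a small policy linter written for this page: it parses a Content-Security-Policy header value (first occurrence of a directive wins, as the specification requires) and flags weaknesses that are well known in CSP deployments: inline or eval script allowed without a nonce or hash fallback, wildcard or bare-scheme script sources, plugin content not disabled with object-src 'none', and a missing base-uri. The set of checks and the sample policies are this editor's assumptions, not findings from the talk's survey of Alexa sites.

```javascript
// Added example (not from the talk): a minimal CSP linter.
// Parses a policy string into directive -> source list, resolves fallback
// to default-src, and reports weaknesses commonly seen in real policies.

// Per the CSP spec, a repeated directive is ignored: the first one wins.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Fetch directives fall back to default-src; null means "unrestricted".
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

function lintCsp(header) {
  const policy = parseCsp(header);
  const findings = [];

  const script = effectiveSources(policy, 'script-src');
  if (script === null) {
    findings.push('script-src: neither script-src nor default-src set; scripts are unrestricted');
  } else {
    const src = script.map((s) => s.toLowerCase());
    // A nonce or hash makes CSP2+ browsers ignore 'unsafe-inline', so the
    // keyword is then only a fallback for CSP1 browsers and is not a weakness.
    const hasNonceOrHash = src.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
    const strictDynamic = src.includes("'strict-dynamic'");
    if (src.includes("'unsafe-inline'") && !hasNonceOrHash) {
      findings.push("script-src: 'unsafe-inline' without a nonce or hash; inline script injection is not blocked");
    }
    if (src.includes("'unsafe-eval'")) {
      findings.push("script-src: 'unsafe-eval' allows eval()/new Function() on attacker-controlled strings");
    }
    // With 'strict-dynamic', host and scheme sources are ignored, so they
    // are only a problem when it is absent.
    if (!strictDynamic && src.includes('*')) {
      findings.push('script-src: wildcard source allows scripts from any host');
    }
    if (!strictDynamic && src.some((s) => /^https?:$/.test(s))) {
      findings.push('script-src: bare scheme source (http:/https:) allows scripts from any host on that scheme');
    }
    if (!strictDynamic && src.some((s) => /^(data|blob|filesystem):$/.test(s))) {
      findings.push('script-src: data:/blob:/filesystem: sources let injected markup supply its own script');
    }
  }

  const object = effectiveSources(policy, 'object-src');
  const objectNone = object !== null && object.length === 1 && object[0].toLowerCase() === "'none'";
  if (!objectNone) {
    findings.push("object-src: not 'none'; plugin content (<object>/<embed>) can be used to bypass script restrictions");
  }

  if (!policy.has('base-uri')) {
    findings.push('base-uri: missing; an injected <base> tag can redirect relative script URLs to an attacker host');
  }

  return findings;
}

// Constructed sample policies (assumed, not taken from any real site).
const WEAK_POLICY =
  "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.example.com https:";
const STRICT_POLICY =
  "default-src 'none'; script-src 'nonce-abc123' 'strict-dynamic' 'unsafe-inline' https:; object-src 'none'; base-uri 'self'";

console.log('weak  :', lintCsp(WEAK_POLICY));
console.log('strict:', lintCsp(STRICT_POLICY));
```

The strict sample is the nonce-based pattern in which 'unsafe-inline' and https: are kept only as fallbacks for browsers that do not understand nonces or 'strict-dynamic'; the linter treats them as harmless for exactly that reason, which is the distinction a manual review of a policy most often gets wrong.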

Presenters:

  • Ilya Nesterov - Engineering manager - Shape Security
    Ilya Nesterov is currently an engineering manager at Shape Security. Prior to Shape, Ilya worked at F5 Networks, and he earned his master's degree from Tomsk Polytechnic University. His interests include, but are not limited to, modern web application security threats and countermeasures, botnets, malware infrastructure, exploits and honeypot development. Ilya also works as an independent security researcher and speaks on security topics.
