Content Security Policy (CSP) is a W3C standard that limits what a browser may do, which helps prevent many common attacks, including Cross-site Scripting. This course will teach you all relevant CSP features and which browsers they work in.
Cross-site scripting (XSS) is one of the major threats against web applications, with successful attacks every day. In this course, Defeating Cross-site Scripting with Content Security Policy, you'll learn how to put an end to this and other threats against your applications. First, you'll learn about the W3C standard Content Security Policy (CSP), which versions exist and features they bring. Next, you'll develop an understanding of how CSP restricts what content the browser is allowed to load and execute. Finally, you'll explore exactly how to use this approach to secure your sites. When you're finished with this course, you'll be ready to apply CSP to your web applications, and protect them from XSS and other attacks.
Christian Wenz is an author, consultant and trainer focusing on web technologies. He has written or co-written over 100 books, has been a fixture at international developer conferences since 2001, is a Microsoft Most Valuable Professional (MVP) for ASP.NET and an ASPInsiders member, and is the main author of the Zend PHP 5.5 certification.
Getting Started

Hi and welcome to Defeating Cross-site Scripting with Content Security Policy. My name is Christian Wenz, and I'm an independent consultant and software architect. In this course, we will talk a little bit about cross-site scripting and much, much more about Content Security Policy. That's a standard from the World Wide Web Consortium, W3C. These are the people behind XML, HTML, CSS, and many more standards. And Content Security Policy, or CSP in short, allows, among other things, a web browser to prevent content from being loaded or executed. One of the positive effects of that approach is that, well, cross-site scripting might eventually be defeated by Content Security Policy, and that's why I'm so excited about this. During this course, we will have a look at all versions of Content Security Policy. We'll have a look at all relevant features of Content Security Policy. And, of course, we will have a look at browser support for Content Security Policy. So in the end, you will be able to leverage Content Security Policy for your web applications, and you will also learn what you need to do to get your apps ready for Content Security Policy. So follow along, and in the end, you should also be able to defeat cross-site scripting with Content Security Policy.
Implementing CSP for Everyone: Version 1

Hi and welcome to Implementing Content Security Policy for Everyone: Version 1. My name is Christian Wenz, and as the title suggests, I will show you during this module how you can use all of the features from Content Security Policy version 1. If you recall from the previous module what CSP 1 is, namely a version of Content Security Policy where the last update of the standard was in 2012 and which is now only a W3C Working Note, this might sound a bit weird. But the important aspect is that, indeed, Content Security Policy version 1 has the most important features of Content Security Policy and has quite wide browser support, which we will dive into later in this module. So we'll have a look at what CSP is capable of doing. And in forthcoming modules, we will have a look at more advanced features that came in subsequent versions of Content Security Policy. So now let's get ready and create some Content Security Policies.
Leveraging Advanced Content Security Policy Features: Version 2

Hi and welcome to Leveraging Advanced Content Security Policy Features: Version 2. I'm Christian Wenz, and in this module, we will up our game. After learning all about Content Security Policy version 1 in the previous module, this time we will have a look at what's new and what has changed in Content Security Policy level 2. Many of those changes and new features are really, really useful, and I'll show you how you can max out all of them. However, it's a new version, so not all browsers play along and support that version. So we'll have a look at which browsers do and what you can do with those that don't. Let's get started.
Getting Applications Ready for Content Security Policy

Hi and welcome to Getting Applications Ready for Content Security Policy. I'm Christian Wenz, the same person who told you all about Content Security Policy versions 1 and 2. And now we will go one step further and discuss how we can get our applications ready for Content Security Policy usage. We will start by looking at a real-world policy and see how complex that is. And a complex policy, of course, means that we cannot just look at it and then say, Well, that one's okay. No, we have to validate it. We have to test it. And we will talk about techniques and tools and services that can help us with that. This also includes monitoring whether there is any policy violation for our web application. Well, and finally, we will develop a strategy for how to set up a policy, especially if we have to support older browsers as well, or if we cannot refactor our applications so that there might be issues with older browsers, or if we need features of more recent Content Security Policy versions yet still need to support older browsers. All this is coming up in this module.
Looking Forward: Upcoming Features in CSP 3

Hi and welcome to Looking Forward: Upcoming Features in CSP 3. I'm still Christian Wenz, and in this final module, we will take a look into the future. We'll have a look at Content Security Policy level 3 and see what that's all about. As I'm recording this, Content Security Policy level 3 has not been finalized yet. So for me, it's now early April 2017. The W3C has released a working draft. You've seen that before in the first module. That is dated September 2016, so a few months back. And, actually, there is a more updated version, an editor's draft, which is hosted at GitHub. So, yes, you can do pull requests, and that one is from late March 2017. So the editor in charge, currently that's Mike West from Google, is accepting feedback, changing a few things, and from time to time, the W3C draft will be updated accordingly. So there is no standard or W3C Recommendation yet. So everything we are discussing in this module might change in the future. So take everything with a grain of salt, yet it shows in which direction Content Security Policy will go. Since the standard is not done yet, browsers do not support those features yet, but I expect once the standard moves forward, browsers will move forward quite quickly as well. So let's get started, and let's have a look at what's new and what will change in Content Security Policy version 3.