Defeating Cross-site Scripting with Content Security Policy

Content Security Policy (CSP) is a W3C standard that limits what a browser may do, which helps prevent many common attacks, including Cross-site Scripting. This course will teach you all relevant CSP features and which browsers they work in.
Course info
Rating
(18)
Level
Intermediate
Updated
May 11, 2017
Duration
2h 22m
Table of contents
Course Overview
Getting Started
Implementing CSP for Everyone: Version 1
Leveraging Advanced Content Security Policy Features: Version 2
Getting Applications Ready for Content Security Policy
Looking Forward: Upcoming Features in CSP 3
Description

Cross-site scripting (XSS) is one of the major threats against web applications, with successful attacks every day. In this course, Defeating Cross-site Scripting with Content Security Policy, you'll learn how to put an end to this and other threats against your applications. First, you'll learn about the W3C standard Content Security Policy (CSP), which versions exist, and which features they bring. Next, you'll develop an understanding of how CSP restricts what content the browser is allowed to load and execute. Finally, you'll explore exactly how to use this approach to secure your sites. When you're finished with this course, you'll be ready to apply CSP to your web applications and protect them from XSS and other attacks.

About the author

Christian Wenz is an author, consultant and trainer focusing on web technologies. He has written or co-written over 100 books, has been a fixture at international developer conferences since 2001, is a Microsoft Most Valuable Professional (MVP) for ASP.NET and an ASPInsiders member, and is the main author of the Zend PHP 5.5 certification.

Section Introduction Transcripts

Course Overview
Hi everyone! My name is Christian Wenz, and welcome to my course, Defeating Cross-site Scripting with Content Security Policy. I'm an independent developer and architect and support many companies in everything web, including web performance and web application security. Almost 20 years ago, I first encountered cross-site scripting. Back then I thought it was a good thing for me because it helped me circumvent a security restriction in an application I had to work with. Now, of course, I know better. Yet cross-site scripting seems hard to beat. The attack is as widespread as ever, until now, because in this course, we're going to fight cross-site scripting and some other attacks with Content Security Policy, a World Wide Web Consortium standard supported by most browsers that limits what a browser can do. Among other things, we can restrict which JavaScript code may be loaded and executed, making cross-site scripting virtually impossible. Some of the major topics that we will cover include setting up a Content Security Policy and learning about all the available options, which versions of Content Security Policy exist and what features they offer, understanding Content Security Policy browser support and how to maintain backwards compatibility with older versions, and testing and maintaining a policy. By the end of this course, you will know how to get the most out of Content Security Policy and how to implement this standard for your web applications. No prior knowledge is required, but it would be helpful if you have worked with any server technology such as ASP.NET or PHP. I hope you'll join me on this journey with the Defeating Cross-site Scripting with Content Security Policy course at Pluralsight.

Getting Started
Hi and welcome to Defeating Cross-site Scripting with Content Security Policy. My name is Christian Wenz, and I'm an independent consultant and software architect. In this course, we will talk a little bit about cross-site scripting and much, much more about Content Security Policy. That's a standard from the World Wide Web Consortium, W3C. These are the people behind XML, HTML, CSS, and many more standards. And Content Security Policy, or CSP in short, allows, among other things, a web browser to prevent content from being loaded or executed. One of the positive effects of that approach is that, well, cross-site scripting might eventually be defeated by Content Security Policy, and that's why I'm so excited about this. During this course, we will have a look at all versions of Content Security Policy. We'll have a look at all relevant features of Content Security Policy. And, of course, we will have a look at browser support for Content Security Policy. So in the end, you will be able to leverage Content Security Policy for your web applications, and you will also learn what you need to do to get your apps ready for Content Security Policy. So follow along, and in the end, you should also be able to defeat cross-site scripting with Content Security Policy.

Implementing CSP for Everyone: Version 1
Hi and welcome to Implementing Content Security Policy for Everyone: Version 1. My name is Christian Wenz, and as the title suggests, I will show you during this module how you can use all of the features from Content Security Policy version 1. If you recall from the previous module what CSP 1 is, namely a version of Content Security Policy where the last update of the standard was in 2012 and which is now only a W3C Working Note, this might sound a bit weird. But the important aspect is that, indeed, Content Security Policy version 1 has the most important features of Content Security Policy and has quite wide browser support, which we will dive into later in this module. So we'll have a look at what CSP is capable of doing. And in forthcoming modules, we will have a look at more advanced features that came in subsequent versions of Content Security Policy. So now let's get ready and create some Content Security Policies.

Leveraging Advanced Content Security Policy Features: Version 2
Hi and welcome to Leveraging Advanced Content Security Policy Features: Version 2. I'm Christian Wenz, and in this module, we will up our game. After learning all about Content Security Policy version 1 in the previous module, this time we will have a look at what's new and what has changed in Content Security Policy level 2. Many of those changes and new features are really, really useful, and I'll show you how you can max out all of them. However, it's a new version, so not all browsers play along and support that version. So we'll have a look at which browsers do and what you can do with those that don't. Let's get started.

Getting Applications Ready for Content Security Policy
Hi and welcome to Getting Applications Ready for Content Security Policy. I'm Christian Wenz, the same person who told you all about Content Security Policy versions 1 and 2. And now we will go one step further and discuss how we can get our applications ready for Content Security Policy usage. We will start by looking at a real-world policy and see how complex that is. And a complex policy, of course, means that we cannot just look at it and then say, "Well, that one's okay." No, we have to validate it. We have to test it. And we will talk about techniques and tools and services that can help us with that. This also includes monitoring whether there is any policy violation for our web application. Well, and finally, we develop a strategy for how to set up a policy, especially if we have to support older browsers as well, or if we cannot refactor our applications so that there might be issues with older browsers, or if we need features of more recent Content Security Policy versions yet still need to support older browsers. All this is coming up in this module.

Looking Forward: Upcoming Features in CSP 3
Hi and welcome to Looking Forward: Upcoming Features in CSP 3. I'm still Christian Wenz, and in this final module, we will take a look into the future. We'll have a look at Content Security Policy level 3 and see what that's all about. As I'm recording this, Content Security Policy level 3 has not been finalized yet. So for me, it's now early April 2017. The W3C has released a working draft. You've seen that before in the first module. That is dated September 2016, so a few months back. And, actually, there is a more updated version, an editor's draft, which is hosted at GitHub. So, yes, you can do pull requests, and that one is from late March 2017. So the editor in charge, currently that's Mike West from Google, is accepting feedback, changing a few things, and from time to time, the W3C draft will be updated accordingly. So there is no standard or W3C recommendation yet. So everything we are discussing in this module might change in the future. So take everything with a grain of salt, yet it shows in which direction Content Security Policy will go. Since the standard is not done yet, browsers do not support those features yet, but I expect once the standard moves forward, browsers will move forward quite quickly as well. So let's get started, and let's have a look at what's new and what will change in Content Security Policy version 3.