Content Security Policy explained | how to protect against Cross Site Scripting (XSS)
HTML-код
- Опубликовано: 11 сен 2024
- 🔥More exclusive content: productioncode...
Twitter: / _jgoebel
Blog: productioncode...
Website: jangoebel.com
In this video, we cover what Content Security Policy (CSP) is, why you need and how it protects against Cross Site Scripting. We look at Content Security Policy directives, what they do and how you can leverage them for your application. The main goal of Content Security Policy is to protect against Cross Site Scripting attacks. It does so by limiting the origins and urls from which certain assets (e.g. fonts, images, scripts) can be loaded. Content Security Policy can help to mitigate against stored or reflected XSS attack vectors.
What do you think about this video?
Let me know in the comments below.
Loved it. Thank you.
Thanks man.
i needed a good rule for a modern website. not only why, but some kind of common what.
Thanks, man!
5:48 default-src default of switch statement wow. Explained in just a single statement 👍👍👍
you're most welcome
Oh my god I was looking all over the web what the meaning behind meta tags and CSP was until I found this video. It's crystal clear to me now. Thank you so much sir.
Thank you! You’re a fantastic teacher.
I'm glad you liked it
Dude.... Thank's a ton for that objective video.
Glad it was helpful!
Thank you. I first read the article but I was a bit confused because I never heard of XSS before so I came here an after the first 3 mins it was crystal clear to me. :D
thx Noel, I'm glad I could help!
Thanks for explanation. I've searched resources, that can explain me in simple way what is CSP and what it for. After this video I have superficial understanding that is enough for my purposes
straight to the point, thanks
you're welcome Hekar
Wonderful explanation
Glad it was helpful!
Think it would’ve been helpful if you did actually demo a few examples with setting the various directives. Hard to make sense of how each works by just reading the MDN pages that you showed.
Very good!
Thanks!
Nicely Explained >>
Glad it was helpful!
Man you look like young Elon Musk lol. Congratz on the content btw!
The best as always
thx Ahmed 👍
great explanation, many thanks!
Glad you enjoyed it!
Very nice video!!!
Thank you for the great explanation.
You are welcome!
very nicely explained. thanks. i liked it.
Thanks for liking
Great explanation!
Thanks!
Thanks bro !
Handy overview, now to building a CSP 😳
nice 👍
Thank you for such great video!
thx
Nice explanation!
tks for sharing
Glad you liked it!
thank you for the video! super clear!
thx
Very well explained.... thanks
thx Sanket 👍
What do you think about unsafe-inline in style? i have an app with firebase + react... managed to use nonces but in client side rendering, so styles are broken
thank you buddy ! :)
You're most welcome!
Well explained 🎉 Are you from Denmark?
no, I'm from Germany
thanks 4 the clear explanation
Glad it was helpful!
Thank you for the video!!
My pleasure!
Great video
Glad you enjoyed it
I can't figure out how to implement this in practice!! I'm trying to put a google maps on a statistical html page, but it keeps giving a csp warning or the map doesn't load.
Great video, do you have a video with some in-depth code examples?
on my wordpress website -chrome on my phone says not secure, safari on laptop also says not secure but my SSL certificate is good i checked. also chrome on my laptop doesn't say not secure. I went to inspect >console on website and this error was there but I don't know what it means or where the error is located. The Source Location is blank - "Content Security Policy of your site blocks the use of 'eval' in JavaScript`
The Content Security Policy (CSP) prevents the evaluation of arbitrary strings as JavaScript to make it more difficult for an attacker to inject unathorized code on your site.
To solve this issue, avoid using eval(), new Function(), setTimeout([string], ...) and setInterval([string], ...) for evaluating strings.
If you absolutely must: you can enable string evaluation by adding unsafe-eval as an allowed source in a script-src directive.
⚠ Allowing string evaluation comes at the risk of inline script injection.
1 directive
Source location Directive Status
script-src blocked
Thanks man !!
you're welcome
Great :)
Thanks!
So if im understanding this correctly, this just prevents loading scripts, from sources not allowed by the CSP. But an attacker could still use an inline script tag to run any javascript they could fit everything they need within the comment box (assuming stored and in a comment input)?
CSPs block all inline scripts by default, though if you have specific inline scripts you want to allow you can identify them with hashes or nonces to whitelist with the CSP.
alert("Thank you, very clear explanation")
haha nice 👍
fixing one missing content security policy header is it impacts the entire website?
So I've read that putting the CSP in html meta tags isn't super effective and frame ancestors can't be used. What are your thoughts on this?
Hi Johnny, here is a really nice answer for your question: webmasters.stackexchange.com/questions/104857/when-should-i-not-to-use-page-meta-security-headers
Not literally like this. You have to replace and with your own directive and value you would like to use. Also make sure to separate these two placeholders with a space. So an example would be
Hey, Is there a secure way in storing/using JWT with CORS to prevent XSS? Hosted Client and Server Separately so can't do httponly. Just wondering if you have any material I could look at.
Hi Chad,
if you store a JWT inside of a cookie then your api-gateway needs a strict CORS policy and ideally HttpOnly and Secure cookies to prevent CSRF. However, CORS and cookies do not sufficiently protect you against XSS. Because with XSS some malicious code is running in browser. So in case the JWT is stored in a cookie - even if it is HttpOnly - the attacker can still make authenticated requests. The only "advantage" over using local storage here is that the attacker would need to run the full attack over the browser. This is still bad and the attacker can do pretty much anything he wants to do but at least the attacker does not get access to the actual token. So while the attacker could still do everything via the browser, it would be slightly harder.
To protect against XSS, a Content Security Policy is very useful as well as sanitizing user input when it is sent to the server. I think I don't really have a dedicated video that yet.
but what if some hacker sniffs the traffic and manipulates the request and response headers ? , is that possible if used https ?
Hi Yuvraj, https is TLS over HTTP and all headers that can be encrypted, are encrypted (hostname / IP headers are not encrypted because otherwise routing of the package would be impossible: stackoverflow.com/a/187679/2328833)
I used csp script-src to self..and in console it showing many script error...how can i make it accept all my script ?
Hi Saurav, while you could allow any script this would defeat the purpose of having a CSP in the first place. So I figure the only way would be to explicitly add the sources where you want to load scripts from. If you specify self, then this means that you only allow scripts to come from the origin where the webpage was originally loaded from
@@jgoebel how can i make it accept the scripts that i have written on some script tags inside some pages?
Can anyone explain: "Browsers that don't support CSP still work with servers that implement it" ?
no because the browser enforces the CSP. But pretty much every modern browser supports CSP these days
Thanks
Can we set CSP in AWS?
CSP is independent of any cloud service
Rebekah Prairie
I guess I have seen cross site scripting policies added in web.config files 🤔
could be. Some servers allow you to just pass a config file and then the server will generate the headers for you
Write down the code mentioned in the video, and then try to edit the comment, RUclips will delete it!
probably because RUclips thinks that you are trying to do a stored cross site scripting (XSS) attack 😁
Hall Anthony Brown Ruth Miller Frank
doesnt really explain anything, all youre saying is "if you have this header youre protected" - great.
Is it Elon Mask?
dd
alert(document.cookie)
nice try 😁