Oh my god I was looking all over the web what the meaning behind meta tags and CSP was until I found this video. It's crystal clear to me now. Thank you so much sir.
Thanks for explanation. I've searched resources, that can explain me in simple way what is CSP and what it for. After this video I have superficial understanding that is enough for my purposes
Thank you. I first read the article but I was a bit confused because I never heard of XSS before so I came here an after the first 3 mins it was crystal clear to me. :D
Think it would’ve been helpful if you did actually demo a few examples with setting the various directives. Hard to make sense of how each works by just reading the MDN pages that you showed.
I can't figure out how to implement this in practice!! I'm trying to put a google maps on a statistical html page, but it keeps giving a csp warning or the map doesn't load.
What do you think about unsafe-inline in style? i have an app with firebase + react... managed to use nonces but in client side rendering, so styles are broken
So if im understanding this correctly, this just prevents loading scripts, from sources not allowed by the CSP. But an attacker could still use an inline script tag to run any javascript they could fit everything they need within the comment box (assuming stored and in a comment input)?
CSPs block all inline scripts by default, though if you have specific inline scripts you want to allow you can identify them with hashes or nonces to whitelist with the CSP.
on my wordpress website -chrome on my phone says not secure, safari on laptop also says not secure but my SSL certificate is good i checked. also chrome on my laptop doesn't say not secure. I went to inspect >console on website and this error was there but I don't know what it means or where the error is located. The Source Location is blank - "Content Security Policy of your site blocks the use of 'eval' in JavaScript` The Content Security Policy (CSP) prevents the evaluation of arbitrary strings as JavaScript to make it more difficult for an attacker to inject unathorized code on your site. To solve this issue, avoid using eval(), new Function(), setTimeout([string], ...) and setInterval([string], ...) for evaluating strings. If you absolutely must: you can enable string evaluation by adding unsafe-eval as an allowed source in a script-src directive. ⚠ Allowing string evaluation comes at the risk of inline script injection. 1 directive Source location Directive Status script-src blocked
Hi Saurav, while you could allow any script this would defeat the purpose of having a CSP in the first place. So I figure the only way would be to explicitly add the sources where you want to load scripts from. If you specify self, then this means that you only allow scripts to come from the origin where the webpage was originally loaded from
Hi Yuvraj, https is TLS over HTTP and all headers that can be encrypted, are encrypted (hostname / IP headers are not encrypted because otherwise routing of the package would be impossible: stackoverflow.com/a/187679/2328833)
Not literally like this. You have to replace and with your own directive and value you would like to use. Also make sure to separate these two placeholders with a space. So an example would be
Hi Johnny, here is a really nice answer for your question: webmasters.stackexchange.com/questions/104857/when-should-i-not-to-use-page-meta-security-headers
Hey, Is there a secure way in storing/using JWT with CORS to prevent XSS? Hosted Client and Server Separately so can't do httponly. Just wondering if you have any material I could look at.
Hi Chad, if you store a JWT inside of a cookie then your api-gateway needs a strict CORS policy and ideally HttpOnly and Secure cookies to prevent CSRF. However, CORS and cookies do not sufficiently protect you against XSS. Because with XSS some malicious code is running in browser. So in case the JWT is stored in a cookie - even if it is HttpOnly - the attacker can still make authenticated requests. The only "advantage" over using local storage here is that the attacker would need to run the full attack over the browser. This is still bad and the attacker can do pretty much anything he wants to do but at least the attacker does not get access to the actual token. So while the attacker could still do everything via the browser, it would be slightly harder. To protect against XSS, a Content Security Policy is very useful as well as sanitizing user input when it is sent to the server. I think I don't really have a dedicated video that yet.
What do you think about this video?
Let me know in the comments below.
Loved it. Thank you.
Thanks man.
i needed a good rule for a modern website. not only why, but some kind of common what.
Thanks, man!
5:48 default-src default of switch statement wow. Explained in just a single statement 👍👍👍
you're most welcome
Oh my god I was looking all over the web what the meaning behind meta tags and CSP was until I found this video. It's crystal clear to me now. Thank you so much sir.
Thank you! You’re a fantastic teacher.
I'm glad you liked it
straight to the point, thanks
you're welcome Hekar
Dude.... Thank's a ton for that objective video.
Glad it was helpful!
Great explanation. Thanks
Glad you liked it!
Thanks for explanation. I've searched resources, that can explain me in simple way what is CSP and what it for. After this video I have superficial understanding that is enough for my purposes
Thank you. I first read the article but I was a bit confused because I never heard of XSS before so I came here an after the first 3 mins it was crystal clear to me. :D
thx Noel, I'm glad I could help!
Thank you for the great explanation.
You are welcome!
great explanation, many thanks!
Glad you enjoyed it!
Great explanation!
Thanks!
thank you for the video! super clear!
thx
Wonderful explanation
Glad it was helpful!
very nicely explained. thanks. i liked it.
Thanks for liking
Thanks bro !
Nice explanation!
tks for sharing
Glad you liked it!
Thank you for such great video!
thx
Very well explained.... thanks
thx Sanket 👍
fixing one missing content security policy header is it impacts the entire website?
Thanks man !!
you're welcome
Thank you for the video!!
My pleasure!
thanks 4 the clear explanation
Glad it was helpful!
Very nice video!!!
The best as always
thx Ahmed 👍
Very good!
Thanks!
thank you
You're welcome
thank you buddy ! :)
You're most welcome!
Great video
Glad you enjoyed it
Nicely Explained >>
Glad it was helpful!
Think it would’ve been helpful if you did actually demo a few examples with setting the various directives. Hard to make sense of how each works by just reading the MDN pages that you showed.
Well explained 🎉 Are you from Denmark?
no, I'm from Germany
I can't figure out how to implement this in practice!! I'm trying to put a google maps on a statistical html page, but it keeps giving a csp warning or the map doesn't load.
Handy overview, now to building a CSP 😳
nice 👍
What do you think about unsafe-inline in style? i have an app with firebase + react... managed to use nonces but in client side rendering, so styles are broken
Great video, do you have a video with some in-depth code examples?
So if im understanding this correctly, this just prevents loading scripts, from sources not allowed by the CSP. But an attacker could still use an inline script tag to run any javascript they could fit everything they need within the comment box (assuming stored and in a comment input)?
CSPs block all inline scripts by default, though if you have specific inline scripts you want to allow you can identify them with hashes or nonces to whitelist with the CSP.
Man you look like young Elon Musk lol. Congratz on the content btw!
Great :)
Thanks!
Can we set CSP in AWS?
CSP is independent of any cloud service
on my wordpress website -chrome on my phone says not secure, safari on laptop also says not secure but my SSL certificate is good i checked. also chrome on my laptop doesn't say not secure. I went to inspect >console on website and this error was there but I don't know what it means or where the error is located. The Source Location is blank - "Content Security Policy of your site blocks the use of 'eval' in JavaScript`
The Content Security Policy (CSP) prevents the evaluation of arbitrary strings as JavaScript to make it more difficult for an attacker to inject unathorized code on your site.
To solve this issue, avoid using eval(), new Function(), setTimeout([string], ...) and setInterval([string], ...) for evaluating strings.
If you absolutely must: you can enable string evaluation by adding unsafe-eval as an allowed source in a script-src directive.
⚠ Allowing string evaluation comes at the risk of inline script injection.
1 directive
Source location Directive Status
script-src blocked
I used csp script-src to self..and in console it showing many script error...how can i make it accept all my script ?
Hi Saurav, while you could allow any script this would defeat the purpose of having a CSP in the first place. So I figure the only way would be to explicitly add the sources where you want to load scripts from. If you specify self, then this means that you only allow scripts to come from the origin where the webpage was originally loaded from
@@jgoebel how can i make it accept the scripts that i have written on some script tags inside some pages?
but what if some hacker sniffs the traffic and manipulates the request and response headers ? , is that possible if used https ?
Hi Yuvraj, https is TLS over HTTP and all headers that can be encrypted, are encrypted (hostname / IP headers are not encrypted because otherwise routing of the package would be impossible: stackoverflow.com/a/187679/2328833)
Not literally like this. You have to replace and with your own directive and value you would like to use. Also make sure to separate these two placeholders with a space. So an example would be
So I've read that putting the CSP in html meta tags isn't super effective and frame ancestors can't be used. What are your thoughts on this?
Hi Johnny, here is a really nice answer for your question: webmasters.stackexchange.com/questions/104857/when-should-i-not-to-use-page-meta-security-headers
Can anyone explain: "Browsers that don't support CSP still work with servers that implement it" ?
no because the browser enforces the CSP. But pretty much every modern browser supports CSP these days
Thanks
alert("Thank you, very clear explanation")
haha nice 👍
Hey, Is there a secure way in storing/using JWT with CORS to prevent XSS? Hosted Client and Server Separately so can't do httponly. Just wondering if you have any material I could look at.
Hi Chad,
if you store a JWT inside of a cookie then your api-gateway needs a strict CORS policy and ideally HttpOnly and Secure cookies to prevent CSRF. However, CORS and cookies do not sufficiently protect you against XSS. Because with XSS some malicious code is running in browser. So in case the JWT is stored in a cookie - even if it is HttpOnly - the attacker can still make authenticated requests. The only "advantage" over using local storage here is that the attacker would need to run the full attack over the browser. This is still bad and the attacker can do pretty much anything he wants to do but at least the attacker does not get access to the actual token. So while the attacker could still do everything via the browser, it would be slightly harder.
To protect against XSS, a Content Security Policy is very useful as well as sanitizing user input when it is sent to the server. I think I don't really have a dedicated video that yet.
alert('Hello World') only hello world
I guess I have seen cross site scripting policies added in web.config files 🤔
could be. Some servers allow you to just pass a config file and then the server will generate the headers for you
Rebekah Prairie
Write down the code mentioned in the video, and then try to edit the comment, RUclips will delete it!
probably because RUclips thinks that you are trying to do a stored cross site scripting (XSS) attack 😁
alert('test')
doesnt really explain anything, all youre saying is "if you have this header youre protected" - great.
Is it Elon Mask?
dd
alert(document.cookie)
nice try 😁