Learn how to secure your website from cross-site scripting attacks by enabling a Content Security Policy. Code examples from this video: github.com/sha...
Why do you set the header on the response rather than the request? Also, instead of setting headers for all responses, can we set them separately for each individual response?
Nice video... gained a lot of knowledge. Surely going to share your video. Hmm, one thing I want to ask: if a site has implemented CSP and script-src is set to 'self', along with that third-party sites are mentioned for executing their scripts, and it also uses 'unsafe-inline' in the script-src tag, how in this case can an attacker or hacker bypass CSP by taking advantage of 'unsafe-inline'?
There seems to be some kind of audio problem from around minute 3:48. I tried listening on different devices, with and without headphones, but no difference. Maybe you could make an updated version with better audio?
+Vikram Jadhav Thanks! I used a vanilla JS app thrown together for demonstrating CSP. Not a great solution for building large apps, IMO, but it is simple and straightforward for small apps. I have some JS app architecture videos planned for the future.
Hi Kyle, great video, congratulations! I get this error with a WordPress installation but not with a local installation. Do you know where I can find this setting? Regards, ZP.
Hi Kyle, this is new to me; I did not know about Content Security Policy. I have a question though: won't this block certain browser extensions? I imagine that could annoy some users.
+Ante Šepić I'm not too knowledgeable about writing browser extensions, but I believe they can define their own CSP: developer.chrome.com/extensions/contentSecurityPolicy So if the extension action is getting blocked by a CSP, that extension probably shouldn't be doing that action. Also, a user can choose to disable the CSP in their browser if desired. It's really a protection mechanism for the users in case a website they are visiting has been hijacked. The website developer defines a CSP to inform the user about the things they can trust. So while you could easily disable CSP in your browser, you wouldn't necessarily want to.
Hi dude, I've only just heard about this CSP thing. I'm trying to add it to my site but I'm having some trouble. I have some scripts from Copyright House, DMCA, and the Comodo SSL certificate, but as soon as I add the CSP line it stops showing them. I understand that I cannot use inline JS with this enabled, but then how do I reference the scripts if this is so? Would a function() call not be blocked in the HTML file or browser? Please help, I have posted this on StackOverflow as well.