Content Security Policy

Kyle Robinson Young
28K subscribers
62K views

Learn how to secure your website from cross-site scripting attacks by enabling a Content Security Policy.
Code examples from this video: github.com/sha...

Category: Science

Published: 4 Oct 2024

Comments: 68
@arihantjain8347 2 years ago
Very nice, crisp and to the point. Very helpful, thanks!
@colindante5164 2 years ago
It's 2021 and this content never gets old. Thank you for posting this. ))
@이승민-t1o 3 years ago
Your explanations are so good! Thank you! I learned a lot 😃
@santiagoramirez874 2 years ago
Excellent, just what I needed: allow JavaScript only from two external sources.
@rajani123yt 3 years ago
Concepts are explained nicely with examples.
@basedonprinciple 3 years ago
Super helpful and exactly what I was looking for to understand CSP.
@codedynamics1 3 years ago
Been searching for this, Kyle. Very important subject. I understand it a bit better now, thank you!
@klu.official 9 years ago
These videos are really helpful. Thanks for uploading and please keep up the good work.
@kylerobinsonyoung 9 years ago
+Pavin Disatapundhu Thanks! :D
@jiayinglim657 9 years ago
Thanks for sharing. I look forward to learning more.
@YaseenMohammedofficial 4 years ago
This is good for basic learners... Thanks
@grahamschuckman3483 2 years ago
Fantastic tutorial, wish I could give a double thumbs-up!
@felipemedina7738 2 years ago
Excellent explanation!! Thank you so much.
@ari_james_dio9090 3 years ago
I'm a simple man: I hear "bears", I like.
@VictoriaOtunsha 2 years ago
Thanks for the breakdown.
@MagedMegz95 3 years ago
Amazing tutorial. Very well explained as well. Thanks very much.
@alimertcakar1894 4 years ago
Short and helpful. Thanks.
@ChongHwi 4 years ago
Thanks for the video, quick understanding.
@huanshao2165 4 years ago
Great explanation, thanks!
@diru424 4 years ago
Pure gold... thanks for the content.
@eelapata 4 years ago
Very nice and well explained.
@longtran12345678 9 years ago
Thanks for this guide.
@cliffmathew 4 years ago
Great content. You deserve more likes than the 427 that are registered here.
@jakubsukowski1040 3 years ago
How do you use require in frontend JavaScript? I'd love to know!
@Savageboi506 7 years ago
Dude, you cannot sanitize on entering the DB and on rendering, because something like would become <h1> in the DB, then <h1> on render.
@kylerobinsonyoung 7 years ago
Thanks for the correction. You're right, you don't want to sanitize HTML twice.
@yuriimahotskyi6487 4 years ago
Very cool explanation :D
@otiagosantoscode 1 year ago
I didn't understand how I fix this on a site that only uses HTML, CSS and JS files (frontend only)...
@sudarshanv9797 3 years ago
Why do you set the header on the response rather than the request? Also, instead of setting headers for all responses, can we set them separately for each individual response?
@wolfdroid8286 5 years ago
Nice video... gained a lot of knowledge. Surely going to share your video... Hmm, one thing I want to ask: if a site has implemented CSP and script-src is set to 'self', along with that third-party sites are listed for executing their scripts, and 'unsafe-inline' is also used in the script-src directive, how in this case can an attacker or hacker bypass CSP by taking advantage of 'unsafe-inline'?
@miketyson5929 9 years ago
Not relevant to the topic, but which program do you use to record these awesome videos?
@ACPixel 8 years ago
I think it's called ScreenFlow.
@domaincontroller 3 years ago
npm, sanitize-html 04:05, lodash 04:52, CSP 05:25, send an HTTP header to the browser to tell it to enable this CSP 07:40, CSS
@smoothbeak 8 years ago
"Get your bearings" - 0:25
@kylerobinsonyoung 8 years ago
+Daniel Jeffery ˁ˚ᴥ˚ˀ
@smoothbeak 8 years ago
+Kyle Robinson Young I'm on to you.
@etc.-Musik 4 years ago
There seems to be some kind of audio problem from around minute 3:48. I tried listening on different devices, with and without headphones, but no difference. Maybe you could make an updated version with better audio?
@swojchwat 4 years ago
3:50 your mic has been hacked :) Cool stuff though.
@MrMMohsen 3 years ago
Thanks for assuring me that I'm not the one who got hacked :P
@mattviverette 8 years ago
Something funny happening with the audio at 3:48.
@kylerobinsonyoung 8 years ago
Sorry about that! I'm not sure what happened there.
@vikramjadhav4180 9 years ago
Wow! Nice tutorial. Which JavaScript framework are you currently using? Could you give us a series on creating an application from scratch? Thanks!
@kylerobinsonyoung 9 years ago
+Vikram Jadhav Thanks! I used a vanilla JS app thrown together for demonstrating CSP. Not a great solution for building large apps, IMO, but it is simple and straightforward for small apps. I have some JS app architecture videos planned for the future.
@adit255 8 years ago
Great tutorial..! :-)
@kylerobinsonyoung 8 years ago
+Aaditya Purani Thanks!
@chuckyyes 3 years ago
It's that easy to install security?
@mohammadanas3320 3 years ago
Thanks man
@zepimousse4275 6 years ago
Hi Kyle, great video, congratulations! I get this error with a WordPress installation but not with a local installation. Do you know where I can find this setting? Regards, ZP.
@Nupur8590 5 years ago
Hey, great work. I would be glad if you could do one on preventing XSS using the Express middleware 'Helmet'.
@OriginalEXE 9 years ago
Hi Kyle, this is new to me, I did not know about the Content Security Policy. I have a question though: won't this block certain browser extensions? I imagine that could annoy some users.
@kylerobinsonyoung 9 years ago
+Ante Šepić I'm not too knowledgeable about writing browser extensions, but I believe they can define their own CSP: developer.chrome.com/extensions/contentSecurityPolicy So if the extension's action is getting blocked by a CSP, that extension probably shouldn't be doing that action. Also, a user can choose to disable the CSP in their browser too if desired. It's really a protection mechanism for the users in case a website they are visiting has been hijacked. The website developer defines a CSP to inform the user about the things they can trust. So while you could easily disable CSP in your browser, you wouldn't necessarily want to.
@OriginalEXE 9 years ago
+Kyle Robinson Young Thanks, that makes sense.
@antonyjoslin007 7 years ago
Hi Kyle, instead of this, if the text box is given validation for only alphanumerics, i.e. no special characters, does it cause any attacks?
@knotsable 3 years ago
Sound is screwed up...
@ohmatokita5990 3 years ago
What's the end music's name? That's amazing!
@solominh2012 7 years ago
A Google Chrome extension error brought me here. :D
@ikazak 4 years ago
Nice! Thanks!
@longingheart77 5 years ago
Thanks mate
@RSTao77432 6 years ago
Hi dude, I've only just heard about this CSP thing. I'm trying to add it to my site but I'm having some trouble. I have some scripts from Copyright House, DMCA, and a Comodo SSL certificate, but as soon as I add the CSP line it stops showing them. I understand that I cannot use inline JS with this enabled, but then how do I reference the scripts if this is so? Would a function() call not be blocked in the HTML file or browser... Please help, I have posted this on Stack Overflow as well.
@RSTao77432 6 years ago
Even after I've added the links and files to the trusted lists with spaces.
@rafadydkiemmacha7543 5 years ago
Why do you keep saying "excaping"?
@japjap6406 7 years ago
How to use this in PHP?
@kylerobinsonyoung 7 years ago
They are HTTP headers, so with PHP you could do: header("Content-Security-Policy: default-src 'self'");
@mtsewrs 9 years ago
The audio is weird.
@kylerobinsonyoung 9 years ago
+Ewers X Sorry about that! I'm not sure why the audio got fuzzy at that part.
@dlsgrowyt2208 4 years ago
SCP = Secure, Contain, Protect. Ohh, I think I commented on the wrong video, sorry 😅
@PraveenNelsonv6 4 years ago
Bears are the best. Kyle Robinson is also the best, but most humans are lame (including me).