
Content Security Policy explained | how to protect against Cross Site Scripting (XSS) 

Jan Goebel
40K views

🔥More exclusive content: productioncoder.com/you-decid...
Twitter: / _jgoebel
Blog: productioncoder.com
Website: jangoebel.com
In this video, we cover what Content Security Policy (CSP) is, why you need it and how it protects against Cross Site Scripting. We look at Content Security Policy directives, what they do and how you can leverage them for your application. The main goal of Content Security Policy is to protect against Cross Site Scripting attacks. It does so by limiting the origins and URLs from which certain assets (e.g. fonts, images, scripts) can be loaded. Content Security Policy can help to mitigate stored or reflected XSS attack vectors.
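The mechanics the description summarises, as an added example that is not code from the video or from Jan Goebel: a simplified JavaScript model of how a browser evaluates CSP fetch directives (the type-specific directive first, then the default-src fallback, then 'self' and host matching, with inline scripts refused unless 'unsafe-inline' or a matching nonce is listed). Hostnames and the nonce value are constructed placeholders.

```javascript
// Added example, not the video's code: a minimal evaluator for CSP fetch directives.
// The type-specific directive (script-src, img-src, ...) wins; default-src is the
// fallback, like the default branch of a switch. Ports, paths, hashes and
// 'strict-dynamic' are deliberately left out of this simplified model.
const FETCH_DIRECTIVE = { script: 'script-src', style: 'style-src', img: 'img-src', font: 'font-src', connect: 'connect-src' };
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !(name.toLowerCase() in policy)) policy[name.toLowerCase()] = sources; // first occurrence wins
  }
  return policy;
}
// Sources that apply to a fetch of the given type; with no directive at all nothing is restricted.
function effectiveSources(policy, type) {
  return policy[FETCH_DIRECTIVE[type]] || policy['default-src'] || ['*'];
}
function sourceMatches(source, url, pageOrigin) {
  const target = new URL(url);
  if (source.startsWith("'")) return source === "'self'" && target.origin === pageOrigin; // keyword sources
  if (source === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return target.protocol === source.toLowerCase(); // scheme-only, e.g. https:
  let host = source.toLowerCase();
  const withScheme = host.match(/^([a-z][a-z0-9+.-]*:)\/\/(.+)$/);
  if (withScheme) {
    if (target.protocol !== withScheme[1]) return false;
    host = withScheme[2];
  }
  host = host.replace(/[:/].*$/, ''); // drop port and path (simplification)
  if (host.startsWith('*.')) return target.hostname.endsWith(host.slice(1)); // *.example.com, not example.com itself
  return target.hostname === host;
}
function allowsUrl(policy, type, url, pageOrigin) {
  const sources = effectiveSources(policy, type);
  if (sources.includes("'none'")) return false;
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}
function allowsInlineScript(policy, nonce = null) {
  const sources = effectiveSources(policy, 'script');
  return sources.includes("'unsafe-inline'") || (nonce !== null && sources.includes(`'nonce-${nonce}'`));
}

// Constructed policy (hostnames and nonce are placeholders); page served from https://app.example.com
const policy = parseCsp("default-src 'self'; script-src 'self' https://cdn.example.com 'nonce-r4nd0m'; img-src *");
const origin = 'https://app.example.com';
console.log(allowsUrl(policy, 'script', 'https://app.example.com/main.js', origin)); // true ('self')
console.log(allowsUrl(policy, 'script', 'https://attacker.example.net/x.js', origin)); // false: host not listed
console.log(allowsUrl(policy, 'font', 'https://fonts.example.org/a.woff2', origin)); // false: falls back to default-src
console.log(allowsInlineScript(policy), allowsInlineScript(policy, 'r4nd0m')); // false true: injected inline <script> blocked, nonced one allowed
```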

Published: 14 Mar 2021

Comments: 85
@jgoebel 3 years ago
What do you think about this video? Let me know in the comments below.
@rhitmanandhar525 2 years ago
Loved it. Thank you.
@lksjfadlk 2 years ago
Thanks man.
@truepakistani9604 2 years ago
5:48 default-src default of switch statement wow. Explained in just a single statement 👍👍👍
@jgoebel 2 years ago
you're most welcome
@Barrosy 1 year ago
Oh my god I was looking all over the web for what the meaning behind meta tags and CSP was until I found this video. It's crystal clear to me now. Thank you so much sir.
@ash_tray_6 11 months ago
Thank you! You’re a fantastic teacher.
@jgoebel 10 months ago
I'm glad you liked it
@justtruth5157 1 year ago
Very nice video!!!
@TrumpsOfDesign 1 year ago
Thanks for the explanation. I've searched for resources that can explain to me in a simple way what CSP is and what it is for. After this video I have a superficial understanding that is enough for my purposes.
@noelcovarrubias7490 2 years ago
Thank you. I first read the article but I was a bit confused because I had never heard of XSS before, so I came here and after the first 3 mins it was crystal clear to me. :D
@jgoebel 2 years ago
thx Noel, I'm glad I could help!
@ahmedelgaidi 2 years ago
The best as always
@jgoebel 2 years ago
thx Ahmed 👍
@hekarboi3656 1 year ago
straight to the point, thanks
@jgoebel 1 year ago
you're welcome Hekar
@stomperhk9107 2 years ago
Dude.... Thanks a ton for that objective video.
@jgoebel 2 years ago
Glad it was helpful!
@user-yi8ej9qj2p 1 year ago
Thank you for such a great video!
@jgoebel 1 year ago
thx
@Rabano94 1 year ago
thank you for the video! super clear!
@jgoebel 1 year ago
thx
@1bigslug 2 years ago
Thank you for the video!!
@jgoebel 2 years ago
My pleasure!
@ukaszkiepas57 14 days ago
Thank you buddy! :)
@emily_tm 6 months ago
great explanation, many thanks!
@jgoebel 5 months ago
Glad you enjoyed it!
@najaericsson71 2 months ago
Very good!
@jgoebel 1 month ago
Thanks!
@superdop1976 8 months ago
Thank you for the great explanation.
@jgoebel 8 months ago
You are welcome!
@yasminbrandao3359 2 years ago
Nice explanation! Thanks for sharing
@jgoebel 2 years ago
Glad you liked it!
@petrtcoi9398 1 year ago
Great explanation!
@jgoebel 1 year ago
Thanks!
@sanketmaske74 3 years ago
Very well explained.... thanks
@jgoebel 3 years ago
thx Sanket 👍
@ABDULKARIMHOMAIDI 3 months ago
Thanks man!!
@jgoebel 1 month ago
you're welcome
@1haker 1 year ago
Great video
@jgoebel 1 year ago
Glad you enjoyed it
@verynaughtyg 5 months ago
Very nicely explained. Thanks. I liked it.
@jgoebel 5 months ago
Thanks for liking
@x1ns44n3 5 months ago
Nicely Explained >>
@jgoebel 5 months ago
Glad it was helpful!
@exd0254 1 year ago
Thanks for the clear explanation
@jgoebel 1 year ago
Glad it was helpful!
@markomilardic 8 months ago
Great :)
@jgoebel 7 months ago
Thanks!
@otiagosantoscode 1 year ago
I can't figure out how to implement this in practice!! I'm trying to put a Google Maps on a statistical HTML page, but it keeps giving a CSP warning or the map doesn't load.
@siyamrubaiyeat5852 2 years ago
Fixing one missing Content Security Policy header, does it impact the entire website?
@nemisis282 2 days ago
So if I'm understanding this correctly, this just prevents loading scripts from sources not allowed by the CSP. But an attacker could still use an inline script tag to run any JavaScript, as long as they could fit everything they need within the comment box (assuming stored, and in a comment input)?
@none0n 2 years ago
Great video, do you have a video with some in-depth code examples?
@grahamschuckman3483 1 year ago
Think it would’ve been helpful if you did actually demo a few examples of setting the various directives. It's hard to make sense of how each works by just reading the MDN pages that you showed.
@ToadyEN 2 years ago
Handy overview, now to building a CSP 😳
@jgoebel 2 years ago
nice 👍
@chadbosch1110 3 years ago
Hey, is there a secure way of storing/using a JWT with CORS to prevent XSS? Client and server are hosted separately so I can't do HttpOnly. Just wondering if you have any material I could look at.
@jgoebel 3 years ago
Hi Chad, if you store a JWT inside of a cookie then your api-gateway needs a strict CORS policy and ideally HttpOnly and Secure cookies to prevent CSRF. However, CORS and cookies do not sufficiently protect you against XSS, because with XSS some malicious code is running in the browser. So in case the JWT is stored in a cookie - even if it is HttpOnly - the attacker can still make authenticated requests. The only "advantage" over using local storage here is that the attacker would need to run the full attack through the browser. This is still bad and the attacker can do pretty much anything he wants to do, but at least the attacker does not get access to the actual token. So while the attacker could still do everything via the browser, it would be slightly harder. To protect against XSS, a Content Security Policy is very useful, as well as sanitizing user input when it is sent to the server. I think I don't really have a dedicated video on that yet.
@johnnyforget1494 2 years ago
So I've read that putting the CSP in HTML meta tags isn't super effective and frame-ancestors can't be used. What are your thoughts on this?
@jgoebel 2 years ago
Hi Johnny, here is a really nice answer to your question: webmasters.stackexchange.com/questions/104857/when-should-i-not-to-use-page-meta-security-headers
@ricardonacif5426 6 months ago
Man you look like young Elon Musk lol. Congratz on the content btw!
@ashwinkumar4168 2 years ago
@Barrosy 1 year ago
Not literally like this. You have to replace and with your own directive and value you would like to use. Also make sure to separate these two placeholders with a space. So an example would be
@yuvrajagarkar8942 2 years ago
But what if some hacker sniffs the traffic and manipulates the request and response headers? Is that possible if HTTPS is used?
@jgoebel 2 years ago
Hi Yuvraj, https is TLS over HTTP and all headers that can be encrypted are encrypted (hostname / IP headers are not encrypted because otherwise routing of the package would be impossible: stackoverflow.com/a/187679/2328833)
@codemadesimple1043 8 months ago
Well explained 🎉 Are you from Denmark?
@jgoebel 8 months ago
no, I'm from Germany
@mindcontroller7136 1 year ago
alert("Thank you, very clear explanation")
@jgoebel 1 year ago
haha nice 👍
@sauravkarmakar1811 3 years ago
I set the CSP script-src to 'self' and in the console it is showing many script errors. How can I make it accept all my scripts?
@jgoebel 3 years ago
Hi Saurav, while you could allow any script, this would defeat the purpose of having a CSP in the first place. So I figure the only way would be to explicitly add the sources you want to load scripts from. If you specify 'self', then this means that you only allow scripts to come from the origin the webpage was originally loaded from.
@sauravkarmakar1811 3 years ago
@jgoebel How can I make it accept the scripts that I have written in some script tags inside some pages?
@neeerajtk 10 months ago
Can we set CSP in AWS?
@jgoebel 9 months ago
CSP is independent of any cloud service
@Raj0x01 2 years ago
Can anyone explain: "Browsers that don't support CSP still work with servers that implement it"?
@jgoebel 2 years ago
No, because the browser enforces the CSP. But pretty much every modern browser supports CSP these days
@Raj0x01 2 years ago
Thanks
@yamansharma9344 3 years ago
I guess I have seen cross site scripting policies added in web.config files 🤔
@jgoebel 3 years ago
Could be. Some servers allow you to just pass a config file and then the server will generate the headers for you
@panchalnitin 2 years ago
Write down the code mentioned in the video, and then try to edit the comment, RU-vid will delete it!
@jgoebel 2 years ago
probably because RU-vid thinks that you are trying to do a stored cross site scripting (XSS) attack 😁
@freewhitesparrow6205 1 year ago
Is it Elon Musk?
@nIrUbU01 2 years ago
Doesn't really explain anything, all you're saying is "if you have this header you're protected" - great.
@BearkFearGamer 1 year ago
alert(document.cookie)
@jgoebel 1 year ago
nice try 😁