Content Security Policy explained | how to protect against Cross Site Scripting (XSS)

Рет қаралды 43,755

Күн бұрын

🔥More exclusive content: productioncode...
Twitter: / _jgoebel
Blog: productioncode...
Website: jangoebel.com
In this video, we cover what Content Security Policy (CSP) is, why you need and how it protects against Cross Site Scripting. We look at Content Security Policy directives, what they do and how you can leverage them for your application. The main goal of Content Security Policy is to protect against Cross Site Scripting attacks. It does so by limiting the origins and urls from which certain assets (e.g. fonts, images, scripts) can be loaded. Content Security Policy can help to mitigate against stored or reflected XSS attack vectors.

Пікірлер: 100

@jgoebel 3 жыл бұрын

What do you think about this video? Let me know in the comments below.

@rhitmanandhar525 3 жыл бұрын

Loved it. Thank you.

@lksjfadlk 2 жыл бұрын

Thanks man.

@isagive 2 ай бұрын

i needed a good rule for a modern website. not only why, but some kind of common what.

@wajeehsaleh6121 Ай бұрын

Thanks, man!

@truepakistani9604 2 жыл бұрын

5:48 default-src default of switch statement wow. Explained in just a single statement 👍👍👍

@jgoebel 2 жыл бұрын

you're most welcome

@Barrosy Жыл бұрын

Oh my god I was looking all over the web what the meaning behind meta tags and CSP was until I found this video. It's crystal clear to me now. Thank you so much sir.

@ash_tray_6 Жыл бұрын

Thank you! You’re a fantastic teacher.

@jgoebel Жыл бұрын

I'm glad you liked it

@TrumpsOfDesign Жыл бұрын

Thanks for explanation. I've searched resources, that can explain me in simple way what is CSP and what it for. After this video I have superficial understanding that is enough for my purposes

@noelcovarrubias7490 3 жыл бұрын

Thank you. I first read the article but I was a bit confused because I never heard of XSS before so I came here an after the first 3 mins it was crystal clear to me. :D

@jgoebel 3 жыл бұрын

thx Noel, I'm glad I could help!

@stomperhk9107 2 жыл бұрын

Dude.... Thank's a ton for that objective video.

@jgoebel 2 жыл бұрын

Glad it was helpful!

@hekarboi3656 2 жыл бұрын

straight to the point, thanks

@jgoebel 2 жыл бұрын

you're welcome Hekar

@ecommercetechbuild1354 2 ай бұрын

Wonderful explanation

@jgoebel Ай бұрын

Glad it was helpful!

@grahamschuckman3483 2 жыл бұрын

Think it would’ve been helpful if you did actually demo a few examples with setting the various directives. Hard to make sense of how each works by just reading the MDN pages that you showed.

@superdop1976 11 ай бұрын

Thank you for the great explanation.

@jgoebel 11 ай бұрын

You are welcome!

@emily_tm 8 ай бұрын

great explanation, many thanks!

@jgoebel 8 ай бұрын

Glad you enjoyed it!

@israelkayaba6002 Ай бұрын

Thanks bro !

@dublinnnn 8 ай бұрын

Nicely Explained >>

@jgoebel 8 ай бұрын

Glad it was helpful!

@MHamidAshraf 7 ай бұрын

very nicely explained. thanks. i liked it.

@jgoebel 7 ай бұрын

Thanks for liking

@petrtcoi9398 Жыл бұрын

Great explanation!

@jgoebel Жыл бұрын

Thanks!

@Rabano94 Жыл бұрын

thank you for the video! super clear!

@jgoebel Жыл бұрын

thx

@ahmedelgaidi 3 жыл бұрын

The best as always

@jgoebel 3 жыл бұрын

thx Ahmed 👍

@yasminbrandao3359 2 жыл бұрын

Nice explanation! tks for sharing

@jgoebel 2 жыл бұрын

Glad you liked it!

@justtruth5157 Жыл бұрын

Very nice video!!!

@sanketmaske74 3 жыл бұрын

Very well explained.... thanks

@jgoebel 3 жыл бұрын

thx Sanket 👍

@ازاي-ث7خ Жыл бұрын

Thank you for such great video!

@jgoebel Жыл бұрын

thx

@ToadyEN 2 жыл бұрын

Handy overview, now to building a CSP 😳

@jgoebel 2 жыл бұрын

nice 👍

@1bigslug 2 жыл бұрын

Thank you for the video!!

@jgoebel 2 жыл бұрын

My pleasure!

@najaericsson71 5 ай бұрын

Very good!

@jgoebel 4 ай бұрын

Thanks!

@ukaszkiepas57 3 ай бұрын

thank you buddy ! :)

@jgoebel Ай бұрын

You're most welcome!

@exd0254 2 жыл бұрын

thanks 4 the clear explanation

@jgoebel 2 жыл бұрын

Glad it was helpful!

@otiagosantoscode Жыл бұрын

I can't figure out how to implement this in practice!! I'm trying to put a google maps on a statistical html page, but it keeps giving a csp warning or the map doesn't load.

@ricardonacif5426 9 ай бұрын

Man you look like young Elon Musk lol. Congratz on the content btw!

@ABDULKARIMHOMAIDI 6 ай бұрын

Thanks man !!

@jgoebel 3 ай бұрын

you're welcome

@FlanzetaGaming Ай бұрын

What do you think about unsafe-inline in style? i have an app with firebase + react... managed to use nonces but in client side rendering, so styles are broken

@codemadesimple1043 11 ай бұрын

Well explained 🎉 Are you from Denmark?

@jgoebel 11 ай бұрын

no, I'm from Germany

@1haker Жыл бұрын

Great video

@jgoebel Жыл бұрын

Glad you enjoyed it

@IHHI22 2 ай бұрын

on my wordpress website -chrome on my phone says not secure, safari on laptop also says not secure but my SSL certificate is good i checked. also chrome on my laptop doesn't say not secure. I went to inspect >console on website and this error was there but I don't know what it means or where the error is located. The Source Location is blank - "Content Security Policy of your site blocks the use of 'eval' in JavaScript` The Content Security Policy (CSP) prevents the evaluation of arbitrary strings as JavaScript to make it more difficult for an attacker to inject unathorized code on your site. To solve this issue, avoid using eval(), new Function(), setTimeout([string], ...) and setInterval([string], ...) for evaluating strings. If you absolutely must: you can enable string evaluation by adding unsafe-eval as an allowed source in a script-src directive. ⚠ Allowing string evaluation comes at the risk of inline script injection. 1 directive Source location Directive Status script-src blocked

@mindcontroller7136 2 жыл бұрын

alert("Thank you, very clear explanation")

@jgoebel Жыл бұрын

haha nice 👍

@nemisis282 2 ай бұрын

So if im understanding this correctly, this just prevents loading scripts, from sources not allowed by the CSP. But an attacker could still use an inline script tag to run any javascript they could fit everything they need within the comment box (assuming stored and in a comment input)?

@jacksontarlin6841 15 күн бұрын

CSPs block all inline scripts by default, though if you have specific inline scripts you want to allow you can identify them with hashes or nonces to whitelist with the CSP.

@none0n 2 жыл бұрын

Great video, do you have a video with some in-depth code examples?

@siyamrubaiyeat5852 2 жыл бұрын

fixing one missing content security policy header is it impacts the entire website?

@markomilardic 10 ай бұрын

Great :)

@jgoebel 10 ай бұрын

Thanks!

@chadbosch1110 3 жыл бұрын

Hey, Is there a secure way in storing/using JWT with CORS to prevent XSS? Hosted Client and Server Separately so can't do httponly. Just wondering if you have any material I could look at.

@jgoebel 3 жыл бұрын

Hi Chad, if you store a JWT inside of a cookie then your api-gateway needs a strict CORS policy and ideally HttpOnly and Secure cookies to prevent CSRF. However, CORS and cookies do not sufficiently protect you against XSS. Because with XSS some malicious code is running in browser. So in case the JWT is stored in a cookie - even if it is HttpOnly - the attacker can still make authenticated requests. The only "advantage" over using local storage here is that the attacker would need to run the full attack over the browser. This is still bad and the attacker can do pretty much anything he wants to do but at least the attacker does not get access to the actual token. So while the attacker could still do everything via the browser, it would be slightly harder. To protect against XSS, a Content Security Policy is very useful as well as sanitizing user input when it is sent to the server. I think I don't really have a dedicated video that yet.

@ashwinkumar4168 2 жыл бұрын

@Barrosy Жыл бұрын

Not literally like this. You have to replace and with your own directive and value you would like to use. Also make sure to separate these two placeholders with a space. So an example would be

@johnnyforget1494 3 жыл бұрын

So I've read that putting the CSP in html meta tags isn't super effective and frame ancestors can't be used. What are your thoughts on this?

@jgoebel 3 жыл бұрын

Hi Johnny, here is a really nice answer for your question: webmasters.stackexchange.com/questions/104857/when-should-i-not-to-use-page-meta-security-headers

@yuvrajagarkar8942 2 жыл бұрын

but what if some hacker sniffs the traffic and manipulates the request and response headers ? , is that possible if used https ?

@jgoebel 2 жыл бұрын

Hi Yuvraj, https is TLS over HTTP and all headers that can be encrypted, are encrypted (hostname / IP headers are not encrypted because otherwise routing of the package would be impossible: stackoverflow.com/a/187679/2328833)

@neeerajtk Жыл бұрын

Can we set CSP in AWS?

@jgoebel 11 ай бұрын

CSP is independent of any cloud service

@sauravkarmakar1811 3 жыл бұрын

I used csp script-src to self..and in console it showing many script error...how can i make it accept all my script ?

@jgoebel 3 жыл бұрын

Hi Saurav, while you could allow any script this would defeat the purpose of having a CSP in the first place. So I figure the only way would be to explicitly add the sources where you want to load scripts from. If you specify self, then this means that you only allow scripts to come from the origin where the webpage was originally loaded from

@sauravkarmakar1811 3 жыл бұрын

@@jgoebel how can i make it accept the scripts that i have written on some script tags inside some pages?