Blocking XSS attacks with Content Security Policy
- Monday, June 22nd, 2015 at 3:00 PM EDT (19:00:00 UTC)
- Greg Leonard
Cross-Site Scripting (XSS), a form of injection attack in which malicious scripts are injected into a web site's content, is a long-standing problem for application development teams. With modern web sites becoming more reliant upon third-party sources for delivering content, the risk of XSS attacks remains high, and the number of attack vectors continues to grow. To combat these attacks, the Web Application Security working group of the World Wide Web Consortium (W3C) has introduced the Content Security Policy (CSP) header. This header, when added to the response for a web page, gives the browser directives on how to handle that page's content and which sources are allowed to provide it. This presentation will discuss Content Security Policy and the protections it can provide, along with a demonstration of how applying the CSP header to a web site can provide strong XSS protection.
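To make the abstract's point concrete, here is an added example (not part of the webcast or its demo) that evaluates the script-src directive of a CSP header the way a browser would, for a constructed page origin and two constructed policies: a permissive one that still lets an injected inline script run, and a strict one that blocks it while allowing the site's own and one CDN's scripts. It covers only 'self', 'none', 'unsafe-inline', scheme sources and host sources, and is not a browser's implementation.

```python
from urllib.parse import urlparse

# Constructed sample: a page served from this origin with one of these headers
PAGE_ORIGIN = "https://shop.example.com"
WEAK_CSP = "default-src 'self' 'unsafe-inline' https:"
STRICT_CSP = ("default-src 'none'; script-src 'self' https://cdn.example.com; "
              "style-src 'self'")


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy


def host_matches(source, url):
    """Match a host-source expression (optional scheme, optional *. wildcard)."""
    scheme, _, host = source.rpartition("://")
    if scheme and scheme != url.scheme:
        return False
    if host.startswith("*."):
        return url.netloc.endswith(host[1:])
    return host == url.netloc


def script_allowed(header, script_src, page_origin=PAGE_ORIGIN):
    """True if the browser would execute the script under this policy.
    script_src=None models an inline <script> block, the classic XSS payload."""
    policy = parse_csp(header)
    # script-src falls back to default-src when it is not set
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True                     # no directive applies: everything runs
    if "'none'" in sources:
        return False
    if script_src is None:
        return "'unsafe-inline'" in sources
    url = urlparse(script_src)
    for src in sources:
        if src == "'self'" and f"{url.scheme}://{url.netloc}" == page_origin:
            return True
        if src.endswith(":") and src[:-1] == url.scheme:
            return True                 # scheme source such as https:
        if not src.startswith("'") and host_matches(src, url):
            return True
    return False
```

Under WEAK_CSP an injected inline script still executes because of 'unsafe-inline', and https: lets any HTTPS host serve scripts; STRICT_CSP refuses both and only runs scripts from the page's own origin or the listed CDN.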
Gregory Leonard has over 16 years of experience in software development, with an emphasis on writing large-scale enterprise applications. Greg's responsibilities have included application architecture and security, infrastructure design and implementation, security analysis, code review, and performance diagnostics. Greg is currently focusing on overseeing the integration of secure development practices at his company.