


This webcast has been archived.

Blocking XSS attacks with Content Security Policy

  • Monday, June 22, 2015 at 3:00 PM EDT (2015-06-22 19:00:00 UTC)
  • Gregory Leonard




Cross-Site Scripting (XSS), a form of injection attack in which malicious scripts are injected into a web site's content, is a long-standing problem for application development teams. With modern web sites relying more heavily on third-party sources to deliver content, the risk of XSS attacks remains high and the number of attack vectors continues to grow. To combat these attacks, the Web Application Security working group of the World Wide Web Consortium (W3C) has introduced the Content Security Policy (CSP) header. When added to a web page's response, this header gives the browser directives on how to handle the page's content and which sources are allowed to supply it. This presentation will discuss Content Security Policy and the protections it can provide, along with a demonstration of how applying the CSP header to a web site can provide strong XSS protection.
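The abstract describes CSP as a list of sources the browser is allowed to load content from. The following is an added example, not code from the webcast or its speaker: it evaluates a simplified script-src directive, contrasting a weak policy that still permits inline scripts with a hardened one. The policies, page URL and script URLs are constructed for illustration; wildcards, nonces and hashes are deliberately not modeled.

```python
from urllib.parse import urlsplit

# Constructed sample policies. The weak one allows inline scripts and any
# https host, so an injected <script> block would still run; the strict one
# permits only same-origin scripts and a single trusted CDN.
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https:"
STRICT_CSP = "default-src 'self'; script-src 'self' https://cdn.example.com"


def parse_csp(header: str) -> dict:
    """Turn "name v1 v2; name v3" into {name: [v1, v2], name: [v3]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def script_sources(policy: dict) -> list:
    """script-src falls back to default-src when it is not set."""
    return policy.get("script-src", policy.get("default-src", []))


def origin(url: str) -> str:
    """scheme://host[:port] of a URL, lower-cased for comparison."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def allows_inline_script(header: str) -> bool:
    """Inline <script> blocks run only if 'unsafe-inline' is listed."""
    return "'unsafe-inline'" in script_sources(parse_csp(header))


def allows_script_url(header: str, script_url: str, page_url: str) -> bool:
    """Would <script src=script_url> on page_url be permitted by the policy?"""
    for src in script_sources(parse_csp(header)):
        if src == "'self'":
            if origin(script_url) == origin(page_url):
                return True
        elif src.endswith(":"):  # scheme source such as https:
            if urlsplit(script_url).scheme == src[:-1]:
                return True
        elif not src.startswith("'"):  # explicit host source
            if origin(script_url) == origin(src):
                return True
    return False  # nothing in the source list matched: the browser blocks it
```
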

Speaker Bio

Gregory Leonard

Gregory Leonard has over 16 years of experience in software development, with an emphasis on writing large-scale enterprise applications. Greg's responsibilities have included application architecture and security, infrastructure design and implementation, security analysis, code reviews, and performance diagnostics. Greg is currently focused on overseeing the integration of secure development practices at his company.

