


Blocking XSS attacks with Content Security Policy

  • Monday, June 22nd, 2015 at 3:00 PM EDT (19:00:00 UTC)
  • Greg Leonard
This webcast has been archived.



Cross-Site Scripting (XSS), a form of injection attack in which malicious scripts are injected into a web site's content, is a long-standing problem for application development teams. With modern web sites relying more heavily on third-party sources to deliver content, the risk of XSS attacks remains high and the number of attack vectors continues to grow. To combat these attacks, the Web Application Security working group of the World Wide Web Consortium (W3C) has introduced the Content Security Policy (CSP) header. When added to a web page's response, this header gives the browser directives on how to handle web content and which sources are allowed to provide it. This presentation will discuss Content Security Policy and the protections it can provide, along with a demonstration of how applying the CSP header to a web site can deliver strong XSS protection.
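As an added illustration of the mechanism the abstract describes (this is example code, not material from the webcast or its slides), the following evaluator models how a browser applies a Content-Security-Policy header to an inline script or an external script source. The policy string, the page origin `https://shop.example` and the CDN host are constructed for the example; host matching is simplified to hostname plus optional scheme.

```javascript
// Added example, not the webcast's own code: a minimal model of how a browser
// applies a Content-Security-Policy header to decide whether a script may run.
// Host matching is simplified (hostname plus optional scheme; no ports, paths
// or 'strict-dynamic'), which is enough to show why CSP stops injected scripts.

// Parse "script-src 'self' https://cdn.example.com; default-src 'none'"
// into { 'script-src': [...], 'default-src': [...] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// Does one host-source expression (e.g. https://*.cdn.example) match a script URL?
function hostMatches(expr, url) {
  const [scheme, rest] = expr.includes('://') ? expr.split('://') : [null, expr];
  if (scheme && `${scheme}:` !== url.protocol) return false;
  const host = rest.split('/')[0].toLowerCase();        // drop any path part
  if (host.startsWith('*.')) {                           // wildcard needs a real subdomain
    return url.hostname.endsWith(host.slice(1)) && url.hostname !== host.slice(2);
  }
  return url.hostname === host;
}

// Decide whether a script may execute on a page served from pageOrigin.
// script is { inline: true, nonce?: '...' } or { src: 'https://...' }.
function scriptAllowed(header, pageOrigin, script) {
  const policy = parseCsp(header);
  // script-src governs scripts, default-src is the fallback; neither means no restriction.
  const sources = policy['script-src'] ?? policy['default-src'];
  if (sources === undefined) return true;
  if (script.inline) {
    // CSP Level 2+: 'unsafe-inline' is ignored once a nonce or hash source is present.
    const hasNonceOrHash = sources.some(s => /^'(nonce|sha(256|384|512))-/.test(s));
    if (sources.includes("'unsafe-inline'") && !hasNonceOrHash) return true;
    return Boolean(script.nonce) && sources.includes(`'nonce-${script.nonce}'`);
  }
  const url = new URL(script.src);
  return sources.some(expr => expr === "'self'" ? url.origin === pageOrigin
    : expr.startsWith("'") ? false                       // other keywords never match a URL
    : hostMatches(expr, url));
}

// Constructed policy: first-party scripts, one CDN, and nonce-tagged inline scripts only.
const POLICY = "default-src 'self'; script-src 'self' https://cdn.example.com 'nonce-r4nd0m'";
console.log(scriptAllowed(POLICY, 'https://shop.example', { inline: true }));  // false: injected payload blocked
```

An inline payload injected into the page has no nonce and is refused, while the server-tagged inline script and the listed CDN pass; a policy that still carries `'unsafe-inline'` next to a nonce gets the nonce behaviour in CSP2 browsers.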

Speaker Bio

Gregory Leonard

Gregory Leonard has over 16 years of experience in software development, with an emphasis on writing large-scale enterprise applications. Greg's responsibilities have included application architecture and security, infrastructure design and implementation, security analysis, code reviews, and evaluation of performance diagnostics. Greg currently focuses on overseeing the integration of secure development practices at his company.

