A couple of months ago I did a video titled Understanding CSRF, the video tutorial edition, which was a pretty raw run through of the mechanics and defences of cross-site request forgery. It's content I often show in my workshops and I recorded the video pretty much as I present it in those sessions.
Today I thought I'd do one on content security policies or, as we otherwise know it, CSP. This is a response header that tells the browser a number of things about what it can and can't do once it loads up a website (which origins it may load scripts, frames, images and other resources from, and whether inline script is permitted), and it's a really neat additional defence against risks such as cross-site scripting. When you watch the video, you'll see how I demonstrate the value proposition of CSP by loading up a, well, let's just say "entertaining" video into a bank's website. This week I had a couple of people suggest that this was both beyond the developer's control and not representative of an actual security risk:
@nillisti @troyhunt Why "vulnerable"? Modifying the DOM on the client seems beyond control.
— Sven Aelterman (@svenaelterman) May 11, 2016
@troyhunt @svenaelterman @nillisti modifying a page in the client side is not a vulnerability. I can make my account look like £100000000
— javixeneize (@Todomotornet) May 11, 2016
I totally get what these guys are saying too - I mean, how can you stop it, and why would it be a risk when you're simply modifying something that's already loaded on your own machine?! Watch the video and see how I explain the concepts:
I hope that resonates, obviously it's a fun part of the workshop but it's also quite impactful when people then go off and actually build their own CSP and see it in action. Let me leave you with a bunch of useful resources on CSP:
- Introduction to Browser Security Headers (Pluralsight course) - This goes into a heap of depth about security headers in general: HSTS, HPKP and of course CSP.
- Report URI - This is Scott Helme's service I showed in the video. Use this, it's awesome!
- securityheaders.io - Also Scott's, use it to test the current state of any site's security headers.
- CSP-Fiddler-Extension - This is the tool I use to help generate the CSP in Fiddler.
- Can I use CSP - The resource which fully explains compatibility.
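As an added illustration that is not part of the original post, the following Python script models how a browser applies a CSP header: it parses the directives, walks the default-src fallback chain and answers whether a given load (say a third-party video frame dropped into a banking page, or an inline script) would be permitted. The policy text and host names are constructed for the example, and the evaluator only understands 'self', 'none', '*', scheme and host sources, not nonces or hashes.

```python
from urllib.parse import urlparse

# Directive consulted when the specific one is absent (CSP fallback chain).
FALLBACK = {"script-src": "default-src", "style-src": "default-src",
            "img-src": "default-src", "frame-src": "child-src",
            "child-src": "default-src"}


def parse_csp(header):
    """Split a Content-Security-Policy header into {directive: [source, ...]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy, directive):
    """Return the source list governing `directive`; None means unrestricted."""
    while directive:
        if directive in policy:
            return policy[directive]
        directive = FALLBACK.get(directive)
    return None


def origin(url):
    u = urlparse(url)
    return f"{u.scheme}://{u.netloc}".lower()


def source_matches(source, url, page_origin):
    """Does one source expression permit loading `url` from a page at `page_origin`?"""
    src = source.lower()
    if src in ("'none'", "'unsafe-inline'", "'unsafe-eval'"):
        return False
    if src == "*":                       # simplified: real '*' excludes data:/blob:
        return True
    if src == "'self'":
        return origin(url) == page_origin
    if src.endswith(":"):                # scheme-source such as https:
        return urlparse(url).scheme + ":" == src
    host, scheme = urlparse(url).netloc, urlparse(url).scheme
    if "://" in src:
        want_scheme, host_pat = src.split("://", 1)
        if scheme != want_scheme:
            return False
    else:
        host_pat = src
    if host_pat.startswith("*."):        # wildcard host matches any subdomain
        return host.endswith(host_pat[1:])
    return host == host_pat


def allows(header, directive, url, page_origin):
    """True if the policy permits `directive` to fetch `url` (no policy = allowed)."""
    sources = effective_sources(parse_csp(header), directive)
    return sources is None or any(source_matches(s, url, page_origin) for s in sources)


def allows_inline_script(header):
    """Inline script (the XSS payload case) runs unless script-src exists without 'unsafe-inline'."""
    sources = effective_sources(parse_csp(header), "script-src")
    return sources is None or "'unsafe-inline'" in [s.lower() for s in sources]
```

With no header at all, a frame from any origin and any inline script is permitted, which is the situation the video's bank page is in; the constructed policy `default-src 'self'; script-src 'self' https://cdn.example; frame-src 'none'; report-uri https://report-uri.example/r` refuses both while still reporting violations.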
Finally, I blogged yesterday about my next public workshop, which will be in London next month, and there are still a few spots left there. I also mentioned being available for private workshops in the US when I'm there in July. Between all that and the resources above, you're running out of excuses not to have a CSP on your site!