Content Security Policies are another tool we should have in our security toolbelt to help protect users of our sites. In this session I’ll cover what they are, why they’re needed, how they work and the limitations on what they can & cannot do to protect users.

I’ll demo attacks a CSP will block, break things, show what the different CSP directives & options will do and introduce some of the tools available to help with implementing a CSP on your sites!



Sean Wallis at 17:10 on 9 Jun 2017

Awesome talk! Clear, entertaining and really useful. Thanks Matt

Tim Stamp at 20:48 on 10 Jun 2017

A difficult topic to cover all aspects of, and even more difficult to demo effectively - but you did a great job!
Also, the "I Break Stuff" stickers.

Chris Sherry at 11:41 on 11 Jun 2017

Having attempted to implement a CSP myself and broken lots of stuff, this talk was invaluable.

I had completely missed that you can add report only headers! And also nonces will help me avoid using 'unsafe-inline'.

Matt took what was potentially a very dry subject and through his speaking style and pacing made a very interesting and at times fun talk. Probably my favourite talk of the conference.

A really interesting and useful talk. A good introduction to content security policies.
I've seen Matt speak before and he is a calm, confident and informative speaker. I like his style.

Neil Nand at 22:59 on 15 Jun 2017

Great talk on this, I hadn't even heard about this topic before. The only thing I'd say is it would be good to give a very quick overview of how these are implemented at the start. Having not heard of them before, it took me a while to realise they were sent in the HTTP headers, which made earlier parts of the talk harder to grasp.