Defeating Cross-site Scripting with Content Security Policy

Content Security Policy (CSP) is a W3C standard that limits what a browser may do, which helps prevent many common attacks, including Cross-site Scripting. This course will teach you all relevant CSP features and which browsers they work in.
Course info
Rating
(11)
Level
Intermediate
Updated
May 11, 2017
Duration
2h 22m
Table of contents
Getting Started
21m 43s
Description

Cross-site scripting (XSS) is one of the major threats against web applications, with successful attacks every day. In this course, Defeating Cross-site Scripting with Content Security Policy, you'll learn how to put an end to this and other threats against your applications. First, you'll learn about the W3C standard Content Security Policy (CSP), which versions exist and what features they bring. Next, you'll develop an understanding of how CSP restricts what content the browser is allowed to load and execute. Finally, you'll explore exactly how to use this approach to secure your sites. When you're finished with this course, you'll be ready to apply CSP to your web applications, and protect them from XSS and other attacks.

About the author

Christian Wenz is an author, consultant and trainer focusing on web technologies. He has written or co-written over 100 books, has been a fixture at international developer conferences since 2001, is a Microsoft Most Valuable Professional (MVP) for ASP.NET, an ASPInsiders member, and main author of the Zend PHP 5.5 certification.

Transcript

Hi everyone, my name is Christian Wenz and welcome to my course Defeating Cross-site Scripting with Content Security Policy. I am an independent developer and architect, and support many companies in everything web, including web performance and web application security.

Almost twenty years ago, I first encountered Cross-site Scripting. Back then I thought it was a good thing (for me), because it helped me circumvent a security restriction in an application I had to work with. Now of course I know better. Yet Cross-site Scripting seems hard to beat; the attack is as widespread as ever. Until now!

In this course, we are going to fight Cross-site Scripting and some other attacks with Content Security Policy – a World Wide Web Consortium standard supported by most browsers that limits what a browser can do. Among other things, we can restrict which JavaScript code may be loaded and executed, making Cross-site Scripting virtually impossible!
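As an added illustration of the restriction described above (example code, not part of the course), here is a small Python evaluator for the CSP script-src directive: it parses a constructed policy header and shows that an injected inline script is refused while nonced and allow-listed scripts are permitted. The policy value and hostnames are constructed, and host matching is simplified relative to the full specification.

```python
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed sample header, modelled on what a site defending against XSS might send.
SAMPLE_POLICY = ("default-src 'self'; "
                 "script-src 'self' https://cdn.example.com 'nonce-abc123'; "
                 "object-src 'none'")

def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy header into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def script_sources(policy: Dict[str, List[str]]) -> List[str]:
    """script-src governs scripts; if it is absent the browser falls back to default-src."""
    return policy.get("script-src", policy.get("default-src", []))

def inline_script_allowed(policy: Dict[str, List[str]], nonce: Optional[str] = None) -> bool:
    """An inline <script> runs only via 'unsafe-inline' or a matching nonce.

    Injected XSS payloads are inline scripts without a valid nonce, so they are blocked.
    A nonce or hash source makes CSP Level 2 browsers ignore 'unsafe-inline'.
    """
    sources = script_sources(policy)
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                            for s in sources)
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        return True
    return nonce is not None and f"'nonce-{nonce}'" in sources

def external_script_allowed(policy: Dict[str, List[str]], script_url: str, page_origin: str) -> bool:
    """Check an external <script src> against the host-source expressions (simplified matching)."""
    url = urlparse(script_url)
    origin = f"{url.scheme}://{url.netloc}"
    for src in script_sources(policy):
        if src == "'none'":
            return False
        if src == "*" or src == origin or src == url.hostname:
            return True
        if src == "'self'" and origin == page_origin:
            return True
        if src.startswith("*.") and (url.hostname or "").endswith(src[1:]):
            return True
    return False
```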

Some of the major topics that we will cover include:

  • Setting up a Content Security Policy, learning about the available options
  • Which versions of Content Security Policy exist, and what features they offer
  • Understanding Content Security Policy browser support, and how to maintain backwards compatibility with older versions
  • Testing and maintaining a policy
By the end of this course, you’ll know how to get the most out of Content Security Policy, and how to implement this standard for your web applications. No prior knowledge is required, but it would be helpful if you have worked with any server technology such as ASP.NET or PHP.

I hope you’ll join me on this journey with the Defeating Cross-site Scripting with Content Security Policy course, at Pluralsight.