Understanding CSP, the video tutorial edition

A couple of months ago I did a video titled Understanding CSRF, the video tutorial edition which was a pretty raw run through of the mechanics and defences of cross site request forgery. It's content I often show in my workshops and I recorded the video pretty much as I present it in those sessions.

Today I thought I'd do one on content security policies or as we otherwise know it, CSP. This is a response header that tells the browser a number of things about what it can and can't do once it loads up a website and it's a really neat additional defence against risks such as cross site scripting. When you watch the video, you'll see how I demonstrate the value proposition of CSP by loading up a, well, let's just say "entertaining" video into a bank's website. This week I had a couple of people suggest that this was both beyond the developer's control and not representative of an actual security risk:

I totally get what these guys are saying too - I mean how can you stop it and why would it be a risk when you're simply modifying something that's already loaded on your own machine?! Watch the video and see how I explain the concepts:

I hope that resonates, obviously it's a fun part of the workshop but it's also quite impactful when people then go off and actually build their own CSP and see it in action. Let me leave you with a bunch of useful resources on CSP:

Finally, I blogged yesterday about my next public workshop which will be in London next month and there's still a few spots left there. I also mentioned being available for private workshops in the US when I'm there in July. Between all that and the resources above, you're running out of excuses not to have a CSP on your site!

Security CSP
Tweet Post Update Email RSS

Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals