Content Security Policy 101

Martin Valen

Lightning talk - in English

There are many security-related HTTP headers that could and should be sent with every response from your web app. Most of them are quite simple to set up and could easily be part of your boilerplate code; the hour of work needed to configure them is well worth it for the potential security gains. But the most potent header is also the one the fewest sites use: Content Security Policy.

That so few sites use it is understandable. It can seem difficult to set up, and when you look at the CSPs sent by major sites, it can look like a herculean task. Hopefully, this talk will make it easier for you to understand the potential of CSP and give you the stepping stones you need to set it up yourself.

I'll give an introduction to the Content Security Policy header and the features within it, and show how you can customise it for your web app.