Wednesday, January 25 • 2:00pm - 2:50pm
CSP: The Good, the Bad and the Ugly

The W3C Web Application Security Working Group has worked really hard to establish new standards to improve the security of web applications: CORS, SRI, HSTS and HPKP are just a few of them. The most complicated in that family is Content Security Policy (CSP), which has become so complex that web application developers and DevOps teams can easily get lost on where to start and what to do if they need to integrate CSP.

In this presentation I’ll help you figure out where to start, what to do and which issues you might face if you want to add CSP to your web application.

Attendees will learn about the key differences between CSP Level 1, 2 and 3, what a secure CSP is and how to build one. We’ll also talk about creating a production-ready, backward-compatible policy.

I’ll also present how the Alexa top million websites adopt CSP and show interesting patterns I discovered among their policies, typical mistakes and strategies to fix them.

In the final part I’ll talk about the tools and frameworks we have, and also about the tools and frameworks we need to build to deploy CSP efficiently.


Wednesday January 25, 2017 2:00pm - 2:50pm PST
Terrace Lounge