The W3C Web Application Security workgroup worked hard to establish new standards to improve web application security, such as CORS, SRI, HSTS, and HPKP. The most complicated standard is Content Security Policy (CSP), which is so complex that web application developers and DevOps teams can easily get lost when attempting to integrate it.
Ilya Nesterov helps you figure out where to start, how to do it, and which issues you might face when you want to add CSP to your web application. You’ll learn the key differences between CSP levels 1, 2 and 3, what secure CSP means, and how to build it. Ilya also discusses how to create production-ready, backward-compatible policy.
Ilya explores how the Alexa top 1 million websites have adopted CSP and show interesting patterns discovered among their policies, as well as typical mistakes and strategies to fix them. Ilya concludes with an examination of available tools and frameworks and a glimpse at the tools and frameworks we need to build to efficiently deploy CSP.
Ilya Nesterov is an engineering manager at Shape Security. Ilya also works as an independent security researcher and is a speaker on security topics. Previously, he worked at F5 Networks. His interests include modern web application security threats and countermeasures, botnets, malware infrastructure, exploits, and honeypot development. Ilya holds a master’s degree from Tomsk Polytechnic University.
©2017, O'Reilly Media, Inc. • (800) 889-8969 or (707) 827-7019 • Monday-Friday 7:30am-5pm PT • All trademarks and registered trademarks appearing on oreilly.com are the property of their respective owners. • firstname.lastname@example.org