Building a Better Web
June 19–20, 2017: Training
June 20–22, 2017: Tutorials & Conference
San Jose, CA

CSP: The good, the bad, and the ugly

Ilya Nesterov (Shape Security)
9:50am–10:30am Wednesday, June 21, 2017
Modern Web Essentials
Location: 212 A/B
Secondary topics:  Security
Average rating: **...
(2.75, 4 ratings)

Who is this presentation for?

  • Web application developers, DevOps engineers, and security engineers

Prerequisite knowledge

  • A basic understanding of the browser security model, SOP, and different attacks on web applications (XSS, CSRF, etc.)

What you'll learn

  • Understand the key differences between CSP levels 1,2, and 3, the definition of strict CSP and how to build one, and typical mistakes in CSP that could leave your application unprotected
  • Explore available tools, frameworks, and useful resources


The W3C Web Application Security workgroup worked hard to establish new standards to improve web application security, such as CORS, SRI, HSTS, and HPKP. The most complicated standard is Content Security Policy (CSP), which is so complex that web application developers and DevOps teams can easily get lost when attempting to integrate it.

Ilya Nesterov helps you figure out where to start, how to do it, and which issues you might face when you want to add CSP to your web application. You’ll learn the key differences between CSP levels 1, 2 and 3, what secure CSP means, and how to build it. Ilya also discusses how to create production-ready, backward-compatible policy.

Ilya explores how the Alexa top 1 million websites have adopted CSP and show interesting patterns discovered among their policies, as well as typical mistakes and strategies to fix them. Ilya concludes with an examination of available tools and frameworks and a glimpse at the tools and frameworks we need to build to efficiently deploy CSP.

Photo of Ilya Nesterov

Ilya Nesterov

Shape Security

Ilya Nesterov is an engineering manager at Shape Security. Ilya also works as an independent security researcher and is a speaker on security topics. Previously, he worked at F5 Networks. His interests include modern web application security threats and countermeasures, botnets, malware infrastructure, exploits, and honeypot development. Ilya holds a master’s degree from Tomsk Polytechnic University.