XSS Protection with Content Security Policy

If unexpected inline JavaScript was added to a WYSIWYG field on your site, would you know?  If one of your JavaScript dependencies were altered to harvest sensitive form data, could you prevent it?

Content Security Policy (CSP) is an additional layer of web security that protects your site and your users from risks such as cross-site scripting (XSS), content injection, and data exfiltration. The Content-Security-Policy module leverages Drupal 8’s libraries system to make this tool more easily available to every Drupal site.

This session will cover:

  • The most prominent risks and the Content Security Policy options available to address them.
  • The current state of the Content Security Policy spec, and current browser support.
  • The legacy headers that Content Security Policy replaces.
  • How to safely implement and monitor the effectiveness of a policy.
  • The roadblocks current modules, frontend libraries, and third-party services present.
  • Further hardening techniques for complex sites.
  • Additional browser features for improving security and monitoring end-user issues on your site.

Aimed at site builders and developers, this session should give attendees the core knowledge required to implement and monitor a Content Security Policy for their website.
