JSFoo 2017

JSFoo is a conference about JavaScript and everything related.


Content Security Policy to the Rescue

Submitted by Dheeraj Joshi (@djadmin) on Thursday, 15 June 2017

Section: Full Talk Technical level: Intermediate Status: Waitlisted


Developing Web Application with security in mind is very much important in today’s world with the increase in online attacks and frauds. And when we talk about front-end security, Cross-site scripting (XSS) is the first vulnerability that comes to everyone’s mind.

In this talk, I’ll speak about mitigating XSS attacks with Content Security Policy. It also covers tales of XSS vulnerabilities, what makes them vulnerable and how they could have been prevented using CSP. This is followed by a live demonstration of a vulnerable web application.

We will be exploring Why CSP is cool and how to use it effectively in the real world applications to prevent other sets of attacks, e.g., clickjacking, etc.


XSS is very much a solved problem only if it is done right taking care of the escaping gotchas and some browser quirks. CSP is a defence-in-depth mechanism which can help in mitigating XSS vulnerabilities.

I’ll demonstrate an intentionally vulnerable web application and how applying Content Security Policy to it can fix those vulnerabilities. I’ll also talk about some success stories where companies successfully deployed CSP. Along with that, We’ll discuss some common bypasses available for content security policy which should be interesting and must know for the audience along with the best practices.

In addition to that, this talk also covers how CSP can be used to prevent other set of issues like
1) Clickjacking
2) HTTPS Migration
3) Secure Form Submission

Speaker bio

Dheeraj is a Front-end Artisan and the InfoSec guy at Wingify. He is quite adept at writing JavaScript, an open source lover, and web security enthusiast. When he is not writing code, he spends time finding and reporting security vulnerabilities in web applications.




Preview video



  •   Sandhya Ramesh (@sandhyaramesh) 2 years ago

    Hello! Thank you for submitting to JSFoo. In order to evaluate your proposal, please submit your slide deck and a two minute self recorded preview video explaining your talk. Thank you!

    •   Dheeraj Joshi (@djadmin) Proposer 2 years ago

      Done! Please let me know if you need more information.

Login with Twitter or Google to leave a comment