JSFoo 2017

JSFoo is a conference about JavaScript and everything related.

Dheeraj Joshi


Content Security Policy to the Rescue

Submitted Jun 15, 2017

Developing web applications with security in mind is very important in today’s world, given the increase in online attacks and fraud. And when we talk about front-end security, cross-site scripting (XSS) is the first vulnerability that comes to everyone’s mind.

In this talk, I’ll speak about mitigating XSS attacks with Content Security Policy. It also covers tales of XSS vulnerabilities, what makes them vulnerable and how they could have been prevented using CSP. This is followed by a live demonstration of a vulnerable web application.

We will explore why CSP is cool and how to use it effectively in real-world applications to prevent other sets of attacks, e.g., clickjacking.


XSS is very much a solved problem, but only if it is done right, taking care of the escaping gotchas and some browser quirks. CSP is a defence-in-depth mechanism that can help in mitigating XSS vulnerabilities.

I’ll demonstrate an intentionally vulnerable web application and how applying Content Security Policy to it can fix those vulnerabilities. I’ll also talk about some success stories where companies successfully deployed CSP. Along with that, we’ll discuss some common bypasses available for Content Security Policy, which should be interesting and must-know for the audience, along with the best practices.

In addition to that, this talk also covers how CSP can be used to prevent other sets of issues, like:

  1. Clickjacking
  2. HTTPS Migration
  3. Secure Form Submission

Speaker bio

Dheeraj is a Front-end Artisan and the InfoSec guy at Wingify. He is quite adept at writing JavaScript, an open source lover, and web security enthusiast. When he is not writing code, he spends time finding and reporting security vulnerabilities in web applications.





Hosted by

JSFoo is a forum for discussing UI engineering; fullstack development; web applications engineering, performance, security and design; accessibility; and latest developments in #JavaScript.