#115 Scott Helme, Fighting Cross-Site Scripting with Content Security Policy and Subresource Integrity

Summary
Security researcher Scott Helme tells me how Content Security Policy and Subresource Integrity are used to fight cross-site scripting.

Details
Who he is, what he does. What cross-site scripting (XSS) is; well-known examples; how it works; crypto mining with XSS. Input validation, output encoding, and how more frameworks are handling validation. Content Security Policy (CSP), what it is, how it works; trusting CDNs; how to use CSP on a site, CSP Wizard, browser support; future changes. Subresource Integrity (SRI), what it is, how it works; trusting third-party scripts; what happens if a script fails validation. NoScript, browser extensions, DNS filters and VPNs. Scott's upcoming events; training.

Links
Scott's blog

Scott's CSP Wizard

Download mp3 of podcast

2 thoughts on “#115 Scott Helme, Fighting Cross-Site Scripting with Content Security Policy and Subresource Integrity”

  1. Great show. CSP and SRI are two things I see under-utilized but are so easy to implement. Somehow I missed that CSP can require SRI and I will be adding that to our development standards right away.
