Generating a Content Security Policy for a website or web application should not be hard.
Video Walkthrough of the RapidSec CSP Generator:
How To: Generate a SHA based Strict Content Security Policy, like the pros!
Time needed: 12 minutes.
- Understand the CSP challenge
00:00 Understand the balance of building a CSP correctly without breaking things
- Learn the concept of a SHA based Content Security Policy
00:32 See a live SHA CSP implementation
- Notice regression risks
01:13 Broken marketing scripts with an existing CSP setup - you will see "Refused to load the script because it violates the following Content Security Policy directive."
- Set up a RapidSec Account
01:34 You can sign in with Google, username and password, or SSO if your organization is already live.
- Create a RapidSec Project
01:52 Name your project after the site - it's the most scalable approach.
- Connect your Project to Reporting Policy
02:39 Set the generated content security policy in Report-Only mode
- Run the Initial CSP to create violations
02:59 Seed your project with initial data
- Add CSP packages to simplify your workflow
03:40 Approve your first CSP packages and build the first CSP version
- Configure custom Content Security Policy directives
04:41 After setting the package CSP, allow custom directive rules
- Eliminating 'unsafe-inline' with SHA hashes
05:12 This is an important technique when setting the CSP script-src. It's especially useful for sites with a limited amount of inline scripts (up to 20 or so).
- Set the style-src and content directives
06:24 These are less important - so you can create more permissive rules.
- Deploying the full Report-Only CSP, and moving to Enforce Mode!
- Conclusion and Wrap up!
11:02 See? Building a Content-Security-Policy for your site can be easy!
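The 'unsafe-inline' step above works by hashing each inline script and listing the hashes in script-src. As an added example (not RapidSec's code; the sample HTML is constructed), this script extracts the inline blocks, emits the hash tokens, and checks that a changed script would be refused, which is the regression risk the walkthrough warns about.

```python
import base64
import hashlib
import re

# Constructed sample page (not from RapidSec): two inline scripts and one external one.
SAMPLE_HTML = """<html><head>
<script>window.dataLayer = window.dataLayer || [];</script>
<script src="/static/app.js"></script>
</head><body>
<script>
  console.log("page ready");
</script>
</body></html>"""

# Captures the attributes and the body of each <script> element.
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)


def inline_scripts(html):
    """Exact bodies of inline <script> blocks. Browsers hash the text between
    the tags byte-for-byte, whitespace included, so nothing is stripped here."""
    return [body for attrs, body in SCRIPT_RE.findall(html) if "src=" not in attrs.lower()]


def csp_hash(script_body, algo="sha256"):
    """CSP hash-source token, e.g. 'sha256-<base64 digest>', for one inline script."""
    digest = hashlib.new(algo, script_body.encode("utf-8")).digest()
    return "'%s-%s'" % (algo, base64.b64encode(digest).decode("ascii"))


def strict_script_src(html):
    """script-src that allows the site's own files plus each inline script by
    hash, so 'unsafe-inline' is no longer needed (external hosts are out of scope)."""
    tokens = ["'self'"] + [csp_hash(body) for body in inline_scripts(html)]
    return "script-src " + " ".join(dict.fromkeys(tokens))


def is_allowed(policy, script_body):
    """Regression check: would this inline script run under the policy?
    Any edit to the script, even whitespace, changes its hash and blocks it."""
    return csp_hash(script_body) in policy.split()


if __name__ == "__main__":
    policy = strict_script_src(SAMPLE_HTML)
    print(policy)
    print(is_allowed(policy, "window.dataLayer = window.dataLayer || [];"))   # True
    print(is_allowed(policy, "window.dataLayer = window.dataLayer || [] ;"))  # False
```

Run it against a saved copy of the page before every deploy; any script whose hash is missing from the policy will produce the "Refused to load" violation once the CSP is enforced.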
How to get started with CSP
Getting started with Content-Security-Policy has never been easier! Just use the RapidSec CSP generator, which combines multiple techniques to avoid bypasses AND runs proper monitoring in case an attack does slip through.
Looking for an enterprise-grade CSP solution? Book a RapidSec demo today.
If you think I can improve this video, please let me know @Shai_Alon.