Benefits and challenges of introducing a strict Content Security Policy
Content Security Policy is kind of getting hot right now. I myself felt like it was a niche technology, just an extra layer of security against XSS. Security experts think otherwise, and they’re now asking for CSP during audits. So, let’s take a look at it from the developer’s standpoint.
Content Security Policy is a web standard and browser mechanism that improves our security against multiple attacks, specifically XSS and data injection. It’s pretty widespread: it has made its way into Ruby’s major tools such as Rails, Hanami, Roda, and Bullet. Basically, if a gem adds script tags to the page – it’ll probably have to deal with CSP one way or another.
However, introducing an extra level of security brings its own challenges and limitations. How do we decide on the level of security we want? How do we limit the impact on developers? How do we safely roll out the changes? HOW do we work with static pages? Lots of general questions and a lot of more specific ones.
We’ll talk about the principles and specifics of introducing CSP into existing systems. We’ll tap into community wisdom and share ways to overcome technical challenges that people had to grind through, making our own experience as pain-free as possible.
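To make the two practical points above concrete (a gem that injects script tags has to cooperate with the policy, and a rollout is safest in report-only mode first), here is an added example in plain Ruby, not code from the talk or from any of the gems named; the report endpoint path and the nonce format are assumptions.

```ruby
require "securerandom"

# Build a strict, nonce-based CSP value (constructed example, not any gem's policy).
# 'strict-dynamic' lets nonced scripts load what they need; 'unsafe-inline' and
# https: are fallbacks that nonce-aware browsers ignore.
def strict_csp(nonce, report_uri: nil)
  directives = [
    "default-src 'self'",
    "script-src 'nonce-#{nonce}' 'strict-dynamic' https: 'unsafe-inline'",
    "object-src 'none'",
    "base-uri 'none'",
  ]
  directives << "report-uri #{report_uri}" if report_uri
  directives.join("; ")
end

# Pick the header name: Report-Only during rollout, so violations are reported
# but nothing is blocked yet; switch to the enforcing header once reports are clean.
def csp_header(nonce, report_only:, report_uri: nil)
  name = report_only ? "Content-Security-Policy-Report-Only" : "Content-Security-Policy"
  [name, strict_csp(nonce, report_uri: report_uri)]
end

# Stamp the per-request nonce onto every <script> tag that does not already
# carry one: the minimum a gem injecting script tags must do under a strict CSP.
def nonce_scripts(html, nonce)
  html.gsub(/<script(?![^>]*\bnonce=)([^>]*)>/) { "<script nonce=\"#{nonce}\"#{$1}>" }
end

# One fresh, unguessable nonce per response (assumed format: 16 random bytes, base64).
def new_nonce
  SecureRandom.base64(16)
end
```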