Igor S. Morozov

Talk: Benefits and challenges of introducing a strict Content Security Policy

A lifelong software engineer who turned a passion into career.

Benefits and challenges of introducing a strict Content Security Policy

Content Security Policy is kind of getting hot right now. I myself felt like it was a niche technology, just an extra layer of security against XSS. Security experts think otherwise, and they’re now asking for CSP during audits. So, let’s take a look at that from the developer’s standpoint.

Content Security Policy is a web standard and browser mechanism that improves our security against multiple attacks, specifically XSS and data injection. It’s pretty widespread: it has made its way into Ruby’s major tools such as Rails, Hanami, Roda, and Bullet. Basically, if a gem adds script tags to the page – it’ll probably have to deal with CSP one way or another.

However, introducing an extra level of security brings its own challenges and limitations. How do we decide on the level of security we want? How do we limit the impact on developers? How do we safely roll out the changes? HOW do we work with static pages? Lots of general questions and a lot of more specific ones.
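To make the mechanism and the rollout question concrete, here is an added example in plain Ruby (not code from the talk or from Rails): it builds a strict, nonce-based policy, switches between the enforcing and report-only header names for a staged rollout, and scans a page for `<script>` tags the policy would block, which is exactly the problem a static page with hand-written inline scripts runs into. The class name `StrictCsp`, the `/csp-report` endpoint and the sample HTML are all constructed for this example.

```ruby
require "securerandom"
require "base64"

# StrictCsp (hypothetical helper): one instance per HTTP response, because
# the nonce must be fresh for every response or it stops being a secret.
class StrictCsp
  ENFORCE_HEADER = "Content-Security-Policy"
  REPORT_HEADER  = "Content-Security-Policy-Report-Only"

  # report_uri: where browsers post violation reports (assumed endpoint);
  # report_only: true during rollout so violations are reported, not blocked.
  def initialize(report_uri: nil, report_only: false)
    @report_uri = report_uri
    @report_only = report_only
  end

  # 128 bits of randomness, base64-encoded as the CSP spec requires.
  def nonce
    @nonce ||= Base64.strict_encode64(SecureRandom.random_bytes(16))
  end

  def header_name
    @report_only ? REPORT_HEADER : ENFORCE_HEADER
  end

  # 'strict-dynamic' lets nonced scripts load further scripts without
  # host allow-listing; browsers that understand it ignore the trailing
  # 'unsafe-inline' and https: entries, which exist only as a fallback
  # for older browsers.
  def header_value
    directives = [
      "default-src 'self'",
      "script-src 'nonce-#{nonce}' 'strict-dynamic' https: 'unsafe-inline'",
      "object-src 'none'",
      "base-uri 'none'"
    ]
    directives << "report-uri #{@report_uri}" if @report_uri
    directives.join("; ")
  end

  # Returns the opening <script> tags in html that this policy would refuse
  # to execute: any tag whose nonce attribute is missing or does not match.
  # Useful for auditing templates and static pages before enforcing.
  def blocked_scripts(html)
    html.scan(/<script\b[^>]*>/i).reject do |tag|
      tag.match?(/\bnonce=["']#{Regexp.escape(nonce)}["']/)
    end
  end
end

# Constructed sample page: one correctly nonced inline script, one with no
# nonce, one external script without a nonce, one with a stale nonce.
def sample_page(nonce)
  <<~HTML
    <script nonce="#{nonce}">console.log("allowed")</script>
    <script>console.log("blocked: no nonce")</script>
    <script src="/app.js"></script>
    <script nonce="stale">console.log("blocked: wrong nonce")</script>
  HTML
end

if $PROGRAM_NAME == __FILE__
  csp = StrictCsp.new(report_uri: "/csp-report", report_only: true)
  puts "#{csp.header_name}: #{csp.header_value}"
  csp.blocked_scripts(sample_page(csp.nonce)).each { |tag| puts "would block: #{tag}" }
end
```

In Rails the same policy is expressed through `config.content_security_policy`, `config.content_security_policy_nonce_generator` and `config.content_security_policy_report_only` in the CSP initializer, and the `nonce` is exposed to views as `content_security_policy_nonce`; the audit step is the part the framework does not do for you.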

We’ll talk about the principles and specifics of introducing CSP into existing systems. We’ll tap into community wisdom and share ways to overcome technical challenges that people had to grind through, making our own experience as pain-free as possible.

Bio

Started a Ruby career as an early dry-rb/rom-rb user, loving functional programming. Grew to understand and respect Rails, and started enjoying software architecture, OOP, processes, and all the other things.

Used to write about Ruby, now more focused on sharing the knowledge via talks. Also on sailing, skiing, and cycling.