The Core
Why We Are Here => Web Development => Topic started by: bill on January 28, 2016, 01:25:48 AM
-
I need to get this implemented on my sites: Content Security Policy (CSP)
Looks like a great way to thwart cross-site scripting attacks.
This guy has a scanner https://securityheaders.io/ that grades your headers just like SSL Labs does for certs. He also has a CSP policy builder https://report-uri.io/home/generate/ but there are a lot of options in there that I'd need to look into.
Anyone here use a CSP?
-
Sorry, but no.
Interesting though. I am not a server admin, but still... I don't know about any of that stuff.
It appears I'm not alone. Most sites I checked get an F on that scanner.
Google gets an E
Even security-related sites fared poorly
OWASP - D
Norton - B (no CSP)
Kaspersky - D
Trend Micro - F
-
I was actually surprised at how few sites had implemented a CSP. It looks easy enough to do for simple sites. Some of the rules could get complicated if your site is pulling in content from a lot of different sources.
-
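A small linter for the kind of policy rules the post above mentions, as an added example that is not code from the thread nor from securityheaders.io or report-uri.io; the two sample policies and the cdn.example.net host are constructed for illustration:

```python
"""Tiny CSP linter (added example, not from the thread or securityheaders.io).

Parses a Content-Security-Policy header value into directives and flags the
settings that undo its XSS protection. Sample policies are constructed."""
from __future__ import annotations

def parse_csp(header: str) -> dict[str, list[str]]:
    """'a b; c d' -> {'a': ['b'], 'c': ['d']}; first copy of a directive wins (per spec)."""
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy

def effective(policy: dict[str, list[str]], directive: str) -> list[str] | None:
    """Source list governing `directive` (fetch directives fall back to default-src); None = no restriction."""
    return policy.get(directive, policy.get("default-src"))

def lint_csp(header: str) -> list[str]:
    """Return human-readable weaknesses; an empty list means nothing was flagged."""
    policy = parse_csp(header)
    findings: list[str] = []
    if "default-src" not in policy:
        findings.append("no default-src: every fetch directive you omit is unrestricted")
    for d in ("script-src", "object-src"):  # the two that matter most for XSS
        sources = effective(policy, d)
        if sources is None:
            findings.append(f"{d}: unrestricted (no directive and no default-src)")
            continue
        if d == "script-src":
            for kw in ("'unsafe-inline'", "'unsafe-eval'"):
                if kw in sources:
                    findings.append(f"script-src allows {kw}: injected inline script still runs")
        if any(s in ("*", "http:", "https:", "data:") for s in sources):
            findings.append(f"{d}: wildcard or scheme-only source lets any host supply content")
    if not any(k in policy for k in ("report-uri", "report-to")):
        findings.append("no report-uri/report-to: violations are enforced silently")
    return findings

# Constructed examples: a permissive policy beside a tightened one.
WEAK = "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'"
STRICT = ("default-src 'none'; script-src 'self' https://cdn.example.net; "
          "style-src 'self'; img-src 'self' data:; object-src 'none'; report-uri /csp-report")

if __name__ == "__main__":
    for name, csp in (("weak", WEAK), ("strict", STRICT)):
        print(name, lint_csp(csp) or ["no findings"])
```

Running it prints five findings for WEAK and none for STRICT; an empty header is flagged on all counts, which is the "no CSP" case the scanner grades down.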
I need to put this on my list.
Most of this (all the headers the scanner checks for) look reasonable enough on a simple site.
-
https://www.hsbc.co.uk/1/2/ F
Meanwhile, partially related:
http://www.telegraph.co.uk/finance/personalfinance/bank-accounts/12129786/HSBC-online-banking-fails-again-after-succumbing-to-cyber-attack.html
The website was hit by a denial of service attack, caused by a deliberate overload of traffic to the online system by cyber attackers.
-
A CSP certainly wouldn't hamper a DoS or DDoS in any way. Those are an entirely different animal to deal with. The problem with a DoS is usually that the media picks up on it and unnecessarily freaks everyone out...but that's usually the purpose of such an attack.