Collaborate Disseminate
I have a website that includes CSP rules:
.use(
helmet.contentSecurityPolicy({
directives: {
defaultSrc: ["’self’"],
scriptSrc: [
"’self’",
"cdnjs.cloudflare.com"
],
},
})
)
… Continue reading Overcoming Cookie Theft Barrier in XSS Attack despite CSP Implementation
I am using Content Security Policy (CSP) rules in my code to defend against XSS attacks. Here are the CSP rules I have implemented using Helmet:
.use(
helmet.contentSecurityPolicy({
directives: {
defaultSrc: ["’self’"],
scriptSrc… Continue reading Bypassing CSP and implementing XSS attack
I’ve setup Content Security Policy (CSP) on a web app. For the time being it’s set to report only so that I can assess it first in production and then turn it on if things get clear. But so far they’re not. I’m getting some odd reports of … Continue reading Content security policy (CSP) reports that seem unrelated to the web app
I have a Content-Security-Policy-Report-Only: header of:
default-src ‘report-sample’ ‘self’ *.googleapis.com; object-src ‘none’; report-uri https://example.com/csp_logger;
but violations are being reported to my csp_logger endpoint, speci… Continue reading Why is a domain specified in a CSP default-src being reported as a script-src-elem violation?
During my implementation of a proof of concept for a CSP, I noticed that the hash value for the external library (jquery in this example) isn’t the same between Firefox and Chrome and I can’t figure out why.
The web pages I’m using for thi… Continue reading CSP : Different hash for the same external library (Firefox vs Chrome)
I have a web app that is built using Vite for the react front-end part and uses .net API backend. The backend also configures a static file service for the prebuild frontend files but otherwise implements the API that the front-end is heav… Continue reading Content security policy for script-src directive
If I have a web app that is vulnerable to XSS in the url (reflected XSS), does CSP protect against this type of XSS?
Ex: when I run www.example.com/<script>alert(1);</script> in the browser, this will trigger a popup message.
My project has a csp policy
Content-Security-Policy script-src ‘self’ ‘unsafe-inline’ https://*.mycompanycdn.com; report-uri mycompany.in/reportcsp
In the violation logs I found
with blocked-uri https://static.mycompanycdn.com/myscript…. Continue reading CSP blocking whitelist domains in web application
I can successfully iframe a page on origin B from origin A (no x-frame-deny, content security policy, etc). A page on origin B (page X) redirects to a page on origin C (page Y) with a server side redirect (status 301). Origin C doesn’t all… Continue reading Is it possible to track cross origin redirection?
Whenever the topic comes up, almost every source recommends to never store authentication tokens in a place where they can be accessed by client-side Javascript. The recommendation is almost always to store them in an http-only cookie to p… Continue reading Is storing authentication tokens in local storage with a strong CSP safe?