DrupalCon Seattle 2019: Is your site really safe from XSS?

If a content editor copying some text onto a page of your site inadvertently pasted some inline JavaScript, would you know? If one of your JavaScript dependencies were altered to start sending sensitive form data to a third-party site, could you prevent it?

Content Security Policy is a new layer in web security to protect your site and your users from security and privacy risks such as cross-site scripting (XSS), content injection, and data exfiltration. The Content-Security-Policy module is able to leverage Drupal 8's libraries system to make this tool more easily available to every Drupal site.

This session will cover:

The most prominent risks and the Content Security Policy options available to address them.
The current state of the Content Security Policy spec, and current browser support.
How to safely implement and monitor the effectiveness of a policy.
The roadblocks current modules, frontend libraries, and third-party services present.
The roadmap for the Content Security Policy Drupal module.

This session is useful for site builders and developers; attendees should walk away with the core knowledge required to implement and monitor a Content Security Policy for their website.

Session Slides:
https://gapple.github.io/presentation-csp-dc-seattle/#/title

Drupal is a registered trademark of Dries Buytaert.