Chapter 22. Secure Application Configuration

One component of delivering a secure web application to your customers is ensuring that the application is configured to take advantage of the security mechanisms built into the browser.

Web applications today are built on a multitude of languages, frameworks, and technologies. However, because a web application is still delivered to the user through the browser, learning how to make use of the browser's built-in security mechanisms is essential to a good security posture.

In this chapter, we will evaluate and discuss several security technologies implemented by the web browser. You will also learn how to configure them correctly to maximize the security of your web application.

Content Security Policy

Content Security Policy (CSP) is one of the browser's primary mechanisms for protecting against the most common attacks that target the browser client. A correctly configured policy restricts which scripts may execute and where the page may load resources from, submit forms to, and be framed, which makes it an effective mitigation for XSS and other content-injection attacks and for clickjacking. It is a defense-in-depth layer rather than a complete fix: it does not remove the underlying injection bug, and it offers little against phishing or open redirects, which do not depend on what the page itself loads.

Because CSP was designed to be adoptable without breaking existing sites, it is opt-in and comes with a large number of configuration options. As a result, a strong policy and a weak policy differ drastically in what they actually prevent. It is, in fact, possible to run a fully functioning website with no CSP at all, in which case the browser applies none of CSP's restrictions to that site.

Let’s take ...

Get Web Application Security, 2nd Edition now with the O’Reilly learning platform.