Bringing Content Security Policy to Drupal
Content Security Policy is a new layer in web security to protect your site and your users from cross-site scripting (XSS) vulnerabilities. Additional strategies are also available to expand its capabilities to detect and mitigate threats like malicious browser extensions, content injection from proxies, and unauthorized HTTP requests. Leveraging Drupal 8’s libraries system, the Content-Security-Policy module is being built to make this tool easily available to every Drupal site.
This session will cover the options available when creating a Content Security Policy and which risks they each address; some of the inventive ways people are using CSP to mitigate additional risks beyond XSS; the roadblocks that current modules, frontend libraries, and third-party services present to adding effective rules to your site; how to make your own modules and themes ready to enable an effective policy; the options currently available for adding a policy to your Drupal site; and the roadmap and progress for the Content-Security-Policy Drupal module.