Wednesday 

Room 1 

15:00 - 16:00 

(UTC+01)

Talk (60 min)

Demystifying CSP for modern applications

Content Security Policy, or CSP for short, has been around for more than a decade. We're all familiar with CSP in one way or another. Maybe you suffered while implementing it, were scolded by a pentest report for not having it, or spent hours figuring out whether 'unsafe-inline' is actually unsafe or not. In a nutshell, CSP is messy and complicated. But it doesn't have to be.

Application Security

This session will be instrumental in helping you unravel the mysteries behind CSP. Concretely, you will learn why most CSP policies are highly ineffective and likely insecure. You will learn how to configure CSP the right way and how to build a backwards-compatible policy. You will also learn about three ways of deploying CSP in single-page applications. At the end of this session, you will know how to deal with CSP and you will have actionable guidelines to leverage CSP for security.

Philippe De Ryck

Philippe De Ryck specializes in making web security accessible to developers and architects, leveraging his Ph.D. from KU Leuven to inform his comprehensive understanding of security challenges. As the founder of Pragmatic Web Security, he provides practical security training and consulting services to organizations worldwide.

His online course platform offers a self-paced approach to learning about security. Philippe also actively helps shape OAuth 2.0 best practices as the co-author of the best practices for browser-based apps specification.

Philippe is recognized as a Google Developer Expert, acknowledging his contributions to web application and API security. He also organizes SecAppDev, an annual week-long application security course in Belgium.