Add a default-src CSP Header in Express to Enforce an Allowlist and Mitigate XSS


In this lesson, we'll learn how to disable all external content sources other than the specific types of external resources we need, by starting from a default-src 'none' policy and re-enabling each resource type explicitly. For the resource types we do need, we'll limit them to nonce-matching resources only: each response carries a fresh, unguessable nonce in its CSP header, and only script and style elements that carry the same nonce are allowed to run. This mitigates most forms of XSS, because an injected script or style has no way to carry the nonce the browser is expecting, and it applies the principle of least power, enabling only the capabilities the page actually needs and drastically reducing the attack surface of our website.

Nat
~ 5 years ago

Hi! Thanks for the great course! The question is why not just take care of preventing code injection with validation/sanitization of user input for XSS?

Mike Sherov (instructor)
~ 5 years ago

Hi Nat! You should definitely do both validation/sanitization AND use CSP. In earlier lessons, I explain that you should always use a "defense in depth" approach to security. That is, if there are two ways to protect, do both in case one of them fails. In this case, input sanitization should always be done, but it's important to recognize that it's also error-prone and difficult to always do successfully. With CSP, you get an extra layer of protection :-)

For example, see this article that describes an XSS vuln that was found in Gmail's AMP implementation but wasn't exploitable because of Gmail's CSP policy: https://mypc.guru/google-developers-fixed-gmail-dynamic-messaging-xss-vulnerability/

Nat
~ 5 years ago

Thanks, Mike! You've been very helpful