CSP Explained — The Header That Stops XSS Attacks
Your code has an XSS vulnerability. An attacker injects a script tag. But nothing happens. The browser refuses to run it. Why? Because of one HTTP header.
Content Security Policy tells the browser exactly what your page is allowed to load — scripts, styles, images, connections, everything. If it's not on the allowlist, it doesn't run. In this video, we break down what CSP is, walk through every key directive, explain source values like 'self' and nonces, watch CSP block XSS attacks in real time, cover report-only mode for safe deployment, and expose three misconfigurations that make CSP completely useless.
This isn't theory. These are real patterns from production systems.
Timestamps:
0:00 Introduction — Your Page, Your Rules
0:54 What Is CSP? The Response Header That Controls Everything
2:03 CSP Directives — script-src, style-src, img-src, connect-src, default-src
2:56 Source Values — 'self', 'none', nonces, unsafe-inline
3:54 CSP In Action — Blocking XSS Attacks Live
5:02 Report-Only Mode — Deploy Safely, Monitor, Then Enforce
6:02 Dangerous Misconfigurations — unsafe-inline, Wildcards, Missing default-src
7:23 Summary — What We Covered & What's Next
What you'll learn:
- CSP is a response header that tells the browser what resources your page can load
- Key directives: script-src, style-src, img-src, connect-src, default-src
- Safe sources: 'self', 'none', specific domains, nonces, hashes
- Why 'unsafe-inline' and 'unsafe-eval' defeat CSP's XSS protection
- How CSP blocks both external script injection and inline XSS
- Report-only mode: monitor violations before enforcing in production
- The 3-step deployment: report-only → monitor & fix → enforce
- Why wildcard sources and missing default-src create real attack vectors
- Nonces: the right way to allow inline scripts without unsafe-inline
Previous video: CORS & Same-Origin Policy
Next video: Clickjacking & X-Frame-Options
#WebSecurity #CSP #ContentSecurityPolicy #CyberSecurity
Video: CSP Explained — The Header That Stops XSS Attacks, from the GyanByte channel
Video information
21 April 2026, 22:27:33
00:08:30