I don't think its necessary to know about CSP or CORS. You can build a perfectly secure website without any knowledge of these things; most websites I've worked on don't use these security hardening features.
One thing potentially worth mentioning is HSTS which can prevent downgrade attacks.
CORS is pretty important. one instance, we developed a web API, and a client both worked well in local but when moved to stagging env the app was not working reason CORS.
With the modern web, it really became a staple to consume resources from different origins, and understanding why the same-origin policy was introduced makes more sense
Yes, HSTS is useful to understand, I will add it in one of the following articles, but for CSP and CORS it is useful to understand them to increase your knowledge of web security and this knowledge what makes the differences between web developers.
The fact that CSP is not widely use is a signal that developers - especially frontend devs - should be more educated on security topics.
Without a good Content Security Policy how confident are you that your customers are safe against XSS? For instance, how do you ensure that one of your users doesn't have a browser extension that logs their credentials as they type to a malicious server?
CSP may not be the only option to counter these attacks, but one has to be aware of the risks that can originate from the client-side of our applications and websites.
In practice, it isn't easy to implement CSP when libraries come into play. It is nice to add for hardening, but it isn't necessary, and should not be considered a primary form of defence against XSS.
Nothing about security is easy and the fact that one method is not easy to implement doesn't make it less valuable.
Also, you can always set the CSP as report-only if you're (correctly) worried about potentially breaking stuff. Implementing a good policy slowly over months is better than never doing it at all.
But anyway, if other methods are preferable in your view it's more constructive to explicitly say which ones, so people reading the comments can actually get value out of the discussion.
I consider CSP to be an advanced topic because it is a additional defence against XSS. I do not consider it a "must know". What I consider essential knowledge is how to reason about trusted and untrusted inputs, making sure to sanitize if your framework or library doesn't already do it.
Also, you can always set the CSP as report-only
Again, I don't consider this a "must know". I mean, its cool and all but I don't consider auditing something everyone should know about. I'd much rather have people know about ways you can actually completely shoot yourself in the foot than know about CSP.
Surely, although for me they really are different methods solving different but equally serious problems. But this is now more a personal opinion about what is and what is not a must know, so less valuable/interesting.
Thanks for keeping up the thread and replying with an informed opinion and a link to a reputable site.
I really appreciate it 👍👍👍
Some comments have been hidden by the post's author - find out more
For further actions, you may consider blocking this person and/or reporting abuse
We're a place where coders share, stay up-to-date and grow their careers.
I don't think its necessary to know about CSP or CORS. You can build a perfectly secure website without any knowledge of these things; most websites I've worked on don't use these security hardening features.
One thing potentially worth mentioning is HSTS which can prevent downgrade attacks.
CORS is pretty important. one instance, we developed a web API, and a client both worked well in local but when moved to stagging env the app was not working reason CORS.
With the modern web, it really became a staple to consume resources from different origins, and understanding why the same-origin policy was introduced makes more sense
Yes, HSTS is useful to understand, I will add it in one of the following articles, but for CSP and CORS it is useful to understand them to increase your knowledge of web security and this knowledge what makes the differences between web developers.
I disagree.
The fact that CSP is not widely use is a signal that developers - especially frontend devs - should be more educated on security topics.
Without a good Content Security Policy how confident are you that your customers are safe against XSS? For instance, how do you ensure that one of your users doesn't have a browser extension that logs their credentials as they type to a malicious server?
I suggest this article or this other (don't miss the video) from Troy Hunt.
CSP may not be the only option to counter these attacks, but one has to be aware of the risks that can originate from the client-side of our applications and websites.
I agree with you 👌
In practice, it isn't easy to implement CSP when libraries come into play. It is nice to add for hardening, but it isn't necessary, and should not be considered a primary form of defence against XSS.
Nothing about security is easy and the fact that one method is not easy to implement doesn't make it less valuable.
Also, you can always set the CSP as report-only if you're (correctly) worried about potentially breaking stuff. Implementing a good policy slowly over months is better than never doing it at all.
But anyway, if other methods are preferable in your view it's more constructive to explicitly say which ones, so people reading the comments can actually get value out of the discussion.
Cheers!
I consider CSP to be an advanced topic because it is a additional defence against XSS. I do not consider it a "must know". What I consider essential knowledge is how to reason about trusted and untrusted inputs, making sure to sanitize if your framework or library doesn't already do it.
Again, I don't consider this a "must know". I mean, its cool and all but I don't consider auditing something everyone should know about. I'd much rather have people know about ways you can actually completely shoot yourself in the foot than know about CSP.
Surely, although for me they really are different methods solving different but equally serious problems. But this is now more a personal opinion about what is and what is not a must know, so less valuable/interesting.
Thanks for keeping up the thread and replying with an informed opinion and a link to a reputable site.
I really appreciate it 👍👍👍