
Content Security Policy (CSP) Update


Life is boring #

Another day after school, with tons of homework I have to complete. Like any sane person, I decided to add another feature to my website. Homework is for losers, man. (Please do your homework and don’t be like me.)

Tutorial time #

During the tutorial in school today, I just learnt about Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF). That’s right, I learnt how to make the website do weird stuff and execute weird code if someone presses on an unsuspecting link. Watch out for the different links I put out there. Anyways, one of the methods to defend against XSS is to use a Content Security Policy (CSP), which tells the browser where scripts and other resources may be loaded from. (CSRF is a different problem and needs its own defenses, such as anti-CSRF tokens and SameSite cookies; CSP does not cover it.)

We add some stuff to the headers and call it a day, right? Well, not exactly: how do I know which directives to put in the Content-Security-Policy header, and what does each of them do? After my beautiful google-fu, I implemented a basic CSP and realized that there are CSP scanners out there which can fetch my website, look at the policy it sends, and rate how secure it is. Welp, just like anyone, I decided to give it a go!
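To make the "which directives and what do they do" question concrete, here is a small CSP linter. It is an added example, not code from the original post or from either scanner mentioned here: it parses a Content-Security-Policy header value and reports the weaknesses that online graders typically penalize (inline and eval'd scripts, wildcard script sources, a missing `object-src 'none'`, a missing `base-uri`, and fetch directives left unrestricted because there is no `default-src`). The two sample policies are constructed for this example, and the nonce value in the strict one is a placeholder, not a real nonce. Because it runs offline, it also gives a first answer when an online scanner cannot reach the page.

```python
"""Minimal Content-Security-Policy linter (added example, not from the original post).

Parses a CSP header value and reports the weaknesses online CSP graders
usually penalize. Both sample policies at the bottom are constructed.
"""
from __future__ import annotations

# Fetch directives that fall back to default-src when not set explicitly.
FETCH_DIRECTIVES = (
    "script-src", "style-src", "img-src", "connect-src",
    "font-src", "media-src", "frame-src", "object-src",
)
# Source expressions that widen a directive to "anything": a bare wildcard, or a
# scheme on its own, which matches every host reachable over that scheme.
BROAD_SOURCES = {"*", "http:", "https:", "data:", "blob:", "filesystem:"}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive_name: [source expressions]}.

    Directives are ';'-separated; within one, the name and its sources are
    whitespace-separated. Names are case-insensitive, and browsers keep only the
    first occurrence of a repeated directive, which is mirrored here.
    """
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str) -> list[str] | None:
    """Sources that govern `directive` after the default-src fallback; None means unrestricted."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")


def lint_csp(header: str) -> list[str]:
    """Return human-readable findings for a policy; an empty list means nothing was flagged."""
    policy = parse_csp(header)
    findings: list[str] = []

    if "default-src" not in policy:
        unset = [d for d in FETCH_DIRECTIVES if d not in policy]
        if unset:
            findings.append(f"no default-src: {', '.join(unset)} are unrestricted")

    scripts = effective_sources(policy, "script-src")
    if scripts is None:
        findings.append("script-src is unrestricted (no script-src and no default-src)")
    else:
        lowered = {s.lower() for s in scripts}
        has_nonce_or_hash = any(
            s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered
        )
        # CSP Level 2+ browsers ignore 'unsafe-inline' once a nonce or hash is present,
        # so it only weakens the policy when it is the sole way inline scripts are allowed.
        if "'unsafe-inline'" in lowered and not has_nonce_or_hash:
            findings.append("script-src 'unsafe-inline' without a nonce or hash: injected inline scripts run, so XSS is not mitigated")
        if "'unsafe-eval'" in lowered:
            findings.append("script-src 'unsafe-eval': eval()/new Function() on attacker-controlled strings is allowed")
        broad = sorted(lowered & BROAD_SOURCES)
        if broad:
            findings.append(f"script-src allows scripts from any origin via {', '.join(broad)}")

    objects = effective_sources(policy, "object-src")
    if objects is None or {s.lower() for s in objects} != {"'none'"}:
        findings.append("object-src is not 'none': plugin content (<object>/<embed>) can still execute script")

    if "base-uri" not in policy:
        findings.append("no base-uri: an injected <base> tag can redirect every relative script URL")

    return findings


# Constructed sample policies for this example (the nonce is a placeholder).
WEAK_CSP = (
    "default-src *; "
    "script-src * 'unsafe-inline' 'unsafe-eval'; "
    "style-src * 'unsafe-inline'"
)
STRICT_CSP = (
    "default-src 'self'; "
    "script-src 'self' 'nonce-d3ad0f4c'; "
    "style-src 'self'; "
    "img-src 'self' data:; "
    "object-src 'none'; "
    "base-uri 'self'; "
    "frame-ancestors 'none'; "
    "form-action 'self'"
)

if __name__ == "__main__":
    for label, csp in (("weak", WEAK_CSP), ("strict", STRICT_CSP)):
        print(f"{label}: {csp}")
        for finding in lint_csp(csp) or ["no findings"]:
            print("  -", finding)
```

The weak policy trips five findings and the strict one none. Two design points worth noting: a directive that is absent is not "safe by omission", it inherits `default-src` (or is unrestricted if that is absent too), which is why `effective_sources` does the fallback before any check; and `'unsafe-inline'` next to a nonce is deliberately not flagged, because CSP-aware browsers drop it in that case and it only remains as a fallback for very old ones.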

Let’s get scanning #

So I found CSPScanner by rapidsec and cspvalidator.org and keyed in my address.

What gives? I have already implemented some CSP. How can they say that I have no protection? (Remember kids, always use protection.) It turned out that the website somehow could not fetch the CSP from my webpage. Welp, there is not much I can do about that. Time to go and try the other one.

Only A+ I ever got #

Welp, this one can read my CSP, but it cannot seem to give me a proper grade… At that moment, I felt like a diplomat. Why not try a power move and copy-paste the CSP from one website into the other one, which can grade how secure it is? OMG, why am I so smort. It’s time!

CSP Grade

After a few hours of adjusting my CSP and a lot of copying and pasting, I finally managed to get it to A+. Oh yeah, if I can’t get an A+ in school, I can at least get an A+ in CSP :D. #proud