naxcelebrity.blogg.se

Link protector website script

Manual content security policies are just a pain to manage, which means developers may avoid critical CSP processes, leading to increased security risk.

Automated content security policies help manage CSPs to better protect the client-side attack surface and remove the risk associated with manual CSP oversight. CSPs are great at providing violation reporting and policy optimization and help uncover vulnerable scripts that lead to JavaScript injection attacks, cross-site scripting (XSS), and skimming attacks, like Magecart. The problems with CSPs have nothing to do with their value. Unfortunately, the CSP-audit-avoidance problem expands an already significant client-side attack surface. In a recent example, researchers discovered that malicious packages had been downloaded 27,000 times by unsuspecting developers. Ongoing issues still surface with package managers containing obfuscated and malicious JavaScript used to harvest sensitive information from websites and web applications. Few development or security teams take the time to maintain a detailed record of all the scripts used in web application assembly, including their functions, their sources, and whether they've been updated or patched to address any known security issues.

Even when teams do identify all third-party script sources, that's no guarantee that the scripts are safe. Today, client-side web applications contain thousands of scripts, assembled from multiple open-source libraries or other third- and fourth-party repositories.


The CSP-audit-avoidance problem (aka avoiding manual code reviews or death by a thousand scripts) is fairly common. The CSP also can't conflict with any existing widgets or plugins (or the decision must be made to not deploy the CSP or deactivate those plugins, which can cause problems in other areas, such as customer engagement, marketing, and sales).

And then, when a CSP fails, there is the dreaded audit to determine the why and where. Then the team needs to make sure it provides the appropriate level of protection. First, the CSP has to work for the specific web application. There are few developers or AppSec professionals who claim to enjoy deploying CSPs.














