Last year we shared some details on GitHub’s CSP journey. A journey was a good way to describe it, as our usage of Content Security Policy (CSP) significantly changed from…
Overview
This article discusses GitHub's evolution in implementing Content Security Policy (CSP) and the subsequent measures taken to defend against post-CSP exploitation. It highlights the collaboration with Cure53 to identify vulnerabilities and the various mitigations developed to enhance security against content injection attacks.
What You'll Learn
How to implement stricter img-src policies to prevent content exfiltration
Why per-form CSRF tokens enhance security against CSRF attacks
How to utilize same-site cookies to mitigate CSRF vulnerabilities
When to employ dangling markup protections in web applications
Key Questions Answered
What vulnerabilities did Cure53 identify in GitHub's CSP?
How does GitHub mitigate dangling markup attacks?
What is the purpose of same-site cookies in GitHub's security strategy?
What changes were made to the img-src policy at GitHub?
Technologies & Tools
Some links below are affiliate links. We may earn a commission if you make a purchase.
Key Actionable Insights
1Implement stricter img-src policies to limit potential data exfiltration through images.By narrowing the sources allowed in the img-src directive of CSP, organizations can significantly reduce the risk of sensitive data being sent to malicious sites.
2Adopt per-form CSRF tokens to enhance security against CSRF attacks.This approach ensures that even if one token is compromised, it cannot be used across different forms, thus minimizing the risk of privilege escalation.
3Utilize same-site cookies to protect against CSRF vulnerabilities.Setting the SameSite attribute on cookies helps prevent them from being sent in cross-origin requests, adding an additional layer of security.
4Regularly assess and update CSP policies to address new vulnerabilities.As new attack vectors are discovered, maintaining an up-to-date CSP is crucial for protecting web applications from exploitation.