Learn to CSP Like a Pro

with Scott Helme

Learn the inner workings of Content Security Policy with theory and practical sessions to deploy your own fully functional CSP. We'll cover tools and methods to effectively deploy, test and monitor CSP on an ongoing basis and address common challenges that organisations face during deployment.

Contact us if you'd like to attend this course! Future dates will be announced here.

Want us to come to you? This training is also available on-site.


Why This Course is for You

  • Learn about the latest and greatest CSP features
  • Find out what risks and threats you can mitigate with CSP
  • Deploy dynamic CSP for flexible protection
  • Make the most of CSP reporting

Course Outline

  1. Introduction
    1. The need for Content Security Policy
    2. Boosting security with response headers
    3. Requirements for deploying Content Security Policy
  2. What does CSP solve
    1. Content injection attacks
    2. Cross-Site Scripting (XSS)
    3. Practical session
      1. Live XSS demos
      2. Perform attacks against test environments
  3. Getting started with CSP
    1. Whitelisting sources
    2. Javascript restrictions
      1. Unsafe-inline
      2. Unsafe-eval
      3. 3rd party
    3. Style restrictions
      1. Unsafe-inline
      2. 3rd party
    4. Additional content types
    5. Practical session:
      1. Deploy a basic CSP
  4. Maturing your CSP
    1. Keywords
    2. Host declarations
    3. Data URIs
    4. Hashes
    5. Nonces
    6. Practical session:
      1. Expand on basic CSP
  5. CSP reporting
    1. The report-uri directive
    2. JSON reports
    3. Reducing noise
    4. Practical session
      1. Deploy reporting
      2. Inspect payloads
  6. Advanced CSP features
    1. Mixed content prevention
    2. Framing restrictions
    3. Clickjacking defenses
    4. Form action controls
    5. Fine tuning
    6. Practical session
      1. Develop CSP with advanced features

Meet the Trainer

Scott Helme is a security researcher, consultant and international speaker. He can often be found talking about web security and performance online and helping organisations better deploy both.

Founder of report-uri.io, a free CSP report collection service, and securityheaders.io, a free security analyser, Scott has a tendency to always be involved in building something new and exciting. As a result, he is currently working on his latest adventure!

Level: Intermediate

Duration: 1 day

Extras: Lunch and refreshments included

What You Need to Know

Target audience

This course is aimed at developers, system administrators and security staff who want to ensure robust measures are in place to protect their users.


  • Basic understanding of HTML and HTTP
  • Your own laptop - Mac/Linux users can use terminal to access the virtual server and Windows users will need to download Putty or can use their own preferred SSH program.

We will provide you with your own virtual server and sample web application to work on throughout the course.