Datadog on Web Security Standards

May 19, 2022

Andrew Krug

Ayaz Badouraly

Jean-Baptiste Aviat

Modern web applications are incredibly complex. Frameworks, JavaScript, and dependency management have made understanding and maintaining a baseline security standard harder than ever. With attack vectors like those listed in the OWASP Top 10, it can be difficult to know where to start and what the metrics for success are. Every modern web browser supports a variety of security headers. These headers are served as part of each response from the web server stack and can prevent a variety of common attacks. Perhaps the most impactful among them is the Content-Security-Policy header, or CSP.

Content Security Policy (CSP) is a W3C standard that helps defend web applications against cross-site scripting (XSS), clickjacking, and other code injection attacks by blocking the browser from loading resources (for example, an injected script) that do not comply with your policy. CSP reporting provides critical visibility into CSP violations: the browser sends a report for each resource it blocks, which lets you build effective policies, roll them out in report-only mode before enforcing them, and confirm that they are configured correctly.

In this Datadog on session, Andrew Krug, Lead Security Evangelist, will chat with Jean-Baptiste Aviat, Staff Engineer, and Ayaz Badouraly, Site Reliability Engineer. They will explore how Datadog engineers collect CSP reports and use them to detect and analyze violations. They'll also walk through how Datadog's built-in security rules can automatically alert on noteworthy trends in CSP violations, which may be triggered by problematic deployments or misconfigurations.
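To make the two ideas above concrete (a policy that reports violations, and collected reports that are aggregated so trends stand out), here is an added example in Node.js. It is not Datadog's code and not the pipeline discussed in the session; the CDN origin, the `/csp-report` path, the `csp-endpoint` group name and the sample reports are all constructed for illustration. It builds a `Content-Security-Policy` value, normalises the legacy `report-uri` format (`{"csp-report": {...}}`) and the Reporting API format (an array of `{type: "csp-violation", body: {...}}` entries) into one record shape, filters browser-extension noise, and flags any directive/origin pair whose count crosses a threshold.

```javascript
// Added example (not Datadog's code): build a reporting CSP, normalise
// violation reports from both browser formats, and aggregate them.
// Run with: node csp_reports.js

// Build a Content-Security-Policy header value from a directive map.
// Keyword sources such as 'self' and 'none' must keep their quotes.
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, values]) => [name, ...values].join(" "))
    .join("; ");
}

const POLICY = {
  "default-src": ["'self'"],
  "script-src": ["'self'", "https://cdn.example.com"], // assumed CDN origin
  "object-src": ["'none'"],
  "frame-ancestors": ["'none'"],                        // clickjacking defence
  "report-uri": ["/csp-report"],                        // legacy endpoint (assumed path)
  "report-to": ["csp-endpoint"],                        // Reporting API group (assumed name)
};
// The report-to group must be declared in a separate response header;
// this is the matching Reporting-Endpoints value for the assumed path.
const REPORTING_ENDPOINTS = 'csp-endpoint="https://app.example.com/csp-report"';

// Legacy report-uri POSTs one {"csp-report": {...}} object; the Reporting
// API POSTs an array of {type, url, body} entries. Return one record shape.
function normalizeReport(payload) {
  const entries = Array.isArray(payload) ? payload : [payload];
  const out = [];
  for (const e of entries) {
    if (e["csp-report"]) {
      const r = e["csp-report"];
      out.push({
        documentUri: r["document-uri"],
        // Older browsers send only violated-directive ("script-src 'self'").
        directive: r["effective-directive"] || (r["violated-directive"] || "").split(" ")[0],
        blockedUri: r["blocked-uri"] || "",
        disposition: r.disposition || "enforce", // "report" under Report-Only
      });
    } else if (e.type === "csp-violation" && e.body) {
      out.push({
        documentUri: e.body.documentURL,
        directive: e.body.effectiveDirective,
        blockedUri: e.body.blockedURL || "",
        disposition: e.body.disposition || "enforce",
      });
    }
  }
  return out;
}

// Extension-injected scripts produce violations the site cannot fix;
// classify them so they can be excluded from alerting.
const EXTENSION_SCHEMES = ["chrome-extension:", "moz-extension:", "safari-extension:"];
function isExtensionNoise(blockedUri) {
  return EXTENSION_SCHEMES.some((s) => blockedUri.startsWith(s));
}

// Reports use bare keywords (inline, eval, data, ...) for non-URL sources;
// for real URLs only the origin matters for aggregation.
function blockedOrigin(blockedUri) {
  if (["inline", "eval", "data", "blob", ""].includes(blockedUri)) return blockedUri || "(empty)";
  try { return new URL(blockedUri).origin; } catch { return blockedUri; }
}

// Count violations per "directive origin" key, counting noise separately.
function aggregate(records) {
  const counts = new Map();
  let noise = 0;
  for (const r of records) {
    if (isExtensionNoise(r.blockedUri)) { noise++; continue; }
    const key = `${r.directive} ${blockedOrigin(r.blockedUri)}`;
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return { counts, noise };
}

// A deployment that drops an allowed origin shows up as one key spiking.
function spikes(counts, threshold) {
  return [...counts.entries()].filter(([, n]) => n >= threshold).map(([k]) => k);
}

function analyze(reports, threshold = 3) {
  const records = reports.flatMap(normalizeReport);
  const { counts, noise } = aggregate(records);
  return { records, counts, noise, spikes: spikes(counts, threshold) };
}

// Constructed sample reports (not real traffic): three legacy-format
// bodies, one of them extension noise, and two Reporting API batches.
const SAMPLE_REPORTS = [
  { "csp-report": { "document-uri": "https://app.example.com/", "effective-directive": "script-src", "blocked-uri": "https://cdn-old.example.com/app.js", "disposition": "enforce" } },
  { "csp-report": { "document-uri": "https://app.example.com/", "violated-directive": "script-src 'self'", "blocked-uri": "https://cdn-old.example.com/vendor.js" } },
  { "csp-report": { "document-uri": "https://app.example.com/", "effective-directive": "script-src", "blocked-uri": "chrome-extension://abcdef/inject.js" } },
  [{ type: "csp-violation", url: "https://app.example.com/", body: { documentURL: "https://app.example.com/", effectiveDirective: "script-src", blockedURL: "https://cdn-old.example.com/app.js", disposition: "enforce" } }],
  [{ type: "csp-violation", url: "https://app.example.com/", body: { documentURL: "https://app.example.com/", effectiveDirective: "connect-src", blockedURL: "https://telemetry.example.net/collect", disposition: "enforce" } }],
];

console.log("Content-Security-Policy:", buildCsp(POLICY));
console.log("Reporting-Endpoints:", REPORTING_ENDPOINTS);
const result = analyze(SAMPLE_REPORTS);
for (const [key, n] of result.counts) console.log(n, key);
console.log("extension noise:", result.noise, "spikes:", result.spikes);
```

With the constructed input, the three `script-src` violations from `https://cdn-old.example.com` collapse into one key that crosses the threshold, the extension report is counted as noise rather than alerted on, and the single `connect-src` violation stays visible without firing. In practice the threshold would be a rate over a time window rather than a raw count, and the `disposition` field is what tells you whether a report came from an enforced policy or a Report-Only one.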