The Final Frontier: Security APIs in Modern Browsers - Christian Wenz - NDC Oslo 2024

Content Security Policy (CSP) is a critical browser security feature that helps prevent XSS attacks by controlling which resources can be loaded and executed

Same-origin policy restricts JavaScript code to only access resources from the same origin (protocol, domain, port)

Modern browsers provide several security headers to enhance protection:

• Strict-Transport-Security (HSTS) to enforce HTTPS
• Content-Security-Policy to control resource loading
• Same-Site cookies to prevent CSRF attacks
• Referrer-Policy to control URL leakage
• X-Frame-Options to prevent clickjacking

Cookie security best practices:

• Use Secure flag for HTTPS-only
• Use HttpOnly flag to prevent JavaScript access
• Implement Same-Site attribute
• Consider cookie prefixes for additional security

Cross-Site Scripting (XSS) remains a major threat:

• Sanitize user input
• Avoid innerHTML when possible
• Use CSP to restrict script execution
• Implement proper encoding
• Consider using the Trusted Types API

Don’t store authentication tokens in localStorage - use cookies with proper security flags instead

Use subresource integrity (SRI) when loading resources from CDNs to prevent malicious code injection

Implement proper CSRF protection:

• Use anti-CSRF tokens
• Leverage Same-Site cookies
• Validate request origins

For legacy applications, use CSP in report-only mode first to identify potential issues before enforcement

Defense in depth is key - implement multiple security controls rather than relying on a single protection mechanism