Gatsby: Webinar suggestion: CSRF and security best practices for dynamic gatsby web apps

Created on 12 Jun 2019 · 5 Comments · Source: gatsbyjs/gatsby

Not sure if this is the right forum for these sort of suggestions. May I suggest that you guys have a part two of this Webinar: Beyond Static- Building Dynamic Apps with Gatsby but focusing on security implementation examples. I reckon it would be beneficial for those who have projects with at least three forms.

Thank you in advance.

Labels: stale?, question or discussion

All 5 comments

Thanks @younggrandpa - I'm going to pass your suggestion over to the webinar team.

What sort of topics would you like to see covered? This might be info that we could cover in Gatsby's documentation too.

For existing resources I can point you towards a couple of posts that might be useful:

This is a great idea! I'd love to hear any specific questions or workflows you'd like to see covered — this could make a great webinar or livestream!

What sort of topics would you like to see covered? This might be info that we could cover in Gatsby's documentation too.

Thanks Mick @m-allanson. I guess the outcome of the webinar would be briefing developers who have worked only on non-static websites hosted by servers. I'm new to JAMSTACK myself. I have done a bit of research already but I'm still wrapping my head around the security side of things. I often see in different discussion threads questions like:

  • How not to hard code API keys (esp for runtime sessions/react hydrate methodology)
  • How to implement form nonces for logged-in and not-logged-in users

The above are kinda the basics. CSP implementation is another, but implementing it is very tricky. The example below, as a disclaimer, may make me sound pedantic.

From Gatsby Plugin CSP:

sha256 for every inline script and style is generated automatically during the build process and appended to its directive (script-src or style-src).

This is fine I guess, but how do I get nonces implemented based on Troy Hunt's blog:

Using Nonces. When I show the hash approach in my workshops, I often have people ask "but does this mean I need to recalculate the hash every single time I change the script?" Yes, it does, and I know that can get painful. It's not just the convenience factor either because there are occasions where a script block may actually be dynamic, for example on the Hack Yourself First site.

....I see far worse on a near daily basis and arguably, there are multiple different circumstances in which you may genuinely need a script block that contains dynamic content that's potentially malicious. But that means you can't return a hash because you simply don't know what the script block will contain. Yes, you could build the whole thing up dynamically, calculate the hash then return that in the CSP and render the script block to the page but not only is that getting super messy, it doesn't help with the maintainability problem....

...All of this brings us to the next feature mentioned in the original error and that's nonces. In case the term is unfamiliar, a nonce is a pseudo-random "number used once".

All of this brings us to the next feature mentioned in the original error and that's nonces. -- Troy Hunt

Note also: latest CSP version is not compatible with Safari browsers.

Hiya!

This issue has gone quiet. Spooky quiet. 👻

We get a lot of issues, so we currently close issues after 30 days of inactivity. It’s been at least 20 days since the last update here.

If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request. Check out gatsby.dev/contribute for more information about opening PRs, triaging issues, and contributing!

Thanks for being a part of the Gatsby community! 💪💜

Hey again!

It’s been 30 days since anything happened on this issue, so our friendly neighborhood robot (that’s me!) is going to close it.

Please keep in mind that I’m only a robot, so if I’ve closed this issue in error, I’m HUMAN_EMOTION_SORRY. Please feel free to reopen this issue or create a new one if you need anything else.

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request. Check out gatsby.dev/contribute for more information about opening PRs, triaging issues, and contributing!

Thanks again for being part of the Gatsby community!
