• Introduction
• Content-Security-Policy (CSP) as an Anti-pattern
• Interceptors and Servlet Filters as an Anti-pattern
• Four Problems with the Interceptor Approach
• Problem 1 - Encoding for specific context not satisfactory for all URI paths
• Problem 2 - Interceptor approach can lead to broken rendering caused by improper or double encoding
• Problem 3 - Interceptors not effective against DOM-based XSS
• Problem 4 - Interceptors not effective where data from responses originates outside your application
• Summary