Scott Helme

Increasing entropy in our CSP nonces

I've talked many times about CSP and CSP nonces, the easy way to control JavaScript on your page, but someone recently pointed out an area we could improve. Report URI...

PCI DSS 4.0; It's time to get serious on Magecart

Free Post

CSP

PCI DSS 4.0; It's time to get serious on Magecart

The latest version of PCI DSS just dropped and it's really awesome to see that one of the most notorious threats that we face online when it comes to payment...

Free Post

Pwned Passwords

Re-bloom! Pwned Passwords v8

After the recent release of the Pwned Passwords v8 dataset, it was time to update my Bloom Filter implementation of Pwned Passwords! Bloom FiltersIf you aren't familiar with what a...

Free Post

Security Headers

Can you get pwned with CSS?

I recently started to consider changing the grading criteria on Security Headers which isn't something that happens very often. I wanted to make a change that would result in more...

Free Post

Community

Projects I Support

As we roll further into 2022, I wanted to outline the projects and other activities in the community that I support in the hope that it might inspire you to...

If it looks like a duck, swims like a duck, and QWACs like a duck, then it's probably an EV Certificate

Free Post

EV

If it looks like a duck, swims like a duck, and QWACs like a duck, then it's probably an EV Certificate

For a little while now I've been following a new type of certificate that you may soon be hearing a lot more about. They're called a "Qualified Website Authentication Certificate"...

Free Post

Log4j

Responding to the Log4j 2 vulnerability (CVE-2021-44228)

This blog post isn't going to be a deep dive into the vulnerability itself, but instead how Report URI reacted as an organisation and the things we've improved, even though...

Free Post

Crawler Report

Top 1 Million Analysis - November 2021

Wow! It's been quite a while since I've had time to do my regular analysis of security in the Top 1 Million site, but it's happening again! As it's been...

Frequency analysis on hundreds of billions of reports at Report URI: Top-K

Free Post

Probabilistic Data Structures

Frequency analysis on hundreds of billions of reports at Report URI: Top-K

After looking at how a Bloom Filter works and moving on to understand a Count-Min Sketch, we were left with the final problem of identifying the most frequent reports we...

Free Post

Report URI

Report URI is now using CSP nonces in an enforced policy

Hurrah! Sometimes it takes a little while for projects to make it through your backlog and into production, but the nonce-based policy for CSP on Report URI can now be...

Scott Helme

Hi, I'm Scott Helme, a Security Researcher, Entrepreneur and International Speaker. I'm the creator of Report URI and Security Headers and I deliver world renowned training on Hacking and Encryption.

Increasing entropy in our CSP nonces

PCI DSS 4.0; It's time to get serious on Magecart

Re-bloom! Pwned Passwords v8

Can you get pwned with CSS?

Projects I Support

If it looks like a duck, swims like a duck, and QWACs like a duck, then it's probably an EV Certificate

Responding to the Log4j 2 vulnerability (CVE-2021-44228)

Top 1 Million Analysis - November 2021

Frequency analysis on hundreds of billions of reports at Report URI: Top-K

Report URI is now using CSP nonces in an enforced policy

Upcoming Events

Cheat Sheets

Projects

Upcoming Events

Cheat Sheets

Projects

Follow