Report URI: Increasing entropy in our CSP nonces. I've talked many times about CSP and CSP nonces, the easy way to control JavaScript on your page, but someone recently pointed out an area we could improve. Report URI...
CSP: PCI DSS 4.0; It's time to get serious on Magecart. The latest version of PCI DSS just dropped and it's really awesome to see that one of the most notorious threats that we face online when it comes to payment...
Pwned Passwords: Re-bloom! Pwned Passwords v8. After the recent release of the Pwned Passwords v8 dataset, it was time to update my Bloom Filter implementation of Pwned Passwords! Bloom Filters: If you aren't familiar with what a...
Security Headers: Can you get pwned with CSS? I recently started to consider changing the grading criteria on Security Headers, which isn't something that happens very often. I wanted to make a change that would result in more...
Community: Projects I Support. As we roll further into 2022, I wanted to outline the projects and other activities in the community that I support in the hope that it might inspire you to...
EV: If it looks like a duck, swims like a duck, and QWACs like a duck, then it's probably an EV Certificate. For a little while now I've been following a new type of certificate that you may soon be hearing a lot more about. They're called a "Qualified Website Authentication Certificate"...
Log4j: Responding to the Log4j 2 vulnerability (CVE-2021-44228). This blog post isn't going to be a deep dive into the vulnerability itself, but instead how Report URI reacted as an organisation and the things we've improved, even though...
Crawler Report: Top 1 Million Analysis - November 2021. Wow! It's been quite a while since I've had time to do my regular analysis of security in the Top 1 Million sites, but it's happening again! As it's been...
Probabilistic Data Structures: Frequency analysis on hundreds of billions of reports at Report URI: Top-K. After looking at how a Bloom Filter works and moving on to understand a Count-Min Sketch, we were left with the final problem of identifying the most frequent reports we...
Report URI: Report URI is now using CSP nonces in an enforced policy. Hurrah! Sometimes it takes a little while for projects to make it through your backlog and into production, but the nonce-based policy for CSP on Report URI can now be...