Researcher, blogger and international speaker. I'm the creator of and, free tools to help improve online security.

CSP Nonce support in Nginx

Content Security Policy is an incredibly powerful security feature but in some circumstances it can be a little difficult to deploy. Removing inline scripts or styles often comes up as one of the hurdles. Here's how I introduced CSP nonce support in Nginx to counter the problem. Content Security Policy…
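The mechanism the post relies on is that a nonce listed in `script-src` whitelists exactly the inline `<script>` elements that carry the same value, so it has to be unguessable and freshly generated for every response. The following is an added example, not code from the post or from Nginx: it mints a nonce, builds the header, and checks page markup against it the way a browser would. The page markup and the `render_page`/`inline_scripts_allowed` helper names are constructed for illustration.

```python
import base64
import re
import secrets

# Added example (not from the original post): what a CSP nonce does.
# A nonce lets one specific inline <script> run under a policy that
# otherwise bans inline script, so the server must mint a fresh,
# unguessable value per response and echo it in both header and tag.


def generate_nonce(num_bytes: int = 16) -> str:
    """Fresh base64 nonce; 128 bits of CSPRNG output per response is plenty."""
    return base64.b64encode(secrets.token_bytes(num_bytes)).decode("ascii")


def csp_header(nonce: str) -> str:
    """Policy allowing same-origin scripts plus inline scripts carrying this nonce."""
    return f"default-src 'self'; script-src 'self' 'nonce-{nonce}'; object-src 'none'"


def render_page(nonce: str) -> str:
    """Constructed sample markup: the inline script repeats the header's nonce."""
    return (
        "<html><body>\n"
        f'<script nonce="{nonce}">document.title = "ok";</script>\n'
        "</body></html>"
    )


_DIRECTIVE_RE = re.compile(r"^\s*script-src\s+(.*)$")
_NONCE_SRC_RE = re.compile(r"^'nonce-([A-Za-z0-9+/=]+)'$")
_SCRIPT_TAG_RE = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
_NONCE_ATTR_RE = re.compile(r'\bnonce="([^"]*)"')


def nonces_in_policy(policy: str) -> set:
    """Collect the nonce sources granted by the script-src directive."""
    for directive in policy.split(";"):
        m = _DIRECTIVE_RE.match(directive)
        if m:
            found = set()
            for token in m.group(1).split():
                n = _NONCE_SRC_RE.match(token)
                if n:
                    found.add(n.group(1))
            return found
    return set()


def inline_scripts_allowed(policy: str, html: str) -> list:
    """For each <script> tag in html, True iff its nonce attribute is in the policy.

    A tag with no nonce, or with a nonce from an earlier response, is blocked:
    that is what makes a reused or predictable nonce a real vulnerability.
    """
    allowed = nonces_in_policy(policy)
    results = []
    for tag in _SCRIPT_TAG_RE.finditer(html):
        m = _NONCE_ATTR_RE.search(tag.group(1))
        results.append(bool(m) and m.group(1) in allowed)
    return results


if __name__ == "__main__":
    nonce = generate_nonce()
    policy = csp_header(nonce)
    print(policy)
    print(inline_scripts_allowed(policy, render_page(nonce)))
    print(inline_scripts_allowed(policy, render_page(generate_nonce())))
```

The second print shows the failure mode that matters in a cache or template: a page rendered with a stale nonce is rejected by the header that accompanies it, so whatever produces the nonce (in the post, Nginx) must do so per request, not per deploy.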


Tough Cookies

Cookies are tiny pieces of data attached to requests that your browser sends. Their most important use is for authentication so that a web server can know if you are logged in or not. Unfortunately there are a few problems with cookies that needed addressing. Let's toughen up our cookies!…


Enforcing the use of SRI

Subresource Integrity is an awesome security feature that allows us to ensure that assets served by a CDN haven't been tampered with. Now, thanks to a new directive in CSP, we can ensure that SRI is used across our site. In short, SRI allows us to embed the hash…
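What gets embedded is a base64 digest of the exact bytes the browser is expected to fetch; the browser hashes what it actually received and refuses to run the asset on a mismatch. The block below is an added example, not the post's or any browser's code: it produces the `integrity` value, emits the tag, and re-implements the comparison rule (several hashes may be listed; the strongest algorithm present decides). The `LIBRARY` bytes are a constructed sample asset.

```python
import base64
import hashlib
import hmac

# Added example (not from the original post): producing and checking an
# SRI integrity value. Only the three algorithms SRI defines are accepted.
_STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}

# Constructed sample asset standing in for a CDN-hosted script.
LIBRARY = b"window.helper = function () { return 42; };\n"


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Integrity attribute value for content, e.g. 'sha384-<base64 digest>'."""
    if algo not in _STRENGTH:
        raise ValueError(f"SRI does not allow {algo}")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(content: bytes, integrity: str):
    """Browser-style check of fetched bytes against an integrity attribute.

    Returns True/False for a verdict. Returns None when no token parses:
    a browser then loads the asset with NO check at all, so a typo in the
    algorithm name silently disables SRI and is worth flagging separately.
    """
    candidates = {}
    for token in integrity.split():
        algo, _, expected = token.partition("-")
        algo = algo.lower()
        if algo in _STRENGTH:
            # Anything after '?' is an option string and is not part of the digest.
            candidates.setdefault(algo, []).append(expected.split("?", 1)[0])
    if not candidates:
        return None
    strongest = max(candidates, key=_STRENGTH.get)
    actual = base64.b64encode(hashlib.new(strongest, content).digest()).decode("ascii")
    return any(hmac.compare_digest(actual, exp) for exp in candidates[strongest])


def script_tag(src: str, content: bytes) -> str:
    """Tag as it should appear in the page; crossorigin is required for CDN assets."""
    return (
        f'<script src="{src}" integrity="{sri_hash(content)}" '
        'crossorigin="anonymous"></script>'
    )


if __name__ == "__main__":
    print(script_tag("https://cdn.example/helper.js", LIBRARY))
    print(sri_matches(LIBRARY, sri_hash(LIBRARY)))
    print(sri_matches(LIBRARY + b"// injected", sri_hash(LIBRARY)))
```

The "strongest algorithm wins" rule is what lets a site list a sha256 and a sha512 hash side by side while upgrading: a correct sha256 hash does not rescue an asset whose sha512 hash is wrong.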


Year in Review | 2016

2016 has been a pretty amazing year for me in many ways, so much so, I wanted to look back on just how much I've achieved in such a short space of time. Sometimes I'm so focused on looking forwards at the next target that I forget to look behind…


Doing the ChaCha with Nginx

ChaCha20-Poly1305 is the combination of a new stream cipher, ChaCha20, and a new one-time MAC, Poly1305, to give us a new AEAD cipher suite. AEADs are the only kind of cipher TLSv1.3 allows, so alongside AES-GCM, ChaCha20-Poly1305 is the other choice browsers actually ship. There are also…
