Tag: CSP

Total 35 Posts

Launching Report URI JS

The most common way to set a Content Security Policy on your site is to deliver it as a HTTP response header, but that's not always possible. On hosted platforms like GitHub Pages, Ghost Pro or WordPress it's not always easy or even possible to set a HTTP response header.…

Continue Reading

Malware hunting with CSP

I recently had some great fun using CSP in a way that I've been really excited to talk about. We are starting to utilise the full power of CSP reports to find a way to hunt down malware infected endpoints on a corporate network! Building on previous work I have…

Continue Reading

Adding security headers to Prism JS

I recently came across the Prism JS syntax highlighting library whilst looking at a few options to spruce up my blog. I was very disappointed, though not at all surprised, that they didn't have support for my favourite security headers, so I added it. Prism JS The Prism JS library…

Continue Reading

CSP Nonce support in Nginx

Content Security Policy is an incredibly powerful security feature but in some circumstances it can be a little difficult to deploy. Removing inline scripts or styles often comes up as one of the hurdles. Here's how I introduced CSP nonce support in Nginx to counter the problem. Content Security Policy…

Continue Reading

Enforcing the use of SRI

Subresource Integrity is an awesome security feature that allows us to ensure that assets served by a CDN haven't been tampered with. Now, thanks to a new directive in CSP, we can ensure that SRI is used across our site. SRI In short, SRI allows us to embed the hash…

Continue Reading