CSP

Migrating from HTTP to HTTPS? Ease the pain with CSP and HSTS!

The Chrome Security Team have just announced that they're removing the yellow warning triangle from pages with mixed content. From now on, these pages will show with the...

Free Post

CSP

Hardening the CSP on report-uri.io

It's pretty easy to get a basic CSP setup and issued on your site, but tightening up the policy can be tricky. To benefit from protection against XSS...

Free Post

CSP

Safari doesn't like CSP

I've recently hit a few bumps with Safari whilst implementing an improved CSP on report-uri.io [https://report-uri.io]. This blog post is to outline the issues I&...

How widely used are security based HTTP response headers?

Free Post

HSTS

How widely used are security based HTTP response headers?

With my recent interest in security based HTTP headers like CSP and HPKP following the launch of my new service report-uri.io [https://report-uri.io], I found myself wondering just...

Free Post

CSP

Major update for report-uri.io

Over the weekend I finalised a major update for https://report-uri.io, my new CSP and HPKP violation reporting service. Designed to make setting up and using your CSP even...

Combat ad-injectors with CSP and report-uri.io

Free Post

CSP

Combat ad-injectors with CSP and report-uri.io

A lot of people dislike adverts on websites but I'm pretty sure that everyone hates adverts that are a result of malware, ad-injectors or malicious browser extensions. Ad-injectors...

Free Post

CSP

CSP and HPKP violation reporting with report-uri.io

After writing about both CSP and HPKP, I covered the report-uri directive that allowed a browser to send reports back to the host if their security policy was breached. Whilst...

Free Post

HSTS

Hardening your HTTP response headers

Following the recent announcement of my new service, https://securityheaders.io, I thought I'd cover some more of the security based HTTP response headers out there and look at how to harden your existing HTTP response headers. Introduction HTTP Response headers are...

Free Post

HSTS

Introducing SecurityHeaders.io

After looking around for a quick and easy way to analyse the HTTP response headers of websites, I regularly found myself looking in Chrome Dev Tools. This isn't...

Free Post

CSP

Content Security Policy - An Introduction

Content Security Policy is delivered via a HTTP response header, much like HSTS [https://scotthelme.co.uk/hsts-the-missing-link-in-tls/], and defines approved sources of content that the browser may load. It can be an effective countermeasure to Cross Site Scripting (XSS) attacks and is also...

A collection of 50 posts

Migrating from HTTP to HTTPS? Ease the pain with CSP and HSTS!

Hardening the CSP on report-uri.io

Safari doesn't like CSP

How widely used are security based HTTP response headers?

Major update for report-uri.io

Combat ad-injectors with CSP and report-uri.io

CSP and HPKP violation reporting with report-uri.io

Hardening your HTTP response headers

Introducing SecurityHeaders.io

Content Security Policy - An Introduction

Upcoming Events

Cheat Sheets

Projects