Total 22 Posts

Bypassing HSTS or HPKP in Chrome is a bad idea

I saw some research published at BlackHat EU recently that detailed various ways to bypass both HSTS and HPKP in a variety of mainstream browsers. It was a novel technique and seems like a viable attack vector to bypass them, which is a big problem because both HSTS and HPKP…

Adding security headers to Prism JS

I recently came across the Prism JS syntax highlighting library whilst looking at a few options to spruce up my blog. I was very disappointed, though not at all surprised, that they didn't have support for my favourite security headers, so I added it. Prism JS The Prism JS library…

Death by copy/paste

I was writing up an article about using security features for bad things and I stumbled across something interesting. I found what turned out to be sites having used copy/paste configurations that could potentially brick their entire site for months. HSTS and preloading For those of you unfamiliar with…

Testing the HSTS preload process

My registrar had an offer on domains so I figured I'd grab one and test out the HSTS preload process as it currently stands. I want to track how easy it is to preload and how long it takes for full browser coverage in vendor preload lists. What's preloading? HSTS,…