HTTP Public Key Pinning is a very powerful standard that allows a host to instruct a browser to only accept certain public keys when communicating with it for a given period of time. Whilst HPKP can offer a lot of protection, it can also cause a lot of harm too.…
Tag: report-uri.io
Total 27 Posts
After the two year birthday of report-uri.io I wanted to take a look at where the service is and just how much work it's doing on a day to day basis. Here are all of the details I have to share, open for public viewing. Publishing the data Given…
With a constantly increasing traffic load to contend with, report-uri.io needs some support. Fortunately for us some help came from Imperva Incapsula who are now protecting report-uri.io with a free account on their DDoS mitigation and WAF platform. It's not just about security and availability though, there are…
With the October 2017 deadline approaching for compliance with Chrome's Certificate Transparency policy, sites can use the new Expect-CT header to determine if they're ready. It's easy to deploy and has a "report-only" mode so there's no risk involved. Here are the details. Certificate Transparency CT has been…
Up until now we've had to rely on GET parameters to identify whether CSP reports were enforced or sent as part of a report-only policy. This added friction for the host and on report-uri.io I've seen a lot of problems caused by this. Things are set to change. Sending…
