CSP

I’m a big proponent of the content security policy paradigm (CSP) supported by modern browsers. In fact I’m so keen on them I even wrote a Pluralsight course: Introduction to Browser Security Headers. (Sidenote: I’m enormously happy with how well this course has been received, seems there’s an appetite for securing our things after all!) Now if you’re not sure what all the fuss is about, have a quick read of my launch blog post for the course. This gives a pretty good overview of why CSP (among other headers) is awesome. Writing all this content about how the headers work should mean I know what I’m doing...

I’ve been doing this fantastic demo about browser security headers in a lot of my recent talks and workshops. It’s always a lot of fun and it’s very interactive – you can try this out for yourself right now – and it works like this: So cross site scripting (XSS) is still a big thing. Yes it’s been around for ages and yes we should be on top of it by now, but here we are. Anyway, I was at the AppSecEU conference in the Netherlands a few months ago and a local guy called Breno de Winter did a fantastic talk in which he illustrated the prevalence of XSS by showing...