Free Post HSTS Migrating from HTTP to HTTPS? Ease the pain with CSP and HSTS! The Chrome Security Team have just announced that they're removing the yellow warning triangle from pages with mixed content. From now on, these pages will show with the...
Free Post HTTP/2 HTTP/2 is here! After more than 15 years of living with HTTP/1.1 we can finally start to enjoy the benefits of HTTP/2! As an early adopter I've taken a look at some of the key improvements in HTTP/2 and how we...
Free Post CSP Hardening the CSP on report-uri.io It's pretty easy to get a basic CSP setup and issued on your site, but tightening up the policy can be tricky. To benefit from protection against XSS...
Free Post SRI Subresource Integrity: Securing CDN loaded assets Most sites on the Internet these days load some kind of content from a CDN, usually JS and CSS. Whilst this comes with great performance boosts and savings on bandwidth, we're trusting that CDN to load content into our pages, content that...
Free Post CSP Safari doesn't like CSP I've recently hit a few bumps with Safari whilst implementing an improved CSP on report-uri.io [https://report-uri.io]. This blog post is to outline the issues I&...
Free Post HPKP Guidance on setting up HPKP Having recently released my HPKP toolset [https://scotthelme.co.uk/hpkp-toolset/], I thought I'd give some guidance on the various ways you can setup HPKP and the benefits...
Free Post HPKP The HPKP toolset! HPKP is an incredibly powerful response header that allows you to whitelist the fingerprints of specific cryptographic identities. This offers you protection against a rogue Certificate Authority issuing a certificate...
Free Post report-uri.io The first 3 months of report-uri.io 3 months ago I launched report-uri.io [https://report-uri.io], my CSP and HPKP violation reporting service. Since then the service has seen steady growth and I've been...
Free Post HSTS How widely used are security based HTTP response headers? With my recent interest in security based HTTP headers like CSP and HPKP following the launch of my new service report-uri.io [https://report-uri.io], I found myself wondering just...
Free Post HPKP Demonstrating HPKP validation failures I have a couple of subdomains on scotthelme.co.uk to show how good a TLS config can be and how bad a TLS config can be and still not...
