CSP Tester 2.0 released

Posted on 09 May 2016 in misc • Tagged with csp, csp-tester, release

Today I'm announcing the release of CSP Tester 2.0. This brings with it a few new features as well as bug fixes. The main focus of this release was Content Security Policy Level 2 support.

In addition to CSP2 support, the following changes have been made:

  • Simple mode form …


CSP violation report aggregation using Nginx only

Posted on 24 April 2016 in misc • Tagged with csp, nginx

Content Security Policy has a powerful feature called reporting. A web application owner can specify a special URI via the report-uri directive, to which the user agent will send reports about policy violations. In a testing environment this helps to find missed resource inclusions, so that with an enforced policy your web application will …


X-Frame-Options or CSP frame-ancestors?

Posted on 02 April 2016 in misc • Tagged with csp, ui-redressing, clickjacking

If you don't know about the ClickJacking (UI Redressing) attack, you can read the relevant article on the OWASP website.

There are two main ways to prevent ClickJacking: a frame-breaking script and the X-Frame-Options header (see RFC 7034). While the first one is a technologically flawed solution, the second one is good enough in the …


OWASP Russia MeetUp #4 tomorrow!

Posted on 16 March 2016 in misc • Tagged with owasp

The first OWASP Russia MeetUp of 2016 will take place in the Yandex office (Moscow) tomorrow, the 17th of March. The event will focus on mobile security. Hurry up and register! We have only a small number of invitations.


Highlight your CSP policy

Posted on 19 February 2016 in misc • Tagged with csp

It is a common scenario to need to show a Content Security Policy example to developers. If you use Highlight.js (a syntax highlighter written in JavaScript), then from the next release it will also be possible to highlight CSP policy syntax. Like this one:

    default-src 'self';
    style-src 'self' css …
