Web Security Training

Navigating the web security landscape

digest – Article

The websec digest #1

The websec digest gives you a strictly filtered overview of noteworthy incidents, interesting technologies and upcoming events. The most important event of this issue is the Yahoo! hack, which turns out to be a consequence of gross negligence.

trainingsessions – Resources

Building Secure EmberJS Applications

I gave a talk on Building Secure EmberJS Applications at The Ember Show recently. These are the slides I used for that presentation. Once the video has been made available, I will link to it as well.

blogposts – Article

Building your First CSP Policy from Scratch

The best way to fully understand what CSP is all about is to get your feet wet. Maybe you've already had your first CSP experience. Chances are that you had a bad time, that you were overwhelmed by errors in the browser console, and that you gave up on CSP altogether. In this second post in the CSP series, I'll show you that there is light at the end of the tunnel. As I go through the CSP policy for this site, we'll talk about whitelisting resources, about a common mistake that leads to CSP bypass attacks, and about when to use unsafe-inline.

blogposts – Article

A Step-by-Step Guide towards Deploying CSP

If you've been reading this blog, you have already heard about Content Security Policy (CSP), a really powerful and important browser security policy introduced a few years ago. However, if you have taken a stab at implementing a CSP policy for your application, you may have noticed that there are many hurdles to overcome, you may have sworn profusely, and you may even have kicked CSP out the door altogether. I totally get it: CSP is a really complex beast, and retrofitting CSP to an existing web application can be extremely painful. Still, I'm asking you to give CSP another chance. Keep reading to discover how to deploy CSP step by step, and which tools you can use to ease the process.
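The two CSP posts above mention whitelisting resources, a common mistake that leads to bypasses, and the question of when unsafe-inline is acceptable. As an added example, not taken from those posts or from this site's own policy, the JavaScript below parses a Content-Security-Policy header and lints the effective script-src directive, then runs the linter against two constructed policies: a loose first attempt of the kind that silences console errors, and a hardened version. The host names, the nonce value and both policies are made up for this example, and the checks encode the well-known ways script-src gets weakened (unsafe-inline without a nonce or hash, scheme and host wildcards, data: and blob: sources); the specific mistake the post discusses may differ.

```javascript
// Added example: a minimal CSP parser plus a script-src linter.
// Policies, hosts and the nonce below are constructed for the example.

// Parse a CSP header value into a Map of directive name -> list of source expressions.
function parseCsp(header) {
  const policy = new Map();
  for (const raw of header.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    // A directive repeated within one policy is ignored after its first occurrence.
    if (!policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// script-src falls back to default-src when absent; neither present means no restriction.
function effectiveScriptSrc(policy) {
  if (policy.has("script-src")) return policy.get("script-src");
  if (policy.has("default-src")) return policy.get("default-src");
  return null;
}

// Return human-readable findings for sources that make script injection easier.
function auditScriptSrc(header) {
  const sources = effectiveScriptSrc(parseCsp(header));
  if (sources === null) {
    return ["no script-src or default-src: scripts are not restricted at all"];
  }
  // Browsers that understand nonces/hashes ignore 'unsafe-inline' when one is present.
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  const findings = [];
  for (const s of sources) {
    const src = s.toLowerCase();
    if (src === "'unsafe-inline'" && !hasNonceOrHash) {
      findings.push("'unsafe-inline' without a nonce or hash: any injected <script> runs");
    } else if (src === "'unsafe-eval'") {
      findings.push("'unsafe-eval': eval()/new Function() on attacker strings executes");
    } else if (src === "*" || src === "http:" || src === "https:" || src === "https://*") {
      findings.push(`${s}: scheme or global wildcard allows scripts from any origin`);
    } else if (src === "data:" || src === "blob:") {
      findings.push(`${s}: attacker-supplied script bodies can be loaded as ${s} URLs`);
    } else if (/^(https?:\/\/)?\*\./.test(src)) {
      findings.push(`${s}: wildcard host; any subdomain of it can serve scripts`);
    }
  }
  return findings;
}

// Constructed "make the errors go away" policy: loosened until the site worked.
const WEAK_POLICY =
  "default-src 'self'; script-src 'self' 'unsafe-inline' https://*.cdn.example data:";

// Constructed hardened policy: inline scripts carry a per-response nonce and the
// third-party host is pinned exactly; object-src and base-uri close two other holes.
const HARDENED_POLICY =
  "default-src 'self'; script-src 'self' 'nonce-d2ViU2VjLWRlbW8' https://cdn.example; " +
  "object-src 'none'; base-uri 'self'";

for (const [label, policy] of [["weak", WEAK_POLICY], ["hardened", HARDENED_POLICY]]) {
  console.log(label, auditScriptSrc(policy));
}
```

The nonce in the hardened policy has to be generated fresh for every response and echoed on each inline script tag; a fixed nonce baked into a config file is equivalent to 'unsafe-inline' once an attacker has seen one page.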

blogposts – Article

Don't become a Web Security Dinosaur!

If you're in for a blast from the past, take a look at the screenshot of Yahoo! below. That's an image from back in 1999, when almost everybody used Yahoo! to search the Web. Compared to today, web applications back then looked pretty boring. Modern web applications are prettier and snappier, using technologies such as multimedia elements and capture APIs, various powerful JavaScript APIs and numerous new communication mechanisms, such as WebSockets or WebRTC. But have you also upgraded the security of your applications? Did you know that the web security landscape has changed drastically in the past 4 years? Keep reading to see if you risk becoming a web security dinosaur, and what you can do to prevent this from happening.