Computer security standard to prevent cross-site scripting and related attacks
Scott and Wes are joined by security expert Alex Sexton of Stripe to cover all things client security: XSS, attack vectors, and CSP (Content Security Policy).

Show Notes
00:00 Welcome to Syntax!
00:31 Brought to you by Sentry.io.
00:57 Who is Alex Sexton?
04:44 Stripe dashboard is a work of art.
05:08 Tell us about the design system. (React Aria)
08:59 Who develops the iOS app?
09:50 Stripe's CSP (content security policy).
12:50 What even is a content security policy? (Content Security Policy explanation)
13:57 Douglas Crockford of Yahoo on security. (Douglas on GitHub)
15:13 Security philosophy.
16:59 What about inline styles and inline JavaScript?
19:41 How do we safely set inline styles from JS?
20:20 Setting up with meta tags.
22:52 What are common situations that require security exceptions?
26:24 Potential damage with inline style tags.
32:45 Looping vulnerabilities.
36:32 What about JavaScript injection?
37:09 Myspace Samy Worm. (Myspace Samy Worm Wiki; Sentry.io Security Policy Reporting)
42:02 Does a CSP stop code from running in the console?
43:28 What are some general security best practices?
46:35 Strategies for rolling out a CSP.
51:49 Final tip, Strict Dynamic. (Strict Dynamic)
56:36 Where does the CSP live within Stripe? (Original Black Friday story)
59:35 One last story.
01:01:20 Sick Picks + Shameless Plugs

Sick Picks + Shameless Plugs
Alex: Wes Bos' Instagram
With Content Security Policy, websites can be effectively protected against security vulnerabilities. What you need to watch out for when doing so is covered in today's episode of the security advent calendar.
Today we are talking about HTTP Headers with our hosts. For show notes visit: www.talkingDrupal.com/401

Topics
What are HTTP Headers
Why are they important
Exploring headers
Types of headers
What can you discover from headers
Modifying headers
Tools to validate

Resources
Content Security Policy (CSP)
Dries' Header Evaluation Tool
Mozilla Header Documentation
Good overview of CSP
Nic's Header Blog Post

Hosts
Nic Laflin - www.nLighteneddevelopment.com @nicxvan
John Picozzi - www.epam.com @johnpicozzi
Stephen Cross - stephencross.com @stephencross
Martin Anderson-Clutz - @mandclu

MOTW Correspondent
Martin Anderson-Clutz - @mandclu
Content-Security-Policy: Adds a Content-Security-Policy header which allows your Drupal site to inform browsers of trusted sources for JavaScript, CSS, and other external resources.
2023-03-30 Weekly News - Episode 189
Watch the video version on YouTube at https://youtube.com/live/TgmP20awQ1A?feature=share

Hosts:
Eric Peterson - Senior Developer at Ortus Solutions
Brad Wood - Senior Developer at Ortus Solutions

Thanks to our Sponsor - Ortus Solutions
The makers of ColdBox, CommandBox, ForgeBox, TestBox and all your favorite box-es out there. A few ways to say thanks back to Ortus Solutions:
Like and subscribe to our videos on YouTube.
Help ORTUS reach for the Stars - Star and Fork our Repos. Star all of your GitHub Box dependencies from CommandBox with https://www.forgebox.io/view/commandbox-github
Subscribe to our Podcast on your Podcast Apps and leave us a review
Sign up for a free or paid account on CFCasts, which is releasing new content every week
BOXLife store: https://www.ortussolutions.com/about-us/shop
Buy Ortus's Books: 102 ColdBox HMVC Quick Tips and Tricks on GumRoad (http://gum.co/coldbox-tips); Learn Modern ColdFusion (CFML) in 100+ Minutes - free online at https://modern-cfml.ortusbooks.com/ or buy an EBook or paper copy at https://www.ortussolutions.com/learn/books/coldfusion-in-100-minutes
Join us for the 10th Into the Box - In person ONLY!!!

Patreon Support - UPDATED GOALS
We have 41 patreons:
Goal 1 - 26% - This goal would help us to fully fund the hosting of ForgeBox.io (www.forgebox.io), the ColdFusion software directory.
Goal 2 - 13% - This goal would fund the development of CommandBox CLI, so it can remain FREE and Open Source forever.
Goal 3 - 6% - This goal would help us to fully fund the Modernize or Die podcasts.
https://www.patreon.com/ortussolutions
News and Announcements

ICYMI: Critical Security Update for ColdFusion APSB23-25
From Adobe: https://community.adobe.com/t5/coldfusion-discussions/released-coldfusion-2021-and-2018-march-2023-security-updates/td-p/13649873
From Foundeo: Adobe has just published a security bulletin APSB23-25, and has released security updates for ColdFusion 2018 and 2021. We recommend installing these updates as soon as possible, because one of the vulnerabilities has been actively exploited by attackers already.
https://helpx.adobe.com/security/products/coldfusion/apsb23-25.html
https://helpx.adobe.com/coldfusion/kb/coldfusion-2018-update-16.html
https://helpx.adobe.com/coldfusion/kb/coldfusion-2021-update-6.html
HackMyCF has been updated to warn you if the hotfix is missing.
It is important to note that if you are on ColdFusion 11 or 2016, it is possible that your servers could be vulnerable to at least one of these issues as well. However, because these versions reached end of life, they are no longer receiving security patches from Adobe. One thing you can do to mitigate one of these issues is to block requests containing a variable named _cfclient. Some of the filters in FuseGuard may help prevent some attack vectors when configured to.
But the best solution is to upgrade to CF2018 or 2021 and apply the patch released today. -- Foundeo Inc.

ICYMI - State of the CF Union 2023 Released
Help us find out the state of the CF Union – what versions of CFML Engine do people use, what frameworks, tools etc.
https://teratech.com/state-of-the-cf-union-2023-survey

New Releases and Updates

ICYMI - New CommandBox Goodies
print.tree() - https://twitter.com/bdw429s/status/1639392842656235520
print.columns() and printColumns - https://twitter.com/bdw429s/status/1639395391148810242
clipboard - https://twitter.com/bdw429s/status/163946183001074483

OpenAI-powered ChatGPT has arrived for Ortus Documentation
We are pleased to announce a fun little project that our Patreon supporters have been testing in private for a week or so. Ortus has rolled out our own OpenAI-powered chat bot, which is fueled by all of the documentation in our GitBooks! This behaves similarly to the ChatGPT you've likely played with, but is custom loaded with all of our most recent documentation.
https://chatgpt.ortussolutions.com/
https://community.ortussolutions.com/t/openai-powered-chatgpt-has-arrived-for-ortus-documentation/9582

Adobe ColdFusion 2023 Beta now on ForgeBox
Adobe ColdFusion 2023's public beta is now on ForgeBox for you to test out in CommandBox servers or Docker containers. Use "cfengine=adobe@2023-beta" to start it up and ensure you're on the latest CFConfig. Happy testing!
https://twitter.com/bdw429s/status/1638987316445446144

Webinar / Meetups and Workshops

Ortus Event Calendar for Google
https://calendar.google.com/calendar/u/0?cid=Y181NjJhMWVmNjFjNGIxZTJlNmQ4OGVkNzg0NTcyOGQ1Njg5N2RkNGJiNjhjMTQwZjc3Mzc2ODk1MmIyOTQyMWVkQGdyb3VwLmNhbGVuZGFyLmdvb2dsZS5jb20

CFSummit East 2023 Training Workshop - ColdFusion MVC for Dummies
Before the ColdFusion Summit East in Washington, D.C., on April 4th, 2023.
Luis Majano, the creator of The ColdBox Platform, will be leading this workshop, bringing you a deep-dive 1-day workshop: ColdFusion MVC for Dummies. The workshop will combine a variety of theories, hands-on coding, and best practices to give you all the tools needed to leave the workshop ready to build MVC-powered apps when you return to your office.
https://www.ortussolutions.com/blog/coldfusion-summit-east-2023-mvc-training-workshop

CFCasts Content Updates
https://www.cfcasts.com
Recent Releases
Secure your ColdBox Apps with cbSecurity 3 - March 2023 Webinar - https://cfcasts.com/series/ortus-webinars-2023/videos/secure-your-coldbox-apps-with-cbsecurity-3
Mastering CommandBox 5 - 5 new videos - https://cfcasts.com/series/mastering-commandbox-5 (ModCFML IIS / Boncode, CFConfig Improvements, Custom tray icon actions, Minibox Start, Pure HTML server)
2023 ForgeBox Module of the Week Series - 1 new Video - https://cfcasts.com/series/2023-forgebox-modules-of-the-week
2023 VS Code Hint tip and Trick of the Week Series - 1 new Video - https://cfcasts.com/series/2023-vs-code-hint-tip-and-trick-of-the-week
Coming Soon
Brad with more CommandBox Videos
More ForgeBox and VS Code Podcast snippet videos
ColdBox Elixir from Eric
Getting Started with Inertia.js from Eric
CBWire Series from Grant - Fill out the Poll here https://community.ortussolutions.com/t/poll-cbwire-cfcasts-com-series/9513
Getting Started with ContentBox from Daniel Garcia

Conferences and Training

Dev Nexus
April 4-6th, 2023 in Atlanta
Georgia World Congress Center, 285 Andrew Young International Blvd NW, Atlanta, GA 30313
Kubernetes, Java, Software architecture, Kotlin, Performance Tuning
https://devnexus.com/

CFSummit East 2023 Training Workshop - ColdFusion MVC for Dummies
Before the ColdFusion Summit East in Washington, D.C., on April 4th, 2023.
Luis Majano, the creator of The ColdBox Platform, will be leading this workshop, bringing you a deep-dive 1-day workshop: ColdFusion MVC for Dummies. The workshop will combine a variety of theories, hands-on coding, and best practices to give you all the tools needed to leave the workshop ready to build MVC-powered apps when you return to your office.
https://www.ortussolutions.com/blog/coldfusion-summit-east-2023-mvc-training-workshop

CFSummit East
Thursday, April 6, 2023, 8:00am - 4:00pm
Wednesday 5th - Certification
Marriott Marquis Washington, DC
Complimentary; breakfast and lunch will be provided
https://carahevents.carahsoft.com/Event/Details/341389-adobe
https://carahevents.carahsoft.com/Event/Details/344168-adobe

J on the Beach
Bringing DevOps, Devs and Data Scientists together around Big Data
May 10-12, 2023, Malaga, Spain
https://www.jonthebeach.com/
Ortus Profile: https://www.jonthebeach.com/jobs/54/Ortus%20Solutions

VueJS Live
MAY 12 & 15, 2023, ONLINE + LONDON, UK
CODE / CREATE / COMMUNICATE
35 SPEAKERS, 10 WORKSHOPS, 10000+ JOINING ONLINE GLOBALLY, 300 LUCKIES MEETING IN LONDON
https://vuejslive.com/

Into the Box 2023 - 10th Edition
May 17-19, 2023
The conference will be held in The Woodlands (Houston), Texas. This year we will continue the tradition of training and offering a pre-conference hands-on training day on May 17th and our live Mariachi Band Party! However, we are back to our Spring schedule and beautiful weather in The Woodlands! Also, this 2023 will mark our 10 year anniversary. So we might have two live bands and much more!!!
IN PERSON ONLY
Website launched: https://intothebox.org
https://itb2023.eventbrite.com/

VueConf.us
NEW ORLEANS, LA • MAY 24-26, 2023
Jazz. Code. Vue.
Workshop day: May 24
Main Conference: May 25-26
https://vueconf.us/

CFCamp
June 22-23rd, 2023
Marriott Hotel Munich Airport, Freising
Call for Speakers is closed
https://www.cfcamp.org/

More conferences
Need more conferences? This site has a huge list of conferences for almost any language/community.
https://confs.tech/
https://github.com/scraly/developers-conferences-agenda

Blogs, Tweets, and Videos of the Week

3/18/23 - Blog - Michael Horne - Chromebook CFML development environment tutorial
This is partly an aide-memoire for me on setting up an environment for CFML development on a Chromebook. The specific Chromebook is a Lenovo S330. My pre-requisite is that you've got a Lucee/ColdFusion application ready to go, although basically you could start from scratch with a simple index.cfm file wherever you eventually start CommandBox, but let's leave that for later.
https://recantha.co.uk/chromebook-cfml-development-environment-tutorial/
Good guide for any Linux machine.

3/22/23 - Blog - James Moberg - Generate Sanitized Email Hash (as Integer)
While reviewing the logs of failed contact form submissions, I identified a couple of email address variations that were exploiting some Gmail features in an attempt to bypass our filters. (Gmail has a "plus" feature and ignores periods in addresses.) A SQL query using REPLACE to remove all periods revealed that this comment form spammer had performed 279 attempts using 162 variations of their 15 character gmail username in an effort to circumvent our filters. We log the full email address that was posted and, when matching via SQL solely using the email addresses, it appeared as if each email address was only used 2-4 times... versus the 279 obfuscated attempts. To better identify & highlight abusers via SQL queries, an EmailHash (INT) column has been added to the database table. When searching or logging the email address, the value is sanitized (remove + string and . from the username) and then a java hashCode is generated.
Using integers to join database records is much faster than using varchar and has lower storage requirements.
https://dev.to/gamesover/generate-sanitized-email-hash-as-integer-4n3e

3/22/23 - Blog - Ben Nadel - Russian Doll Content Wrapping With CFSaveContent In ColdFusion
In web development, the term "Russian Doll" is sometimes used to refer to content that is wrapped inside another piece of content of the same type. This is based on the Russian Doll toy (Matryoshka), which has a multitude of smaller toys contained within it. In the past, I've looked at using the Russian Doll pattern for error handling in Node.js as well as for error handling in ColdFusion. But, its value extends beyond just errors - I often use the CFSaveContent tag to build up a content payload from the outside in. And, I thought it would make for a nice example.
https://www.bennadel.com/blog/4431-russian-doll-content-wrapping-with-cfsavecontent-in-coldfusion.htm
ColdBox Layouts and Views!

3/23/23 - Discourse - Brad Wood - Is Using CommandBox to run Adobe ColdFusion sites safe in production?
There were some excellent questions asked on CFML Slack today, and I wanted to get the answers to them out on our community forum where they could benefit the larger community (and Google). In a nutshell, these were the concerns:
When I'm using CommandBox, am I really using "Adobe ColdFusion" or am I getting a "copy" of Adobe ColdFusion from the Ortus site?
We have an Adobe Support Contract; will Adobe provide support for my CommandBox installation?
CommandBox is not using Tomcat, but JBoss Undertow. Will it be capable of managing the load of a production site?
These are great questions, and ones any enterprise would want answered before committing to CommandBox.
Let's go through them categorically.
https://community.ortussolutions.com/t/is-using-commandbox-to-run-adobe-coldfusion-sites-safe-in-production/9581/1

3/29/23 - Blog - Ben Nadel - Getting FusionReactor User Experience Monitoring (UEM) To Play Nicely With Content Security Policy (CSP) In ColdFusion
For the past few days, I've been digging into some network latency issues on my blog. And, in response to some of my public messaging on the topic, David Tattersall suggested that I look into FusionReactor's User Experience Monitoring (UEM). Whereas FusionReactor's Java agent provides server-side insights and confidence, the UEM module is designed to shed light on the end-user experience (UX). After all, the server-side leg is only part of the journey. Getting UEM up-and-running is easy; but, out of the box, it doesn't play very nicely with my Content Security Policy. As such, I wanted to share how I got it working on my ColdFusion blog.
https://www.bennadel.com/blog/4436-getting-fusionreactor-user-experience-monitoring-uem-to-play-nicely-with-content-security-policy-csp-in-coldfusion.htm

CFML Jobs
Several positions available on https://www.getcfmljobs.com/
Listing over 55 ColdFusion positions from 35 companies across 28 locations in 5 Countries.
2 new jobs listed this week
Full-Time - Senior Application Developer at Aurora, IL - United States - Posted Mar 24
https://www.getcfmljobs.com/jobs/index.cfm/united-states/SeniorAppDev-Aurora-IL/11559
Contract - Coldfusion Developer at Jacksonville, FL - United States - Posted Mar 24
https://www.getcfmljobs.com/jobs/index.cfm/united-states/CFDeveloper-Jacksonville-FL/11558
Other Job Links
There is a jobs channel in the CFML slack team, and in the Box team slack now too.

ForgeBox Module of the Week
ChatGPT API
By Matt Gifford
A ColdFusion CFC to interact with the chatgpt API.
Instantiate the core component chatgpt.cfc and pass in the required properties like so:
var chat = new chatgpt( apiKey = 'xx-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' );
Example - use chatgpt to create:
var resp = chat.chatCompletion( model = 'gpt-3.5-turbo', messages = [ { "role": "user", "content": "Write me a poem about a summer day with popcorn and unicorns" } ] );
https://forgebox.io/view/chatgpt

VS Code Hint Tips and Tricks of the Week
Grammarly
This extension brings Grammarly to VS Code. Grammarly leads the industry in building AI-enabled services to help people communicate effectively every day. The words you choose can champion your voice, build connections, and spur your academic or professional growth. Communication assistance with Grammarly means a consistent experience of robust, real-time feedback on your writing.
https://www.grammarly.com/
https://marketplace.visualstudio.com/items?itemName=znck.grammarly

Thank you to all of our Patreon Supporters
These individuals are personally supporting our open source initiatives to ensure that great tooling like CommandBox, ForgeBox, ColdBox, ContentBox, TestBox and all the other boxes keeps getting the continuous development it needs, and to fund the cloud infrastructure that our community relies on, like ForgeBox for our package management with CommandBox. You can support us on Patreon here: https://www.patreon.com/ortussolutions
Don't forget, we have Annual Memberships: pay for the year and save 10% - great for businesses. Bronze packages and up now get ForgeBox Pro and CFCasts subscriptions as a perk of their Patreon subscription.
All Patreon supporters have a Profile badge on the Community Website
All Patreon supporters have their own Private Forum access on the Community Website
All Patreon supporters have their own Private Channel access on BoxTeam Slack
https://community.ortussolutions.com/

Top Patreons
John Wilson - Synaptrix
Tomorrows Guides
Jordan Clark
Gary Knight
Mario Rodrigues
Giancarlo Gomez
David Belanger
Dan Card
Jeffry McGee - Sunstar Media
Dean Maunder
Nolan Erck
Abdul Raheen
And many more Patreons
You can see an up to date list of all sponsors on Ortus Solutions' Website: https://ortussolutions.com/about-us/sponsors
Thanks everyone!!!

Homework
Watch Social Media
CFcamp Call for Speakers is closing
Into the Box - Early bird tickets ending soon.

★ Support this podcast on Patreon ★
In this episode of Ventures, I (https://www.linkedin.com/in/wclittle) continue the Product and Code series that I started in Episode 128 to talk about how to best collect feedback on your initial idea and what the application.html.erb file is in a Ruby on Rails app. I walk through the head tag, briefly discuss the Content Security Policy (CSP) and Cross-Site Request Forgery (CSRF) tags, and then showcase different parts of how the application layout file constructs the HTML, CSS, and JavaScript to be sent to a requesting browser. Visit https://satchel.works/@wclittle/ventures-episode-133 for more information. You can watch this episode via video here.
0:00 - Recap the series that started back with Episode 128 (https://podcasts.apple.com/us/podcast/learn-web2-web3-product-management-and-software/id1523559862?i=1000590794177)
0:40 - Product tip - get feedback from friends of friends that fit your target customer
2:20 - Walk through the application.html.erb file in a Ruby on Rails app. Talking through Content Security Policy (https://www.stackhawk.com/blog/rails-content-security-policy-guide-what-it-is-and-how-to-enable-it/) and Cross-Site Request Forgery (https://samuelmullen.com/articles/csrf-protection-and-ruby-on-rails)
5:12 - Walking through the "View Source" that the application.html.erb file outputs to the browser.
This episode is sponsored in part by ZOOM Platform. No, not the video conferencing app: ZOOM Platform, the premier DRM-Free games portal.
Remember: you can also always follow the show on Twitter @dotnetcoreshow, and the show's host on Twitter @podcasterJay, or visit our Contact page.
Welcome to season 5 of the award-winning .NET Core Podcast! Check that link for proof.
Hello everyone and welcome to The .NET Core Podcast, a podcast where we reach into the core of the .NET technology stack and, with the help of the .NET community, present you with the information that you need in order to grok the many moving parts of one of the biggest cross-platform, multi-application frameworks on the planet. I am your host, Jamie "GaProgMan" Taylor.
In this episode, I talked with Tanya Janca about application security (sometimes called appsec), We Hack Purple, which is a community of people who want to help make all applications more secure, the free courses that We Hack Purple are providing, and we swap stories of working to make applications more secure. Along the way, we discuss Tanya's new book, OWASP, recommended security headers for HTTP (and most importantly Content-Security-Policy), and how important they can be when the spam really hits the fan. Tanya has actually been on the podcast in the past, back on episode 77 when we talked about her book Alice and Bob Learn Application Security. Interestingly, Tanya has a whole new book planned, which she'll be working on when this episode drops.
The full show notes, including links to some of the things we discussed and a full transcription of this episode, can be found at https://dotnetcore.show/episode-105-more-app-security-with-tanya-janca
Useful Links from the episode: Tanya on Twitter; We Hack Purple Community; We Hack Purple Podcast; OWASP; OWASP's global chapters
Remember to rate and review the show on Apple Podcasts, Podchaser, or wherever you find your podcasts; this will help the show's audience grow. Or you can just share the show with a friend. And don't forget to reach out via our Contact page. We're very interested in your opinions of the show, so please do get in touch. You can support the show by making a monthly donation on the show's Patreon page at: https://www.patreon.com/TheDotNetCorePodcast
Kent Ickler // Background Over four years ago now, I wrote a blog post on fixing missing Content-Security-Policy by updating configuration on webservers: https://www.blackhillsinfosec.com/fix-missing-content-security-policy-website/. Content-Security-Policies instruct a user's web browser how it should behave on certain security considerations. Oh, how times have changed. Here at Black Hills Information Security (BHIS), we've actually migrated webservers, hosting […] The post Fixing Content-Security-Policies with Cloudflare Workers appeared first on Black Hills Information Security.
This week on the podcast we take a look at Content Security Policy, a web app security standard designed to combat Cross Site Scripting attacks against websites and web apps. Before that though, we'll cover the latest security news including a resurgence in ransomware attacks and the long overdue death of TLS versions 1.0 and 1.1.
In this video I explain in detail what third-party cookies are and how they work, and explain the SameSite property that Google changed.
0:30 SameSite
6:00 CORS
6:22 Content Security Policy
https://www.youtube.com/watch?v=nHOuakyHX1E
https://blog.chromium.org/2020/01/building-more-private-web-path-towards.html
Neil Matatall is a product security engineer at GitHub. He focuses on designing and engineering user experience solutions related to authentication and account recovery. Working remotely from Hawaii, Neil is a strong believer in the future of remote work. Neil joins us for a deep-dive into Content Security Policy. We explore what it is, the [...] The post Neil Matatall — Content Security Policy appeared first on Security Journey Podcasts.
Is Content Security Policy dead? Magento security mastermind Willem de Groot thinks so. We delve into a bunch of topics and have a rousing debate around the future of security and – of course – Magento's...
HTTP headers are well known in web development. But did you know that they can be used as powerful tools to influence the performance, security and accessibility of your website? In episode 54 we have Stefan Judis as our guest, Developer Evangelist at twilio, who tells us about the potential of headers. HTTP, short for Hypertext Transfer Protocol, uses headers to deliver metadata in the exchange between server and browser when a web page is requested. They can be useful for a variety of purposes. In this episode Stefan tells us about tricks that were not so familiar to us until now. For example, he describes the "Strict-Transport-Security" header, which specifies for a configured period of time that the site may only be accessed over HTTPS. This option can increase security for website visitors, as can the header that restricts the access rights of third-party tools. To ensure accessibility for all web users and to reduce data traffic, Stefan also talks about headers for determining the maximum image size. In this way, in addition to greater accessibility and optimisation for slower devices, better performance is achieved at the same time. As a long-time frontend developer, Stefan Judis is armed with further examples and convinces us in this episode of the importance of HTTP headers. Would you like to learn more about him? Follow him on Twitter!
Timecodes:
(00:33) - What is a Responsible Developer?
(01:41) - Stefan's career and paths to a better web
(11:59) - What is an HTTP header?
(13:15) - Content-Security-Policy
(22:50) - Strict-Transport-Security
(29:06) - SameSite cookies - Strict or Lax?
(32:57) - gzip, Brotli and Cache-Control
(44:29) - Media types in the Accept header and Client Hints
(52:22) - Save-Data header
(55:02) - Preloading
(57:55) - Google AMP and the Feature-Policy header
(62:31) - Picks of the Day

Picks of the Day
Stefan: A collection of helpful developer tools that you would otherwise forget about again.
Dennis: My Truphone – dual eSIM for the iPhone; simply buy a data plan for abroad and start surfing right away.
Jojo: Blog of the Center for Humane Technology – technology should serve people without making them dependent on it.

Write to us! Send us your topic requests and your feedback. podcast@programmier.bar
Follow us! Stay up to date on future episodes and meetups and take part in community discussions. Twitter Instagram Facebook
Visit us! Find out here when the next meetup takes place in our office in Bad Nauheim. Meetup
Music: Hanimo
Whilst the British Airways breach of 2018 is 'old news', it has been brought to the forefront of everyone's mind with the recent announcement that they face a record-breaking GDPR fine of £183 million. Secarma's Technical Director discusses what we know about the BA breach, the misconceptions over what may have happened and the remediation steps you can take after a data breach.
2'25 - What happened to British Airways?
13'31 - Attack misconceptions
15'51 - Have there been similar attacks?
21'45 - Can you remove third party scripts? If not, what should you do?
22'27 - Are you using Content Security Policy and Subresource Integrity?
Download on iTunes: apple.co/2Ji61Ek
Listening time: 29 minutes
For more information, follow us on Twitter @secarma or email us at podcast@secarma.com
Hosted by: Holly Grace Williams, Technical Director at Secarma
Do you know what the 3rd-party scripts on your website are up to? In this week’s episode of FounderQuest, the guys talk about CSP (Content Security Policy) and how it can enhance security in the browser. They also weigh adding it as a feature of Honeybadger vs. a standalone product. CSP - learn it, live it, love it, on this week's FounderQuest.
This episode, we enjoy "Facebook Breach Time" and discuss some crazy vulnerabilities found in Tesla vehicles. We also break down our Big Topic of the week: What's a VPN? Special guest Scott Helme talks VPNs, Content Security Policy and bringing Hack Yourself First to the UK. Tweet us @1Password.
We talked about...
Latest Facebook security breach finds millions of records on Amazon servers
Zuckerberg eats toast!
Researchers trick Tesla's Autopilot into driving into oncoming traffic
Enter our giveaway! Tweet us a phrase for our next show with #wanttheshirt
Follow Scott Helme on Twitter here.
Find out more about Hack Yourself First UK here.
What the phrase?! "I will show you where lobsters spend the winter" • A Russian way of threatening someone.
To enter our giveaway tweet us a phrase for the end of our next show and hashtag #wanttheshirt
Summary
Security researcher Scott Helme tells me how Content Security Policy and Subresource Integrity are used to fight cross site scripting.
Details
Who he is, what he does.
What cross site scripting is; well known examples; how it works; crypto mining with cross site scripting (XSS).
Input validation, output encoding, more frameworks are handling validation.
Content Security Policy (CSP), what it is, how it works; trusting CDNs; how to use CSP on a site, CSP Wizard, browser support; future changes.
Subresource Integrity, what it is, how it works; trusting third party scripts; what happens if script fails validation.
NoScript, browser extensions, DNS filters and VPNs.
Scott's upcoming events; training.
Full show notes
Good day, dear listeners. We present a new episode of the RWpod podcast. In this episode:
Ruby
Announcing Hanami v1.3.0, Ruby 2.6 Range#cover? now accepts Range object as an argument and Rails 5.2 adds DSL for configuring Content Security Policy header
Maintaining 65k open connections in a single Ruby process, Performance of Regular Expressions and Building a Ruby C Extension From Scratch
Building auto login for fast Rails development with Sorcery, A Safer RuboCop and Introducing Enkrip
JavaScript
Node v11.0.0, Storybook 4.0 is here! and React v16.6.0: lazy, memo and contextType
Introducing Hooks, Recompose future and Playing Mortal Kombat with TensorFlow.js. Transfer learning and data augmentation
5 Tips to Write Better Conditionals in JavaScript, IronDB - a resilient key-value store for the browser and Lazy-brush - smooth drawing with a mouse, finger or any pointing device
If you build websites or web applications, Content-Security-Policy lets you significantly improve their security with a single line of configuration.
Episode contents:
Who is this episode for?
Introduction: why staying with the default option does NOT make us safe
Example attacks of the code-injection class
Cross Site Scripting (XSS)
Cross Site Styling (the "other" XSS)
Clickjacking
Solution/mitigation: Content-Security-Policy
Where to find more information?
I encourage you to sign up for the list with notifications about new episodes and to follow the "Programowanie na śniadanie" podcast on Facebook. You can also find the podcast under the name "Programowanie na śniadanie" in the directory of your podcast app, e.g. Pocket Casts.
In today's podcast we hear that the Shadow Brokers are back, and again mangling English like a bad scriptwriter doing Ensign Chekhov fan-fiction. Russian leaders continue to scoff at American elections, and WikiLeaks continues to leak. Microsoft doesn't patch fast enough to suit Google. Researchers consider the scope, threat, and mitigation of the Mirai IoT botnet. We welcome Rick Howard from Palo Alto Networks to the show. Ferruh Mavituna explains how Content Security Policy can protect against cross site scripting. And Furby's back, but this time it's connected.
SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
Malware Using Maxmind For Geolocation https://isc.sans.edu/forums/diary/Maxmindcom+Abused+As+AntiAnalysis+Technique/21435/
Content Security Policy of Limited Use in Real World https://research.google.com/pubs/pub45542.html
CryptWare Bitlocker Enhancement Vulnerability https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20160831-0_CryptWare_CryptoPro_Manipulation_of_pre-boot_authentication_v10.txt
Google Releases Chrome 53 http://googlechromereleases.blogspot.com/2016/08/stable-channel-update-for-desktop_31.html
Pawel Krawczyk did an interview with us about Content Security Policy. Learn about what it is, and whether or not the latest browsers can support it. We also talk about how you can get around it, if there are ways to avoid it if you are a bad guy, and how you can get the most out of it. If you're a web developer, and want to reduce your site's chances of allowing XSS, you'll want to take a listen to this. https://w3c.github.io/webappsec/specs/content-security-policy/#changes-from-level-1 https://w3c.github.io/webappsec/specs/content-security-policy/#directive-sandbox