Tweet

Scott Helme

Feb 23 • 5 tweets • 2 min read

@securityheaders

I'm considering changing the grading criteria on @securityheaders to allow an A+ grade with a CSP that contains unsafe-inline in the style-src directive. What are your thoughts?

This is largely because I've not seen any significant threats posed by inline styles, and, even popular frameworks like Angular require unsafe-inline in the style-src directive: angular.io/guide/security…

I'm tempted to allow the A+ because I don't want it to be unreasonable to achieve the best possible grade. I want the A+ to be the best that site operators can reasonably do to protect themselves and their visitors.

I always respect the great amount of knowledge within the community though, so have your say with a vote and drop a comment below either way! 😎

I had an itch so I wrote a blog post 💪
scotthelme.co.uk/can-you-get-pw…

• • •

Missing some Tweet in this thread? You can try to force a refresh

This Thread may be Removed Anytime!

Twitter may remove this content at anytime! Save it as PDF for later use!

More from @Scott_Helme

Scott Helme

@Scott_Helme

Feb 21

@fastly

@fastly have been working on building their own Certificate Authority called Certainly. Their request to be included in the Mozilla Root Store was made in Aug last year [1]. Nothing unusual about that, but becoming a new Root CA is a *long* process..

[1] bugzilla.mozilla.org/show_bug.cgi?i…

@feistyduck

I've you've attended our TLS/PKI Training [2], you'll know all about this process, but it will take a few years before the new Root CA is widely trusted.

[2] feistyduck.com/training/pract…
cc: @feistyduck @ivanristic

The first delay is getting approved by all of the Root Stores operators. The second delay is actually distributing the new Root Certificates to all clients via updates. I've talked extensively about this problem in the past! [3][4][5][6]

Read 18 tweets

Scott Helme

@Scott_Helme

Dec 9, 2021

@Venafi

It's been a while since I've had chance to sit down and produce a report on the security of the Top 1 Million sites, but thanks to @Venafi's support, the crawler project lives on and a brand new report is out! venafi.com/blog/crawler-r…

It takes a lot of resources to gather this data and a lot of time to analyse it all and write the report, so genuinely, it wouldn't have happened without them. There hasn't been a report for 18+ months so let's take a look at what changed! 😎

HTTPS adoption continues to surge 🔐📈

72% of sites in the Top 1M are now actively redirecting HTTP --> HTTPS 🤩

We're using more HTTPS right now than at any point in history... 😮

Read 14 tweets

Scott Helme

@Scott_Helme

Dec 7, 2021

Currently trying to sign in to AWS but it's borked so I decided to take a look around and found a buggy CSP.

They have defult-src 'none' and then specify allowed hosts, values in direct contradiction with each other.

Even Chrome knows it and, fortunately for them, ignores the 'none' keyword otherwise this page would look spectacularly awful.

Read 4 tweets

Scott Helme

@Scott_Helme

Dec 6, 2021

https://twitter.com/JohnONolan/status/1277934977754132480

I'm laughing and crying at the same because this is actually how it works 🤣😭

https://twitter.com/JohnONolan/status/1277934977754132480

@zeeg

I also recall @zeeg once talking about customers on a $50/mo sub wanting custom legal terms / NDAs / security reviews etc... but I can't find the tweet. It'd take us years to recoup the cost of onboarding them.

The latest one today is "Dear Scott, we signed up to your service and now as our supplier your are required to x, y and z". Security questionnaire, supplier questionnaire, NDA, provide various compliance certs if we have them and they need our invoices in a different format 🤷‍♂️

Read 4 tweets