
Browsing posts by tag

Security

Content Security Policies and Content Delivery Networks

• Tagged Security and Performance

Report URI is a service that collects and monitors reports such as Content Security Policy violations on your website. They had a pentest carried out, and this section of the report about their CSP stuck out to me:

You can also see that our external list of sites that can load script is very small, by design, and does not include any of the variety of JavaScript CDNs out there. Inclusion of something like cdnjs.com or code.jquery.com would have allowed the inclusion of outdated libraries from those locations that have potential security issues, allowing an attacker to cause harm. This is the reason we self-host our own JavaScript files, but you should also consider specifying a path in your CSP directives if that isn’t an option, like cdnjs.com/jquery/not-vulnerable-version. [Source]
