Why I’m done with Chrome

Matthew Green explains why he has stopped using Google Chrome as his browser. I recommend reading the whole thing, but here is a quote from the “What’s changed?” section:

A few weeks ago Google shipped an update to Chrome that fundamentally changes the sign-in experience. From now on, every time you log into a Google property (for example, Gmail), Chrome will automatically sign the browser into your Google account for you. It’ll do this without asking, or even explicitly notifying you. (However, and this is important: Google developers claim this will not actually start synchronizing your data to Google — yet. See further below.)

Your sole warning — in the event that you’re looking for it — is that your Google profile picture will appear in the upper-right hand corner of the browser window. I noticed mine the other day:


open-policy-agent/opa – Open Source, general purpose policy agent

open-policy-agent/opa is an open-source, general-purpose policy agent.

OPA gives you a high-level declarative language to author and enforce policies across your stack.

With OPA, you define rules that govern how your system should behave. These rules exist to answer questions like:

  • Can user X call operation Y on resource Z?
  • What clusters should workload W be deployed to?
  • What tags must be set on resource R before it’s created?

You integrate services with OPA so that these kinds of policy decisions do not have to be hardcoded in your service. Services integrate with OPA by executing queries when policy decisions are needed.

When you query OPA for a policy decision, OPA evaluates the rules and data (which you give it) to produce an answer. The policy decision is sent back as the result of the query.
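As an added illustration of the query-and-decision model described above (this is example code, not from the OPA project or from the original post), here is a small Rego policy that answers two of the questions listed earlier from one query: whether a user may perform an operation, and which required tags are still missing before a resource may be created. The package name, the role table, the tag names and the shape of `input` are all assumptions chosen for the example.

```rego
package example.authz

import rego.v1

# Deny by default: the decision is only true when a rule below proves it.
default allow := false

# Which operations each role may perform. In a real deployment this table
# would be loaded into OPA as data (e.g. data.roles) rather than inlined
# in the policy; the roles and operations here are illustrative.
role_permissions := {
    "admin":  {"read", "write", "create", "delete"},
    "editor": {"read", "write", "create"},
    "viewer": {"read"},
}

# Tags every resource must carry before it is created (illustrative).
required_tags := {"owner", "cost-center"}

# "Can user X call operation Y on resource Z?"
# Expected input shape (an assumption for this example):
#   {"user": {"roles": [...]}, "operation": "...", "resource": {"tags": {...}}}
# The query succeeds when one of the user's roles grants the operation and
# no required tag is missing. For operations other than "create" the
# missing_tags set is empty, so only the role check applies.
allow if {
    some role in input.user.roles
    input.operation in role_permissions[role]
    count(missing_tags) == 0
}

# "What tags must be set on resource R before it's created?"
# A set-valued rule: every required tag absent from the input becomes a
# member, so the calling service can tell the user exactly what to fix
# instead of receiving a bare "denied".
missing_tags contains tag if {
    input.operation == "create"
    some tag in required_tags
    not input.resource.tags[tag]
}
```

Save the policy as `policy.rego`, put the request in `input.json`, and evaluate with `opa eval -d policy.rego -i input.json 'data.example.authz'`; the result document carries both `allow` and `missing_tags`. With the constructed input `{"user": {"roles": ["editor"]}, "operation": "create", "resource": {"tags": {"owner": "bob"}}}`, `allow` is `false` and `missing_tags` is `["cost-center"]`: the editor role is permitted to create, but the required cost-center tag is absent. Adding that tag to the input turns `allow` into `true` without touching the policy, which is the point of keeping decisions in OPA rather than hardcoding them in the service.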

HTTP: The headers we want

“The headers we want” is a short, straight-to-the-point post on the Fastly blog. Unlike many more generic articles on the subject, it does not try to explain the meaning of every HTTP header out there, and it does not go into deep theory or the meaning of life, the universe and everything.

Instead it tells you plainly which headers your website or web application should emit. These cover everything from the usual Content-Type and Content-Length all the way down to the CORS and Server-Timing headers.

Once the basic functionality of your website or web application is done and out of the way, this post comes in handy with specific best practices for making your site more secure and noticeably faster.

For more on the same subject, have a look at “The headers we don’t want” in the same blog.

Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet

The OWASP “Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet” is a list of general recommendations and specific techniques for protecting web applications against CSRF attacks. That is, until CSRF attacks become obsolete.