Thank you for sharing this post! I really enjoy seeing people picking up this topic and sharing their ideas and thoughts.
You are bringing up CSP as a measure to prevent certain kinds of attacks, this is a very powerful but also a complex security feature. In my experience, if you do not start with a very strict CSP right from the beginning you will have a hard time adding it later to a production site without breaking anything.
Thank you for sharing this post! I really enjoy seeing people picking up this topic and sharing their ideas and thoughts.
You are bringing up CSP as a measure to prevent certain kinds of attacks, this is a very powerful but also a complex security feature. In my experience, if you do not start with a very strict CSP right from the beginning you will have a hard time adding it later to a production site without breaking anything.
I really like the way that Google explains all of it here:
developers.google.com/web/fundamen...
And the Owasp site is always a good starting point as well: owasp.org/index.php/Content_Securi...
There are a few more headers that already improve the basic security of any web app quite a bit and are easier, if not even trivial to implement.
The most important and notable ones are:
They are all quite good explained - again - on the OWASP site: owasp.org/index.php/OWASP_Secure_H...
@Jamie I think you did a great job on explaining all of this, thank you again.