[guardian-dev] HTTP Security Headers for guardianproject.info

Hans-Christoph Steiner hans at guardianproject.info
Tue Sep 19 03:48:00 EDT 2017


Not being a web developer, I have just discovered the world of HTTP
Security Headers.  I set up https://guardianproject.info with a strong
but conservative set of them.  These headers mostly restrict how
Javascript can be run, to help prevent cross-site scripting attacks.

Mozilla has a nice scanner for it:
https://observatory.mozilla.org/analyze.html?host=guardianproject.info#third

This all reminds me yet again of the days of the dotcom web browser wars
in the late 90s, where Netscape and Microsoft were competing by adding
"features" as fast as possible with little forethought.  Plus, those
engineers were working 100+ hour weeks.  And now we are still paying
the price, with the state of web security and privacy still so bad that
we need these arcane headers.

.hc

-- 
PGP fingerprint: EE66 20C7 136B 0D2C 456C  0A4D E9E2 8DEA 00AA 5556
https://pgp.mit.edu/pks/lookup?op=vindex&search=0xE9E28DEA00AA5556
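A worked illustration of what a scanner like the Mozilla Observatory linked above is checking, added here as an example and not part of the original post or of Guardian Project's own tooling. The checker takes a plain dict of response headers and reports which security headers are missing or weak, including the Content-Security-Policy directives that govern whether inline JavaScript may run. Both header sets below are constructed sample data, not captured from guardianproject.info, and the six-month HSTS threshold is an assumed rule of thumb.

```python
"""
Added example (not from the original post): audit a set of HTTP response
headers the way a header scanner would, reporting missing or weak
security headers. All header values below are constructed sample data;
the audit function works on any dict of header name -> value.
"""
from __future__ import annotations

SIX_MONTHS = 15552000  # seconds; assumed minimum recommended HSTS max-age


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy: dict[str, list[str]] = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def hsts_max_age(value: str) -> int:
    """Extract max-age from a Strict-Transport-Security value (0 if absent)."""
    for token in value.split(";"):
        name, _, num = token.strip().partition("=")
        if name.strip().lower() == "max-age" and num.strip().isdigit():
            return int(num.strip())
    return 0


def audit_security_headers(headers: dict[str, str]) -> list[str]:
    """Return a list of findings; an empty list means nothing to report."""
    # Header names are case-insensitive, so normalise them before lookup.
    h = {k.lower(): v for k, v in headers.items()}
    findings: list[str] = []

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        policy = parse_csp(csp)
        # script-src controls script execution; it falls back to default-src.
        script_src = policy.get("script-src", policy.get("default-src", []))
        if "'unsafe-inline'" in script_src:
            findings.append("CSP allows 'unsafe-inline' scripts (weak XSS protection)")
        if "*" in script_src:
            findings.append("CSP allows scripts from any origin (*)")
        if "frame-ancestors" not in policy and "x-frame-options" not in h:
            findings.append("no clickjacking protection (frame-ancestors or X-Frame-Options)")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    elif hsts_max_age(hsts) < SIX_MONTHS:
        findings.append("HSTS max-age shorter than six months")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")

    if "referrer-policy" not in h:
        findings.append("missing Referrer-Policy")

    return findings


# Constructed sample responses (not captured from any real site).
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=3600",
}

STRONG_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("strong", STRONG_HEADERS)):
        print(f"{label}: {audit_security_headers(hdrs) or ['ok']}")
```

The weak set shows the most common mistake in a first CSP: `'unsafe-inline'` in the effective script source list, which leaves the page open to injected inline scripts and defeats the point of the header. The strong set is the kind of conservative baseline the post describes: same-origin scripts only, framing denied, HSTS for a year, MIME sniffing disabled.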

