Content-Security-Policy. Make it tight.

Google, allow it to reference your images so they show in the search box.

Wildcards. You can specify the left-side (*.domain) but not the right side (domain.*).

OK, let's look up the list of Google domains. I'll let you Bing that. The answer is here.

Huh. That is a lot.

It's larger than the probably allowable size of a Content-Security-Policy header. What is one to do? Make img-src be *? But then the ad malware wanders in. Pick a few and hope?

Anyone have a suggestion for a best practice?

I see a lot of entries for (purposely not linked) in my Content-Security-Policy logs. These are folks who have some malware installed on their desktop; when they surf to my blog, they get redirected and advertising injected. Except that my CSP forbids this (since I don't allow them img-src or script-src permission).

I wrote about this earlier. I'm appalled that such things exist. I'm also saddened that it's come to this, a spy-vs-spy one-upmanship game where people like me spend time adding rules to prevent malware writers from taking advantage of folks.

Once again, I'll suggest an action. Head to Enter a site name that you use. If it doesn't get a great score, write to the owner: get it fixed.


Something interesting / disturbing just happened to me. I was trying out my new Bluetooth headset to make sure it supported aptX and would pair to two devices. So, while watching a YouTube video, I used Skype to dial my phone.

Oddly, I got a high-fidelity playback of my voice mail (ironically a bunch of CRA scams). Hmm, but it's not from the phone. It's from the PC. Weird.

So I dig in a bit. It turns out that if my caller ID is set to my own phone number, it just assumes it's me and starts playing.

Given that caller ID is trivial to spoof, this means there's really no security here.

Anyone else care to try this? I tried on Koodo if it matters.


Over on my corporate blog I did a post with more details. But, recently I updated this site's Content-Security-Policy rules. I enabled reporting of errors (expecting none).

To my surprise and chagrin, there were some reports. How? The site that was being blocked: rasenalong<dot>com. Huh? Not mine, not my content, I don't use a CDN, I don't serve ads.

Turns out that some of you have a malware extension in your browser called LNKR. And it modifies the page of my site to add a bit of its own JavaScript, which then fetches scuzzy ads and places them on my site.

This was the subject of last night's Chautauqua. I have posted the video (and the slides) if you want to see.

I am appalled. I Can't Even.

I've also posted a shorter lightboard video which talks about this a bit. Go forth and fix your own sites now, please.
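One way to triage the kind of CSP violation reports described above, as an added example that is not code from this blog: it assumes reports arrive in the `report-uri` JSON shape, and the allowlist, the `example` domains and the sample reports are constructed placeholders. It also applies the left-side-only wildcard rule when matching hosts.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Assumed allowlist (placeholder domains). CSP host-sources accept a wildcard
# only as the leftmost label: "*.example.org" is valid, "example.*" is not.
ALLOWED_HOSTS = ["blog.example.org", "*.example.org"]

def host_allowed(host, patterns=ALLOWED_HOSTS):
    """Match host against CSP-style patterns; "*.example.org" covers subdomains only."""
    host = host.lower().rstrip(".")
    for pat in patterns:
        if pat.startswith("*."):
            if host.endswith(pat[1:]):
                return True
        elif "*" in pat:
            raise ValueError(f"wildcard not allowed on the right side: {pat}")
        elif host == pat:
            return True
    return False

def triage(report_bodies):
    """Count (host, directive) pairs for blocked hosts outside the allowlist."""
    hits = Counter()
    for body in report_bodies:
        try:
            rpt = json.loads(body)["csp-report"]
            host = urlsplit(rpt.get("blocked-uri", "")).hostname
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # malformed body or not a CSP report
        if not host or host_allowed(host):
            continue  # keyword values such as "inline"/"eval", or our own hosts
        directive = rpt.get("effective-directive") or rpt.get("violated-directive") or "?"
        hits[(host, directive.split()[0])] += 1
    return hits

def _report(blocked, directive):  # constructed body in the report-uri JSON shape
    return json.dumps({"csp-report": {"document-uri": "https://blog.example.org/",
                                      "blocked-uri": blocked, "effective-directive": directive}})

SAMPLE = [_report(u, d) for u, d in [   # constructed sample data, not real logs
    ("https://injected-ads.example/a.js", "script-src"),
    ("https://injected-ads.example/banner.png", "img-src"),
    ("https://injected-ads.example/b.js", "script-src"),
    ("https://img.example.org/logo.png", "img-src"),
    ("inline", "script-src")]] + ["not json"]

if __name__ == "__main__":
    for (host, directive), n in triage(SAMPLE).most_common():
        print(f"{n:3d}  {directive:12s} {host}")
```

A host that shows up here across many visitors but appears nowhere in your own markup points to client-side injection rather than a gap in the policy.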

I thought I would share some of the hands-on how-to and learning of hardening some web sites and applications. I posted a bit about this here (and in vid @ bottom).

If you are interested in sharing learning on assessing a web app/api/site for security, how to harden it, showing some of the tools, come on out.

I will then show some of the complex things you can do w/ a Web Application Firewall (WAF) using resty-lua-waf as an example, if you are stuck with a weak app and no way to fix its code.


  • Content-Security-Policy
  • XSS-*
  • Cross-Origin Resource Sharing
  • HTTP Strict Transport Security
  • TLS setup


Feel free to open and be amazed @ the score of 0/100 (F).

Link below for where/when etc.

Waterloo Technology Chautauqua

Kitchener, ON

Securing a web (site/app/api): hands on!

Tuesday, Jan 28, 2020, 7:00 PM