Over on my corporate blog I did a post with more details. But recently I updated this site’s Content-Security-Policy rules and enabled reporting of violations (expecting none).

To my surprise and chagrin, there were some reports. How? The site being blocked was rasenalong<dot>com. Huh? Not mine, not my content, I don’t use a CDN, I don’t serve ads.

Turns out that some of you have a malware extension in your browser called LNKR. It modifies the page of my site to add a bit of its own JavaScript, which then fetches scuzzy ads and places them on my site.
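As an added example (not code from the original post), here is how the triage of those CSP violation reports can be scripted once a report-uri endpoint is in place. It assumes the site is www.example.com and uses constructed sample reports; ads.lnkr-sample.example is a made-up stand-in for the third-party host the post names. The point it shows is that a report naming a host the site never serves is a different problem from a report about the site's own inline script, and a small amount of code can keep the two apart.

```python
import json
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed policy in the spirit of the post: everything first-party, with
# violation reports POSTed back to the site's own /csp-report endpoint.
POLICY = ("default-src 'self'; script-src 'self'; style-src 'self'; "
          "img-src 'self' data:; report-uri /csp-report")

# Constructed sample reports, in the JSON shape browsers POST to report-uri.
# ads.lnkr-sample.example is a made-up stand-in for the host the post saw.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {
        "document-uri": "https://www.example.com/blog/",
        "violated-directive": "script-src 'self'",
        "effective-directive": "script-src-elem",
        "blocked-uri": "https://ads.lnkr-sample.example/inject.js",
        "original-policy": POLICY}}),
    json.dumps({"csp-report": {
        "document-uri": "https://www.example.com/blog/",
        "violated-directive": "img-src 'self' data:",
        "effective-directive": "img-src",
        "blocked-uri": "https://ads.lnkr-sample.example",
        "original-policy": POLICY}}),
    json.dumps({"csp-report": {            # an inline script the page itself carried
        "document-uri": "https://www.example.com/about/",
        "violated-directive": "script-src 'self'",
        "effective-directive": "script-src-elem",
        "blocked-uri": "inline",
        "original-policy": POLICY}}),
    json.dumps({"csp-report": {            # older browser: no effective-directive key
        "document-uri": "https://www.example.com/live/",
        "violated-directive": "connect-src 'self'",
        "blocked-uri": "wss://www.example.com/socket",
        "original-policy": POLICY}}),
]


def parse_policy(policy):
    """Split a CSP header value into {directive: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def fallback_chain(effective):
    """Directives a browser consults, in order: script-src-elem -> script-src -> default-src."""
    chain = [effective]
    if effective.endswith(("-elem", "-attr")):
        chain.append(effective.rsplit("-", 1)[0])
    if chain[-1] != "default-src":
        chain.append("default-src")
    return chain


def source_allows(url, sources, own_host):
    """True if any source expression matches url: 'self', a scheme:, a host, or a *.wildcard."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    for src in sources:
        if src == "'self'":
            if host == own_host:
                return True
        elif src.endswith(":"):                   # scheme-source such as https: or data:
            if src[:-1].lower() == parts.scheme:
                return True
        elif src.startswith("'"):
            continue                              # 'none', nonces and hashes carry no host
        else:
            pattern = urlsplit(src if "//" in src else "//" + src).hostname or ""
            if host == pattern or (pattern.startswith("*.") and host.endswith(pattern[1:])):
                return True
    return False


def triage(reports, policy, own_host):
    """Bucket violation reports so injected third-party content stands out from your own policy gaps."""
    directives = parse_policy(policy)
    buckets = defaultdict(Counter)
    for raw in reports:
        report = json.loads(raw)["csp-report"]
        effective = (report.get("effective-directive")
                     or report["violated-directive"].split()[0]).lower()
        blocked = report.get("blocked-uri", "")
        if blocked in ("", "inline", "eval", "wasm-eval", "data"):
            buckets["inline-or-eval"][blocked or "(empty)"] += 1   # on-page code, not a fetch
            continue
        host = urlsplit(blocked).hostname or blocked
        sources = next((directives[d] for d in fallback_chain(effective) if d in directives), [])
        if host == own_host:
            bucket = "first-party"         # page and policy disagree; compare original-policy
        elif source_allows(blocked, sources, own_host):
            bucket = "allowed-by-policy"   # browser enforced an older policy than the current one
        else:
            bucket = "third-party"         # content the site never served: injection candidate
        buckets[bucket][host] += 1
    return {name: dict(counts) for name, counts in buckets.items()}


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_REPORTS, POLICY, "www.example.com").items():
        print(f"{bucket:18s} {hosts}")
```

Run against the constructed reports, the third-party bucket holds only the ad host, twice, which is the shape of what the post describes: a host that appears in no directive of the policy and in none of the site's own pages. The first-party and inline buckets are the ones to fix in the policy itself; the allowed-by-policy bucket, when it is non-empty, usually means the report's original-policy is older than the one currently served.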

This was the subject of last night’s Chautauqua. I have posted the video (and the slides) if you want to see.

I am appalled. I Can’t Even.

I’ve also posted a shorter lightboard video which talks about this a bit. Go forth and fix your own sites now, please.

I thought I would share some of the hands-on how-to and learning from hardening some web sites and applications. I posted a bit about this here (and in the vid @ bottom).

If you are interested in sharing what you have learned about assessing a web app/API/site for security, how to harden it, and some of the tools, come on out.

I will then show some of the more complex things you can do with a Web Application Firewall (WAF), using lua-resty-waf (https://github.com/p0pr0ck5/lua-resty-waf) as an example, if you are stuck with a weak app and no way to fix its code.

  • Content-Security-Policy (CSP)
  • XSS-*
  • Cross-Origin Resource Sharing (CORS)
  • HTTP Strict Transport Security (HSTS)
  • TLS setup

Feel free to open https://observatory.mozilla.org/analyze/www.rbcroyalbank.com and be amazed @ the score of 0/100 (F).
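As an added example (not from the post, and not Observatory's own scoring logic), the same kind of header review can be scripted against a site's response headers. Both header sets below are constructed: WEAK is the shape of a response that scores badly, HARDENED is what the items in the list above aim for. The six-month HSTS threshold and the other checks follow common published guidance rather than any one scanner's rules.

```python
import re

# Constructed response header sets. WEAK resembles a site with no hardening
# headers at all; HARDENED is the target the items in the list above aim for.
WEAK = {
    "Server": "Apache",
    "Content-Type": "text/html",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
    "X-XSS-Protection": "1; mode=block",
}

HARDENED = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": ("default-src 'self'; script-src 'self'; object-src 'none'; "
                                "frame-ancestors 'none'; base-uri 'self'; report-uri /csp-report"),
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

SIX_MONTHS = 15552000   # seconds; the usual minimum HSTS max-age that scanners give credit for


def header(headers, name):
    """Case-insensitive lookup, since header names are case-insensitive on the wire."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def assess(headers):
    """Return (code, detail) findings for a header set; an empty list means every check passed."""
    findings = []

    hsts = header(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append(("hsts-missing", "no Strict-Transport-Security header"))
    else:
        match = re.search(r"max-age=(\d+)", hsts, re.I)
        age = int(match.group(1)) if match else 0
        if age < SIX_MONTHS:
            findings.append(("hsts-short", f"max-age={age} is below {SIX_MONTHS}"))
        if "includesubdomains" not in hsts.lower():
            findings.append(("hsts-no-subdomains", "includeSubDomains not set"))

    framing_controlled = header(headers, "X-Frame-Options") is not None
    csp = header(headers, "Content-Security-Policy")
    if csp is None:
        findings.append(("csp-missing", "no Content-Security-Policy header"))
    else:
        directives = {p.split()[0].lower(): p.split()[1:] for p in csp.split(";") if p.strip()}
        scripts = directives.get("script-src", directives.get("default-src", []))
        # A nonce or hash in the directive makes 'unsafe-inline' inert in CSP2+ browsers.
        has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in scripts)
        if "'unsafe-inline'" in scripts and not has_nonce_or_hash:
            findings.append(("csp-unsafe-inline", "script-src allows inline script"))
        if "'unsafe-eval'" in scripts:
            findings.append(("csp-unsafe-eval", "script-src allows eval"))
        if "*" in directives.get("default-src", []) or "*" in scripts:
            findings.append(("csp-wildcard", "a wildcard source makes the script policy a no-op"))
        if "frame-ancestors" in directives:
            framing_controlled = True
        if not any(d in directives for d in ("report-uri", "report-to")):
            findings.append(("csp-no-reporting", "violations would go unnoticed"))
    if not framing_controlled:
        findings.append(("framing-missing", "neither frame-ancestors nor X-Frame-Options set"))

    if (header(headers, "X-Content-Type-Options") or "").lower() != "nosniff":
        findings.append(("nosniff-missing", "X-Content-Type-Options: nosniff not set"))
    if header(headers, "Referrer-Policy") is None:
        findings.append(("referrer-missing", "no Referrer-Policy header"))

    acao = header(headers, "Access-Control-Allow-Origin")
    creds = (header(headers, "Access-Control-Allow-Credentials") or "").lower()
    if acao == "*" and creds == "true":
        findings.append(("cors-wildcard-credentials",
                         "any origin with credentials; browsers reject the combination, "
                         "so it points at a misconfigured CORS setup"))
    return findings


if __name__ == "__main__":
    for name, hdrs in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, "->", assess(hdrs) or "no findings")
```

The codes are the point: run the function over the headers from a real response (for instance the dict a request library gives you back) and the list tells you which items from the list above still need doing. The X-XSS-Protection header in the WEAK set is deliberately not scored, since a real CSP is the control that matters for script injection.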

Link below for where/when etc.

Waterloo Technology Chautauqua (Kitchener, ON, 583 members)

[Chautauqua](https://en.wikipedia.org/wiki/Chautauqua) is a principle of continuous adult education. The seed of this group is a set of people who have worked together on a va…

Next Meetup: Securing a web (site/app/api): hands on!

Tuesday, Jan 28, 2020, 7:00 PM (7 attending)

Over on my company blog I’ve posted a video and some info on how you can very simply assess the security of a website you might use. I encourage you to give it a try, pick your bank, get the score, post below, convince a friend to do the same.

I’ve posted my bank (RBC Royal Bank of Canada) below to get the conversation started.

Over on my company YouTube channel I’ve done a few videos now, trying out the settings and so on. The topics are all going to be Cloud Native, Kubernetes, Cyber Security, Zero-Trust, etc.

Now that I kind of have the hang of it, I’m soliciting topics that you think would be interesting to explore. Feel free to add them in the comments here, and/or on the YouTube Channel. (and feel free to subscribe to the YouTube channel!)

Want to know more about Istio? Cloud Native? Costing of public cloud? Workload-based firewalls using things like SPIFFE and SPIRE? OpenID, 2-Factor, authentication?

How about some of the more mundane, like moving a legacy .NET application to a container, Linux, cloud?

Anyway, let me know the topics of interest. Subscribers to the channel help, comments help, here, there, on my Corporate blog, on the LinkedIn feed, etc.

Following the LinkedIn helps the most cuz then your contacts also see some percentage.

On the latest one, you can see my Blender attempt at the intro.

Another topic I started to cover was our resilience strategy and how we deal with single failures and embrace them.

Know a not-for-profit, charity, or academic who has an idea to build a resilient, trusted and secure internet for all Canadians? Do they need a bit of money to make that idea sing? Perhaps they want to consider applying for a CIRA community investment program grant.

How, you ask? Head on over to https://cira.ca/improving-canadas-internet/grants and it will explain eligibility and criteria, but generally it covers ideas relating to infrastructure, digital literacy, cybersecurity and community leadership.

You get a +1 if the idea is supporting students or northern, rural, indigenous communities.