Chrome, along with Edge, Opera and Safari, has built-in support for detecting and preventing Cross-Site Scripting (XSS) attacks. This works well as a safety net to protect users when websites fail to protect themselves from such attacks, but can cause issues with applications which allow users to post HTML in forms. This shows in Chrome as an error page with the text "ERR_BLOCKED_BY_XSS_AUDITOR" and can be quite intimidating for users trying to perform a legitimate operation.
Recently I've been trying to make some improvements to sites that I'm involved with, particularly converting images to SVG format and implementing HTTP Content Security Policy (more to come on those later). While doing so I ran into a strange issue to do with how Microsoft Edge handles the combination of these two technologies, which only seems to be documented in an Edge bug report.
In order to combat spam and fraudulent email it's become common practice to deploy technologies such as SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) to provide a means for receivers to verify whether a message is from who it claims to be. Unfortunately, these are not foolproof and can still allow fraudulent messages to slip through. There's also no way of knowing what a receiver will do with messages that fail these checks and no way of knowing how effective they are. DMARC (Domain-based Message Authentication, Reporting and Conformance) goes some way towards improving this.
As Google have publicly stated that a site's usage of SSL will now start to play a part in the ranking of its pages in search results (and presumably other search engines will follow suit), I decided it was time to switch this site to SSL. With online privacy a bigger concern than ever, there's no reason not to use cryptography where possible. I'm posting the steps I took here as a guide for anyone else thinking of making the same move, in the hope that someone might find it useful.