#stuartwriting — Public Fediverse posts

For more detail on HSTS (and Upgrade-Insecure-Requests and hstspreload.org), check out Learn Privacy at https://web.dev/learn/privacy/encryption/#hsts. And if you like that and want me to write things for you, get in touch! #stuartwriting 4/4

For more detail on HSTS (and Upgrade-Insecure-Requests and hstspreload.org), check out Learn Privacy at https://web.dev/learn/privacy/encryption/#hsts. And if you like that and want me to write things for you, get in touch! #stuartwriting 4/4

For more detail on HSTS (and Upgrade-Insecure-Requests and hstspreload.org), check out Learn Privacy at https://web.dev/learn/privacy/encryption/#hsts. And if you like that and want me to write things for you, get in touch! #stuartwriting 4/4

For more detail on HSTS (and Upgrade-Insecure-Requests and hstspreload.org), check out Learn Privacy at https://web.dev/learn/privacy/encryption/#hsts. And if you like that and want me to write things for you, get in touch! #stuartwriting 4/4

For more detail on HSTS (and Upgrade-Insecure-Requests and hstspreload.org), check out Learn Privacy at https://web.dev/learn/privacy/encryption/#hsts. And if you like that and want me to write things for you, get in touch! #stuartwriting 4/4

Add the HSTS header to your outgoing responses:
Strict-Transport-Security: max-age=300; includeSubDomains

Then once it's OK, increase max-age. (It's in seconds and you want it to be 31536000 (1 year) but recovery is hard if you screw up. So go easy at first.)
#stuartwriting 3/4

Add the HSTS header to your outgoing responses:
Strict-Transport-Security: max-age=300; includeSubDomains

Then once it's OK, increase max-age. (It's in seconds and you want it to be 31536000 (1 year) but recovery is hard if you screw up. So go easy at first.)
#stuartwriting 3/4

Add the HSTS header to your outgoing responses:
Strict-Transport-Security: max-age=300; includeSubDomains

Then once it's OK, increase max-age. (It's in seconds and you want it to be 31536000 (1 year) but recovery is hard if you screw up. So go easy at first.)
#stuartwriting 3/4

Add the HSTS header to your outgoing responses:
Strict-Transport-Security: max-age=300; includeSubDomains

Then once it's OK, increase max-age. (It's in seconds and you want it to be 31536000 (1 year) but recovery is hard if you screw up. So go easy at first.)
#stuartwriting 3/4

Add the HSTS header to your outgoing responses:
Strict-Transport-Security: max-age=300; includeSubDomains

Then once it's OK, increase max-age. (It's in seconds and you want it to be 31536000 (1 year) but recovery is hard if you screw up. So go easy at first.)
#stuartwriting 3/4

But in addition to going https, do you know about HSTS? HSTS is short for "HTTP Strict-Transport-Security", and is a way of locking a browser into using HTTPS for your service forevermore. HTTPS is good for privacy, and HSTS is good for HTTPS. #stuartwriting 2/4

But in addition to going https, do you know about HSTS? HSTS is short for "HTTP Strict-Transport-Security", and is a way of locking a browser into using HTTPS for your service forevermore. HTTPS is good for privacy, and HSTS is good for HTTPS. #stuartwriting 2/4

But in addition to going https, do you know about HSTS? HSTS is short for "HTTP Strict-Transport-Security", and is a way of locking a browser into using HTTPS for your service forevermore. HTTPS is good for privacy, and HSTS is good for HTTPS. #stuartwriting 2/4

But in addition to going https, do you know about HSTS? HSTS is short for "HTTP Strict-Transport-Security", and is a way of locking a browser into using HTTPS for your service forevermore. HTTPS is good for privacy, and HSTS is good for HTTPS. #stuartwriting 2/4

But in addition to going https, do you know about HSTS? HSTS is short for "HTTP Strict-Transport-Security", and is a way of locking a browser into using HTTPS for your service forevermore. HTTPS is good for privacy, and HSTS is good for HTTPS. #stuartwriting 2/4

A #WebPrivacy tip.

All the websites you build are https these days, right? Good. If you do http too, you should redirect it to https as well. This protects your users' privacy, and ensures that your site won't show up on whynohttps.com if it becomes popular. #stuartwriting 1/4

A #WebPrivacy tip.

All the websites you build are https these days, right? Good. If you do http too, you should redirect it to https as well. This protects your users' privacy, and ensures that your site won't show up on whynohttps.com if it becomes popular. #stuartwriting 1/4

A #WebPrivacy tip.

All the websites you build are https these days, right? Good. If you do http too, you should redirect it to https as well. This protects your users' privacy, and ensures that your site won't show up on whynohttps.com if it becomes popular. #stuartwriting 1/4

A #WebPrivacy tip.

All the websites you build are https these days, right? Good. If you do http too, you should redirect it to https as well. This protects your users' privacy, and ensures that your site won't show up on whynohttps.com if it becomes popular. #stuartwriting 1/4

A #WebPrivacy tip.

All the websites you build are https these days, right? Good. If you do http too, you should redirect it to https as well. This protects your users' privacy, and ensures that your site won't show up on whynohttps.com if it becomes popular. #stuartwriting 1/4

Take a look at Learn Privacy at https://web.dev/learn/privacy/third-parties/#content-security-policy for how to set up CSPRO on your sites so you can help protect your users' privacy. And if you like that and want me to write things for you, get in touch! #stuartwriting 6/6

Take a look at Learn Privacy at https://web.dev/learn/privacy/third-parties/#content-security-policy for how to set up CSPRO on your sites so you can help protect your users' privacy. And if you like that and want me to write things for you, get in touch! #stuartwriting 6/6

Take a look at Learn Privacy at https://web.dev/learn/privacy/third-parties/#content-security-policy for how to set up CSPRO on your sites so you can help protect your users' privacy. And if you like that and want me to write things for you, get in touch! #stuartwriting 6/6

Take a look at Learn Privacy at https://web.dev/learn/privacy/third-parties/#content-security-policy for how to set up CSPRO on your sites so you can help protect your users' privacy. And if you like that and want me to write things for you, get in touch! #stuartwriting 6/6

Take a look at Learn Privacy at https://web.dev/learn/privacy/third-parties/#content-security-policy for how to set up CSPRO on your sites so you can help protect your users' privacy. And if you like that and want me to write things for you, get in touch! #stuartwriting 6/6

Most of the time, the way you use the sites you build isn't the way that your actual users do. What CSPRO does for you is give you quiet feedback on what your users are experiencing: if your pages load loads of extra JS and pass back user info, you'll know. #stuartwriting 5/6

Most of the time, the way you use the sites you build isn't the way that your actual users do. What CSPRO does for you is give you quiet feedback on what your users are experiencing: if your pages load loads of extra JS and pass back user info, you'll know. #stuartwriting 5/6

Most of the time, the way you use the sites you build isn't the way that your actual users do. What CSPRO does for you is give you quiet feedback on what your users are experiencing: if your pages load loads of extra JS and pass back user info, you'll know. #stuartwriting 5/6

Most of the time, the way you use the sites you build isn't the way that your actual users do. What CSPRO does for you is give you quiet feedback on what your users are experiencing: if your pages load loads of extra JS and pass back user info, you'll know. #stuartwriting 5/6

Most of the time, the way you use the sites you build isn't the way that your actual users do. What CSPRO does for you is give you quiet feedback on what your users are experiencing: if your pages load loads of extra JS and pass back user info, you'll know. #stuartwriting 5/6

What this means is that if you set up CSPRO on your page, you get a free audit of what all your third-party resources are loading. Do they pull in extra JS? Are they loading a million extra URLs? Do they pass back info about your users? Now you get to see that! #stuartwriting 4/6

What this means is that if you set up CSPRO on your page, you get a free audit of what all your third-party resources are loading. Do they pull in extra JS? Are they loading a million extra URLs? Do they pass back info about your users? Now you get to see that! #stuartwriting 4/6

What this means is that if you set up CSPRO on your page, you get a free audit of what all your third-party resources are loading. Do they pull in extra JS? Are they loading a million extra URLs? Do they pass back info about your users? Now you get to see that! #stuartwriting 4/6

What this means is that if you set up CSPRO on your page, you get a free audit of what all your third-party resources are loading. Do they pull in extra JS? Are they loading a million extra URLs? Do they pass back info about your users? Now you get to see that! #stuartwriting 4/6

What this means is that if you set up CSPRO on your page, you get a free audit of what all your third-party resources are loading. Do they pull in extra JS? Are they loading a million extra URLs? Do they pass back info about your users? Now you get to see that! #stuartwriting 4/6

But there's a little-known extra to CSP: the Content-Security-Policy-Report-Only header. With this, if anything on your site tries to load a resource you didn't expect, it won't be denied, but it *will* tell *you* about it with a web hook. #stuartwriting 3/6

But there's a little-known extra to CSP: the Content-Security-Policy-Report-Only header. With this, if anything on your site tries to load a resource you didn't expect, it won't be denied, but it *will* tell *you* about it with a web hook. #stuartwriting 3/6

But there's a little-known extra to CSP: the Content-Security-Policy-Report-Only header. With this, if anything on your site tries to load a resource you didn't expect, it won't be denied, but it *will* tell *you* about it with a web hook. #stuartwriting 3/6

But there's a little-known extra to CSP: the Content-Security-Policy-Report-Only header. With this, if anything on your site tries to load a resource you didn't expect, it won't be denied, but it *will* tell *you* about it with a web hook. #stuartwriting 3/6

But there's a little-known extra to CSP: the Content-Security-Policy-Report-Only header. With this, if anything on your site tries to load a resource you didn't expect, it won't be denied, but it *will* tell *you* about it with a web hook. #stuartwriting 3/6

The Content Security Policy stuff (called "CSP") in browsers is rather a pain to set up. It's useful for security: basically, you can say "this page is allowed to load X, Y, and Z", and if the page tries to load anything else, it'll be denied. #stuartwriting 2/6

The Content Security Policy stuff (called "CSP") in browsers is rather a pain to set up. It's useful for security: basically, you can say "this page is allowed to load X, Y, and Z", and if the page tries to load anything else, it'll be denied. #stuartwriting 2/6

The Content Security Policy stuff (called "CSP") in browsers is rather a pain to set up. It's useful for security: basically, you can say "this page is allowed to load X, Y, and Z", and if the page tries to load anything else, it'll be denied. #stuartwriting 2/6

The Content Security Policy stuff (called "CSP") in browsers is rather a pain to set up. It's useful for security: basically, you can say "this page is allowed to load X, Y, and Z", and if the page tries to load anything else, it'll be denied. #stuartwriting 2/6

The Content Security Policy stuff (called "CSP") in browsers is rather a pain to set up. It's useful for security: basically, you can say "this page is allowed to load X, Y, and Z", and if the page tries to load anything else, it'll be denied. #stuartwriting 2/6

A #WebPrivacy tip.

Most web pages use third-party stuff somehow; web fonts, images, videos, JavaScript. It can be useful (and eye-opening for you, the page developer) to see what these things actually do. Do you know about Content-Security-Policy-Report-Only? #stuartwriting 1/6

A #WebPrivacy tip.

Most web pages use third-party stuff somehow; web fonts, images, videos, JavaScript. It can be useful (and eye-opening for you, the page developer) to see what these things actually do. Do you know about Content-Security-Policy-Report-Only? #stuartwriting 1/6

A #WebPrivacy tip.

Most web pages use third-party stuff somehow; web fonts, images, videos, JavaScript. It can be useful (and eye-opening for you, the page developer) to see what these things actually do. Do you know about Content-Security-Policy-Report-Only? #stuartwriting 1/6

A #WebPrivacy tip.

Most web pages use third-party stuff somehow; web fonts, images, videos, JavaScript. It can be useful (and eye-opening for you, the page developer) to see what these things actually do. Do you know about Content-Security-Policy-Report-Only? #stuartwriting 1/6

A #WebPrivacy tip.

Most web pages use third-party stuff somehow; web fonts, images, videos, JavaScript. It can be useful (and eye-opening for you, the page developer) to see what these things actually do. Do you know about Content-Security-Policy-Report-Only? #stuartwriting 1/6