TL;DR — This post covers what I learned building a generic Policy Decision Platform on Open Policy Agent (OPA), integrated at several points in the development pipeline (the CI/CD platform, pre-commit hooks, etc.) to detect and prevent security misconfigurations. It is a foundational piece in moving an organization to a standards-based security posture, and a platform component needed to move an enterprise toward a zero-trust model.
I first came across Open Policy Agent (OPA) in late 2017 from an old colleague of mine who was looking at OPA as a way to enforce authorization for their platform’s…
I have the privilege of working with a startup-like company that has gone through a hypergrowth phase over the last 5 years. When I was hired, I was the 2nd Application Security Engineer in a 9-person Security team. We’re now a ~70-person Security org made of 7 different teams that are responsible for various aspects of securing our members’ data and the company.
In this post I plan on sharing a few things I’ve learned and observed over the last 5 years that I wish someone had told me when we were a small Security team…
TL;DR: I’m open-sourcing a Hapi plugin that gives a fair amount of flexibility in enabling Feature-Policy at the route/frame level, so it should be easy for any Hapi developer to deploy Feature-Policy in a way that adds real protection.
I came across HTTP Feature Policy during a W3C WebAppSec meeting in September 2019, but back then I didn’t give it much thought until recently, when I found myself needing it to solve a problem. The problem I was trying to solve was allowing our application to access one’s location (if the member consents to it) for…
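To make the route-level idea concrete, here is an added example (not the author's Hapi plugin, and not code from the post): a default-deny Feature-Policy baseline that individual routes override, serialized into a `Feature-Policy` header value, plus a small parser/evaluator that answers "would this origin get this feature under that header?". The feature list, the route paths, the origins and the `DEFAULT_POLICY`/`ROUTE_POLICIES` names are all assumptions made up for the example; the evaluator only models allowlists that the header itself states and returns `null` for features the header does not mention, because the browser's per-feature default then applies.

```javascript
'use strict';

// Added example, not the plugin from the post. Assumed subset of Feature-Policy
// feature names; a typo in a policy object is rejected instead of being ignored,
// since an ignored directive silently leaves the browser default in place.
const KNOWN_FEATURES = new Set([
  'geolocation', 'camera', 'microphone', 'payment', 'fullscreen', 'usb', 'autoplay', 'sync-xhr',
]);

// Only https origins are accepted as allowlist entries (assumption for this example).
const ORIGIN_RE = /^https:\/\/[a-z0-9.-]+(:\d+)?$/i;

// Serialize one allowlist entry: keywords are quoted in the header, origins are not.
function serializeSource(src) {
  if (src === '*') return '*';
  if (src === 'self' || src === 'none') return `'${src}'`;
  if (ORIGIN_RE.test(src)) return src.toLowerCase();
  throw new Error(`invalid Feature-Policy source: ${src}`);
}

// policy: { geolocation: ['self'], payment: ['self', 'https://pay.example.com'], camera: ['none'] }
function buildFeaturePolicyHeader(policy) {
  const directives = [];
  for (const [feature, sources] of Object.entries(policy)) {
    if (!KNOWN_FEATURES.has(feature)) throw new Error(`unknown feature: ${feature}`);
    if (!Array.isArray(sources) || sources.length === 0) {
      throw new Error(`empty allowlist for ${feature}; use ['none'] to disable it`);
    }
    if (sources.includes('none') && sources.length > 1) {
      throw new Error(`'none' cannot be combined with other sources for ${feature}`);
    }
    directives.push(`${feature} ${sources.map(serializeSource).join(' ')}`);
  }
  return directives.join('; ');
}

// Restrictive baseline applied to every route: nothing is granted unless a route opts in.
const DEFAULT_POLICY = {
  geolocation: ['none'], camera: ['none'], microphone: ['none'], payment: ['none'],
};

// Route-specific overrides (constructed paths). Only the page that asks the member
// for their location is allowed to use geolocation, and only from its own origin.
const ROUTE_POLICIES = {
  '/nearby': { geolocation: ['self'] },
  '/checkout': { payment: ['self', 'https://pay.example.com'] },
};

// Header value to send for a given route path.
function headerForRoute(path) {
  return buildFeaturePolicyHeader({ ...DEFAULT_POLICY, ...(ROUTE_POLICIES[path] || {}) });
}

// Parse a header value back into { feature: [source, ...] } for checking.
function parseFeaturePolicyHeader(value) {
  const policy = {};
  for (const directive of value.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [feature, ...sources] = tokens;
    policy[feature] = sources;
  }
  return policy;
}

// Would `origin` be granted `feature` on a document served from `documentOrigin`
// under this header? Returns null when the header does not mention the feature
// (the browser's own per-feature default governs in that case).
function isAllowed(headerValue, feature, origin, documentOrigin) {
  const sources = parseFeaturePolicyHeader(headerValue)[feature];
  if (sources === undefined) return null;
  const o = origin.toLowerCase();
  if (sources.includes("'none'")) return false;
  if (sources.includes('*')) return true;
  if (sources.includes("'self'") && o === documentOrigin.toLowerCase()) return true;
  return sources.some((s) => s.toLowerCase() === o);
}

// Usage: in a real app this value goes into the response's Feature-Policy header.
console.log(headerForRoute('/nearby'));
console.log(headerForRoute('/checkout'));

module.exports = { buildFeaturePolicyHeader, headerForRoute, parseFeaturePolicyHeader, isAllowed };
```

The spread merge keeps the baseline's key order and just swaps in the route's allowlist, so `/nearby` yields `geolocation 'self'; camera 'none'; microphone 'none'; payment 'none'` while any route without an override gets the all-`'none'` baseline. Rejecting unknown feature names is the check worth keeping: a misspelled directive is dropped by the browser, which is the one failure mode that makes a policy look deployed while granting nothing.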
I have heard many people in the industry say that the effort required to deploy Content Security Policy (CSP) is not worth the value it brings. I disagree; it depends on what threat model you are solving for.
This is not yet another post explaining what CSP is. I personally followed Google’s csp.withgoogle.com site and found it helped me deploy a config quickly. Here’s another good resource that links to blog posts on how companies have deployed CSP, and to tools such as Mozilla’s Observatory.
A curious being! :) I enjoy doing Security stuff and fortunately make my living doing it. The contents I share here are my own and not the views of my employer.