Passkeys for Normal People

This is a pretty good overview of the current state of passkeys with some nice examples of the various ways sites might implement them.

Anyone can be scammed

Even Troy Hunt (a well-known security researcher and creator of Have I Been Pwned) fell for a phishing email. He wrote all about it on his blog: "A Sneaky Phish Just Grabbed my Mailchimp Mailing List". I found it a valuable read, not only for the lessons learned, but it's also a reminder that it could have happened to any of us. The email looks fairly well crafted and I appreciated his analysis of the factors that led to him falling victim. It's important to remember that even the most security-minded people can make mistakes and that security is hard. ...

CSP `connect-src` directive

Today I learned that there is a Content-Security-Policy (CSP) directive `connect-src` that you can use to restrict all outgoing requests from your website to only the domains that you specify. This is a powerful mitigation against any kind of script injection attack, since no data can then be exfiltrated from your page. It applies to XMLHttpRequest (AJAX), WebSocket, `fetch()`, `<a ping>` and EventSource. CSP is an HTTP response header for enhancing the security of a site, and there are of course several other directives you might want to enable. ...
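To make the directive's behaviour concrete, here is an added example (not code from the original post) that parses a `Content-Security-Policy` header and answers "would this outgoing request be allowed?" for a given page origin. It models the parts of source matching that matter for exfiltration control: `'none'`, `'self'`, scheme-only sources such as `https:`, host sources with an optional scheme and wildcard subdomains, and the fallback from `connect-src` to `default-src` when `connect-src` is absent. The header strings and hostnames are constructed for the example, and port and path matching are deliberately left out, so treat it as a simplified model of the browser's logic rather than a spec-complete one.

```javascript
// Added example: simplified CSP connect-src evaluator (constructed, not from the post).
// Assumptions: no port/path matching; scheme-less host sources accept the page's
// scheme plus its secure upgrade (http -> https/wss); first directive occurrence wins.

function parseCsp(header) {
  // Directives are ';'-separated; each is "name value value ...".
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    const key = name.toLowerCase();
    if (!policy.has(key)) policy.set(key, values); // duplicates are ignored, as in CSP
  }
  return policy;
}

function sourceMatches(source, pageOrigin, target) {
  const src = source.toLowerCase();
  const page = new URL(pageOrigin);
  if (src === "'none'") return false;
  if (src === "'self'") return target.origin === page.origin;
  if (src === '*') return /^(https?|wss?):$/.test(target.protocol);
  // Scheme-only source, e.g. "https:" matches every https URL.
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return target.protocol === src;

  // Host source, optionally prefixed with a scheme: [scheme://]host[:port][/path]
  let scheme = null;
  let host = src;
  const m = src.match(/^([a-z][a-z0-9+.-]*):\/\/(.+)$/);
  if (m) { scheme = m[1] + ':'; host = m[2]; }
  host = host.replace(/\/.*$/, '').replace(/:\d+$/, ''); // drop path and port (simplified)

  if (scheme) {
    if (target.protocol !== scheme) return false;
  } else {
    // No scheme given: allow the page's scheme and its secure upgrades (simplified).
    const allowed = page.protocol === 'https:'
      ? ['https:', 'wss:']
      : ['http:', 'https:', 'ws:', 'wss:'];
    if (!allowed.includes(target.protocol)) return false;
  }
  if (host.startsWith('*.')) {
    const suffix = host.slice(1); // "*.example.com" -> ".example.com"
    return target.hostname.endsWith(suffix) && target.hostname.length > suffix.length;
  }
  return target.hostname === host;
}

// Returns true if a connection-type request (fetch, XHR, WebSocket, EventSource,
// <a ping>) from pageOrigin to requestUrl is permitted by the header.
function connectAllowed(header, pageOrigin, requestUrl) {
  const policy = parseCsp(header);
  const sources = policy.get('connect-src') ?? policy.get('default-src');
  if (!sources) return true; // neither directive present: connections are unrestricted
  const target = new URL(requestUrl);
  return sources.some((s) => sourceMatches(s, pageOrigin, target));
}

// Constructed policies: one that only restricts script sources (an injected
// script could still send data anywhere) and one that also pins connect-src.
const WEAK_CSP = "script-src 'self'";
const HARDENED_CSP =
  "default-src 'self'; script-src 'self'; " +
  "connect-src 'self' https://api.example.com wss://*.example.com";
const PAGE = 'https://app.example.com';

console.log(connectAllowed(WEAK_CSP, PAGE, 'https://collector.example.net/c'));     // true
console.log(connectAllowed(HARDENED_CSP, PAGE, 'https://collector.example.net/c')); // false
console.log(connectAllowed(HARDENED_CSP, PAGE, 'https://api.example.com/v1/data'));  // true
console.log(connectAllowed(HARDENED_CSP, PAGE, 'wss://events.example.com/socket'));  // true
```

Note that `connect-src` only governs the request types listed above; image loads, form submissions and navigations are separate channels with their own directives (`img-src`, `form-action`, `navigate-to` where supported), so a policy that leaves those open still has holes.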