Your Strict-Transport-Security definition is missing the "includeSubDomains" flag. STS is a lot more effective if you use that flag.
You should discuss how X-Frame-Options prevents sites legitimately loading your pages inside frames too. I believe Reddit does this amongst others in order to display a small control panel at the top of the page. X-Frame-Options is appropriate for many sites, but perhaps not for blogs.
You should talk about how CSP prevents most bookmarklets from working. For example readability and instapaper. I really like CSP, but people should be made aware of this.
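A small audit of the response headers this thread discusses (HSTS with includeSubDomains, X-Frame-Options, CSP), added here as an example rather than code from the original post or comments; the header sets in SAMPLE_RESPONSES are constructed for illustration.

```python
# Added example (not from the thread): lint a set of HTTP response headers for
# the points raised above. Header values in SAMPLE_RESPONSES are constructed.

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: value}.
    Directives are ';'-separated; max-age carries a value, the flags do not.
    Directive names are case-insensitive, so they are lower-cased here."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives

def audit_headers(headers, min_max_age=31536000):
    """Return a list of findings for a dict of response headers (any key case)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: header missing")
    else:
        d = parse_hsts(hsts)
        try:
            max_age = int(d.get("max-age", ""))
        except ValueError:
            findings.append("HSTS: max-age missing or not an integer")
        else:
            if max_age < min_max_age:
                findings.append(f"HSTS: max-age {max_age} shorter than {min_max_age}")
        if "includesubdomains" not in d:
            findings.append("HSTS: includeSubDomains flag missing (subdomains unprotected)")
    if "x-frame-options" not in h:
        findings.append("X-Frame-Options: missing (page can be framed by other sites)")
    if "content-security-policy" not in h:
        findings.append("CSP: missing (no canary for injected scripts)")
    return findings

SAMPLE_RESPONSES = {  # constructed sample header sets
    "weak": {"Strict-Transport-Security": "max-age=3600", "Content-Type": "text/html"},
    "hardened": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
                 "X-Frame-Options": "DENY",
                 "Content-Security-Policy": "default-src 'self'; report-uri /csp-report"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        print(name, audit_headers(hdrs) or ["ok"])
```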
Yeah, I decided not to get into all of the options of each header. Partially because I was writing from a plane without wifi and partially because the response I was hoping for was "these things exist - I'll go read the docs on them".
That said, your points about X-Frame-Options and CSP are definitely important for usability. Maybe I'll update the post w/ some of those details.
Good to know - thanks. More support is better, but the thing I really like about CSP is how it is still useful as a canary even with only partial browser support.
I know people who actually implement this are going to have their heads screwed on around the right way, but having a page where you know you can generate server processing, and that is potentially not going to have much security around it screams out to me to be a good place to start an attack from.
Especially as the spec is a bit vague about exactly what happens when (no head specified for example, doesn't say about including cookies or any other information). Also, fiesta.cc's CSP Report URI returns a response that says to keep the connection open.
And, if you manage to get a script injected to a popular page, the site itself acts as a distribution system to enable distribution to multiple users.
Something about this says it's not been thoroughly thought through to me.
On that page you'll notice it mentions "request-headers". That was in FF4 and FF5, but was removed in FF6 because of something I reported.
The headers sent in the report included "Proxy-Authorization", so it was possible to steal web proxy credentials by forcing a policy violation on your site. Chrome's implementation didn't include the headers from the start. For more info:
Sorry about that - we use Tumblr to host the blog and have had some issues before. I just converted to a pastebin for you, unfortunately didn't think to include any of the comments but here you go: http://pastebin.com/yHw7L0Fy
"The hackers behind the attack on StartCom failed to obtain any certificates that would allow them to spoof websites in a similar fashion, and they were also unsuccessful in generating an intermediate certificate that would allow them to act as their own certificate authority, Nigg said in an email."
As opposed to the Comodo breach where the attackers successfully managed to get fake certificates for several high-profile sites.
Ha fair enough, and thanks! One problem with the CA system is that (as far as I understand) it really doesn't matter whether you choose a particularly secure CA or not - you're as vulnerable as the most vulnerable CA. That's why something like public-key pinning is important.