Content Security Policy headers can grow very long and as such are error prone if edited manually. One way to resolve that is generating them using a template language from a clean YAML structure, for example using Ansible.
Back in 90's the IPSec suite of protocols was originally invented to provide host-to-host encrypted communications but as result of number of factors is ended up used almost exclusively as gateway-to-gateway protocol for VPN tunnels. Exploring options to secure my cloud infrastructure I found out that IPSec can be quite successful in this task, greatly reducing the burden of transport encryption at application layer.
HTTP Public Key Pinning is now a pretty well established standard, as defined by RFC 7469, with a visible presence among production websites (e.g. python.org). There's one controversial topic that has been recently raised on a number of forums, including IETF and OWASP, but is little known outside.
Having a number of domains that were registered long time ago and even once used for sending any email typically results in tons of spam being not only sent to these addresses — which you can just filter and ignore — but also from them as they are used to build fake headers by the spam software. Here's one method to deal with that.
I have been through hundreds of penetration tests over the last few years, both on the testing side and on the "defending" side. Actually, in many cases I'm doing routine, internal security testing on apps that then go through a 3rd party pentest, so I can compare their results with mine. It's probably not very surprising that BurpSuite is the tool of choice for almost everyone, because it's reliable, feature-rich and well priced — £199 per year in this business is really cheap.
Content Security Policy violation reports are usually very helpful in not only debugging your security policy, but actually for building it from scratch. There's however one case when they can be quite annoying...
Spending two weeks in Russia I had an opportunity to look at how their Internet censorship system operates in practice. As human rights watchdogs alarmed already, the scope of blocked websites now goes way beyond the typical criminal content declared initially by the government and now routinely includes political content. The good news is that the system is still easily bypassable even by an unexperienced user.
Looking for a Twitter API library that would work with Python 3 I stumbled upon a number of projects that implement OAuth authentication protocol in a rather superfulous way (but "baroque" would be a better word here).
Emerging Threats publishes excellent, free IP blacklists for general usage at servers and routers, in formats suitable for use with iptables and other popular firewalls. Unfortunately, on low memory and small CPU devices, loading ~1.5k iptables rules is a performance killer — here's how to do this more efficiently using ipset.
Play Framework comes equipped with a pretty complete object-relational mapping (ORM) features to enable fast and easy exchange of data between web forms and database models. As usual, with fast and easy comes the risk of abuse and Play is no exception here.