Implementing Content Security Policy with CspBuilder wizard

Exactly for this purpose I have written CspBuilder, a wizard that consumes the Content Security Policy violation reports generated by browsers and turns them into a working CSP header.
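The core of such a wizard is a small aggregation step: parse the JSON violation reports the browser POSTs to the report-uri endpoint, reduce each blocked load to a directive and a source expression, and serialize the result as a policy. The following is an added, self-contained illustration of that step, not CspBuilder's own code. The sample reports and hostnames are constructed, and the field handling reflects what the reports actually carry: CSP 1.0 reports have only violated-directive (whose first token is the directive name), CSP 1.1 adds effective-directive, and inline scripts, eval and data: URIs are reported as keywords rather than URLs.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample reports (not captured traffic): the JSON bodies a browser
# POSTs to report-uri while the site runs "default-src 'self'" in report-only mode.
# Hostnames are placeholders.
SAMPLE_REPORTS = [json.dumps({"csp-report": r}) for r in [
    {"document-uri": "https://shop.example/checkout",
     "violated-directive": "script-src 'self'",
     "blocked-uri": "https://cdn.example.net/js/lib.js",
     "original-policy": "default-src 'self'; report-uri /csp"},
    {"document-uri": "https://shop.example/checkout",      # same origin again: must deduplicate
     "violated-directive": "script-src 'self'",
     "blocked-uri": "https://cdn.example.net/js/vendor.js",
     "original-policy": "default-src 'self'; report-uri /csp"},
    {"document-uri": "https://shop.example/checkout",      # inline <script> block
     "violated-directive": "script-src 'self'",
     "effective-directive": "script-src",                  # CSP 1.1 field
     "blocked-uri": "inline",
     "original-policy": "default-src 'self'; report-uri /csp"},
    {"document-uri": "https://shop.example/",              # tracking pixel
     "violated-directive": "default-src 'self'",
     "effective-directive": "img-src",
     "blocked-uri": "https://stats.example.org/pixel.gif?u=1",
     "original-policy": "default-src 'self'; report-uri /csp"},
    {"document-uri": "https://shop.example/",              # data: URI web font
     "violated-directive": "default-src 'self'",
     "effective-directive": "font-src",
     "blocked-uri": "data",
     "original-policy": "default-src 'self'; report-uri /csp"},
]]

# Browsers report some blocked loads with keywords instead of a URL.
KEYWORD_SOURCES = {"inline": "'unsafe-inline'", "eval": "'unsafe-eval'", "data": "data:"}
UNSAFE = {"'unsafe-inline'", "'unsafe-eval'"}


def source_expression(blocked_uri):
    """Map blocked-uri to a CSP source expression: a keyword, or the origin only
    (scheme://host[:port]) so one entry covers every resource on that host."""
    if blocked_uri in KEYWORD_SOURCES:
        return KEYWORD_SOURCES[blocked_uri]
    parts = urlsplit(blocked_uri)
    if not parts.scheme or not parts.netloc:
        return None  # unparseable value: skip it rather than guess
    return f"{parts.scheme}://{parts.netloc}"


def directive_name(report):
    """CSP 1.1 reports carry effective-directive; CSP 1.0 reports only
    violated-directive, whose first token is the directive name."""
    return report.get("effective-directive") or report["violated-directive"].split()[0]


def aggregate(raw_reports):
    """Collect the distinct source expressions needed per directive."""
    sources = defaultdict(set)
    for raw in raw_reports:
        report = json.loads(raw)["csp-report"]
        expr = source_expression(report.get("blocked-uri", ""))
        if expr:
            sources[directive_name(report)].add(expr)
    return dict(sources)


def build_policy(sources, base="'self'", report_uri=None):
    """Serialize the aggregated sources into a policy string. Sources a 1.0 report
    could only attribute to default-src end up widening default-src itself."""
    directives = [" ".join(["default-src", base] + sorted(sources.get("default-src", ())))]
    for name in sorted(sources):
        if name != "default-src":
            directives.append(" ".join([name, base] + sorted(sources[name])))
    if report_uri:
        directives.append(f"report-uri {report_uri}")
    return "; ".join(directives)


def needs_review(sources):
    """Directives a wizard must not whitelist blindly: 'unsafe-*' keywords re-open the
    XSS hole CSP is meant to close, and anything under default-src widens every directive."""
    flagged = {}
    for name, exprs in sources.items():
        bad = set(exprs) if name == "default-src" else exprs & UNSAFE
        if bad:
            flagged[name] = bad
    return flagged


def header_line(policy, report_only=True):
    """Deploy as report-only first; switch to the enforcing header once reports dry up."""
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return f"{name}: {policy}"


if __name__ == "__main__":
    agg = aggregate(SAMPLE_REPORTS)
    print(header_line(build_policy(agg, report_uri="/csp")))
    print("review before enforcing:", needs_review(agg))
```

For the constructed reports above this yields `default-src 'self'; font-src 'self' data:; img-src 'self' https://stats.example.org; script-src 'self' 'unsafe-inline' https://cdn.example.net`, with script-src flagged for review because the only way to keep the inline script is 'unsafe-inline'; the better fix is to move that script into a file served from 'self' and let the next round of reports confirm the keyword is no longer needed.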

CONFidence 2013, 28-29 May 2013, Kraków, Poland

The end of May brings yet another iteration of an excellent security conference held in our home city of Kraków: CONFidence 2013.

Getting free gigabytes of secure online storage... by cleaning trash

For a few years now I've been using Wuala as my online storage of choice, mainly because of its security-related features. Recently it approached the limit of my purchased space...

Invitation to the seminar "Polityka ochrony cyberprzestrzeni" (Cyberspace Protection Policy)

ISSA Polska has taken under its patronage a seminar devoted to the "Polityka ochrony cyberprzestrzeni" (Cyberspace Protection Policy); we warmly invite you to take part. Admission is free.

Polemic: Unizeto on electronic signatures

Below I publish in full the response of Tomasz Litarowicz of Unizeto to my article from a month ago, which was itself a comment on Mr Litarowicz's article in Computerworld.

Do Not Track (DNT) tutorial for Django

The Do Not Track (DNT) HTTP header is already supported by many browsers, but it has not really been clear what it is supposed to do apart from expressing the user's preference not to be tracked. I think it may help to demonstrate this with an example.

Content Security Policy 1.1 kicking off

While support for "standard" Content Security Policy is not really consistent among browsers, elements of CSP 1.1 are starting to appear in the wild.

Most common attacks on web applications

This page contains most of the currently known quantitative data sets on web application attack methods, collected as a result of (and as an addendum to) a discussion on the new OWASP Top 10 in early 2013. Note that these data sets are sometimes of very different nature and often cannot be directly compared. Nonetheless, I strongly believe that in most cases they give a pretty good picture of how applications are attacked in real life.

The growing popularity of electronic signatures

In a recent article published in Computerworld a representative of Unizeto says that "interest in e-signatures is growing all over the world". Is that really so?

If you see BEGIN PGP SIGNED then your email program is broken

XKCD has posted a nice cartoon that demonstrates a fundamental flaw in how security experts treat those they should protect: the end users.

The mess with X-Frame-Options: ALLOWALL

The X-Frame-Options value "ALLOWALL", seemingly quite a new invention, appears in the middle of the standardization process of the X-Frame-Options header.

So what are the "most critical" application flaws? On new OWASP Top 10

Ongoing work on the new issue of the OWASP Top 10 gives us an opportunity to perform a reality check on the data it was based on, especially the order and importance of vulnerabilities. All of that reduces to a simple question: how do we measure the "criticality" of an application issue?

Should you use MD5 and SHA-1 hashes for file integrity?

The Mandiant advanced persistent threat reports were published on a website along with MD5 and SHA-1 hashes intended... actually, to do what?

If you're looking for a quick way to list all cookies used by a specific website, you should try

Confusion over AUTOCOMPLETE=OFF attributes in HTML forms

Before HTML5 the location and scope of the autocomplete attribute were not really standardized, which causes some confusion among both programmers and pentesters.
