CSP is the Content Security Policy for your website’s pages. Think of it as a foreman on a construction site, checking all the material loads coming to the gate, verifying that they meet the requirements and sources defined by you, the architect. Accepting pine paneling for oak paneling in the specs would be disastrous for […] The post Are You Down With CSP? appeared first on PHP Architect.| PHP Architect
by Source Defense The Source Defense Research team has uncovered another active eSkimming campaign which demonstrates the use of novel techniques, and an increasing adversarial focus on attacking websites with techniques that bypass eSkimming security controls which focus solely on protecting payment pages. This indicates an evolution on the part of our adversaries in terms The post New Breed of Magecart: GTMs Working Together, JavaScript Hidden in CSS appeared first on Source Defense.| Source Defense
by Source Defense On a recent Source Defense roundtable, seasoned QSAs gathered to discuss the latest PCI DSS 4.0.1 updates—specifically requirements 6.4.3 and 11.6.1—and how organizations should respond. What followed was a frank, practical, and sometimes surprising conversation about merchant eligibility, the limits of iframe protection, and what compliance now looks like in an eSkimming-threatened The post What QSAs Are Saying About PCI DSS 4.0.1 and eSkimming Controls appeared first o...| Source Defense
by Source Defense A recent incident at Blue Shield of California highlights the critical importance of client-side security controls when implementing third-party scripts on healthcare websites. The nonprofit health plan has disclosed a significant data breach affecting 4.7 million members, stemming from a misconfiguration of Google Analytics on their web properties between April 2021 and The post Client-Side Security Breach Alert: Blue Shield of California Exposes 4.7 Million Members’ Heal...| Source Defense
Source Defense Research Blog | April 23, 2025 A Familiar Threat Resurfaces in the UK Our Source Defense Research team has uncovered an active Magecart-style eSkimming attack targeting a major UK-based online homeware retailer among a list of others. This campaign employs the same technique we observed earlier this year on another UK site, and The post New Magecart Variant Targets UK Retailer in Stealthy Double-Entry Attack appeared first on Source Defense.| Source Defense
With the introduction of PCI DSS 4.0, merchants are now grappling with new requirements that aim to enhance the security of cardholder data. At a recent roundtable hosted by Source Defense, industry veterans gathered to dissect these changes and their implications for businesses of all sizes. The post Polyfill – Additional Analysis and Discovery: Signs of PII and Credential Harvesting, Broad Exposure through Digital Supply Chain appeared first on Source Defense.| Source Defense
Don't Wait - Get Moving Now on eSkimming Security! There are more than 50 new requirements in PCI DSS 4.0. That's a lot to worry about and a lot to get ready for in just a short period of time. Realistically, with an impending Q4 code-freeze, you have the next six months to tackle it all. The post [Recording] A 90 Day Action Plan for 6.4.3 and 11.6.1 appeared first on Source Defense.| Source Defense
Join us for a webinar that will dig into CoalFire's thoughts and answer the questions you have! We'll dig deep into the requirements found in 6.4.3 and 11.6.1. We'll look at CoalFire's view on what is really in scope. The post [Recording] Go With The Payment Flow appeared first on Source Defense.| Source Defense
Join us for this informative discussion around strict new requirements for PCI DSS Compliance. We'll examine the changes outlined in 6.4.3 and 11.6.1. You’ll leave with an actionable timeline and guidance for success that will ensure readiness and successful compliance before the looming deadline. The post [Recording] Understanding PCI DSS 4.0 in Higher Education appeared first on Source Defense.| Source Defense
Source Defense gathered hundreds of the world’s largest merchants, Payment Service Providers, QSACs and Card Associations to hear from a prominent group of leading thinkers in compliance and data security standards to deliberate the forthcoming tides of transformation encapsulated in PCI DSS version 4.0. The post [Recording] PCI Dream Team Roundtable appeared first on Source Defense.| Source Defense
eSkimming is a growing threat to businesses of all sizes. This type of attack involves injecting malicious code into a website to steal credit card data as it is entered by customers. eSkimming attacks can be difficult to detect and prevent, but there are a number of steps that businesses can take to protect themselves. The post [Recording] Kick Starting PCI DSS 4.0 appeared first on Source Defense.| Source Defense
eSkimming is a growing threat to businesses of all sizes. This type of attack involves injecting malicious code into a website to steal credit card data as it is entered by customers. eSkimming attacks can be difficult to detect and prevent, but there are a number of steps that businesses can take to protect themselves. The post [Recording] Cyber Academy Learning Session 1 of 3 appeared first on Source Defense.| Source Defense
As we continue to expand and improve our offering, one particular area of focus over recent months has been on PCI DSS Compliance. Whilst 'compliance' might not be the first thing that many get excited about, the recent requirements introduced by the PCI SSC required some pretty solid| Scott Helme
Some time ago, while reading up on new CSS features, I asked myself: Is it possible to leak the entire content of an HTML text node only using CSS?| pspaul's blog
The Sonar Research team discovered critical code vulnerabilities in Proton Mail, Skiff and Tutanota. This post covers the technical details of the XSS vulnerability in Proton Mail.| www.sonarsource.com
In this post I go over how to create a least-privilege CSP policy from scratch.| Diogo Mónica
Even though www.diogomonica.com is a statically generated HTML blog, I took the time to go from an F on securityheaders.io to an A+.| Diogo Mónica
Looking at CSP Manager that lets you control the CSP from Umbraco| iO tech_hub
In this month’s newsletter: China energy transition updates Special column – power market reform Policy monitoring If you would like| China Energy Transformation Program
Webinar Replay: Community Enablement Watch the webinar, then CLICK HERE to visit our PCI DSS 4.0 Resource Center Download the CoalFire whitepaper below [Whitepaper] CoalFire Provides Guidance on PCI DSS 6.4.3 and 11.6.1 Guidance from CoalFire on the eSkimming Security requirements found in PCI DSS 4.0. The most talked about and concerning new requirements in PCI| Source Defense
Project88 reflects on major human rights events during the first year of the U.S.-Vietnam diplomatic upgrade, including the revelation of Directive 24, the arrest of key labor reformers, the attempted extradition of Montagnard activist Y Quynh Bdap from Thailand, and the secret trial of energy policy expert Ngo Thi To Nhien.| Project88
With the introduction of PCI DSS 4.0, merchants are now grappling with new requirements that aim to enhance the security of cardholder data. At a recent roundtable hosted by Source Defense, industry veterans gathered to dissect these changes and their implications for businesses of all sizes.| Source Defense
The latest version of PCI DSS just dropped and it's really awesome to see that one of the most notorious threats that we face online when it comes to payment card data is now being directly addressed. Magecart has wreaked havoc on some really large brands and well known organisations| Scott Helme
You’ve probably run into a scenario like this before and never understood why: You assign a new, seemingly harmless policy into a configuration profile in Intune, and now the device reboots a…| Out of Office Hours
Summary of changes in the Alexa Top 1M since February of 2018|
Continual improvement in the Alexa Top 1 Million sites|
Just how bad is security in the top one million sites? Better!|
Just how bad is security in the top one million sites? Very bad.| grayduck.mn
Implementing CSP on AMO took six years, but we did it!| grayduck.mn
CSP allows you to whitelist sources of content the browser can load. An effective solution to XSS, it can be easily deployed and is widely supported.| Scott Helme
This is a tale of how we found a wormable XSS on Twitter, and how we managed to fully bypass its CSP policy.| Virtue Security