Extended Validation certificates are expensive and degrade performance. Move to an OV certificate if you can!
This article aims to explain how to expose your API on the web without putting it, and therefore your company, in danger. It keeps in mind the two goals of any application-security strategy: make life hard for potential attackers while making life easy for legitimate consumers.
Configuring TLS is perhaps the most complicated and error-prone of all IT tasks, and this tool tries to make it as easy as possible.
"Every bit of JavaScript you add to a site is a potential way in for a hacker. This is doubly true if that JavaScript is hosted by someone else, such as on a public CDN. Subresource Integrity is a browser feature you can use to make sure that the code being used is exactly what you intended."
I’m harvesting credit card numbers and passwords from your site. Here’s how.
"Due to recently disclosed security vulnerabilities for nearly all computers, you should disable any JavaScript cookie manipulation on your website (e.g. when using the critical CSS technique) by setting your cookies to be SameSite and HttpOnly on the server, as recommended on the Chromium wiki. Otherwise, sensitive data, like session keys, may be exposed to malicious third parties."
How To Remove Unwanted HTTP Response Headers
"Striking the right balance between security and user experience is undoubtedly a big challenge for both large enterprises and small businesses. Yet with a proper DEM solution in place, it doesn’t have to be quite so daunting."
"HTTPS is easier and cheaper than ever before, and it enables both the best performance the web offers and powerful new features that are too sensitive for HTTP. There’s never been a better time to migrate! Developers, check out our set-up guides to get started."
"We created Let’s Encrypt in order to make getting and managing TLS certificates as simple as possible. For Let’s Encrypt subscribers, this usually means obtaining an ACME client and executing some simple commands. Ultimately though, we’d like for most Let’s Encrypt subscribers to have ACME clients built in to their server software so that obtaining an additional piece of software is not necessary. The less work people have to do to deploy HTTPS the better!"
"Observatory by Mozilla is a project designed to help developers, system administrators, and security professionals configure their sites safely and securely."
If OAuth2 is still a vague concept to you, or you simply want to be sure you have understood how it works, this article by Johann, a former Clever Age colleague, should interest you.
"Content Security Policy lets you protect your website against the effects of many content-injection vulnerabilities. Let's see why and how to use this simple yet very powerful HTTP header, now widely supported by web browsers."