My code is not unsafe(-eval)

I was working on a project this week when I came across something which confused me, and that was the following error in my browser console… Refused to evaluate a string as JavaScript because ‘unsafe-eval’ is not an allowed source of script in the following Content Security Policy directive: ‘self’ In itself, not massively odd.  I…

Easily fixing insecure references

One of the easiest mistakes to make when trying to convert an insecure HTTP website over to a secure HTTPS one is mixed content. Mixed content is when the site itself is loaded over HTTPS, but it contains links to content which are HTTP and therefore insecure – there’s no point knowing that the page…

Require SRI (Sub Resource Integrity)

I’ve written previously about both CSP (Content Security Policy) and SRI (Sub Resource Integrity), both of which are mechanisms that can be used to better secure your website. CSP (or Content Security Policy) allows you to set a number of directives about what types of content can be loaded by your website, and what locations they can…