Checking for insecure references

Insecure content is one of those things that can be tricky to find, even though it’s easy to workaround.  Let’s start by being clear about what we’re talking about. Insecure content is when your website itself is using HTTPS (the address starts with https://) but some of the content links (eg. images, javascript, stylsheets, etc.)…

Cloudflare Server-Side Excludes

Cloudflare has a great little piece of functionality called “Server-Side Excludes”, tucked away on the “Scrape Shield” tab.  The idea is that if you have some information that you’d rather not have a suspicious person (or bot!) seeing, but you don’t want to hide the page from them completely, you can just hide the specific…

Easily fixing insecure references

One of the easiest mistakes to make when trying to convert an insecure HTTP website over to a secure HTTPS one is mixed content. Mixed content is when the site itself is loaded over HTTPS, but it contains links to content which are HTTP and therefore insecure – there’s no point knowing that the page…

Sonarwhal renamed to Webhint

A little over a year ago I wrote a post about testing your website with sonarwhal, a new tool I’d heard about for testing you website for security, performance and accessibility issues.  I then followed that up with a post about sonarwhal via the command line. I did promise to go through and fix all the issues…

Require SRI (Sub Resource Integrity)

I’ve written previously about both CSP (Content Security Policy) and SRI (Sub Resource Integrity), both of which are mechanisms that can be used to better secure your website. CSP (or Content Security Policy) allows you to set a number of directives about what types of content can be loaded by your website, and what locations they can…