So what did the Gmail team learn while protecting their app?
- “Prevent vulnerabilities through product design”
- “Empower users to take action through a meaningful feedback UI”
- “Any defense can be defeated – use defense in depth with multiple layers of protection”
- “Detection systems are imperfect – implement catch-up mechanisms”
- “Make it hard for attackers to understand your defenses”
- “Implement an emergency system” as a last resort
And now for other interesting reads:
- Let’s Encrypt & Nginx: Setting up Let’s Encrypt, nginx and security headers
- How I got XSS’d by my ad network: XSS from ad networks on a security researcher’s blog
- The misunderstood X-XSS-Protection: Rails sends the recommended setting by default, but it is an interesting read
- Secure websites shun HTTP Public Key Pinning: HTTP Public Key Pinning is not widely adopted, partly because a small mistake could wipe out an online business
- Uber bug bounty: Turning self-XSS into good-XSS: How self-XSS can still be used to affect other users