When to Return a 401 vs 403 HTTP Response

There are two sides of the security coin: authentication and authorization. Authentication answers the question of who (a principal) is making the request to a given endpoint. Authorization is what determines if the principal is actually allowed to do what they are trying to do. If authentication fails, a 401 Unauthorized response should be…

Redirecting HTTP Requests on an HTTPS Listener in Nginx (Status Code 497)

Nginx has a bunch of custom HTTP status codes that it uses internally to signal issues. One such status code is 497: the client made an HTTP request on an HTTPS listener. These custom status codes can be used in combination with an error_page directive, which can be used to redirect. This will send a…

Working with Multiple Content-Security-Policy Headers

Working with Multiple CSP Headers

Today I've been fighting with Content Security Policy (CSP). Servers may send multiple CSP headers, but there is a catch: "Adding additional policies can only further restrict the capabilities of the protected resource." I had wrongly assumed that I could pretty up my nginx configuration by splitting up the various *-src directives into separate add_header…