Handling Authentication Tokens in Single Page Apps

There are broad scenarios in which a single page app (SPA) needs to handle authentication: The SPA is using an API custom built for the app itself -- the API being used is not public in any other way The SPA is using an API built for public consumption -- one with a full fledged… Continue reading Handling Authentication Tokens in Single Page Apps

Working with Multiple Content-Security-Policy Headers

Working with Multiple CSP Headers

Today I've been fighting with Content Security Policy (CSP). Servers may send multiple CSP headers, but there is a catch: Adding additional policies can only further restrict the capabilities of the protected resource I had wrongly assumed that I could pretty up my nginx configuration by splitting up the various *-src directives into separate add_header… Continue reading Working with Multiple Content-Security-Policy Headers