VulWall Knowledge Base

Practical Security Guides For Your Team

Clear, non-alarmist guidance for real web vulnerabilities so your team can prioritize fixes confidently.


Browse Articles


Security Safety Net Weakened by Permissive Script Settings

Severity: medium

Your website sends a security header called a Content Security Policy (CSP). Think of it as a bouncer that controls which scripts are allowed to run on your pages. Right now, two settings in that policy ('unsafe-inline' and 'unsafe-eval') tell the bouncer to wave almost anyone through: 'unsafe-inline' lets any script written directly into the page run, including inline event handlers, and 'unsafe-eval' lets code be built from strings with eval() and similar functions. Script injection is exactly what a CSP is meant to stop, so these two settings largely defeat the purpose of having one. This is a defence layer that isn't doing its job properly, not an active attack.

Not directly exploitable. Effort: large
Topics: csp, xss, http-headers, unsafe-inline, +3
4 min read, Feb 19, 2026

Webpages Can Be Embedded by Other Sites (Clickjacking Risk)

Severity: medium

Your website is missing a security setting that tells browsers whether your pages may be embedded inside other websites (the X-Frame-Options header, or the frame-ancestors directive of a Content Security Policy). Without it, a malicious site could load one of your pages in an invisible frame and overlay it with its own content, tricking your visitors into clicking buttons or links they didn't intend to. This technique is called clickjacking. This is a missing protection layer, not an active attack in progress.

Not directly exploitable. Effort: trivial
Topics: clickjacking, http-headers, x-frame-options, csp, +3
4 min read, Feb 18, 2026

Missing Browser Security Policy Leaves Site Without a Content Filter

Severity: medium

Your website does not send a security header called a Content Security Policy (CSP). Think of it as a guest list for your website: it tells visitors' browsers which scripts and other resources are allowed to load and run, and blocks everything else. Without it, your site is missing one layer of protection that could limit the damage if another vulnerability, such as a script injection flaw, were ever found.

Not directly exploitable. Effort: medium
Topics: csp, security-headers, xss, defence-in-depth, +2
4 min read, Feb 18, 2026
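All three findings above come down to a few response headers. As an added example (this is not VulWall's code or the code of any of the linked articles), the JavaScript below parses a Content-Security-Policy value and reports the three conditions described on this page: 'unsafe-inline' or 'unsafe-eval' in the script sources, no framing restriction (neither frame-ancestors nor X-Frame-Options), and no CSP at all. The header samples are constructed for the example, the nonce value is a placeholder, and cdn.example is a made-up host. One caveat the check accounts for: browsers that understand nonces or hashes ignore 'unsafe-inline' when one is present, so it is only reported when it actually takes effect.

```javascript
// Added example, not VulWall's code. Audits a response's security headers for
// the three findings listed on this page. Input: an object of lower-cased
// header names -> values, as you would build from a curl or fetch() capture.

// Parse a CSP value into a Map of directive name -> array of source tokens.
// Directives are ';'-separated, tokens whitespace-separated, names are
// case-insensitive, and browsers keep the first copy of a repeated directive.
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// The sources that govern script execution: script-src, falling back to
// default-src when script-src is absent.
function scriptSources(csp) {
  return csp.get('script-src') || csp.get('default-src') || null;
}

// Returns a list of finding codes (empty when none of the three issues apply).
function auditHeaders(headers) {
  const findings = [];
  const cspValue = headers['content-security-policy'];
  const csp = cspValue === undefined ? null : parseCsp(cspValue);

  if (!csp) {
    findings.push('missing-csp'); // third article: no policy at all
  } else {
    const sources = scriptSources(csp);
    if (sources) {
      const lower = sources.map((s) => s.toLowerCase());
      // CSP Level 2+ browsers ignore 'unsafe-inline' when a nonce or hash is
      // present in the same directive, so only flag it when it takes effect.
      const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
      if (lower.includes("'unsafe-inline'") && !hasNonceOrHash) findings.push('unsafe-inline');
      if (lower.includes("'unsafe-eval'")) findings.push('unsafe-eval');
    }
  }

  // Clickjacking (second article): either frame-ancestors or a valid
  // X-Frame-Options value must restrict framing.
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  const hasXfo = xfo === 'DENY' || xfo === 'SAMEORIGIN';
  const hasFrameAncestors = csp !== null && csp.has('frame-ancestors');
  if (!hasFrameAncestors && !hasXfo) findings.push('framable');

  return findings;
}

// Constructed sample responses (not captured from any real site).
const permissiveCsp = {
  'content-security-policy':
    "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.example",
  'x-frame-options': 'DENY',
};
const noFraming = {
  'content-security-policy': "default-src 'self'; script-src 'self' 'nonce-d2xt9q'",
};
const noCsp = {
  'x-frame-options': 'SAMEORIGIN',
};
// The corrected configuration: nonce-based script-src, no eval, framing
// disallowed, plus object-src and base-uri locked down (the nonce is a
// placeholder; a real one is random per response).
const hardened = {
  'content-security-policy':
    "default-src 'self'; script-src 'self' 'nonce-d2xt9q'; object-src 'none'; " +
    "base-uri 'self'; frame-ancestors 'none'",
};

for (const [name, headers] of Object.entries({ permissiveCsp, noFraming, noCsp, hardened })) {
  console.log(name, auditHeaders(headers));
}
```

Point auditHeaders at the headers of a real response (lower-cased names) to get the same three codes; an empty list means none of the findings on this page apply, though it says nothing about whether the remaining sources in the policy are themselves trustworthy.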