Content Security Policy (CSP)

I've been learning about web security in the last few days, and today I learned about CSP, or Content Security Policy.


Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. 

MDN web docs

In simple words, it lets you control which domains your resources (images, CSS and JavaScript files) may be loaded from, which means you can stop your site from loading external scripts that might harm your visitors.

How does it work?

You can set a CSP either by returning a Content-Security-Policy HTTP header or by adding a meta tag to your HTML document.

How do I write a policy?

Let’s write a simple policy for my site:

  • I will start by adding a meta tag to my header
<meta http-equiv="Content-Security-Policy" content="">

As you probably noticed, the content attribute is empty; this is where we add our own rules, so let's add them.

  • Initially I want to allow my site to load resources from my own domain, so our first rule is:
default-src 'self'
  • Since my site is hosted on, I want to load resources from, and, let's add the rules
default-src 'self' * * *
  • Now the browser will only load resources on my site from those domains. I can be more specific and choose which domains the site may load scripts, media or images from; let's add only to our images rule
default-src 'self' * *; img-src *
  • My meta tag now looks something like this
<meta http-equiv="Content-Security-Policy" content="default-src 'self' * * *">
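
To see what these rules actually do in the browser, here is an added example (my own code, not part of the original post) that parses a policy string like the ones above and answers "would this resource be fetched?". It applies the fallback from img-src (and the other fetch directives) to default-src, and the 'self', 'none', '*' and host matching rules. It is a simplified model: ports, paths, nonces and hashes are not handled. The host names (myblog.example, *.wp.example, cdn.example.org, images.example.net) are constructed placeholders, since the real domains from the post were lost when the page was extracted.

```python
"""Simplified Content-Security-Policy evaluator (added example, not from the post).

Given a policy string and a directive, it decides whether a URL may be loaded
from a page at page_origin. Simplifications: ports, paths, nonces and hashes
are ignored; 'self' is strict same-origin. All host names are placeholders.
"""
from urllib.parse import urlsplit

# Fetch directives that fall back to default-src when they are absent.
FALLS_BACK_TO_DEFAULT = {
    "img-src", "script-src", "style-src", "media-src",
    "font-src", "connect-src", "object-src",
}


def parse_policy(policy: str) -> dict[str, list[str]]:
    """Split 'a b; c d' into {'a': ['b'], 'c': ['d']}; first occurrence of a directive wins."""
    directives: dict[str, list[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def host_matches(pattern: str, host: str) -> bool:
    """Host-source matching: exact host, or '*.example' for any subdomain (not the bare domain)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example"
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern == host


def source_allows(source: str, page_origin: str, url: str) -> bool:
    """Does one source expression (e.g. 'self', cdn.example.org, https:) permit url?"""
    page, target = urlsplit(page_origin), urlsplit(url)
    if source == "'none'":
        return False
    if source == "'self'":
        return (page.scheme, page.hostname) == (target.scheme, target.hostname)
    if source.startswith("'"):  # 'unsafe-inline', nonces, hashes: not about fetched URLs
        return False
    if source == "*":  # any network host; data:/blob: URLs are not covered by '*'
        return target.scheme in {"http", "https", "ws", "wss"}
    if source.endswith(":") and "/" not in source:  # scheme-source such as "https:"
        return target.scheme == source[:-1].lower()
    if "://" in source:  # host-source with an explicit scheme
        scheme, _, hostpart = source.partition("://")
        if target.scheme != scheme.lower():
            return False
    else:
        hostpart = source
    hostpart = hostpart.split("/")[0].split(":")[0]  # drop path and port (not modelled)
    return host_matches(hostpart, target.hostname or "")


def is_allowed(policy: str, directive: str, page_origin: str, url: str) -> bool:
    """Apply the directive (or default-src as fallback) to url."""
    directives = parse_policy(policy)
    sources = directives.get(directive)
    if sources is None and directive in FALLS_BACK_TO_DEFAULT:
        sources = directives.get("default-src")
    if sources is None:
        return True  # no applicable directive: CSP imposes no restriction
    return any(source_allows(s, page_origin, url) for s in sources)


# Constructed demo: the post's policy shape with placeholder hosts.
PAGE = "https://myblog.example"
POLICY = "default-src 'self' *.wp.example cdn.example.org; img-src images.example.net"

if __name__ == "__main__":
    checks = [
        ("script-src", "https://myblog.example/app.js"),        # 'self'
        ("script-src", "https://s0.wp.example/lib.js"),         # *.wp.example
        ("script-src", "https://wp.example/lib.js"),            # bare domain: no
        ("script-src", "https://evil.example/x.js"),            # not listed
        ("img-src", "https://images.example.net/a.png"),        # img-src host
        ("img-src", "https://myblog.example/logo.png"),         # img-src replaces default-src
    ]
    for directive, url in checks:
        print(f"{directive:11} {url:40} {is_allowed(POLICY, directive, PAGE, url)}")
```

Two things the output makes visible: `*.wp.example` does not match `wp.example` itself, and once an `img-src` directive exists it replaces `default-src` for images entirely, so the page's own `logo.png` is blocked unless `'self'` is repeated in `img-src`. A policy such as `default-src 'self' *`, by contrast, lets scripts load from any http(s) host.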

You can read more about CSP in the MDN Docs and, if you have a WordPress site, you can use this plugin.

Always Be Reading

Shekhar Gulati

I became a software engineer by chance. I was offered a job by a software organization during my campus interviews. I took it. And I became a software engineer.

Because I had pursued a bachelor's in Mechanical engineering, I learned little about computer science in the four years of my undergraduate course. My only interaction with it was during the first semester, where one of the subjects was the C programming language. As far as I remember, I enjoyed programming a lot. After entering the job, it took me a couple of years to figure out how I could succeed in the professional world. I realized that my magic formula to do well in professional and personal life is Always Be Reading.

In this post, I will share my thoughts on having a beginner mindset and continuously improving yourself to live a meaningful and fulfilling life.


Getting software right is hard. It takes knowledge and skills that most young programmers haven’t yet acquired. It requires thought and insight that most programmers don’t take the time to develop. It requires a level of discipline and dedication that most programmers never dreamed they’d need.
Mostly, it takes a passion for the craft and the desire to be a professional.

Robert C. Martin

git: Pushing to a Remote Branch with a Different Name

Pen and Pants

Normally when I do a push in git I do something like git push origin master, which really means push from the local branch named master to the remote branch named master. If you want to push to a remote branch with a different name than your local branch, separate the local and remote names with a colon:

git push origin local-name:remote-name

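
The colon form in action, as an added example (my own script, not from the Pen and Pants post): it creates a throwaway local repository with a branch called local-name, a bare repository standing in for origin, pushes with local-name:remote-name, and then lists the branches the remote ended up with. The repository names and the demo committer identity are assumptions of the example.

```shell
#!/bin/sh
# Added example: push local branch "local-name" to remote branch "remote-name"
# and confirm what the remote holds. Runs entirely in a temporary directory;
# "origin.git" is a local bare repository standing in for a real remote.
set -eu

push_with_rename() {
  tmp=$(mktemp -d)
  (
    cd "$tmp"
    git init -q --bare origin.git            # the stand-in remote
    git init -q local
    cd local
    git checkout -q -b local-name            # local branch with its own name
    git -c user.name=demo -c user.email=demo@example.com \
        commit -q --allow-empty -m "first commit"
    git remote add origin ../origin.git
    # <local ref>:<remote ref> -- the remote branch gets the name after the colon
    git push -q origin local-name:remote-name
    # Branch names now present on the remote (expected: remote-name only,
    # no branch called local-name was created there)
    git --git-dir=../origin.git for-each-ref --format='%(refname:short)' refs/heads/
  )
  rm -rf "$tmp"
}

push_with_rename
```

Running it prints remote-name and nothing else: the local branch keeps its name, and only the name after the colon exists on the remote.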

Resizing Vagrant machine hard drive

I was setting up a site this morning when I started seeing this error: cannot create temp file for here-document: No space left on device. I couldn't successfully import a database or even cd into any folder on the machine.

After trying a few things I found this gist: which successfully helped me fix the issue.

In my case I only followed steps 1-9, further steps weren’t necessary.