The Embedded Web

Content Security Policy - The Reality


The Content Security Policy (CSP) is a powerful mechanism to prevent Cross Site Scripting (XSS) attacks on web sites, which account for the majority of all security vulnerabilities.

But CSP is off to a slow start and is not implemented on the vast majority of web sites. Perhaps the difficulty of implementing CSP is to blame?

This post examines a case study deploying CSP and has some recommendations for the social media companies to make it easier to implement CSP.

Content Security Policy Survey


The Content Security Policy (CSP) is a powerful mechanism to prevent Cross Site Scripting (XSS) attacks, which account for 84% of all security vulnerabilities in web sites. So you would think that such a magic bullet would be widely deployed and promoted.

Think again: CSP is implemented on less than 0.5% of web sites. Further, of those implementing sites, less than 3% are using CSP in the recommended manner that effectively mitigates Cross Site Scripting attacks. In fact, out of 21,823 sites surveyed, less than 0.02% of sites are effectively using CSP.

These are the results of a CSP survey to determine the level of CSP adoption in public web sites.

mbed TLS Integrated


Embedthis products, including the Appweb and GoAhead web servers, have supported a variety of SSL stacks for secure connectivity, including OpenSSL, mbed TLS, MatrixSSL and NanoSSL. However, this has often required separately downloading and building the SSL software. For some SSL stacks, building for your selected operating system can be a long and non-trivial exercise.

SSL is increasingly becoming mandatory and not just an option. Securely authenticating users and controlling access to a management interface requires SSL. Further, the emerging HTTP/2 protocol will use SSL by default. Consequently, we have been searching for a simpler way to offer secure SSL connectivity out-of-the-box.

Stop Using CGI


No, not the dinosaur kind of CGI that is Computer Generated Imagery, but the Common Gateway Interface kind used by web servers to render dynamic content.

CGI for web applications may appear simple and easy, but it is slow, clumsy, insecure and ancient.

Stop using it!

There are much better alternatives for nearly every use case.

What's Next for GoAhead and Appweb


It has been a hectic few months with plenty of releases and new initiatives. GoAhead and Appweb 5 have been updated and Appweb 6 has been released. Both products have started to make extensive use of the Pak package manager and we have a growing set of components available on the Pak Catalog.

But what does the future hold?

Appweb 6 Arrives

Appweb 6 is released and this marks the start of a new stage for Appweb. This is because Appweb 6 is currently almost identical to Appweb 5.4.4. Sounds strange, but Appweb now has all the battle-hardened features needed for embedded web development. So why change the version?

© Embedthis Software, 2003-2015. All rights reserved. Privacy Policy and Terms of Use.   Generated on Nov 24, 2015.