webappsec.dev
Leading Google's web security team. Passionate about web security and making secure-by-default web development the norm. Contributed to web platform security features like CSP, Fetch Metadata, COOP and Trusted Types.
53 posts 2,019 followers 672 following

Building secure web apps shouldn't be a burden. We've built a high-assurance web framework at Google that makes security easy for developers. Learn about our "Secure by Design" approach and how it works in our new blog post: bughunters.google.com/blog/6644316... cc: @ddworken.bsky.social

The Great Google Password Heist: 15 years of hacking passwords to test our security (and build team culture!) bughunters.google.com/blog/6355265...

Modern solutions against cross-site attacks (frederikbraun.de/modern-solut...): An article about cross-site leak attacks and browser-based defenses. You will also learn why web security best practices are always opt-in and finally how YOU can get increased security controls.

Welcome @shhnjk.bsky.social 🎉

This is my #IT, #Infosec, and #Cybersecurity starter pack. There’s plenty of room if some people want to be added too. But here are some feeds and people I recommend following go.bsky.app/QYMa3yN

MITRE: Cross-Site Scripting Is 2024's Most Dangerous Software Weakness www.darkreading.com/application-...

Handling Cookies is a Minefield: Inconsistencies in the HTTP cookie specification and its implementations have caused a situation where countless websites (including Facebook, Netflix, Okta, WhatsApp, Apple, etc.) are one small mistake away from locking their users out. grayduck.mn/2024/11/21/h...

Congratulations, this is amazing! Since you asked, our Google CSP/Reporting API collector currently processes ~3.5B reports per day. That's for CSP, COOP, Trusted Types, and custom reporting. It has enabled us to truly scale up deployment of web platform security features across Google in a safe way.

What do you call a padlock for spiders? Web security! ... I'll see myself out...

It took me twelve years (!) to build up my audience on Twitter. It took 5 days to surpass the 50% point of my Twitter following on Bluesky. I’m hopeful that the overall growth on this site will negate the need to go on Twitter altogether. Sad to see what it devolved into, but thrilled to see it die.

Bluesky now has over 20M people!! 🎉 We've been adding over a million users per day for the last few days. To celebrate, here are 20 fun facts about Bluesky:

Great article about multipart parsing. Reminds me about the bypasses I found in modsec parser medium.com/@terjanq/waf...

Signature-based SRI is being spec'd right now: wicg.github.io/signature-ba... This will be useful for many use cases and become relevant for PCIv4 compliance, which requires assuring the integrity of sourced scripts (6.4.3). Please chime in and share your use cases: github.com/WICG/signatu...

Web security starter pack is in good shape now and includes many amazing folks passionate about web security like @terjanq.bsky.social and @shehackspurple.bsky.social: go.bsky.app/Uf8dZhz Please share and recommend folks passionate about web security so we can get this community started here 🙂

Read all about how we made web security measurable at Google! Security signals have allowed us to massively scale our web security program and enabled us to deploy security features like CSP or Trusted Types at scale!