or "How to detect malware, get scared and improve your JS security"
Disclaimer: I'm not a security expert.
"Unexpected token <"
"Can't find variable: webpackJsonp"
"Syntax error"
"null is not an object"
"_0x37f2x1[_0x86f3[70]][_0x86f3[69]] is not a function"
"Exception invoking info"
Technical Debt
Error handling, plan for the worst
No. Probably not.
$ snyk test
Content-Security-Policy: default-src 'self'
or
<meta http-equiv="Content-Security-Policy" content="default-src 'self';">
default-src 'self' cloud.caspeco.se cdn.caspeco.se
script-src cdn.raygun.io ... sha256-xxxxx
connect-src api.raygun.io ...
report-uri https://report-uri.com
Content-Security-Policy-Report-Only: default-src 'self'
Content-Security-Policy: upgrade-insecure-requests;
For when you can't rewrite URLs to be protocol-relative (e.g. "//mydomain.com"): the browser rewrites insecure requests to https before fetching them
http://foo.bar -> https://foo.bar
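To make the directives above concrete, here is an added example (not from the talk) of a simplified CSP evaluator: it parses a header like the one on the slides, applies the fallback rule (script-src, connect-src, img-src and the other fetch directives fall back to default-src only when they are absent), matches 'self' and scheme-less host sources, and applies upgrade-insecure-requests. The page origin `https://app.caspeco.se` and the exact header text are assumptions for the example; the hash value is the placeholder from the slide. It handles only the source forms the slides use (no wildcards, nonces or path matching), so it is a teaching aid rather than a spec-complete implementation.

```javascript
// Added example: a simplified evaluator for the CSP header on the slides.
// Covers 'self', 'none', host sources with or without scheme, hash sources,
// fallback to default-src, and upgrade-insecure-requests. Not spec-complete.

const PAGE_ORIGIN = 'https://app.caspeco.se'; // assumed origin of the protected page

// The slide's header joined on one line; 'sha256-xxxxx' is the slide's placeholder.
const EXAMPLE_CSP =
  "default-src 'self' cloud.caspeco.se cdn.caspeco.se; " +
  "script-src cdn.raygun.io 'sha256-xxxxx'; " +
  "connect-src api.raygun.io; " +
  "report-uri https://report-uri.com; " +
  "upgrade-insecure-requests";

// Parse "directive source source; directive ..." into a Map of token lists.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    policy.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return policy;
}

// Fetch directives that fall back to default-src when they are not set.
const FETCH_DIRECTIVES = new Set([
  'script-src', 'style-src', 'img-src', 'connect-src',
  'font-src', 'frame-src', 'media-src', 'object-src',
]);

function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (FETCH_DIRECTIVES.has(directive) && policy.has('default-src')) {
    return policy.get('default-src');
  }
  return null; // no applicable directive: the request is allowed
}

// upgrade-insecure-requests: rewrite http:// to https:// before matching.
function upgradeIfRequested(policy, url) {
  if (!policy.has('upgrade-insecure-requests')) return url;
  const u = new URL(url);
  if (u.protocol === 'http:') u.protocol = 'https:';
  return u.toString();
}

function matchesSource(source, url, pageOrigin) {
  const u = new URL(url);
  const page = new URL(pageOrigin);
  if (source === "'self'") return u.origin === page.origin;
  if (source === "'none'") return false;
  // Hash sources whitelist inline script content, not URLs.
  if (/^'(sha256|sha384|sha512)-/.test(source)) return false;
  if (source.startsWith("'")) return false; // other keywords: not URL matches
  const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(source);
  const s = new URL(hasScheme ? source : `${page.protocol}//${source}`);
  if (s.hostname !== u.hostname) return false;
  // A scheme-less host matches the page's scheme, and http sources also match https.
  return u.protocol === s.protocol || (s.protocol === 'http:' && u.protocol === 'https:');
}

function isAllowed(policy, directive, url, pageOrigin = PAGE_ORIGIN) {
  const target = upgradeIfRequested(policy, url);
  const sources = effectiveSources(policy, directive);
  if (sources === null) return true;
  return sources.some((src) => matchesSource(src, target, pageOrigin));
}

if (typeof require !== 'undefined' && require.main === module) {
  const policy = parseCsp(EXAMPLE_CSP);
  for (const [directive, url] of [
    ['script-src', 'https://cdn.raygun.io/raygun.min.js'],
    ['script-src', 'https://cdn.caspeco.se/app.js'],
    ['img-src', 'https://cdn.caspeco.se/logo.png'],
    ['connect-src', 'https://app.caspeco.se/api/orders'],
  ]) {
    console.log(directive, url, isAllowed(policy, directive, url) ? 'allowed' : 'BLOCKED');
  }
}
```

Two things the evaluator makes visible that the raw header does not: a script from cdn.caspeco.se is blocked, because once script-src is present default-src is no longer consulted for scripts; and connect-src as literally written contains no 'self', so the page's own fetch calls would be blocked too. That second case is exactly what rolling the policy out under Content-Security-Policy-Report-Only first is for.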
It's almost a silver bullet: a strict policy blocks injected scripts and stops data leaving for unlisted origins, but anything served from an allowed origin is still trusted, so keep the allow-list short
https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5
What is a CSP?
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
Supported by all modern browsers
https://caniuse.com/#search=CSP
Great tooling: report-uri.com
(We're hiring!)
anders@caspeco.se - @andersaberg