Perfectly on time, two minutes before midnight, I managed to publish a new article. Today it's about CSP and how you can use it to prevent unexpected/unwanted leaks of user data.

shivering-isles.com/self-isola

Maybe not my greatest piece, but it's in the spirit of the situation and therefore 🤷 Enjoy! :blobfox:

#blog #article #infosec #CSP #http

@kravietz To be honest, I wouldn't recommend this scanner. First of all, it recommends a bunch of things that don't make any sense. Like SRI for resources from the same origin, recommending upgraded requests for a website that enforces HSTS, recommending `'strict-dynamic'` when no third-party requests are made, …

All that in combination with ads for their own service. It leaves a bit of a bad taste.
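The three objections in the post above can be written down as checks. The following is an added example (not code from the thread, the blog article or the scanner being discussed): a small CSP parser plus a lint that only emits a recommendation when the page's actual resource loads justify it. The sample page, policy and resource list are constructed; one refinement over the post is that HSTS is treated as covering only the page's own host, so `http://` fetches from other hosts still count.

```python
from urllib.parse import urlsplit

# Constructed sample input: a page that loads only its own assets under a nonce-based policy.
SAMPLE_PAGE = "https://example.test/index.html"
SAMPLE_CSP = "default-src 'self'; script-src 'self' 'nonce-d2ViY29va2llcw'; object-src 'none'"
SAMPLE_RESOURCES = [
    "https://example.test/app.js",
    "https://example.test/style.css",
]


def parse_csp(header):
    """Parse a Content-Security-Policy value into {directive: [source expressions]}.

    Directives are ';'-separated; the first token names the directive and the
    rest are its values. Directive names are case-insensitive. Browsers honour
    only the first occurrence of a directive, so duplicates are dropped here too.
    """
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def lint_recommendations(page_url, csp_header, resource_urls, hsts_enforced):
    """Return [(recommendation, reason)] only for recommendations that apply.

    Checks, mirroring the objections in the thread:
      * SRI is only useful for resources fetched from another host.
      * upgrade-insecure-requests only helps when something is fetched over
        plain http that HSTS will not upgrade (HSTS covers the page's own host
        only, and only when it is actually enforced).
      * 'strict-dynamic' is only suggested for a nonce/hash-based script-src
        that also loads third-party scripts.
    """
    policy = parse_csp(csp_header)
    page_host = host_of(page_url)
    third_party_hosts = sorted({host_of(u) for u in resource_urls if host_of(u) != page_host})
    unprotected_http = [
        u for u in resource_urls
        if urlsplit(u).scheme == "http" and (host_of(u) != page_host or not hsts_enforced)
    ]
    # script-src falls back to default-src when absent
    script_src = policy.get("script-src", policy.get("default-src", []))
    nonce_or_hash = any(v.startswith("'nonce-") or v.startswith("'sha") for v in script_src)

    recs = []
    if third_party_hosts:
        recs.append(("add SRI", "cross-host resources from " + ", ".join(third_party_hosts)))
    if unprotected_http and "upgrade-insecure-requests" not in policy:
        recs.append(("add upgrade-insecure-requests",
                     f"{len(unprotected_http)} http:// fetch(es) that HSTS does not cover"))
    if third_party_hosts and nonce_or_hash and "'strict-dynamic'" not in script_src:
        recs.append(("add 'strict-dynamic'", "nonce/hash-based script-src that loads third-party scripts"))
    return recs


if __name__ == "__main__":
    recs = lint_recommendations(SAMPLE_PAGE, SAMPLE_CSP, SAMPLE_RESOURCES, hsts_enforced=True)
    if not recs:
        print("nothing to recommend: only same-host https resources under HSTS")
    for rec, why in recs:
        print(f"{rec}: {why}")
```

For the constructed sample the lint returns nothing, which is the point: SRI, upgrade-insecure-requests and `'strict-dynamic'` are all no-ops for a page that only loads its own assets over HTTPS with HSTS. Add a `https://cdn.example.net/lib.js` to the resource list and SRI and `'strict-dynamic'` start to apply; add a plain-`http://` fetch from a foreign host and upgrade-insecure-requests applies as well.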

@sheogorath

What do you mean by "ads for their own service"?

P.S. I'm the one developing this scanner so happy to accept any criticism!

@kravietz

> "The header exposes web server version details. These serve no purpose apart from making the life of security auditors and hackers easier, leading them straight to exploits for this particular version of product. WebCookies.org does offer security design and penetration testing services so we can help!"

It's kind of the point of the server header to make it easy to detect versions. Hiding it is just security by obscurity and makes it harder to inform people about possible problems.


@sheogorath

You're right about CSP and SRI, this is due to how the rules are currently implemented and is on my TODO list.

And regarding ads for my services... yes, the service is available 100% for free and the infrastructure alone costs 200 GBP per month, not counting my work, so I'm definitely not going to hide the fact that I'm also available for hire.

@kravietz Not saying you have to or should. I'm just saying that it's something I'm simply reluctant to recommend to people.

Mastodon 🔐 privacytools.io
