Tag
Notes tagged “security”
Every note filed under security, newest first.
A filtered view of the notes.
2026
- The Header That Can't Be Cached
Cache-Control from first principles — and why a page carrying a CSP nonce must be told never to be stored, not merely "don't cache."
- Trust No Script
Why a strict Content Security Policy is one of the hardest headers to deploy — and how to read a real one with Google's CSP Evaluator.
- Can I Use This Library?
A strict CSP quietly turns every dependency into a security decision. Here is the tree I walk to make it — per library, and across a whole app.
- The URL Is the Hash
Content-addressing on the wire — how the web quietly became a content-addressed store, where fingerprinted URLs and Subresource Integrity are real Merkle edges and the cache that looks most like one isn't.
- You Don't Want Separate Repos
A repository is a database; splitting a subproject out trades a content hash for a version string — and there's only one case where that trade is actually forced.