Notes tagged “security”

Every note filed under security, newest first.

A filtered view of the notes.

2026

  1. The Header That Can't Be Cached

    Cache-Control from first principles — and why a page carrying a CSP nonce must be told never to be stored, not merely "don't cache."

  2. Trust No Script

    Why a strict Content Security Policy is one of the hardest headers to deploy — and how to read a real one with Google's CSP Evaluator.

  3. Can I Use This Library?

    A strict CSP quietly turns every dependency into a security decision. Here is the tree I walk to make it — per library, and across a whole app.

  4. The URL Is the Hash

    Content-addressing on the wire — how the web quietly became a content-addressed store, where fingerprinted URLs and Subresource Integrity are real Merkle edges and the cache that looks most like one isn't.

  5. You Don't Want Separate Repos

    A repository is a database; splitting a subproject out trades a content hash for a version string — and there's only one case where that trade is actually forced.
