browser-security

Sessions are fine when they are treated like security-sensitive state. I set HttpOnly, Secure, and SameSite deliberately, rotate session identifiers after login, and keep idle timeout separate from absolute timeout. Weak cookie settings are still a co

I like CSP reporting because it reveals both rollout mistakes and active attack attempts. The endpoint should accept reports quietly, avoid noisy validation failure loops, and forward the data into normal observability systems. Reporting without triag

CORS is not an authentication control, but bad CORS settings still widen attack surface unnecessarily. I allow exact origins, restrict methods and headers, and avoid wildcard credentials combinations entirely. If the front-end origin list is unclear,

CSP design is about reducing script execution freedom without breaking the app. I prefer nonces over unsafe-inline, keep the allowed source list tight, and roll policies out in report-only mode first. That gives teams a workable path from permissive f