Blog

Practical, citation-backed guides written for engineers at the keyboard.

  • HTTP Security Headers·7 min read

    HSTS Explained: Force HTTPS Without Breaking Anything

    A practical guide to Strict-Transport-Security: how the max-age ramp works, when to add includeSubDomains and preload, and the cases where deploying HSTS too aggressively breaks a site in a way you cannot easily roll back, because browsers cache the policy for the full max-age and a preload-list entry cannot be withdrawn quickly.

    by Dowon Oh

  • HTTP Security Headers·19 min read

    Complete Guide to HTTP Security Headers

    A working developer's reference for the modern HTTP security-header set: Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, Permissions-Policy, Cross-Origin-Opener-Policy + Cross-Origin-Embedder-Policy, and Referrer-Policy — what each does, how to set it, and the realistic ways each one breaks a production site.

    by Dowon Oh

  • HTTP Security Headers·8 min read

    What is Content-Security-Policy (CSP)? A Practical Guide

    A working developer's guide to Content-Security-Policy: how the directives compose, why inline scripts and eval are flagged, when nonces beat hashes, and the report-only-first migration path that keeps a real site from breaking on day one.

    by Dowon Oh