SameSite and Yesod

SameSite is a cookie attribute that reduces exposure to CSRF by controlling whether the browser attaches the cookie to requests that originate from another site. The latest version of the Cookie library supports this option, and you can start using it...
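To make the CSRF mitigation concrete, here is an added example (not code from the post or from the Cookie library) that models the browser-side decision: whether a cookie with a given SameSite value is attached to a request, depending on whether the request is same-site, and for Lax whether it is a top-level navigation with a safe method. The site comparison, the hostnames and the request scenarios are constructed for illustration; the registrable-domain check is a simplification that does not consult a public-suffix list.

```python
"""Model of the browser's SameSite decision, which is what blunts CSRF.

Constructed example, not code from the Yesod post or the cookie library.
Rules mirrored: Strict is sent only on same-site requests; Lax is also sent
on top-level navigations that use a safe method; None is sent cross-site
but only when the cookie is Secure and the request is over https.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def registrable_domain(host: str) -> str:
    # Simplification (assumption): the last two labels form the site.
    # Real browsers use the public suffix list here.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    same_site: str = "Lax"   # "Strict", "Lax" or "None"
    secure: bool = False


@dataclass(frozen=True)
class Request:
    url: str
    method: str
    initiator: str                     # page that caused the request
    top_level_navigation: bool = False  # form submit / link click vs fetch


def is_same_site(request: Request) -> bool:
    target = urlsplit(request.url).hostname or ""
    source = urlsplit(request.initiator).hostname or ""
    return registrable_domain(target) == registrable_domain(source)


def cookie_is_sent(cookie: Cookie, request: Request) -> bool:
    """Return True if a browser would attach `cookie` to `request`."""
    same_site = is_same_site(request)
    if cookie.same_site == "Strict":
        return same_site
    if cookie.same_site == "Lax":
        safe_nav = request.top_level_navigation and request.method.upper() in SAFE_METHODS
        return same_site or safe_nav
    if cookie.same_site == "None":
        # Browsers reject SameSite=None unless the cookie is also Secure.
        return cookie.secure and urlsplit(request.url).scheme == "https"
    raise ValueError(f"unknown SameSite value: {cookie.same_site!r}")


# Constructed scenarios: a victim logged in at app.example, attacker at evil.example.
CROSS_SITE_POST = Request(
    url="https://app.example/transfer", method="POST",
    initiator="https://evil.example/attack.html", top_level_navigation=True)
CROSS_SITE_GET_LINK = Request(
    url="https://app.example/transfer?amount=100", method="GET",
    initiator="https://evil.example/attack.html", top_level_navigation=True)
SAME_SITE_POST = Request(
    url="https://app.example/transfer", method="POST",
    initiator="https://www.app.example/form", top_level_navigation=True)


def csrf_outcomes(same_site: str, secure: bool = True) -> dict:
    """Which constructed requests carry the session cookie for a given SameSite value."""
    session = Cookie("session", "abc123", same_site=same_site, secure=secure)
    return {
        "cross_site_post": cookie_is_sent(session, CROSS_SITE_POST),
        "cross_site_get_link": cookie_is_sent(session, CROSS_SITE_GET_LINK),
        "same_site_post": cookie_is_sent(session, SAME_SITE_POST),
    }


if __name__ == "__main__":
    for mode in ("Strict", "Lax", "None"):
        print(mode, csrf_outcomes(mode))
```

The Lax row is the one to notice: the forged cross-site POST loses the cookie, but a top-level GET link still carries it, so state-changing GET endpoints remain exposed and Lax alone does not replace a CSRF token.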

Compile-time verified dynamic CSP headers

Dynamic CSP headers are tricky, especially if user input is involved. A URL such as https://foo.com/bar%20%2A is percent-decoded to a value containing a space and a bare asterisk, so splicing it into a policy can result in headers like: Content-Security-Policy: script-src https://foo.com * The standalone * is a source expression that permits scripts from any origin. This kills the...
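The injection above, reproduced as an added Python example rather than the post's Haskell code: a naive builder that percent-decodes the user-supplied URL and concatenates it into script-src, beside a runtime check that only accepts a single well-formed host-source (the compile-time version the post describes is specific to Yesod; the regex here is a simplified host-source grammar and is an assumption of this example).

```python
"""Dynamic CSP from user-controlled input: the failure mode and a check.

Constructed example, not the post's Yesod code. unquote("bar%20%2A") yields
"bar *", and a bare "*" in a source list allows scripts from anywhere.
"""
import re
from urllib.parse import unquote

# Simplified CSP host-source (assumption, not the full CSP3 grammar):
# optional scheme, host with optional "*." wildcard label, optional port,
# optional path. Whitespace, a bare "*", quotes, ";" and "," are rejected
# so nothing can smuggle a second source expression or directive.
HOST_SOURCE = re.compile(
    r"^(?:[a-zA-Z][a-zA-Z0-9+.-]*://)?"           # scheme
    r"(?:\*\.)?[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*"  # host
    r"(?::(?:\d+|\*))?"                           # port
    r"(?:/[^\s;,'\"*]*)?$"                         # path
)


def naive_script_src(user_url: str) -> str:
    """Vulnerable builder: decodes and concatenates. Kept to show the bug."""
    return "script-src " + unquote(user_url)


def strict_script_src(user_url: str) -> str:
    """Hardened builder: refuse anything that is not one host-source."""
    decoded = unquote(user_url)
    if not HOST_SOURCE.fullmatch(decoded):
        raise ValueError(f"refusing unsafe CSP source: {decoded!r}")
    return "script-src " + decoded


def script_src_sources(policy: str) -> list:
    """Parse the script-src source list out of a serialized policy."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0] == "script-src":
            return tokens[1:]
    return []


def policy_allows_any_origin(policy: str) -> bool:
    """True if script-src contains the bare wildcard '*'."""
    return "*" in script_src_sources(policy)


def try_strict(user_url: str):
    """Return the header the strict builder produces, or None if it refuses."""
    try:
        return strict_script_src(user_url)
    except ValueError:
        return None


if __name__ == "__main__":
    hostile = "https://foo.com/bar%20%2A"  # constructed attacker-controlled input
    print(naive_script_src(hostile), policy_allows_any_origin(naive_script_src(hostile)))
    print(try_strict(hostile))
    print(try_strict("https://cdn.foo.com"))
```

Note that the check is applied to the decoded value, not the raw URL: validating before percent-decoding is exactly the mistake the post's example exploits, since "%2A" contains no asterisk until it is decoded.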