Recently, a developer asked me how to enable Brotli content-compression support in FiddlerCore applications, so that APIs like oSession.GetResponseBodyAsString() work properly when the entity body has been compressed using brotli. Right now, support requires two steps: Put brotli.exe (installed by Fiddler or off Github) into a Tools subfolder of the folder containing your application’s executable. Ensure that theContinue reading “FiddlerCore and Brotli compression”
Author Archives: ericlaw
Content-Types Matter More Than You Think
Every non-empty response from a web server should contain a Content-Type response header that declares the type of content contained in the response. This declaration helps the browser understand how to process the response and can help prevent a number of serious security vulnerabilities. Setting this header properly is more important than ever. The Old DaysContinue reading “Content-Types Matter More Than You Think”
Taking Off Your NameTag
Recently, there’s been some excitement over the discovery that some sites are (ab)using browser password managers to identify users even when they’re not logged in. This technique (I call it the “NameTag vulnerability”) isn’t new or novel, but the research showing that it’s broadly being used “in the wild” is certainly interesting1, and may motivateContinue reading “Taking Off Your NameTag”
What If?
Spoiler alert If you haven’t read For a Lark yet, please go read that first. What If? I like to think. Well, actually, I’m not sure I like to think, but I find it really hard to relax and let my brain rest… given a few minutes of idle time, I usually find myself deep inContinue reading “What If?”
Strict-Transport-Security for *.dev, *.app and more
Some web developers host their pre-production development sites by configuring their DNS such that hostnames ending in .dev point to local servers. Such configurations were not meaningfully impacted when .dev became an official Generic Top Level Domain a few years back, because even as smart people warned that developers should stop squatting on it, Google (the owner of theContinue reading “Strict-Transport-Security for *.dev, *.app and more”