Scott Helme

@scotthelme.bsky.social

Hi, I'm Scott Helme, a Security Researcher, Entrepreneur and International Speaker. I'm the creator of Report URI and Security Headers, and I deliver world-renowned training on Hacking and Encryption. https://scotthelme.co.uk

2,571 Followers  |  19 Following  |  38 Posts  |  Joined: 14.07.2023

Latest posts by scotthelme.bsky.social on Bluesky

Good morning Barbados! 🤩🌅🏝️🇧🇧

01.12.2025 09:49 — 👍 2    🔁 0    💬 0    📌 0
Preview
Client-Side Security and Observability Protect user data and prevent client-side data breaches with real-time browser security controls.

Join me tomorrow for this webinar on CSP Integrity, our most cutting-edge feature for client-side security!

report-uri.com/webinar/csp_...

25.11.2025 11:51 — 👍 2    🔁 0    💬 0    📌 0
Preview
Integrity Policy - Monitoring and Enforcing the use of SRI This has been a long time coming so I'm excited that we now have a working standard in the browser for monitoring and enforcing the use of SRI across your website assets! SRI refresher For those...

Do you want to quickly and easily know if all of your JavaScript assets across your site are using SRI? Now you can!

Announcing the open-beta of Integrity Policy!

scotthelme.co.uk/integrity-po...

19.11.2025 15:06 — 👍 3    🔁 1    💬 0    📌 0

No, the crash reports are quite limited in that regard. Their main goal is to let you know something is happening that you might have no other way to find out about.

27.10.2025 15:04 — 👍 3    🔁 0    💬 0    📌 0
Preview
How We (Almost) Found Chromium's Bug via Crash Reports to Report URI Tracking down bugs in software is a pain that all of us who write code must bear. When we're talking about outright errors in a web page, you typically have something to get you started (such as…

A strange Chromium bug triggered by a CSP directive that caused a crash went unsolved for months, and we had the data right in front of us in Report URI to explain why it was happening 😮 www.troyhunt.com/how-we-almos...

27.10.2025 09:11 — 👍 17    🔁 3    💬 1    📌 0

We provide information on the steps for remediation, and link out to verified sources of information on the vulnerability if you'd like more information.

29.09.2025 11:11 — 👍 2    🔁 0    💬 0    📌 0

Along with identifying the JS files on your site, we can also cross-check them against our database of Known Vulnerabilities, and flag when you're loading JS with serious issues!

29.09.2025 11:11 — 👍 0    🔁 0    💬 1    📌 0

Of course, this also means that you can detect when/if those JS files change, as they will start reporting a new hash. This is a great way to be able to monitor for undesirable changes to 3rd-party dependencies.

29.09.2025 11:11 — 👍 0    🔁 0    💬 1    📌 0

We've already built a database of almost 13,000,000 fingerprints that we have verified, meaning we can reliably identify files loading on your site.

29.09.2025 11:11 — 👍 0    🔁 0    💬 1    📌 0

You can now fingerprint JS running on your site with a cryptographically secure hash function and have that data sent to report-uri.com. This is native browser functionality, so there is no code to deploy anywhere!

29.09.2025 11:10 — 👍 0    🔁 0    💬 1    📌 0
Preview
Capture JavaScript Integrity Metadata using CSP! Today we're announcing the open beta of a brand new and incredibly powerful feature on the Report URI platform, CSP Integrity! Having the ability to collect integrity metadata for scripts running on y...

We've just launched an awesome new feature at report-uri.com! You can now collect Integrity Metadata, natively from the browser, for JavaScript running on your site!

It takes seconds to deploy, so read the thread for the amazing benefits this will bring.

scotthelme.co.uk/capture-java...

29.09.2025 11:09 — 👍 3    🔁 1    💬 1    📌 0

New dates! Practical TLS and PKI Training - Nov 10-13 2025.
And if you can't wait that long, we still have a few tickets for the training next week. Join us! From @ivanristic.com and with @scotthelme.bsky.social
www.feistyduck.com/training/pra...

15.09.2025 15:33 — 👍 1    🔁 1    💬 0    📌 0

It has, but there's always an element of ongoing work. It's not just extensions, but corporate proxies/firewalls, AV software on the client, and anything that can interfere with the page.

Our filtering has become pretty good 👍

02.07.2025 18:38 — 👍 0    🔁 0    💬 0    📌 0
Preview
Trillion with a T: Surpassing 2 Trillion Events Processed! 🚀🚀 We've just passed a monumental milestone: 2 trillion events processed through Report URI!!! That's 2,000,000,000,000 events for CSP, NEL, DMARC, and other browser-generated and email telemetry reports...

To celebrate, we've just launched a seriously cool public dashboard that gives heaps of insight into our traffic! Check it out, and there is something in there I've wanted to build for a very long time:

scotthelme.co.uk/trillion-wit...

02.07.2025 18:18 — 👍 0    🔁 0    💬 0    📌 0

This is absolutely unbelievable!!!

We've just passed through 2 trillion events processed at
Report URI!!! report-uri.com

🤯🥳🎉

02.07.2025 18:10 — 👍 6    🔁 0    💬 2    📌 0

New dates! Practical TLS and PKI, Sep 22-25. From @ivanristic.com, based on the Bulletproof book, with lots of exercises to give you hands-on experience. Your teacher will be @scotthelme.bsky.social. And now is a good time to grab an Early Bird ticket ($300 off).
www.feistyduck.com/training/pra...

28.05.2025 12:17 — 👍 2    🔁 1    💬 0    📌 0

Our final TLS and PKI Training before the summer will take place on 3-6 June. Four half-days, with real-world exercises to work on during the training and afterwards. With @scotthelme.bsky.social and from @ivanristic.com Join us! www.feistyduck.com/training/pra...

15.05.2025 13:31 — 👍 2    🔁 1    💬 0    📌 0

Four weeks until the next Practical TLS and PKI Training - Join @scotthelme.bsky.social on June 3-6 to learn how to deploy secure servers and design secure web applications. Four half days, Pacific Time AM. From @ivanristic.com.
www.feistyduck.com/training/pra...

06.05.2025 13:55 — 👍 3    🔁 1    💬 0    📌 0

Certificate renewal should be fully automated by then, and ideally by now already. Once renewal is automated, how often you renew really doesn't matter any more. I have no idea when any of my certificates renew, they just do it!

22.04.2025 14:20 — 👍 1    🔁 0    💬 2    📌 0

I might like this version of the graph more! 🤔

22.04.2025 14:19 — 👍 0    🔁 0    💬 0    📌 0

Well, hopefully, you wouldn't leave it so close to expiry, I'd probably recommend every 30 days.

22.04.2025 14:15 — 👍 1    🔁 0    💬 1    📌 0

Here's what that looks like when viewing the full history, which shows we recently stalled out on our progress to shorter certificates, and even these new deadlines are a much reduced rate of progress:

22.04.2025 13:42 — 👍 1    🔁 0    💬 1    📌 0

Straight to the point, here is the schedule for the reduction in certificate lifetimes!

March 15th 2026: All new certificates capped at 200 days validity

March 15th 2027: All new certificates capped at 100 days validity

March 15th 2029: All new certificates capped at 47 days validity!

22.04.2025 13:41 — 👍 0    🔁 0    💬 1    📌 0
Preview
Shorter certificates are coming! Well, I was certainly hoping for this result, but wasn't necessarily expecting it! I'm pleased to report that Ballot SC-081v3 passed, and that shorter certificate lifetimes are now coming! The Sche...

Oh yeah! Shorter certificates are coming!!
😎🔒🌍⌚

scotthelme.co.uk/shorter-cert...

22.04.2025 13:39 — 👍 4    🔁 4    💬 2    📌 1
Preview
Hacking my Tesla Powerwalls to be the ultimate home energy solution! I've had solar and batteries at home for quite some time now, and despite my experience with them being really awesome, there were a few little things that were bugging me. Using systems from various ...

I've had a little fun with my Tesla Powerwalls, Home Assistant and Teslemetry over the holiday weekend!

scotthelme.co.uk/hacking-my-t...

21.04.2025 20:35 — 👍 5    🔁 0    💬 1    📌 0

No, it hooks up to my DNS provider and sets DNS TXT records, I don't use the HTTP validation mechanism.

04.03.2025 09:38 — 👍 1    🔁 0    💬 1    📌 0

Even if I switch to cellular data, or VPN to a new IP address altogether, they still don't work. This is an example with my email signature, but no images work at all.

07.02.2025 09:58 — 👍 1    🔁 0    💬 0    📌 0

It doesn't seem like rate limits make sense, and the status code we're getting for images in our emails is a 403, not something like a 429 as I'd expect. We also don't send/receive that many emails, so rate limits again don't sound very likely?

07.02.2025 09:57 — 👍 1    🔁 0    💬 1    📌 0

This is pretty nuts, we've been having issues with our @fastmail.com emails where images aren't working...

They're suggesting rate limits at @cloudflare.social are the issue, but how much sense does that make?

Either way, Fastmail's recommendation is to stop using their app and web interface?!

07.02.2025 09:57 — 👍 2    🔁 0    💬 2    📌 0
Preview
Stronger Than Ever: How We Turned a DDoS Attack Into a Lesson in Resilience Operating an online service like Report URI, it comes with the territory. The ever present threat of attack is something we are fully aware of, and prepare for as best we can. Being the regular subjec...

We've made a few more improvements to report-uri.com over the last week!

scotthelme.co.uk/stronger-tha...

03.02.2025 14:10 — 👍 1    🔁 0    💬 0    📌 0
