Content Security Policy applied to Single Page Applications: Is it worth it with unsafe-inline?

Does applying ‘unsafe-inline’ render CSP more or less pointless?

Preventing XSS is one of the main benefits of a CSP. If you need to allow inline scripts, that benefit is mostly gone.

But there are still some situations where a CSP can prevent exploitation of issues. Examples:

  • Clickjacking: a CSP can prevent it
  • HTML injection: Even if no XSS can be gained, HTML injections can be used to exfiltrate data. A CSP may be able to mitigate some of the impact (by restricting form actions, image sources, etc.)
  • CSS injection: If you don’t have inline CSS, you can prevent CSS injection via CSP
  • Even with unsafe-inline, a CSP may make XSS more difficult to exploit. The easiest way to exploit XSS is to include a remote script, as an attacker doesn’t have to worry about length or special character restrictions in the payload
  • Enforce content to be loaded via HTTPS

Does anyone have any good ideas of how to handle CSP on an SPA?

The same way as with any application: Don’t have inline scripts. Instead, you should have all your scripts in .js files, which you then include from a trusted origin (this actually seems easier to achieve in a SPA compared to a classic application which may have inline JavaScript all over the place).

You can also allow a specific script block using a nonce or hash source (which implemented correctly prevents XSS).

Even if you need to allow unsafe-inline for now, I’d still recommend implementing a CSP which is as restrictive as possible given the situation.

It will help you implement future features in a way compatible with a restrictive CSP. And when you get around to removing inline js, you just need to remove unsafe-inline from the CSP that you have in place already (instead of having multiple issues to worry about implementing a new CSP).

In the ASIC-age, is it worth starting mining Bitcoin at home?

Generally, it’s not worth your time and effort to mine at home! (Some exceptions may apply.)

Age of ASIC mining

CPU mining has been unprofitable since 2011, GPU mining just slightly later.

Today, ASICs rule mining. The Bitcoin network has more than 1.7 Ehash/s (Oct 2016) now which is 1,700,000,000,000 Mhash/s. Your graphics card will be running full blast to churn out a few hundred Mhash/s, your CPU maybe a few dozen.

With CPU or GPU you will never collect a sufficient balance with a mining pool that you could even get paid out. It’s a waste of time, even if you don’t pay for power.

Mining has gone big scale

Meanwhile, ASIC mining has gone industrial. Corporations are building mining centers in regions with very cheap power, and filling them with millions of USD worth of ASIC miners. Greater mining power in one hand does have some slight advantages which add to their more efficient processes.

Finally, ASIC miners have been catching up quickly technology-wise: every few months new chips get announced, moving the scale down a few more nm. Currently, we are reaching 16nm technology (Oct 2016), which is already pretty close to the general state of the art. The problem with that is that every step of miniaturization comes with a leap in power efficiency, quickly obsoleting older generations of ASICs. Chances are that your investment will be outdated before it pays for itself – even when you are just looking at cost of acquisition and have no cost of power.

Mining profits tend to zero

The mining market tends to reach an equilibrium: While it is very profitable to mine, there is room for investments. The additional mining power increases the difficulty for all which in turn reduces the profitability. When the difficulty rises, it drives out the least cost efficient mining operations, in turn increasing the profitability of the remaining miners. If you’re not in a particularly advantageous position, you will be quickly pushed out of the market.

Also see: Why does mining profitability tend towards zero?

If you’re not paying for your power, someone else is

Anyway, if you’re “not paying for your power”, because it’s included in rent (e.g. in a dormitory), you’re either privatizing profits by socializing costs, i.e. stealing from your neighbors, or you’ll be paying for it next year when your landlord increases your rent to cover the higher power bill.

If you produce a power surplus or use the ASIC to replace electric heating, hey, you might be one of those exceptions I mentioned going in.

There might be some altcoins that can still be profitably CPU/GPU mined and traded for Bitcoin thereafter, but I am not sure whether even they are worth it when you factor in your time investment.


If you have understood all of the above, please feel free to check out

Is Siteground Cloud hosting worth it?


Hello guys, I need your advice!
I have 7 websites for a total of about 500k sessions per month.

To date I am hosting all sites on a GoGeek Siteground plan, but unfortunately I have reached 40000 account executions per day, which is the very limit of Siteground shared hosting.

I suspect there are many bots in these “account executions”, but none of the Siteground technicians has been able to help me; in fact they have limited themselves to advising me on the upgrade to cloud hosting (of course…).

Now I have two options:

1) Switch to cloud hosting (from $30 a month for the shared plan to $64 a month for the Cloud hosting with 2 CPU Cores, 4GB RAM, 40SSD, 5TB data transfer).

2) Divide my sites into 2 separate shared hosting plans.
Today the GoGeek shared plan costs $30/month, but I could also open an $18/month GrowBig.

I don’t know, what would you do? Does anyone have Siteground cloud hosting experience? It is much more powerful than shared hosting (Siteground datacenters are in Europe, I have visitors mainly from Italy).
All in all I like Siteground, despite being quite expensive.

Thank you guys!

Is cPanel worth the added expense?


For me I say it is, just for the amount of clients that are used to it. I have tried to use different ones in the past and that tended to create more tickets than anything. This ended up costing more than just using cPanel.

Yes the new pricing set everyone back but heck if you have over 100 accounts already just raise your new pricing by 30 cents and move on.

EasyWP review – is it worth it?


Here is a test from EasyWP (my website) versus another budget web host (same website),

and I compared both with another website (a faster website).
You can see that EasyWP isn't as fast as it claims, and one more thing: their CDN isn't really a CDN. You have to buy your domain name from them to use this CDN, and in the end the CDN itself is worse than CloudFlare's free version!

This is my review and I hope someone reads it before paying EasyWP or Namecheap for hosting. They are not as good as they say they are.

Transparency FYI:
Report link: https://gtmetrix.com/compare/XIIJgejG/tEVpp9zL/14Px7lDL
Link to my website: https://www.visit.guide/