undefined | Better HN

0 pointsdeergomoo4y ago0 comments

For the HTTPS thing, they’re suggesting client-side encryption. Which, to me, seems to be a combination of no real benefit and opens a window to introduce vulnerabilities if we get anything wrong.

Interestingly, I checked a few big sites, and while Google doesn’t, Facebook and Amazon both use client-side encryption. Is it just to provide some extra protection for pwned users who have trusted bad certs? I’m no security expert, and I’m struggling to think of any real benefit.

For the JS/CSS thing, I have literally no idea.

0 comments

scintill764y ago

If you're stuck following their recommendations, you could try to sniff Accept headers or user agent or something to "block access" to JS/CSS but still allow the browser to load them in your page. Might risk breaking the app though.

j / k navigate · click thread line to collapse

0 pointsdeergomoo4y ago0 comments

For the JS/CSS thing, I have literally no idea.

0 comments

scintill764y ago

j / k navigate · click thread line to collapse