John Murray · Apr 13, 2017

CSP skeleton key

In this recent post I highlighted the importance of a CSP session's Key property in enforcing the level of security your web application may be relying on, and in particular the need to keep the property value secret.

It turns out that if a particular global node has been set on your system, every CSP session will use the same (non-secret) key.

Here's a line of code to tell you if this is happening on your system. Paste it into Terminal in any namespace:

if $get(^%SYS("CSP","NoEncrypt")) write "All CSP sessions are using a common key"

This won't be happening by default, but you may wish to check that it hasn't somehow been turned on.
