Monday, September 25, 2017



Wednesday, September 20, 2017

CSP (Content Security Policy)

CSP (Content Security Policy) is a tool which developers can use to lock down their applications in various ways, mitigating the risk of content injection vulnerabilities such as cross-site scripting, and reducing the privilege with which their applications execute.

CSP is not intended as a first line of defense against content injection vulnerabilities. Instead, CSP is best used as defense-in-depth. It reduces the harm that a malicious injection can cause, but it is not a replacement for careful input validation and output encoding.

Besides deploying CSP, web applications should still defend directly against attacks such as Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF).

There are two ways to deliver a CSP: on the server side through an HTTP response header, or on the client side through an HTML meta element. Here are the details:

The Content-Security-Policy HTTP response header field is the preferred mechanism for delivering a policy from a server to a client.

    Content-Security-Policy: script-src 'self';
                             report-to csp-reporting-endpoint

The Content-Security-Policy-Report-Only HTTP response header field allows web developers to experiment with policies by monitoring (but not enforcing) their effects.

    Content-Security-Policy-Report-Only: script-src 'self';
                                         report-to csp-reporting-endpoint

A Document may deliver a policy via one or more HTML meta elements whose http-equiv attributes are an ASCII case-insensitive match for the string "Content-Security-Policy".

    <meta http-equiv="Content-Security-Policy" content="script-src 'self'">
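
The three delivery forms above, generated from one policy object, as an added example that is not code from the original post. The helper names (serialize, cspHeaders, cspMeta) are hypothetical and the endpoint URL is a placeholder; the example also emits the Reporting-Endpoints header, which declares the endpoint group that report-to names.

```javascript
// Added example; helper names are hypothetical, sample values are constructed.
// Directives the CSP spec ignores when a policy is delivered via <meta>.
const META_IGNORED = new Set(['report-uri', 'frame-ancestors', 'sandbox']);

// Serialize { directive: [values] } into a policy string. Values containing
// ';', ',' or whitespace are rejected so that untrusted input cannot
// smuggle extra directives or a second policy into the header.
function serialize(policy) {
  return Object.entries(policy).map(([name, values]) => {
    if (!/^[a-z0-9-]+$/i.test(name)) throw new Error(`bad directive name: ${name}`);
    for (const v of values) {
      if (v === '' || /[;,\s]/.test(v)) throw new Error(`bad value in ${name}: ${v}`);
    }
    return [name, ...values].join(' ');
  }).join('; ');
}

// Headers for server-side delivery. reportOnly=true monitors without enforcing.
// report-to only names an endpoint group; the group is declared in the
// Reporting-Endpoints response header, so both are emitted together.
function cspHeaders(policy, { reportOnly = false, endpoints = {} } = {}) {
  const name = reportOnly
    ? 'Content-Security-Policy-Report-Only'
    : 'Content-Security-Policy';
  const headers = { [name]: serialize(policy) };
  const group = (policy['report-to'] || [])[0];
  if (group !== undefined) {
    if (!endpoints[group]) throw new Error(`no URL configured for group ${group}`);
    headers['Reporting-Endpoints'] = `${group}="${endpoints[group]}"`;
  }
  return headers;
}

// <meta> delivery: enforcing only (there is no report-only meta form).
// report-to is dropped as well in this example, because a meta element
// cannot set the Reporting-Endpoints header that declares the group.
function cspMeta(policy) {
  const kept = Object.fromEntries(Object.entries(policy)
    .filter(([n]) => !META_IGNORED.has(n) && n !== 'report-to'));
  const content = serialize(kept).replace(/&/g, '&amp;').replace(/"/g, '&quot;');
  return `<meta http-equiv="Content-Security-Policy" content="${content}">`;
}

// Constructed sample: the page's policy plus a placeholder endpoint URL.
const POLICY = { 'script-src': ["'self'"], 'report-to': ['csp-reporting-endpoint'] };
const ENDPOINTS = { 'csp-reporting-endpoint': 'https://reports.example/csp' };
console.log(cspHeaders(POLICY, { reportOnly: true, endpoints: ENDPOINTS }));
console.log(cspMeta(POLICY));
```

Start with reportOnly set to true, review the reports that arrive, and switch to the enforcing header once the policy no longer flags legitimate resources.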
There are many directives, including script-src, frame-src, style-src and img-src, that define the content security policy. For details, please check out

Thursday, September 14, 2017

Fucoidan - Brown Algae Polysaccharide Sulfate Ester

Fucoidan is a natural food compound with a funny name that has shown promise in fighting cancer. Found in many forms of brown seaweed, fucoidan is a type of complex carbohydrate called a polysaccharide and is composed of various sugars, sugar acids and sulfur-containing groups. While seaweed has been a staple food in Asian countries for thousands of years, brown seaweed has only been the focus of research for the past decade. Fucoidan, in particular, has received the most attention.

In the US market, there are two categories of Fucoidan.

One is imported from Japan, priced around $300:
Nature Medic Fucoidan Powered with AHCC
Umi No Shizuku Fucoidan Umi - 120 capsules

The other is the regular supplement, priced around $30:
Absonutrix 500mg Fucoidan Pure Brown Seaweed Extract 120 Capsules
Optimized Fucoidan with Maritech 926 - Life Extension - 60 Veggie Caps
Doctor's Best Fucoidan 70%, Non-GMO, Vegan, Gluten Free, 60 Veggie Caps

You can also search for Fucoidan on Amazon and eBay.