Behind the Firewall ft. Trevor Murphy

by Morgan Prost / May 21st, 2026

Security headers are supposed to make things simpler, but what happens when they’re misunderstood?

Pentester Trevor Murphy has spent the last five years focused on client-side security, and he has seen the landscape shift dramatically.

“When I first started in pen testing, web app security was a lot more fragmented. You had a separate header for each directive, one rule per line. Now, with Content Security Policies (CSPs), it’s all condensed into a single header that can enforce multiple rules at once. It’s more efficient, but also easier to misconfigure.”

Content Security Policies (CSPs) are designed to streamline protection, but he has noticed a trend: teams are mixing legacy headers with modern ones, or applying CSPs without fully understanding them.

This is resulting in conflicts, misconfigurations, and unexpected openings.

In a recent test, he was able to upload malicious code that would have been executed under older setups. But thanks to properly implemented CSPs, the browser now checks for subtle indicators – like one-time codes that verify content authenticity – blocking the attack.

Security is evolving. It’s more compact, yes, but also more complex.

This is a reminder that checkbox security isn’t enough. We need to ask deeper questions:

Do we really understand what our policies are doing?