← Back
Projects
09 shipped
CSP Playground
↗
2026-05-03
Content-Security-Policy:
default-src
'self'
;
script-src
'unsafe-inline'
https:;
object-src
*
;
CRIT
unsafe-inline in script-src
HIGH
object-src wildcard
MED
base-uri missing
Agent Identity Lab
↗
2026-05-02
user
passkey
RFC 8693
token-exchange
act: agent
ai
✓
agent
attested
ttl 5m
AuthZ Lab — IDOR / BOLA
↗
2026-04-27
A
alice
GET /orders/1003
(owned by bob)
naive
200 OK
hardened
404
WHERE id = ? AND owner_id = ?
Labs
↗
2026-04-27
Identity
CSP
[SYS]
Prompt Injection
169.254
.169.254
SSRF
Prompt Injection Lab
↗
2026-04-26
[SYSTEM]
ignore previous
exfil <data>
✗ followed
✓ refused
SSRF / Cloud Metadata Lab
↗
2026-04-26
app
GET 169.254.169.254
IMDS
169.254
.169.254
IAM creds
Secure-by-default Next.js Starter
↗
2026-04-01
1
2
3
4
5
6
7
8
9
export
const
headers
= {
'CSP'
:
'default-src self'
,
'HSTS'
:
'max-age=63072000'
,
'X-Frame'
:
'DENY'
,
'Referrer'
:
'same-origin'
,
'COOP'
:
'same-origin'
,
};
// safe by default
// not opt-in
AI Codegen Audit
↗
2026-03-12
-
eval(userInput);
-
innerHTML = data;
+
JSON.parse(userInput);
+
textContent = data;
sanitize(input);
return safe;
Audit
B+
Identity Lab
↗
2026-02-20
Sign in
name@domain.com
Continue with Passkey
WebAuthn · FIDO2
Projects — Marwan Diallo