Mew, the Pokémon

Content-Security-Policy (CSP) is an HTTP header returned by servers that tells the client where resources may be loaded from. For example, setting script-src 'self' in the CSP tells the client that it should only load script resources from the current origin. 'self' for this blog post would mean https://kura.gg.

To make loading those resources more secure, you can use hashes or nonces within the CSP that the client can verify. Below I will show how I inject CSP nonces into responses from my origin using Cloudflare Workers.

Security considerations

Think of this as an academic exercise rather than something you should do.

This article will only explain how I inject the nonces into responses from the origin. This isn’t really secure given the method I use to do this is pretty dumb — it just adds a generated nonce to <script> and <link rel …

Eevee, the Pokémon

I was a little bored tonight and had a thought: “can I find a way to add a random Pokédex and its National Pokédex number as a header to requests on my website?”

The answer is - quite simply - “yes”.

Cloudflare Workers

This website runs on Cloudflare’s content delivery network and as such I have access to Cloudflare Workers, allowing me to run arbitrary code at the edge for incoming requests.

Setting up a worker that picks a random Pokémon and injects it as a header is very simple: add a worker, write the code, and add some routing to it.

Try it yourself

curl -sI https://kura.gg/ | grep "x-pokemon"
x-pokemon: Eevee (#133)

The code

let pokemon = [
    "Bulbasaur (#1)", "Ivysaur (#2)", "Venusaur (#3)", "Charmander (#4)", "Charmeleon (#5)",
    "Charizard (#6)", "Squirtle (#7)", "Wartortle (#8)", "Blastoise (#9)", "Caterpie (#10)",
    "Metapod (#11)", "Butterfree (#12)", "Weedle (#13)", "Kakuna (#14)", "Beedrill (#15)",
    "Pidgey …

Gmail provided by the paid Google Workspace service (formerly known as G Suite and Google Apps) has unofficial DNSSEC-signed MX records available for use. The officially supported ones that you’re told to configure do not offer DNSSEC signing.

These MX records have both IPv4 and IPv6 addresses, although the records are not officially supported or documented and may be unreliable or removed at any point. (I’ve been using them for a while now and they seem perfectly fine to me but use at your own risk.)

mx1.smtp.goog
mx2.smtp.goog
mx3.smtp.goog
mx4.smtp.goog

The table below lists each MX host with its A and AAAA record values.

MX host          A                AAAA
mx1.smtp.goog    216.239.32.151   2001:4860:4802:32::97
mx2.smtp.goog    216.239.34.151   2001:4860:4802:34::97
mx3.smtp.goog    216.239.36.151   2001:4860:4802:36 …