This is completely awesome. Thanks, guys! Great questions from the host, Julian. April, you are awesome! I've learned so much. My web development training program completely ignored this kind of thing (which really irritates me), but the information provided here cleared up a lot. (Admittedly, a good bit was beyond my pay grade!) The only important issue I'm having is understanding where/how this actually gets deployed. If I'm understanding correctly, you are accessing the server through some kind of console (something called nginx?), but I have no idea how to set that up. Is that console just accessing a specific file sitting on the server and making changes to it? What files are the correct server-side files? I know that's probably outside the scope of this video, but it would be helpful to have a little more context about deployment. Also, if a website is static, can we just slap the CSP in the head? Thanks again!

Tnx for a lot of useful info. I'm getting slightly different results between your add-on and actual vhost config (CSP evaluator is a little bit more precise honestly), but that observatory link rocks!!! Easier way to get around all the stuff I need to fix.

Nice "dot-suffix" trick to bypass the security on add-ons ^^

"reasonable"? 34:58 What exactly is 'UNreasonable' when it comes to site security, or is this not actual security but only a euphemism to make people jump on a bandwagon due to propaganda? Peer pressure much?

Looks like a girl, sounds like a guy. What is it?