CSP on addons.mozilla.org (AMO)
Content Security Policy (CSP) is one of the most important steps a website can take to reduce its vulnerability profile. Implemented properly, it can reduce the risk of cross-site scripting (XSS) attacks to near zero.
AMO is one of the highest profile sites both at Mozilla and on the internet at large. An XSS attack against it could lead millions of Firefox users to unwittingly install addon exploits. After six years of hard work, the Mozilla Infosec team and the AMO team successfully implemented CSP.
You can read my write-up of our experiences on the Mozilla Hacks blog.