# I Fixed My Malware Injection Issue With Content-Security-Protection

Recently I updated the setup on my [personal blog](https://blog.donbowman.ca/). I enabled Content-Security-Protection, and setup the report-uri (so that I would get notification of some of the blocked content).

My expectation is this would be empty. After all, my blog doesn't host advertising or user-generated content. But to my surprise, I saw some blocked notifications for rasenalong>dot>com (purposely not made a link here). Huh? What is that? Let's dig in.

After some research I find that some users are getting ads and other scummy content injected **on my site**. I purposely don't place ads on it, I don't want someone else's message showing up. How could this be? What might those ads say?

It turns out these users have a piece of malware called '[LNKR](<http://Lnkr Ad Injector>)'. It was injecting JavaScript into my served page and then placing ads and tracking my users.

I am appalled. My new changes mean that the users browser will block content that gets injected. So no more ads for me, showing who knows what.

If you have not enabled Content-Security-Policy, or if you just want to check your site, head on over to [observatory.mozilla.org](http://observatory.mozilla.org). Its 1-minute, its free, its great.

I've done a short video to talk about this, feel free to watch and [subscribe](http://www.youtube.com/c/Agilicus?sub_confirmation=1).

https://youtu.be/3XdNTMmZg1M