Execution Control | Execution | Updated Dec 2, 2025

Block Old Browsers Based on Signing Time

Enforce minimum Chrome and Firefox versions using CEL secure signing time, keeping browsers patched against active exploits and CVEs.

Idea

Your browser is one of the most complicated pieces of software you run, and it needs to be kept up to date. Just this year we saw CVE-2025-4664 for Chrome and CVE-2025-2857 for Firefox, and compliance programs like FedRAMP and Cyber Essentials Plus require that software be kept up to date.

Santa's CEL rules let you enforce a maximum time since an application was signed, and this is one of our favorite examples from our CEL rule cookbook.

Solutions

Execution: Block Old Chrome Versions
Require Chrome signed after May 31, 2025
Signing ID
CEL Expression
Custom Message

Execution: Block Old Firefox Versions
Require Firefox signed after May 31, 2025
Signing ID
CEL Expression
Custom Message

Tags

browser, chrome, firefox, compliance

Deployment Notes

Update the timestamp periodically to enforce a rolling window of acceptable browser ages. Consider setting different thresholds for different teams based on their risk tolerance.
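One way to compute the rolling cutoff described above, per team, and render the expression to paste into each rule. This is an added example, not part of the original recipe or of Santa's own tooling. The CEL field name `target.secure_signing_time`, the team names and the day thresholds are assumptions; check the field name against the Santa version you run.

```python
from datetime import datetime, timedelta, timezone

# Assumption: Santa's CEL context exposes the secure (timestamp-authority)
# signing time under this name; confirm against your Santa version.
CEL_FIELD = "target.secure_signing_time"

# Hypothetical per-team maximum browser age, in days.
TEAM_MAX_AGE_DAYS = {"default": 90, "finance": 45, "security": 30}


def cutoff_for(max_age_days, now):
    """Oldest acceptable signing time, truncated to midnight UTC so the
    rendered rule does not change with the hour the script happens to run."""
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware")
    day = (now.astimezone(timezone.utc) - timedelta(days=max_age_days)).date()
    return datetime(day.year, day.month, day.day, tzinfo=timezone.utc)


def cel_expression(cutoff):
    """Render the expression for a rule scoped to one browser's Signing ID."""
    stamp = cutoff.strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"{CEL_FIELD} >= timestamp('{stamp}')"


def would_allow(signing_time, cutoff):
    """Local mirror of the comparison, for predicting which builds a new
    cutoff will block before the rule is deployed."""
    return signing_time >= cutoff


def render_rules(now):
    """Map each team to the expression for its rule."""
    return {team: cel_expression(cutoff_for(days, now))
            for team, days in TEAM_MAX_AGE_DAYS.items()}


if __name__ == "__main__":
    for team, expr in render_rules(datetime.now(timezone.utc)).items():
        print(f"{team:10} {expr}")
```

Run it on whatever schedule you use to refresh the rules, and pass the signing times of the browser builds currently in your fleet through `would_allow` first, so a tightened window does not block a version you have not finished rolling out.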

Testing Instructions

  1. Deploy the rule to a test host
  2. Download an old version of Chrome from Chrome's download page
  3. Try to open it
  4. Verify Santa blocks the execution with your custom message
