---
title: "Block Old Browsers Based on Signing Time | Security Cookbook"
description: "Enforce minimum Chrome and Firefox versions using CEL secure signing time, keeping browsers patched against active exploits and CVEs."
doc_version: "1"
last_updated: "2026-05-22"
canonical: "https://northpole.security/cookbook/block-old-browsers"
---
[Back](https://northpole.security/cookbook)

### Idea

One of the most complicated pieces of software you run that needs to be kept up to date is your browser. Just this year we saw CVE-2025-4664 for Chrome and CVE-2025-2857 for Firefox, and compliance programs like FedRAMP and Cyber Essentials Plus require that software be kept up to date.

Santa's CEL rules let you enforce a maximum time since an application was signed, and this is one of our favorite examples from our CEL rule cookbook.

### Solutions

ExecutionBlock Old Chrome Versions

Require Chrome signed after May 31, 2025

Signing ID

EQHXZ8M8AV:com.google.Chrome

CEL Expression

target.secure\_signing\_time \>= timestamp("2025-05-31T00:00:00Z") ? ALLOWLIST : BLOCKLIST

Copy

Custom Message

This version of Chrome is too old. Please update.

ExecutionBlock Old Firefox Versions

Require Firefox signed after May 31, 2025

Signing ID

43AQ936H96:org.mozilla.firefox

CEL Expression

target.secure\_signing\_time \>= timestamp("2025-05-31T00:00:00Z") ? ALLOWLIST : BLOCKLIST

Copy

Custom Message

This version of Firefox is too old. Please update.

### Mitre Attack

Tactics

[Initial Access](https://attack.mitre.org/tactics/TA0001/)

Techniques

[T1189: Drive-by Compromise](https://attack.mitre.org/techniques/T1189/)

### Tags

browserchromefirefoxcompliance

### Deployment Notes

Update the timestamp periodically to enforce a rolling window of acceptable browser ages. Consider setting different thresholds for different teams based on their risk tolerance.

### Testing Instructions

1.  Deploy the rule to a test host
2.  Download an old version of Chrome from Chrome's download page
3.  Try to open it
4.  Verify Santa blocks the execution with your custom message

### Resources

[CEL Rules Cookbook - Apps Signed Since XTake a look](https://northpole.dev/cookbook/cel/#apps-signed-since-x)

## Sitemap

- [Home](https://northpole.security/index.md)
- [Workshop](https://northpole.security/workshop.md)
- [Santa](https://northpole.security/santa.md)
- [Features](https://northpole.security/features.md)
- [Cookbook](https://northpole.security/cookbook.md)
- [Docs](https://northpole.security/docs.md)
- [Blog](https://northpole.security/blog.md)
- [Glossary](https://northpole.security/glossary.md)
- [About](https://northpole.security/about.md)
- [Contact](https://northpole.security/contact.md)