magnASCII.io Simone Magnaschi
Senior Full Stack Web Dev
Bookmarks tagged with #security.

The great SameSite confusion

In this post, I dissect a common misconception about the SameSite cookie attribute and I explore its potential impact on Web security.

TL;DR

The SameSite cookie attribute is not well understood. Conflating site and origin is a common but harmful mistake. The concept of site is more difficult to apprehend than meets the eye. Some requests are cross-origin but same-site. SameSite only has effects on cross-site requests. SameSite paints a target on your subdomains’ back. Misguided practitioners may unduly eschew SameSite=Strict.

The advent of SameSite

You undoubtedly have heard of the SameSite cookie attribute. It made headlines when, in February 2020, Chrome started rolling out changes to SameSite’s default behaviour. Intended as a defence-in-depth mechanism against cross-site attacks, such as cross-site request forgery (CSRF) and cross-site script inclusion (XSSI), SameSite had been lying dormant at the heart of implementing browsers since its inception in 2016.
Saved on: 2021-02-05

React Authentication: How to Store JWT in a Cookie | by Ryan Chenkie | Medi

If that’s the case, there’s a decent chance that your API is secured somehow. Maybe you’re making authentication and authorization happen with JSON Web Tokens. If so, there’s also a decent chance…
Saved on: 2021-01-22

Ok Google: please publish your DKIM secret keys – A Few Thoughts on Cryptog

The Internet is a dangerous place in the best of times. Sometimes Internet engineers find ways to mitigate the worst of these threats, and sometimes they fail. Every now and then, however, a major …
Tags: #security
Saved on: 2020-11-17

The Ultimate WordPress Security Checklist

WordPress security checklist with the latest and updated methods to secure a WordPress site from a variety of security vulnerabilities.
Saved on: 2020-09-10

How I helped fix Canada's COVID Alert app

On July 31st, Canada's COVID Alert app was made available for general use, though it does not have support for actually reporting a diagnosis in most provinces, yet. In Quebec, we can run the tracing
Tags: #security
Saved on: 2020-08-25

Should I encrypt, hash or encode?

Having a basic understanding of these terms can go a long way when writing code.
Tags: #security
Saved on: 2020-02-09

Developers: Get Ready for New SameSite=None; Secure Cookie Settings

UPDATE (10/28/2019): We've revised the 2nd and 3rd bullet points in the section "How to Prepare; Known Complexities" below. In May, Chrome ...
Saved on: 2019-10-24

CSRF is (really) dead

A little while back I wrote a blog post about how "CSRF is dead". It focused on SameSite cookies, a powerful yet simple feature to protect your website against CSRF attacks. As powerful as it was, and as much as it will kill CSRF, you had to enable it on your site, and that was the problem. Now, we're solving that problem.

SameSite Cookies

To understand the problem of CSRF and the solution that SameSite Cookie
Tags: #security
Saved on: 2019-09-07

mkcert: valid HTTPS certificates for localhost

(or for any other name) The web is moving to HTTPS, preventing network attackers from observing or injecting page contents. But HTTPS needs TLS certificates, and while deployment is increasingly a solved issue thanks to the ACME protocol and Let's Encrypt, development still mostly ends up happening over HTTP because no one can get a universally valid certificate for localhost [https://letsencrypt.org/docs/certificates-for-localhost/]. This is a problem because more and more browser features
Saved on: 2019-01-07

Cloud Armor - Denial of Service Defense | Google Cloud

Google Cloud Armor is a network security service that provides defenses against DDoS and application attacks, and offers a rich set of WAF rules.
Saved on: 2018-03-22

ACME v2 and Wildcard Certificate Support is Live - Issuance Policy - Let's

We’re pleased to announce that ACMEv2 and wildcard certificate support is live! With today’s new features we’re continuing to break down barriers for HTTPS adoption across the Web by making it even easier for every website to get and manage certificates. ACMEv2 is an updated version of our ACME protocol which has gone through the IETF standards process, taking into account feedback from industry experts and other organizations that might want to use the ACME protocol for certificate issuance an...
Tags: #security
Saved on: 2018-03-14

Paseto is a Secure Alternative to the JOSE Standards (JWT, etc.) - Paragon

Paseto (Platform-Agnostic Security Tokens) is everything JWT should be, but isn't (namely, secure)
Saved on: 2018-03-05

The 2018 Guide to Building Secure PHP Software - Paragon Initiative Enterprises Blog

Everything a developer needs to know to build secure software in the PHP programming language in the year 2018
Tags: #php #security
Saved on: 2017-12-16

Troy Hunt: The 6-Step "Happy Path" to HTTPS

It's finally time: it's time the pendulum swings further towards the "secure by default" end of the scale than what it ever has before. At least insofar as securing web traffic goes because as of this week's Chrome 62's launch, any website with an input box is now doing this when served over an insecure connection: It's not doing it immediately for everyone [https://textslashplain.com/2017/10/18/chrome-field-trials/], but don't worry, it's coming very soon even if it hasn't yet arrived for yo
Saved on: 2017-10-19

Face ID, Touch ID, No ID, PINs and Pragmatic Security

I was wondering recently after poring through yet another data breach how many people actually use multi-step verification. I mean here we have a construct where even if the attacker has the victim's credentials, they're rendered useless once challenged for the authenticator code or SMS which is subsequently sent. I went out looking for figures and found the following on Dropbox: > "less than 1% of the Dropbox user base is taking advantage of the company’s two-factor authentication feature": htt
Saved on: 2017-09-14

Upgrading existing password hashes

Still using MD5 or SHA-1 to store user passwords and want to gracefully migrate to e.g. bcrypt? Want to do it properly to protect all passwords in the database? Here's how.
Saved on: 2017-09-06

How We Engineered CMS Airship to be Simply Secure - Paragon Initiative Enterprises Blog

A deep dive into the security engineering decisions that went into CMS Airship. A lot of the decisions we made are subtle.
Tags: #php #security
Saved on: 2017-03-20