In this post, I dissect a common misconception about the SameSite cookie attribute and I explore its potential impact on Web security. TL;DR ¶ The SameSite cookie attribute is not well understood. Conflating site and origin is a common but harmful mistake. The concept of site is more difficult to apprehend than meets the eye. Some requests are cross-origin but same-site. SameSite only has effects on cross-site requests. SameSite paints a target on your subdomains’ back. Misguided practitioners may unduly eschew SameSite=Strict. The advent of SameSite ¶ You undoubtedly have heard of the SameSite cookie attribute. It made headlines when, in February 2020, Chrome started rolling out changes to SameSite’s default behaviour. Intended as a defence-in-depth mechanism against cross-site attacks, such as cross-site request forgery (CSRF) and cross-site script inclusion (XSSI), SameSite had been lying dormant at the heart of implementing browsers since its inception in 2016.

If that’s the case, there’s a decent chance that your API is secured somehow. Maybe you’re making authentication and authorization happen with JSON Web Tokens. If so, there’s also a decent chance…

The Internet is a dangerous place in the best of times. Sometimes Internet engineers find ways to mitigate the worst of these threats, and sometimes they fail. Every now and then, however, a major …

WordPress security checklist with the latest and updated methods to secure a WordPress site from a variety of security vulnerabilities.

On July 31st, Canada's COVID Alert app was made available for general use, though it does not have support for actually reporting a diagnosis in most provinces, yet. In Quebec, we can run the tracing

Having a basic understanding of these terms can go a long way when writing code.

UPDATE (10/28/2019): We've revised the 2nd and 3rd bullet points in the section "How to Prepare; Known Complexities" below. In May, Chrome ...

A little while back I wrote a blog post about how "CSRF is dead". It focused on SameSite cookies, a powerful yet simple feature to protect your website against CSRF attacks. As powerful as it was, and as much as it will kill CSRF, you had to enable it on your site, and that was the problem. Now, we're solving that problem. -------------------------------------------------------------------------------- SameSite Cookies To understand the problem of CSRF and the solution that SameSite Cookie

(or for any other name) The web is moving to HTTPS, preventing network attackers from observing or injecting page contents. But HTTPS needs TLS certificates, and while deployment is increasingly a solved issue thanks to the ACME protocol and Let's Encrypt, development still mostly ends up happening over HTTP because no one can get an universally valid certificate for localhost [https://letsencrypt.org/docs/certificates-for-localhost/]. This is a problem because more and more browser features

Google Cloud Armor is a network security service that provides defenses against DDoS and application attacks, and offers a rich set of WAF rules.

We’re pleased to announce that ACMEv2 and wildcard certificate support is live! With today’s new features we’re continuing to break down barriers for HTTPS adoption across the Web by making it even easier for every website to get and manage certificates. ACMEv2 is an updated version of our ACME protocol which has gone through the IETF standards process, taking into account feedback from industry experts and other organizations that might want to use the ACME protocol for certificate issuance an...

Paseto (Platform-Agnostic Security Tokens) is everything JWT should be, but isn't (namely, secure)

Everything a developer needs to know to build secure software in the PHP programming language in the year 2018

It's finally time: it's time the pendulum swings further towards the "secure by default" end of the scale than what it ever has before. At least insofar as securing web traffic goes because as of this week's Chrome 62's launch, any website with an input box is now doing this when served over an insecure connection: It's not doing it immediately for everyone [https://textslashplain.com/2017/10/18/chrome-field-trials/], but don't worry, it's coming very soon even if it hasn't yet arrived for yo

I was wondering recently after poring through yet another data breach how many people actually use multi-step verification. I mean here we have a construct where even if the attacker has the victim's credentials, they're rendered useless once challenged for the authenticator code or SMS which is subsequently set. I went out looking for figures and found the following on Dropbox: > "less than 1% of the Dropbox user base is taking advantage of the company’s two-factor authentication feature": htt

Still using MD5 or SHA-1 to store user passwords and want to gracefully migrate to e.g. bcrypt? Want to do it properly to protect all passwords in the database? Here's how.

A deep dive into the security engineering decisions that went into CMS Airship. A lot of the decisions we made are subtle.