magnASCII.io Simone Magnaschi
Senior Full Stack Web Dev
Bookmarks tagged with #security.

The great SameSite confusion

In this post, I dissect a common misconception about the SameSite cookie attribute and I explore its potential impact on Web security. You undoubtedly have heard of the SameSite cookie attribute.
Saved on: 2021-02-05

React Authentication: How to Store JWT in a Cookie | by Ryan Chenkie | Medi

If that’s the case, there’s a decent chance that your API is secured somehow. Maybe you’re making authentication and authorization happen with JSON Web Tokens. If so, there’s also a decent chance you’re keeping your JWTs in local storage.
Saved on: 2021-01-22

Ok Google: please publish your DKIM secret keys – A Few Thoughts on Cryptog

The Internet is a dangerous place in the best of times. Sometimes Internet engineers find ways to mitigate the worst of these threats, and sometimes they fail. Every now and then, however, a major Internet company finds a solution that actually makes the situation worse for just about everyone.
Tags: #security
Saved on: 2020-11-17

The Ultimate WordPress Security Checklist

Saved on: 2020-09-10

How I helped fix Canadaʼs COVID Alert app

On July 31st, Canada's COVID Alert app was made available for general use, though it does not have support for actually reporting a diagnosis in most provinces, yet.
Tags: #security
Saved on: 2020-08-25

Should I encrypt, hash or encode?

I’m not a security expert, but as a software engineer I feel like it’s part of my job to do everything in my power to protect our customer’s data.
Tags: #security
Saved on: 2020-02-09

Developers: Get Ready for New SameSite=None; Secure Cookie Settings

When a resource on a web page accesses a cookie that matches the site the user is visiting, this is same-site or “first party” context.
Saved on: 2019-10-24

CSRF is (really) dead

A little while back I wrote a blog post about how "CSRF is dead". It focused on SameSite cookies, a powerful yet simple feature to protect your website against CSRF attacks. As powerful as it was, and as much as it will kill CSRF, you had to enable it on your site, and that was the problem.
Tags: #security
Saved on: 2019-09-07

mkcert: valid HTTPS certificates for localhost

The web is moving to HTTPS, preventing network attackers from observing or injecting page contents.
Saved on: 2019-01-07

I don't understand what's wrong with just using cookies for authentication.

I'm writing an app-server and there is an option to just use secure cookies for authentication. Here's how it seems to work: You define a 32-byte secret key on the server. When the user logs in, you check the database to see if the bcrypt hashes match, and if so, you call request.
Saved on: 2018-10-21

How to manage any kind of secret with AWS Secrets Manager

AWS Secrets Manager is a service recently released designed to make the management of secrets easier. It provides built-in support for Amazon RDS, making it very easy to set and rotate secrets and use the CLI or an SDK to retrieve secrets from applications.
Tags: #aws #security
Saved on: 2018-07-08

Cloud Armor - Denial of Service Defense | Google Cloud

Cloud Armor benefits from our experience of protecting key internet properties such as Google Search, Gmail, and YouTube. It provides built-in defenses against L3 and L4 DDoS attacks.
Saved on: 2018-03-22

ACME v2 and Wildcard Certificate Support is Live - Issuance Policy - Let's

We’re pleased to announce that ACMEv2 and wildcard certificate support is live! With today’s new features we’re continuing to break down barriers for HTTPS adoption across the Web by making it even easier for every website to get and manage certificates.
Tags: #security
Saved on: 2018-03-14

Paseto is a Secure Alternative to the JOSE Standards (JWT, etc.) - Paragon

This is a follow-up to our 2017 blog post that made the case for avoiding JSON Web Tokens (JWT) and its related standards. Many developers responded to our post with the same question: "What should we use instead of JWT?" Today, I'm happy to announce a viable replacement.
Saved on: 2018-03-05

The 2018 Guide to Building Secure PHP Software

As the year 2018 approaches, technologists in general—and web developers in particular—must discard many of their old practices and beliefs about developing secure PHP applications. This is especially true for anyone who does not believe such a feat is even possible.
Tags: #php #security
Saved on: 2017-12-16

Troy Hunt: The 6-Step "Happy Path" to HTTPS

It's finally time: it's time the pendulum swings further towards the "secure by default" end of the scale than what it ever has before.
Saved on: 2017-10-19

Face ID, Touch ID, No ID, PINs and Pragmatic Security

I was wondering recently after poring through yet another data breach how many people actually use multi-step verification.
Saved on: 2017-09-14

Upgrading existing password hashes

Still using MD5 or SHA-1 to store user passwords and want to gracefully migrate to e.g. bcrypt? Want to do it properly to protect all passwords in the database? Here's how. One of the biggest e-commerce sites in the Czech Republic, Mall.cz, has suffered a breach.
Saved on: 2017-09-06

Everything you need to know about HTTP security headers

Some physicists 28 years ago needed a way to easily share experimental data and thus the web was born. This was generally considered to be a good move.
Saved on: 2017-05-16

How We Engineered CMS Airship to be Simply Secure

CMS Airship is a Free Software content management system (available on Github) that we introduced to the world last year.
Tags: #php #security
Saved on: 2017-03-20

Encrypt Everything in 2017 - Tozny

As part of an ongoing series, we’re helping to explain the various steps to encrypt and protect your most valuable data. Follow along each week for practical privacy how-tos.
Saved on: 2017-01-30
2024