Best of Security โ September 2024
- 1
- 2
LogRocketยท2y
Understanding JWT, OAuth, and Bearer tokens
In the digital world, authentication and authorization are essential for secure access to online services. JWTs (JSON Web Tokens), OAuth, and Bearer tokens play crucial roles in ensuring security. JWTs are tamper-proof tokens composed of three parts: header, payload, and signature, used for securely transmitting information. OAuth typically utilizes JWTs to transport user information securely. Bearer tokens, included in HTTP headers, authenticate users for accessing protected resources. Understanding these concepts helps improve web security.
- 3
Community Picksยท2y
All Proton Drive apps are now open source
Proton has announced that all Proton Drive apps, including desktop versions, are now fully open source. This move highlights Proton's commitment to privacy and transparency, allowing the community and security experts to inspect and verify the apps' security. Open-source code helps in identifying potential vulnerabilities and strengthens user trust. Proton also supports various open-source projects and encourages community involvement through initiatives like their Bug Bounty Program.
- 4
The New Stackยท2y
Learning Linux? Start Here
Learning Linux has never been easier, thanks to numerous resources and user-friendly distributions. The key areas to focus on include mastering the command line, learning access control methods, managing hardware and services, selecting and deploying a distribution, system maintenance, and configuring networking. Hands-on experience with virtual machines and using tools like Vim, Nano, systemctl, and ssh is essential. Efficient user and permission management, along with understanding package managers and firewalls, are crucial skills for Linux administration. Start with a structured learning plan to become proficient in this versatile operating system.
- 5
DEVยท2y
GitHub Foundations certification is free! ๐๐ฅ๐ฒ
GitHub Foundations certification exam is now free for verified students on GitHub Education. Previously costing $99, this offer requires students to register with a school-issued email and enable two-factor authentication on their GitHub account. The exam covers GitHub basics, including repositories, commits, and project management. Upon passing, students receive a Credly badge as digital proof of their achievements.
- 6
JWT authentication: Best practices and when to use it
JWTs are a widely used method for secure data transmission between parties. Although beneficial for API authentication and inter-service communication, JWTs pose challenges, especially in sessions due to token invalidation and storage issues. For secure use, store JWTs in HttpOnly cookies and utilize HTTPS. Consider alternatives for session management to address the limitations and potential security risks associated with JWTs.
- 7
David Heinemeier Hanssonยท2y
Passwords have problems, but passkeys have more
Implementing passkeys can be extremely complex and their user experience is often subpar. Even in ideal conditions with synced devices, they can pose challenges, especially if access is needed from a non-primary device. While passwords have their issues, such as potential breaches if reused across services, passkeys aren't necessarily a better solution. Using email as a second factor on the first login from a new device is a viable alternative. The author concludes that the complexity and challenges of passkeys don't justify their use over traditional passwords and email-based 2FA solutions.
- 8
Understanding the Linux Filesystem: An In-Depth Guide for DevOps Engineers
The Linux filesystem is a hierarchical and unified structure crucial for organizing data on a storage device, treating everything as a file. Essential for DevOps engineers, it includes various filesystem types like Ext4, XFS, and Btrfs, each suited for different use cases. Key concepts include inodes, file permissions, and mounting/unmounting filesystems. Practical management tips include monitoring disk usage, cleaning log files, and performing regular backups.
- 9
Fireshipยท2yThe Internet's most broken protocol
The Border Gateway Protocol (BGP), a critical component of the Internet, has been at fault for several major outages and security breaches, as it was designed without stringent modern security measures. To mitigate these issues, a new solution involving the Resource Public Key Infrastructure (RPKI) is being implemented to cryptographically sign route announcements, though adoption is varied globally.
- 10
Hacker Newsยท2y
Container Desktop
Container Desktop provides a consistent UI across Windows, Mac, and Linux, facilitating learning and managing container environments with tools like podman. It supports multiple engines, including Linux native, LIMA for MacOS, and WSL for Windows. Users can manage containers, images, networks, pods, machines, secrets, and volumes efficiently, with a focus on security and ease of use.
- 11
Semaphoreยท2y
API Security Best Practices: Protecting Your Data in Transit
APIs are essential for modern web development, making them prime targets for cyberattacks. Securing APIs involves best practices such as encrypting communication via HTTPS, authenticating endpoints, using API gateways, enforcing fine-grained access control, and implementing rate limiting. Regular audits, penetration tests, and the use of security tools like linters, SCA, and SAST tools are also crucial. Following established security standards, such as those from OWASP, can further fortify API security.
- 12
How to Create a Secure Newsletter Subscription with NextJS, Supabase, Nodemailer and Arcjet ๐๐ฏ
Learn how to build a secure newsletter subscription form using NextJS, Supabase, Nodemailer, and Arcjet. This guide addresses common challenges like spam sign-ups, email validation, and bot protection, integrating robust security measures and validation techniques for a seamless double opt-in process.
- 13
GitGuardianยท2y
How to Handle Secrets in Go
Learn how to handle secrets in Golang, exploring various methods like reading from ENV files, using secret managers, and leveraging platform-managed identities. The most secure approach is to synchronize secrets from the secret manager to the runtime environment, enabling seamless integration without altering the app's code. Avoid token-based methods and reading directly from ENV files for better security in cloud-native applications.
- 14
freeCodeCampยท2y
How to Implement API Rate Limiting in Strapi CMS
This post provides a comprehensive guide to implementing API rate limiting in a Strapi CMS application. It covers setting up a Strapi project, adding rate limiting using koa2-rate-limit and express-rate-limit, and configuring middleware to ensure API security. Practical code examples and detailed steps are included to help developers restrict access and prevent DDoS attacks.
- 15
Dreams of Codeยท2y
Setting up a production ready VPS is a lot easier than I thought.
Deploying applications to the cloud has become much easier with numerous platforms as a service, but VPS offers more consistent billing and better suitability for long-running tasks. The author shares their experience and challenges in setting up a production-ready VPS, including configuring DNS, enhancing security, setting up automated deployments, and using traffic for load balancing and TLS certificates. Tools like Watchtower and traffic simplify these tasks, making it easier to attain a reliable and secure production environment.
- 16
jaywcjlove/DevHub: A feature-rich offline application, is meticulously crafted to support developers in their daily tasks while ensuring the utmost security of their data
DevHub is an offline application designed to support developers with a wide array of tools while ensuring top-notch data security. It includes a diverse set of utilities such as SSL Manager, Image Watermark, Password Generator, JSON Formatter, and many more. The app integrates with other applications through URL Scheme and aims to release weekly updates to continually enhance its functionality.
- 17
syncthing/syncthing: Open Source Continuous File Synchronization
Syncthing is an open source continuous file synchronization program designed to be safe, secure, easy to use, automatic, and universally available on common computers. It empowers individual users with secure, easy file synchronization and offers built-in automatic upgrade mechanisms. The software can be run in various environments, including Docker, and features several GUI implementations for major operating systems.
- 18
System Weaknessยท2y
Naabu port scanner
Naabu is a fast port scanner written in Go, designed to be reliable and simple to use, especially useful in conjunction with other tools for attack surface discovery in bug bounties and pentests. It can be installed from its GitHub page and comes with various switches similar to Nmap for different functionalities like live host scanning, defining ports, threading, and rate limiting. It's particularly efficient for scanning multiple targets compared to Nmap.
- 19
What is Rate Limiting? Exploring the Role of Rate Limiting in Protecting Web APIs from Attacks
Rate limiting is a crucial technique used in safeguarding APIs from malicious activities like DDoS attacks, brute-force attacks, and unauthorized web scraping. It regulates the frequency of client requests to a server, enhancing security and efficiency. Various algorithms like Fixed Window, Sliding Window, Leaking Bucket, and Token Bucket are used to implement rate limiting. Best practices include choosing the right algorithm, setting reasonable limits, handling errors efficiently, and ensuring proper logging and monitoring.
- 20
asayerยท2y
Implementing rate limiting to protect APIs from abuse
Rate limiting is essential for managing API resources and protecting systems from abuse, such as DDoS and brute force attacks. The core strategies include IP-based, server-based, and geography-based limits. Various algorithms like Fixed Window, Sliding Window, Token Bucket, and Leaky Bucket are used to implement these limits. Cloud services and external tools provide functionalities to aid in implementing rate limiting. Choosing the right strategy based on traffic patterns and infrastructure is crucial for optimal performance.
- 21
An0n Aliยท2y
How to Use AI for OSINT?
Learn how to leverage AI for Open Source Intelligence (OSINT) by automating data scraping from social media profiles and using tools like ChatGPT and Lenso.ai for advanced search and analysis. This guide discusses how AI can help in tasks such as personality analysis, behavior assessment, and even facial recognition from old photos. It also highlights potential misuse and ethical concerns related to AI in OSINT.
- 22
Product Huntยท2y
Uploadcare File Uploader - Take a shortcut to scalable and secure file uploads
Uploadcare File Uploader is a tool designed for scalable and secure file uploads, popular among developers. It was first launched on February 11th, 2015, and has a 5-star rating from 4 users. Featured in Developer Tools and Tech, it offers a reliable solution for handling file uploads.
- 23
Auth.js adoption guide: Overview, examples, and alternatives
Auth.js simplifies the implementation of user authentication in web applications, supporting various strategies like OAuth and SSO. Originally called NextAuth, it was redesigned to work not just with Next.js but various JavaScript frameworks. With built-in support for numerous databases, Auth.js handles essential functionalities such as user registration, login, and session management. Despite its learning curve and some criticisms, it remains a comprehensive solution for secure authentication. The guide provides a step-by-step tutorial to set up Auth.js in a Next.js project and demonstrates its customization capabilities.
- 24
Dockerยท2y
10 Docker Myths Debunked
Containers have roots dating back to the 1970s with Unix systems, but Docker brought them into the mainstream in 2013. Despite its widespread use, several myths persist about Docker. This post clarifies misconceptions such as Docker's open-source status, differences from virtual machines, various Docker products, security measures, and its broad applicability beyond just microservices. Docker remains a leading tool in container technology, supported by extensive learning resources and a commitment to open standards.
- 25
It's Fossยท2y
What is Hugging Face?
Hugging Face is a platform where users can upload, download, and find over 900,000 pre-trained AI models. Initially started as a chatbot project in 2016, it evolved into a central hub for AI models, valued at $4.5 billion by 2023. The platform simplifies collaboration in machine learning projects, offering features like model hosting and an inference API for demos. Despite its benefits, including supporting startups with flexible pricing plans, Hugging Face has faced security concerns over malicious AI models. The company has implemented malware scanners to address these issues.