Best of Security — October 2024

1
Article
DEV·2y
Dockerfile Best Practices: How to Create Efficient Containers
In the era of microservices and cloud computing, optimizing Dockerfiles is essential for building lightweight, fast, and secure containers. Key practices include using minimal base images like Alpine or Scratch, reducing layers by combining commands, optimizing layer caching, installing dependencies wisely, managing secrets carefully, using a '.dockerignore' file, employing multi-stage builds, avoiding running containers as the root user, scanning for vulnerabilities, and directing logs to standard output. Regular updates and using specific version pins also enhance security and reproducibility.
376
3
2
Article
Community Picks·2y
Better Auth
Supports popular frontend, backend, and meta frameworks like React, Vue, Svelte, and more. Provides secure email and password authentication, multiple OAuth providers for social sign-on, built-in two-factor authentication, and tools for managing user access. Extend functionality via official and community plugins.
302
8
3
Article
Community Picks·2y
Best Practices for Storing Access Tokens in the Browser
Web applications often use OAuth 2.0 for data security, which involves storing access tokens. This piece examines various browser storage solutions like local storage, session storage, and cookies, highlighting their vulnerabilities to XSS and CSRF attacks. The token handler pattern is recommended for enhancing security, suggesting encrypted tokens stored in secure cookies and managed by backend components.
159
5
4
Article
Community Picks·2y
10 projects I host on my Proxmox home lab
Self-hosted apps on Proxmox provide greater privacy and control over data. Proxmox supports various projects like Home Assistant, CasaOS, and ZoneMinder for home labs. Tools like Grafana, Pi-hole, and Pi.Alert enhance security and monitoring. The post lists ten projects, including Home Assistant, TrueNAS Scale, and Code Server, illustrating the versatility and utility of Proxmox for personal and advanced users.
106
4
5
Article
Lobsters·2y
Talos Linux
Talos Linux is a minimal, secure, and immutable operating system designed specifically for Kubernetes environments. It supports various platforms including cloud, bare metal, and virtualization. The system is managed entirely via an API, eliminating the need for SSH, shell, or console access. Talos Linux enhances security through mutual TLS authentication, immutable infrastructure, and adherence to best practices set by NIST and CIS. It also ensures predictability and evolvability by providing atomic updates and the latest stable versions of Kubernetes and Linux.
100
4
6
Article
Community Picks·2y
better-auth/better-auth: The most comprehensive authentication library for TypeScript
Better Auth is a comprehensive, framework-agnostic authentication and authorization library for TypeScript. It aims to reduce the need for extensive additional code by offering a rich set of features out of the box, while prioritizing best practices and type safety. Currently in beta, the project focuses on simplicity, consistency, and predictability across different platforms. It supports plugins for advanced functionalities like 2FA and multi-tenant support, and is licensed under the MIT License.
90
3
7
Article
ByteByteGo·2y
EP135: Big Data Pipeline Cheatsheet for AWS, Azure, and Google Cloud
The post covers a variety of topics crucial for engineering leaders, including big data pipelines for AWS, Azure, and Google Cloud. It provides a detailed cheatsheet for key services like data ingestion, storage, processing, and visualization on each platform. It also discusses API architectural styles and offers a concise guide for building secure APIs. Additionally, there's a resource on key data structures used daily and an advertisement for an enterprise conference and a mini crash course on advanced AI tools.
87
2
8
Article
Bytes by ui.dev·2y
Bloomberg's new TypeScript framework
Bloomberg has launched a new TypeScript framework called Stricli, designed for building complex CLIs with type safety and zero dependencies. Unlike other frameworks, it avoids additional dependencies and complexity. Arcjet provides native security for modern platforms like Bun, Next.js, Deno, and Node.js, by embedding security rules alongside the application’s code, making it easy to test and deploy. ViteConf is happening now, and various other updates include ESLint now supporting JSON/Markdown, Eleventy v3.0 release, and Tauri 2.0 updates.
86
3
9
Video
Fireship·2y
Silly Linux mistake exposes a terabyte of secret Pokémon data
Game Freak, the developer behind Pokémon, experienced a significant data breach exposing a terabyte of information. The leaked data includes employee details, Pokémon game source code, and information about the Nintendo Switch 2. The breach occurred due to a misconfigured GitLab server. The hacker, seemingly a fan, chose to withhold some spoilers. The leak also highlights Nintendo's aggressive actions against open-source Switch emulators. New details about unannounced games and project specs were revealed, making this an intriguing discovery for Pokémon fans.
77
8
10
Article
Cerbos·2y
What is Zero Trust Authorization?
Zero trust authorization (ZTA) is a modern approach to cybersecurity that challenges traditional perimeter-based defenses. It operates on three core principles: never trust, always verify; assume breach; and least privileged access. ZTA relies on strong authentication, micro-segmentation, continuous monitoring, and policy-based access controls to enhance security. While offering enhanced visibility, control, and compliance, implementing ZTA can be complex and requires careful planning. Integrating tools like Cerbos can help streamline this process for developers.
73
12
11
Article
Community Picks·2y
why client-side environment variables are a bad idea
Discusses the potential dangers and security risks associated with using client-side environment variables for storing sensitive information, illustrated through a specific case involving Gamersafer. Through detailed recounting of how AWS keys were exposed and the implications thereof, it underscores the importance of server-side API calls for handling sensitive data.
67
7
12
Article
Community Picks·2y
Introduction to Laravel API Development: Setup and Essentials
Dive into building high-performance APIs with Laravel, a powerful PHP framework. Learn how to set up a new Laravel project, optimize it for API development, and utilize tools like Laravel Breeze, Pest PHP, TablePlus, and PHPStan for streamlined workflow. The guide covers essential topics including data modeling, API design, authentication, rate limiting, versioning, pagination, security, and testing.
64
6
13
Article
evolvedev·2y
Quick Docker Security Tips for Developers
Enhance Docker security by using built-in networks to manage container communication and avoiding direct port exposure. Bind ports to `127.0.0.1` for improved security when running Docker on a VPS.
64
8
14
Article
Product Hunt·2y
Rabona Tunnel - Expose Your Localhost Securely
Rabona Tunnel allows developers to securely expose their localhost to the internet. It's a developer tool launched on October 7th, 2024. Ideal for tasks requiring remote access to local development environments.
61
5
15
Article
System Weakness·2y
JSON WEB TOKEN (JWT)
JSON Web Tokens (JWT) are a standard mechanism for transferring cryptographically signed JSON data, commonly used for access control, session handling, and authentication. Unlike traditional session tokens, JWTs store all necessary data client-side, making them ideal for distributed systems. JWTs consist of a payload, a signature, and a header. They are often used with JSON Web Signature (JWS) and JSON Web Encryption (JWE) extensions. JWT vulnerabilities include flawed signature verification, secret key brute-forcing, header parameter injections, and algorithm confusion attacks. To mitigate these risks, it's crucial to perform robust signature verification, use up-to-date libraries, and apply best practices such as setting token expiration dates and avoiding tokens in URL parameters.
52
16
Article
freeCodeCamp·2y
How to Use CDNs to Improve Performance in your Front-end Projects
Styling tools like CSS frameworks and icon libraries enhance the visual appeal of websites. These resources can be accessed via Content Delivery Networks (CDNs), which use distributed servers to deliver web content efficiently. CDNs offer improved website performance, better SEO, and enhanced user experience. There are three CDN hosting methods: remote, local, and hybrid. Each has its own advantages, such as easy global caching with remote CDNs or greater control with local hosting. The choice of method depends on project needs, user base, and security considerations.
50
17
Video
David Bombal·2y
Hacking ARP with Python and Kali Linux (and capture passwords)
The post covers how to hack a network using a Python script to perform ARP poisoning, utilizing Kali Linux and Cisco devices. This practical guide is part of a CCNA course, emphasizing the importance of network security and the need for encrypted protocols over clear text ones. ARP poisoning is demonstrated with a Windows computer and how to capture usernames and passwords. It stresses the importance of learning Python for real-world applications and offers an interactive approach to learning through Brilliant.org.
43
18
Article
Community Picks·2y
An Error-Proof Guide to Computer Security [Comic]
Human error often leads to computer security issues. Six key tips for enhancing digital security include using strong passwords, avoiding password reuse, utilizing a password manager, verifying URLs to prevent phishing, securing physical access to devices, and enabling 2 Factor Authentication. Implementing these simple yet effective strategies can significantly increase your overall security online.
40
3
19
Article
Cerbos·2y
What is access control?
Access control is a crucial aspect of securing modern applications, acting as a gatekeeper for who can access what. It consists of authentication, authorization, and auditing mechanisms to ensure data integrity and user privacy. Challenges include managing permissions at scale and balancing security with user experience. There are multiple approaches like RBAC and ABAC, and selecting the right technology involves considering scalability, developer experience, and compliance needs.
39
9
20
Video
Fireship·2y
Rookie Firebase mistake nearly destroys Arc browser
Arc browser recently faced a serious vulnerability due to misconfigured Firebase security rules. A hacker could have executed CSS and JavaScript on any website via the browser, potentially causing significant harm without the user visiting a malicious site. The issue has been patched swiftly after being reported by a security researcher. The problem was traced back to improperly managed Firestore rules which allowed user IDs to be changed, leading to potential security breaches.
37
4
21
Article
Unzip·2y
🛡️Auth as a Service
Auth as a Service (AaaS) simplifies the implementation of authentication by allowing developers to add some wrapper code and manage setups via environment variables and redirect URLs. It offers features like passwordless logins, user management, and billing integration. While AaaS can accelerate time to market and aid in compliance, concerns about pricing and vendor lock-in are significant. Various providers, such as Auth0, Stytch, and Firebase, compete in this space, each offering unique capabilities and user experiences.
35
22
Article
InfoSec Write-ups·2y
JWT Authentication Bypass leads to Admin Control Panel
A simple JWT vulnerability allowed access to an admin panel on a well-known site. Although JWTs should be signed by a server for security, this example highlights how a minor mistake in implementation can lead to significant security breaches. The author used Burp Suite to identify and exploit the flaw, demonstrating how changes to JWT parameters can bypass authentication if the server's validation is flawed.
34
1
23
Article
Cerbos·2y
What is authorization? Examples and definitions
Authorization is a fundamental component of secure systems that controls access to resources based on rules, contextual details, and checks. Various paradigms like Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), Discretionary Access Control (DAC), Mandatory Access Control (MAC), and Relationship-Based Access Control (ReBAC) offer different approaches to managing permissions. Key practices include adhering to the principle of least privilege, conducting regular audits, ensuring scalability, balancing flexibility and security, and monitoring performance. Effective authorization balances ease of use with security, protecting sensitive information while remaining user-friendly.
34
7
24
Video
Low Level Learning·2y
Is Open Source Safer?
Open source software, such as firmware like DD-WRT and OpenWRT, is considered safer from a security perspective because it is widely audited by the community. This widespread scrutiny makes it difficult to introduce vulnerabilities or backdoors. In contrast, proprietary router firmware often prioritizes meeting deadlines and economic constraints, which can compromise security.
32
3
25
Article
ITNEXT·2y
Fuzz Testing Go HTTP Services
Fuzz testing, or fuzzing, is an automated software testing technique used to find bugs, crashes, and security vulnerabilities by inputting large amounts of random data into a program. It is now integrated into Go’s standard library as of Go 1.18, making it part of the regular testing package. Fuzz testing can reveal bugs that traditional testing might miss and is a recommended practice for improving the robustness of code, including HTTP services. The post provides step-by-step instructions for creating fuzz tests in Go, including an example for fuzzing HTTP handlers using Go's `httptest` package.
30
1

See all Security archives