Best of Security2025

  1. 1
    Article
    Avatar of dotnetsquad.NET·1y

    Do you store the JWT in localStorage, sessionStorage, Cookies? then this post is for you

    Storing JWTs in vulnerable client-side storage (like localStorage, sessionStorage, or cookies) can expose applications to significant security risks. Alternatives include using in-memory storage and implementing a refresh token mechanism. This allows users to maintain their sessions without re-authenticating upon page reloads while mitigating potential attacks. Setting cookies with httpOnly, Secure, and SameSite flags is crucial for security. A short-lived JWT with periodic refreshing enhances protection.

  2. 2
    Article
    Avatar of medium_jsMedium·40w

    Authentication Explained: When to Use Basic, Bearer, OAuth2, JWT & SSO

    Authorization controls what users can do after authentication through three main models: RBAC assigns permissions to roles, ABAC uses attributes and context for fine-grained control, and ACL attaches permissions to individual resources. Real applications like GitHub and Stripe often combine these models. OAuth2 enables delegated authorization without sharing credentials, while JWTs and bearer tokens carry user identity and permissions across systems. The key is choosing the right combination of models and mechanisms based on your application's complexity and security requirements.

  3. 3
    Article
    Avatar of itsfossIt's Foss·1y

    I Feel Like a Hacker Using These Cool Linux Terminal Tools

    Explore a list of entertaining Linux terminal tools that can make you feel like a hacker. Tools like genact, Cmatrix, Hollywood, TEXTREME, No More Secrets, Cool Retro Term, gping, and Bpytop are covered with instructions for installation and use. These tools mimic various effects and animations often seen in movies, creating an impressive display for anyone watching you work on your terminal.

  4. 4
    Article
    Avatar of gitguardianGitGuardian·1y

    Authentication and Authorization Best Practices

    Authentication verifies the identity of a user making an API request, while authorization determines if the user has permission to access a specific API. Various methods such as basic auth, API keys, JWT, and OAuth have their use cases and best practices. These include using HTTPS, secure storage, least privilege principle, and regular security audits. Common mistakes to avoid involve using HTTP, storing API keys in code, and ignoring input validation.

  5. 5
    Article
    Avatar of thedevcraftThe Dev Craft·52w

    I built this Chrome Extension, roast me.

    Introducing Entropy, a Chrome extension designed to automatically hide secrets and personally identifiable information (PII) from your screen during screen sharing. This feature addresses security concerns around information leaks. The creator welcomes feedback and ideas for improvement.

  6. 6
    Article
    Avatar of hnHacker News·42w

    Read That F*cking Code!

    AI coding tools like Claude Code enable developers to generate working code without reading it, but this practice leads to three critical issues: architectural decay, loss of domain knowledge, and security vulnerabilities. The author advocates for two responsible approaches: fast prototyping with post-session review for peripheral features, and synchronous pair-coding for core functionality. A comprehensive checklist covers architecture consistency, security scoping, meaningful tests, documentation, error handling, and performance considerations.

  7. 7
    Article
    Avatar of troyhuntTroy Hunt·1y

    Have I Been Pwned 2.0 is Now Live!

    The revamped Have I Been Pwned website has been launched, introducing new features, improved search functionality, and a dedicated breach page with targeted advice. Email verification is enhanced, domain search is refined, and a new central dashboard consolidates user features. The site maintains the same API while adopting modern web technologies for better performance. A merch store is also available as part of the new offerings.

  8. 8
    Article
    Avatar of collectionsCollections·25w

    Critical Vulnerability in React Server Components: Immediate Action Required

    React2Shell (CVE-2025-55182) is a critical remote code execution vulnerability with a CVSS score of 10.0, affecting React 19.0-19.2.0 and Next.js 15.x-16.x. The flaw stems from unsafe deserialization in React's Flight protocol, allowing unauthenticated attackers to execute arbitrary code through crafted HTTP requests. State-sponsored groups and cybercriminals are actively exploiting it to deploy cryptocurrency miners and backdoors. Organizations must upgrade to patched versions (React 19.0.1+, Next.js 15.0.5+) immediately, as the vulnerability impacts 39% of cloud environments and 6% of all websites. WAF rules and endpoint restrictions provide temporary mitigation.

  9. 9
    Article
    Avatar of freecodecampfreeCodeCamp·1y

    How to Harden Your Node.js APIs – Security Best Practices

    Learn how to enhance the security of your Node.js APIs with practical tips focusing on using environment variables, input validation, rate limiting, enforcing HTTPS, securing HTTP headers with Helmet, data sanitization, and strong authentication and authorization methods. These measures aim to protect against SQL injection, brute force attacks, and data leaks, among other threats.

  10. 10
    Article
    Avatar of bytebytegoByteByteGo·1y

    EP156: Software Architect Knowledge Map

    Becoming a Software Architect involves mastering programming languages, gaining proficiency in essential tools, understanding key design and architectural principles, and acquiring knowledge in platforms, data analytics, networking, and security. Supporting skills such as decision-making, communication, and leadership are also crucial for a well-rounded skill set.

  11. 11
    Article
    Avatar of infosecwriteupsInfoSec Write-ups·1y

    5 Tools I Wish I Knew When I Started Hacking

    Starting in hacking and cybersecurity can be overwhelming due to the vast array of tools available. This post introduces five essential tools for beginners: Burp Suite for web application testing, Nmap for network scanning, Amass for subdomain enumeration, CyberChef for data encoding/decoding, and Gobuster for directory enumeration. Learning to use these tools can significantly streamline tasks and enhance your penetration testing capabilities. Bonus tips include focusing on one tool at a time, staying updated with new features, and monitoring GitHub repositories.

  12. 12
    Video
    Avatar of bytegradByteGrad·1y

    Next.js 15 Authentication COMPLETE Guide (+ Best Practices, Pitfalls)

    This post provides a comprehensive guide on implementing authentication in Next.js 15, emphasizing server-side security, proper use of cookies and tokens, and the importance of roles and permissions. It highlights best practices and pitfalls to avoid when using server components and middleware to protect routes and actions. Additionally, it underscores the benefits of using third-party services for authentication to avoid errors and save development time.

  13. 13
    Article
    Avatar of devtoolsDev Tools·1y

    She Shared Her Screen… and Her AWS Secret (Yes, she's a FANG)

    A senior engineer accidentally exposed her AWS credentials during a Zoom meeting, highlighting the risks of screen sharing without adequate safeguards. The post discusses the widespread issue of accidentally sharing sensitive information and introduces Entropy, a Chrome extension that detects and redacts secrets and PII in real-time. Entropy aims to prevent such leaks by securing data during screen sharing and is customizable for different security needs.

  14. 14
    Article
    Avatar of lonely_programmerLonely Programmer·50w

    You have no power here

  15. 15
    Article
    Avatar of webcraftWebCraft·1y

    The Backend-for-Frontend (BFF) Pattern: Secure Auth Done Right

    The Backend-for-Frontend (BFF) pattern addresses security risks in web applications by storing JWTs server-side in Redis, eliminating exposure to XSS attacks and enhancing session management. This pattern is particularly suited to SPAs and mobile apps, offering improved scalability and user experience with silent token refreshes and instant logouts.

  16. 16
    Article
    Avatar of hnHacker News·32w

    How I Almost Got Hacked By A 'Job Interview'

    A developer shares a close call with a sophisticated phishing attack disguised as a legitimate job interview. The scam involved a fake LinkedIn profile from a real company, a coding challenge containing obfuscated malware designed to steal crypto wallets and credentials, and professional social engineering tactics. The attack was discovered by using an AI assistant to scan the codebase for suspicious patterns before execution. The malware was embedded in server-side code with full Node.js privileges and connected to a remote payload that disappeared within 24 hours.

  17. 17
    Article
    Avatar of communityCommunity Picks·1y

    7 Crucial PostgreSQL Best Practices

    PostgreSQL is a powerful relational database management system. To ensure optimal performance, security, and maintainability, follow best practices such as consistent naming conventions, appropriate schema design, efficient indexing and querying, proper access control, comprehensive backup strategies, routine maintenance and monitoring, effective database version control, and high availability configurations. Regularly review and update these practices, document deviations, and stay informed about PostgreSQL updates to build a robust database infrastructure.

  18. 18
    Article
    Avatar of collectionsCollections·1y

    Wiz Research Uncovers Exposed DeepSeek Database Leaking Sensitive Information

    Chinese AI startup DeepSeek faced criticism after a major data breach exposed over one million records due to an unsecured ClickHouse database. The breach, discovered by Wiz, revealed sensitive information like user chat histories and API keys. The incident has raised significant global and regulatory concerns about the privacy policies and security measures of AI startups, especially with potential state access in China. The exposure highlighted the critical need for robust cybersecurity practices as AI adoption grows.

  19. 19
    Article
    Avatar of bytebytegoByteByteGo·1y

    EP161: A Cheatsheet on REST API Design Best Practices

    REST API design involves best practices such as using resource-oriented paths, applying HTTP verbs properly, maintaining API versioning, and utilizing standard error codes. Ensuring APIs are idempotent and supporting pagination can enhance performance and reliability. Security measures like using API Keys, JWTs, OAuth2, and HTTPS are crucial for protecting APIs in production.

  20. 20
    Article
    Avatar of dotnet.NET Blog·1y

    Why we built our startup in C#

    Tracebit chose C# for building their B2B SaaS security product due to its productivity, cross-platform capabilities, popularity, rich standard library, expressive language features, and excellent tooling. Despite its reputation as a stable language without much buzz in the startup community, C# provides advantages such as a large talent pool, quality libraries, robust documentation, and fewer unexpected roadblocks. Its performance and open-source nature further enhance value for startups looking for a solid development foundation.

  21. 21
    Article
    Avatar of last9Last9·1y

    Your Go-To Linux Commands Cheat Sheet

    A comprehensive cheat sheet covering essential Linux commands for directory navigation, file management, user and permission management, system monitoring, networking, disk usage, software handling, system performance, log management, task automation, and firewall security. It's an invaluable resource for both new users and seasoned admins to enhance productivity and streamline system administration tasks.

  22. 22
    Article
    Avatar of devtoDEV·1y

    System Design for DevOps Engineers

    This guide dives into system design, covering topics like communication protocols, CI/CD, architecture patterns, databases, caches, microservices, payment systems, and developer productivity tools with a focus on DevOps and security. It compares REST and GraphQL, explains how gRPC works, discusses webhooks, outlines common strategies to improve API performance, and reviews the evolution of HTTP protocols from 1.0 to HTTP/3.0. The post emphasizes the importance of efficient and safe API design and explores various caching strategies and best practices for microservice architecture.

  23. 23
    Article
    Avatar of microservicesioMicroservices.io·52w

    Authentication and authorization in a microservice architecture: Part 2 - Authentication

    Implementing authentication in a microservice architecture can be complex and error-prone. The API Gateway serves as a central point for handling authentication, delegating the process to an identity and access management service for enhanced security. OAuth 2.0 and OpenID Connect protocols are commonly used, with tokens like JWTs facilitating secure communication between client requests and backend services.

  24. 24
    Article
    Avatar of communityCommunity Picks·1y

    Making Beautiful API Keys

    Developers are often dissatisfied with the aesthetics and usability of conventional API keys. A startup focused on developer-first solutions created a new package called 'uuidkey' to solve this problem. This package encodes UUIDv7 using Crockford Base32 and adds dashes for symmetry and readability. These keys are secure, globally unique, sortable, and more visually appealing. The keys are also performant in PostgreSQL and designed for easy implementation.

  25. 25
    Article
    Avatar of collectionsCollections·1y

    Comprehensive Guide on REST API Best Practices for 2024

    Building secure and reliable APIs is key for modern web development. This guide provides best practices for designing RESTful APIs including resource-based architecture, stateless communication, proper URI and HTTP method usage, robust security measures, efficient data transfer, batch operations, versioning, clear documentation, and thorough testing.

See all Security archives