Categories
Security

Security.txt in the wild

A few years ago, I covered here in the blog the “security.txt spec”. A standard place with the security related contacts, designed to help researchers, and other people, find the right contacts to report vulnerabilities and other problems. At the time, I added it to my personal domain, as an example. When I wrote the […]

Categories
Security

Meet the InfoSec Planet

If you are a frequent reader of this blog, you might already know that I created a small tool to generate a simple webpage plus an RSS feed, from the content of multiple other RSS sources, called worker-planet. This type of tool is often known as a “planet”: In online media a planet is a […]

Categories
Security Technology and Internet

What to use for “TOTP” in 2023?

At the start of last week, we received great news regarding new improvements to a very popular security app, “Google Authenticator”. A feature it was lacking for a long time was finally implemented, “cloud backups”. However, after a few days, the security community realized the new feature wasn’t as good as everybody was assuming. It […]

Categories
Security Technology and Internet

Controlling the access to the clipboard contents

In a previous blog post published earlier this year I explored some security considerations of the well known “clipboard” functionality that most operating systems provide. Long story short, in my opinion there is a lot more that could be done to protect the users (and their sensitive data) from many attacks that use of clipboard […]

Categories
Security

Inlineshashes: a new tool to help you build your CSP

Content-Security-Policy (CSP) is an important mechanism in today’s web security arsenal. Is a way of defending against Cross-Site Scripting and other attacks. It isn’t hard to get started with or to put in place in order to secure your website or web application (I did that exercise in a previous post). However when the systems […]

Categories
Security Technology and Internet

Who keeps an eye on clipboard access?

If there is any feature that “universally” describes the usage of computers, it is the copy/paste pattern. We are used to it, practically all the common graphical user interfaces have support for it, and it magically works. We copy some information from one application and paste into another, and another… How does these applications have […]

Categories
Python Software Development

Why you shouldn’t remove your package from PyPI

Nowadays most software developed using the Python language relies on external packages (dependencies) to get the job done. Correctly managing this “supply-chain” ends up being very important and having a big impact on the end product. As a developer you should be cautious about the dependencies you include on your project, as I explained in […]

Categories
Security

Security.txt

Some days ago while scrolling my mastodon‘s feed (for those who don’t know it is like Tweeter but instead of being a single website, the whole network is composed by many different entities that interact with each other), I found the following message: To server admins: It is a good practice to provide contact details, […]

Categories
Software Development Technology and Internet

CSP headers using Cloudflare Workers

Last January I made a small post about setting up a “Content-Security-Policy” header for this blog. On that post I described the steps I took to reach a final result, that I thought was good enough given the “threats” this website faces. This process usually isn’t hard If you develop the website’s software and have […]

Categories
Technology and Internet

Setting up a Content-Security-Policy

A couple of weeks ago, I gave a small talk on the Madeira Tech Meetup about a set of HTTP headers that could help website owners protect their assets and their users. The slides are available here, just in case you want to take a look. The content of the talk is basically a small […]