
Frontend Dogma

“security” News Archive

Definition, related topics, and tag feed

Definition · Supertopics: user-experience · Subtopics: authentication, authorization, certificates, cors, cryptography, csp, csrf, hashing, malware, privacy, provenance, randomness, rate-limiting, sanitization, ssh, ssl, tls, validation, vulnerabilities, xss (non-exhaustive) · “security” RSS feed (per email)

Entry (Sources) and Additional Topics · Date · #
Reuse Less Software553
dependencies, processes
Wednesday, June 17, 2026 Security Releases (nod)552
release-notes, nodejs
The VibeSec Reckoning (mfo)551
ai, vibe-coding
Megalodon: Mass GitHub Repo Backdooring via CI Workflows550
github, ci-cd
GitHub Internal Repositories Breached via Malicious Nx Console VS Code Extension (the)549
github, vs-code, microsoft
GitHub Hacked—Internal Source Code Repositories Compromised via Employee Device548
github
Mini Shai Hulud: Compromised @antv npm Packages Enable CI/CD Credential Theft547
npm, dependencies, ci-cd
Mini Shai-Hulud Strikes Again: 317 npm Packages Compromised546
npm, dependencies
“The Worst Leak That I’ve Witnessed”: US Cybersecurity Agency Leaves Its Digital Keys Out in Public on GitHub (giz)545
passwords, github
A Worm Just Ate Its Way Through the npm Registry… (fir)544
videos, npm, dependencies, tanstack
Hardening TanStack After the npm Compromise (cru+/tan)543
tanstack
Hackers Abuse Google Ads and Claude.ai Shared Chats to Distribute macOS Malware542
apple, unix-like, google, claude, anthropic, ai
Weekend at Bernie’s (and)541
dependencies, foss, metrics
Behind the Scenes Hardening Firefox With Claude Mythos Preview (fre+/moz)540
firefox, mozilla, browsers, claude, anthropic, ai
Trustworthy JavaScript for the Open Web (moz)539
javascript, open-web, firefox, mozilla, browsers
The Zero-Days Are Numbered (moz)538
firefox, mozilla, browsers, ai, anthropic
Vercel April 2026 Security Incident537
vercel
AI Will Never Be Ethical or Safe (j9t)536
ai, ethics
No One Owes You Supply-Chain Security (pur)535
dependencies, rust
Someone Bought 30 WordPress Plugins and Planted a Backdoor in All of Them534
wordpress, plugins
Anthropic Debuts Preview of Powerful New AI Model Mythos in New Cybersecurity Initiative (tec)533
anthropic, ai
Adversarial AI: Understanding the Threats to Modern AI Systems (jet)532
ai, concepts
Attackers Are Hunting High-Impact Node.js Maintainers in a Coordinated Social Engineering Campaign (sar/soc)531
nodejs, foss
Post Mortem: Axios npm Supply Chain Compromise530
axios, npm
The Hidden Blast Radius of the Axios Compromise (ahm/soc)529
dependencies, npm, axios
Minimum Release Age Is an Underrated Supply Chain Defense (dan)528
dependencies, npm, bun, pnpm, yarn, deno, renovate, dependabot, axios
Prevent Claude Code From Accessing .env (jad)527
claude, anthropic, ai, environments
Axios Compromised on npm—Malicious Versions Drop Remote Access Trojan526
npm, dependencies, axios
Node.js Brotli UAF (mai)525
nodejs, permissions, brotli, compression, claude, ai
Malicious PyPI Package—LiteLLM Supply Chain Compromise524
dependencies, vulnerabilities
Developing a Minimally HashDoS Resistant, Yet Quickly Reversible Integer Hash for V8 (joy/nod)523
nodejs, hashing
Tuesday, March 24, 2026 Security Releases (nod)522
release-notes, nodejs
Supply-Chain Attack Using Invisible Code Hits GitHub and Other Repositories (dan/ars)521
github, dependencies
OWASP’s Top 10 Ways to Attack LLMs: AI Vulnerabilities Exposed520
videos, vulnerabilities, ai, owasp
A GitHub Issue Title Compromised 4,000 Developer Machines519
github, ai
How to Steal npm Publish Tokens by Opening GitHub Issues (nec)518
npm, github, ai
MCP Servers and the Return of the Service Account Problem (aem)517
servers, mcp, ai
Security Advisory: Addressing Recent Vulnerabilities in Angular (ang)516
angular
An Exploit… in CSS?! (css)515
css
Goodbye “innerHTML”, Hello “setHTML”: Stronger XSS Protection in Firefox 148 (moz)514
javascript, methods, xss, firefox, mozilla, browsers
Europe Is Ready to Ditch US Tech for Private Alternatives (pro)513
tooling, privacy, metrics
WebSocket Penetration Testing: A Complete Guide to CSWSH512
guides, websockets, testing
Node.js Path Traversal: Prevention and Security Guide (loi)511
guides, nodejs
Cryptography Usage in Web Standards (w3c)510
standards, cryptography
OpenJS Foundation Security Program: Annual Report 2025 (ope)509
openjs
A Security Checklist for Your React and Next.js Apps508
react, nextjs
How to Implement Rate Limiting in nginx (naw/one)507
how-tos, servers, nginx, rate-limiting
Securing npm Is Table Stakes (nza+/cha)506
podcasts, interviews, npm, ai
Security (vik+/htt)505
web-almanac, studies, research, metrics, tls, certificates, cookies, csp, http-headers, apis, sanitization, configuration
Node.js January 2026 Security Release: What Changed and Why It Matters (nod)504
nodejs
Tuesday, January 13, 2026 Security Releases (nod)503
release-notes, nodejs
Mitigating Denial-of-Service Vulnerability From Unrecoverable Stack Space Exhaustion for React, Next.js, and APM Users (mco+/nod)502
nodejs, vulnerabilities, react, nextjs, tooling, monitoring, performance
npm to Implement Staged Publishing After Turbulent Shift Off Classic Tokens (sar/soc)501
npm, dependencies, github
Security Basics for Vibe-Coders (owe/pro)500
fundamentals, vibe-coding, ai
Testing Methods: Accessible Authentication (Enhanced) (dec)499
accessibility, testing, wcag, authentication
Testing Methods: Accessible Authentication (Minimum) (dec)498
accessibility, testing, wcag, authentication
Denial of Service and Source Code Exposure in React Server Components (rea)497
react, components
Thursday, December 18, 2025 Security Releases (nod)496
release-notes, nodejs
How We’re Protecting Our Newsroom From npm Supply Chain Attacks (rya/pnp)495
npm, dependencies, case-studies
No More Tokens—Locking Down npm Publish Workflows (zac)494
npm, dependencies, github, processes
[Next.js] Security Advisory: CVE-2025-66478 (seb)493
nextjs
Critical Security Vulnerability in React Server Components (rea)492
react, components
Decreasing [Let’s Encrypt] Certificate Lifetimes to 45 Days (mat/let)491
http, certificates, lets-encrypt
Taking Down Next.js Servers for 0.0001 Cents a Pop490
servers, nextjs, vulnerabilities
The Shai-Hulud 2.0 npm Worm: Analysis, and What You Need to Know489
npm, dependencies
GitLab Discovers Widespread npm Supply Chain Attack (git)488
npm, dependencies, gitlab, github, aws, gcp, azure
Automated npm Secret Rotation in GitHub Actions (mhe)487
npm, automation, github-actions
What Developers Really Mean by “Bad Code” (jet)486
maintainability, scalability, consistency, quality
Introducing the OWASP Top 10:2025 (she+/owa)485
introductions, owasp, vulnerabilities
Removing XSLT for a More Secure Browser (dro)484
chromium, chrome, google, browsers, xsl, web-platform
Will npm’s New Security Steps Stop Attacks? (rev)483
npm, github, maintenance, foss
HTTPS by Default (jde+)482
http, chrome, google, browsers
Agentic AI and Security (ksi/mfo)481
ai, architecture
Octoverse: A New Developer Joins GitHub Every Second as AI Leads TypeScript to #1480
github, metrics, productivity, ai, foss, programming
Glassworm: First Self-Propagating Worm Using Invisible Code Hits OpenVSX Marketplace479
code-editors, vs-code, microsoft
Improving the Trustworthiness of JavaScript on the Web478
javascript, web-apps
Past Time for Passkeys (nor)477
videos, passkeys, passwords, authentication
Secure Coding in JavaScript476
javascript, frameworks
My Conclusions After Using Signed Exchanges on My Website for 2 Years (paw)475
signed-exchanges, performance
Lazy-Loading as a Security Measure474
lazy-loading, angular, react
Backend Concepts Every Experienced Developers Must Know473
concepts, network, concurrency, apis, databases, caching, scalability, observability, architecture
Fixing Safari Mixed Content Issues With Vite and mkcert472
safari, apple, browsers, vite, tooling
How Deno Protects Against npm Exploits (den)471
deno, npm
Strengthening npm Security: Important Changes to Authentication and Token Management470
npm
How Hackers Use AI to Find Vulnerabilities Faster469
ai
CAPTCHA, When Security Takes Precedence Over Accessibility468
captcha, accessibility
Our Plan for a More Secure npm Supply Chain (xco)467
npm, dependencies, foss
npm Security Best Practices466
npm, provenance, best-practices
This May Be the Worst One (the)465
videos, npm, dependencies
Ongoing Supply Chain Attack Targets CrowdStrike npm Packages (pvd+/soc)464
npm, dependencies
ctrl/tinycolor and 40+ npm Packages Compromised463
npm, dependencies
How Maintainer Burnout Is Causing a Kubernetes Security Disaster462
kubernetes, maintenance, foss, economics
Oh No, Not Again… a Meditation on npm Supply Chain Attacks (tan)461
npm, dependencies, microsoft
Anatomy of a Billion-Download npm Supply-Chain Attack460
npm, dependencies
npm Author Qix Compromised via Phishing Email in Major Supply Chain Attack (bur+/soc)459
npm, dependencies
CORS Explained: Stop Struggling With Cross-Origin Errors458
cors, http-headers, http
How OpenJS-Hosted Projects Benefit From Security Support (ope)457
openjs, hosting, foss
Why You Absolutely Need to Have Automated Dependency Management in Place (j9t)456
dependencies, maintainability, maintenance, automation, tooling
What Your Website’s Style Says About You—and How Hackers Can Use It Against You (err)455
css, javascript
Hardening Node.js Apps in Production: 8 Layers of Practical Security454
nodejs, best-practices
eslint-config-prettier Compromised: How npm Package With 30 Million Downloads Spread Malware453
prettier, eslint, npm, malware
AI Agents Are Creating a New Security Nightmare for Enterprises and Startups452
ai, apis
npm Phishing Email Targets Developers With Typosquatted Domain (sar/soc)451
npm
Tuesday, July 15, 2025 Security Releases (nod)450
release-notes, nodejs
Contagious Interview Campaign Escalates With 67 Malicious npm Packages and New Malware Loader (soc)449
npm, dependencies
Dependabot Supports Configuration of a Minimum Package Age448
dependabot, configuration
MCP Security Vulnerabilities and Attack Vectors447
mcp, ai
A New Era of Code Quality446
quality
JWTs Are Not Session Tokens, Stop Using Them Like One445
json-web-tokens, authentication
Design Patterns for Securing LLM Agents Against Prompt Injections (sim)444
studies, research, ai, prompting, software-design-patterns
The Growing Risk of Malicious Browser Extensions (soc)443
browser-extensions
Escaping “<” and “>” in Attributes—How It Helps Protect Against Mutation XSS (sec)442
html, attributes, xss, escaping, chrome, google, browsers
HTML Spec Change: Escaping “<” and “>” in Attributes (sec)441
html, attributes, escaping, xss
Beware of End-of-Life Node.js Versions—Upgrade or Seek Post-EOL Support (mco/nod)440
nodejs, maintenance
How to Access Local MCP Servers Through a Secure Tunnel439
how-tos, mcp, ai, servers, network
Docker Launches Hardened Images, Intensifying Secure Container Market438
docker
Modernizing Security437
modernization, processes
Securing Your Node.js App From Command Injection436
nodejs
Passkeys for Normal People (tro)435
authentication, passkeys, examples, concepts
npm Targeted by Malware Campaign Mimicking Familiar Library Names (soc)434
npm, malware, dependencies, link-lists
What Is an Encryption Backdoor? (int)433
encryption, vulnerabilities, concepts
Cybersecurity Leaders Are Staying in the Shadows (ste)432
community, culture
Principles for Coding Securely With LLMs (sea)431
ai, principles
Threat Actors Misuse Node.js to Deliver Malware and Other Malicious Payloads430
nodejs, malware
TLS Certificate Lifetimes Will Officially Reduce to 47 Days429
tls, certificates
LLMs Can’t Stop Making Up Software Dependencies and Sabotaging Everything (tho/the)428
ai, dependencies, slop
Secure a Vue App With OpenID Connect and the BFF Pattern (due)427
vuejs, authentication, backend-for-frontend
Teaching Code in the AI Era: Why Fundamentals Still Matter (ali)426
training, ai, programming, vibe-coding, scalability, performance, quality, testing, documentation
Stop Using Jenkins in 2025 (oso)425
jenkins, github-actions, ci-cd
Node.js Test CI Security Incident (nod)424
nodejs, retrospectives
Website Hijack Campaign Now Impacting 150,000 Sites (gad)423
Malware Found on npm Infecting Local Package With Reverse Shell (rev)422
npm, dependencies
Five Things Vibe Coders Should Know (From a Software Engineer)421
vibe-coding, sanitization, rate-limiting
GitHub Suffers a Cascading Supply Chain Attack Compromising CI/CD Secrets (inf)420
github, ci-cd
How to Prevent WordPress SQL Injection Attacks (sma)419
how-tos, wordpress, sql, databases
Lazarus Strikes npm Again With New Wave of Malicious Packages (soc)418
npm, dependencies
Updates on CVE for End-of-Life Versions (raf/nod)417
nodejs
What Is the OWASP Top 10 and How Can Your Team Benchmark Security? (jet)416
owasp, vulnerabilities, qodana, jetbrains
How to Protect Your Web Applications From XSS (tor/w3c)415
how-tos, web-apps, xss
In Tech, What Matters and What Is Dangerous (ham)414
community, foss, open-web
Secure UX: Building Cybersecurity and Privacy Into the UX Lifecycle (uxm)413
user-experience, processes
The Fallacy of Balance: Challenging the Notion of Security and Accessibility as Opposing Objectives (deq)412
videos, accessibility
It Is No Longer Safe to Move Our Governments and Societies to US Clouds (ber)411
cloud-computing, privacy, legal
How OWASP Helps You Secure Your Full-Stack Web Applications (eri/sma)410
owasp, monitoring, authentication, vulnerabilities, configuration, csrf, cryptography, authorization
10 Common Web Development Mistakes to Avoid Right Now409
mistakes, mobile, performance, accessibility, seo, navigation, analytics, testing
Tightening Every Bolt (bag)408
videos, processes, code-reviews, testing
On Generative AI Security (sch)407
ai, lessons, microsoft
Understanding CORS Errors in Signed Exchanges (paw)406
cors, errors, signed-exchanges
Keep Your Node.js Apps Secure With “npx is-my-node-vulnerable” (tre)405
packages, npm, nodejs
How I Open-Sourced My Secret Access Tokens From GitHub, Slack, and npm—and Who Actually Cares404
github, slack, npm
Node.js EOL Versions CVE Dubbed the “Worst CVE of the Year” by Security Experts (sar/soc)403
nodejs, documentation
Tuesday, January 21, 2025 Security Releases (raf/nod)402
release-notes, nodejs
APIs Are Quickly Becoming the Latest Security Battleground (and Nightmare)401
apis
CDN-First Is No Longer a Performance Feature (osv)400
content-delivery, performance, caching, embed-code, privacy
The Cyber-Cleanse: Take Back Your Digital Footprint (cyb)399
privacy
15 Principles for Secure Programming (rak)398
principles, validation, testing
Important Topics for Frontend Developers to Master in 2025397
learning, javascript, typescript, css, frameworks, git, apis, testing, performance, ci-cd, websockets
How to Automate OWASP Security Reviews in Your Pull Requests? (cod)396
how-tos, owasp, automation, code-reviews, coderabbit
Developer Guide: How to Implement Passkeys395
guides, how-tos, authentication, passkeys
5 Technical Trends to Help Web Developers Stand Out in 2025394
trends, career, javascript, ai, low-and-no-code
Avoid Hotlinking Images With “Cross-Origin-Resource-Policy”393
images
Content Security Policy Level 3 (mik/w3c)392
standards, csp
Security (htt)391
web-almanac, studies, research, metrics
JavaScript Import Attributes (ES2025) (tre)390
javascript
Exploring Internet Traffic Shifts and Cyber Attacks During the 2024 US Election389
traffic
Cross-Site WebSocket Hijacking: Understanding and Exploiting CSWSH (pen)388
websockets
Securing Your Express REST API With Passport.js387
nodejs, express, json-web-tokens, apis, rest, tooling
SecretLint—a Linter for Preventing Committing Credentials (tre)386
tooling, linting
The Importance of UX in Cybersecurity (uxm)385
user-experience, usability
Understanding “npm audit” and Fixing Vulnerabilities384
npm, vulnerabilities, nodejs
Top 4 Web Vulnerabilities With Example and Mitigation383
vulnerabilities, sql, databases, xss, csrf
How to Implement Content Security Policy (CSP) Headers for Astro (tre)382
how-tos, http, http-headers, csp, astro, vercel, cloudflare
Why Code Security Matters—Even in Hardened Environments381
vulnerabilities, file-handling, nodejs
Database 101: SSL/TLS for Beginners380
introductions, databases, ssl, tls, authentication
Cloudflare Study: 39% of Companies Losing Control of Their IT and Security Environment (tre)379
studies, research, engineering-management
NIST Recommends Some Common-Sense Password Rules (sch)378
passwords, guidelines
I Finally Understand OAuth377
authorization, oauth, processes
Fake GitHub Site Targeting Developers (jul/san)376
github
Hacking Cars in JavaScript (Running Replay Attacks in the Browser With the HackRF) (dev)375
javascript
Gaining Access to Anyone’s Browser Without Them Even Visiting a Website374
arc, the-browser-company, browsers, vulnerabilities
10 AI Dangers and Risks and How to Manage Them (rin)373
ai, privacy, sustainability, legal
Web Security: Shaping the Secure Web (set/w3c)372
web, w3c
5 Wasm Use Cases for Frontend Development (ele/des)371
guest-posts, webassembly, performance
What Is Incident Response?370
incident-response, overviews
Migrating From Netlify to Cloudflare for AI Bot Protection (sia)369
migrating, netlify, cloudflare, ai
The Great npm Garbage Patch368
dependencies, npm, spam
Frontend Security Checklist (tre)367
checklists, react
Automated Ways to Security Audit Your Website366
auditing, automation, tooling
Secure Node.js Applications From Supply Chain Attacks365
nodejs, best-practices, dependencies
The Cloud Run Security Gap You Didn’t Know You Had (and How to Fix It)364
google, gcp
The Pitfalls of In-App Browsers (fro)363
browsers, mobile, privacy, user-experience
Supply Chain Security in npm—We Can Be Optimistic About the Future362
npm, dependencies, provenance
Script Integrity (chr/fro)361
embed-code, javascript
Introducing the MDN HTTP Observatory (mdn)360
introductions, mdn, mozilla, http
Tuesday, July 2, 2024 Security Releases (nod)359
release-notes, nodejs
WebAuthn: Enhancing Security With Minimal Effort (tbe)358
authentication, webauthn
RegreSSHion: Remote Unauthenticated Code Execution Vulnerability in OpenSSH Server357
ssh, vulnerabilities
Polyfill Supply Chain Attack Embeds Malware in JavaScript CDN Assets356
malware, vulnerabilities
Catching Compromised Cookies355
cookies, testing
Backdoor Slipped Into Multiple WordPress Plugins in Ongoing Supply-Chain Attack (dan/ars)354
wordpress, plugins
The Hacking of Culture and the Creation of Socio-Technical Debt (sch)353
culture
OAuth Authentication (rya)352
authentication, authorization, oauth
Researchers Uncover npm Registry Vulnerability to Cache Poisoning and DoS Attacks (sar/soc)351
npm, dependencies, vulnerabilities, caching
What Is Mixed Content? (fre)350
http
The Ultimate Guide to Iframes (log)349
guides, iframes, html, javascript
How a Single Vulnerability Can Bring Down the JavaScript Ecosystem348
javascript, npm, dependencies, caching, vulnerabilities
JavaScript Security: Simple Practices to Secure Your Frontend347
javascript, dependencies, csp
Manifesto for a Humane Web (mic)346
websites, manifestos, web, principles, accessibility, dei, sustainability, user-experience
Securing Client-Side JavaScript (ada)345
javascript, graceful-degradation
Poor Express Authentication Patterns in Node.js and How to Avoid Them344
express, nodejs, authentication
Passkeys: A Shattered Dream (fir)343
authentication, passkeys
Using Legitimate GitHub URLs for Malware (sch)342
malware, github
When Security and Accessibility Clash: Why Are Banking Applications So Inaccessible? (nic)341
accessibility
Open Source Security (OpenSSF) and OpenJS Foundations Issue Alert for Social Engineering Takeovers of Open Source Projects (ope)340
foss, openjs
Wednesday, April 10, 2024 Security Releases (raf/nod)339
release-notes, nodejs
Node.js Secure Coding: Mitigate and Weaponize Code Injection Vulnerabilities338
books, nodejs, vulnerabilities
The Free Software Commons (jen)337
foss, community
The V8 Sandbox336
v8
Wednesday, April 3, 2024 Security Releases (nod)335
release-notes, nodejs
Using JSON Web Tokens With Node.js334
json-web-tokens, nodejs, authentication
Building a Digital Fortress: How to Strengthen DNS Against DDoS Attacks?333
dns
In-App Browsers Are Still a Privacy, Security, and Choice Problem (tho/the)332
browsers, mobile, privacy
How Does Single Sign-On (SSO) Work? (mil)331
authentication
CORS Finally Explained—Simply330
csrf, cors, concepts
How npm Install Scripts Can Be Weaponized: A Real-World Example of a Harmful npm Package (eth)329
npm, dependencies, examples
Preventing SQL Injection Attacks in Node.js328
nodejs, databases, sql
Frontend Application Security: Tips and Tricks327
web-apps, xss, csrf, authentication, dependencies, csp, validation, tips-and-tricks
Wednesday, February 14, 2024 Security Releases (raf+/nod)326
release-notes, nodejs
How to Boost WordPress Security and Protect Your SEO Ranking325
how-tos, wordpress, seo
Malicious npm Package Masquerades as Noblox.js, Targeting Roblox Users for Data Theft (sar/soc)324
npm, dependencies
Practice Safe DSD With “setHTMLUnsafe” (It’s Complicated) (jar/van)323
html, dom, shadow-dom, apis
Tuesday, February 6, 2024 Security Releases (raf/nod)322
release-notes, nodejs
JWT vs. Session Authentication321
authentication, json-web-tokens, comparisons
GitHub, npm Registry Abused to Host SSH Key-Stealing Malware320
github, npm, malware, foss
Navigating JavaScript Security: Recompiling Firefox to Bypass Anti-Debugger Techniques (gli)319
javascript, debugging, firefox, mozilla, browsers
Deceptive Deprecation: The Truth About npm Deprecated Packages318
deprecation, npm, dependencies, research
Safely Accessing the DOM With Angular SSR317
dom, javascript, angular, server-side-rendering
Node.js Security Progress Report—Progress on Permission Model, Fuzzer, and Connections With Community (ope)316
nodejs
I Hate CORS315
videos, cors
Secure Your Code: Auto-Fix Vulnerabilities With Dependabot (GitHub Tutorial)314
videos, dependencies, dependabot
Building Multiple Progressive Web Apps on the Same Domain313
videos, web-apps, progressive-web-apps, architecture
Session-Based vs. Token-Based Authentication: Which Is Better?312
authentication, json-web-tokens, comparisons
10 Best Practices for Secure Code Review of Node.js Code311
best-practices, code-reviews, nodejs
Security Headers Using “<meta>” (sap/mat)310
csp, html
Blind CSS Exfiltration: Exfiltrate Unknown Web Pages309
css
Mastering Cryptography Fundamentals With Node’s “crypto” Module308
cryptography, nodejs
Secure Code Review Tips to Defend Against Vulnerable Node.js Code307
nodejs, code-reviews
Understanding CORS306
cors
What the !#@% Is a Passkey? (eff)305
passkeys
Secret Scanning Scans Public npm Packages304
github, npm, dependencies
Local HTTPS for Next.js 13.5 (ami)303
testing, http, nextjs
Understanding XSS Attacks302
xss
A Comprehensive Guide to the Dangers of Regular Expressions in JavaScript (phi)301
guides, javascript, regex
Best Practices for Securing Node.js Applications in Production300
best-practices, nodejs
SSH Keys Stolen by Stream of Malicious PyPI and npm Packages (ble)299
ssh, dependencies, npm
npm Provenance General Availability298
github, npm, provenance
The WebP 0-Day297
webp, google, apple
Open Source Trends to Look for in 2024296
foss, trends, outlooks, ai
Securing Your Node.js Apps by Analyzing Real-World Command Injection Examples295
nodejs, history, examples
How to Implement SSL/TLS Pinning in Node.js294
how-tos, ssl, tls, nodejs
A More Intelligent and Secure Web (ple/w3c)293
videos, w3c, standards, web, web-platform
Demystifying CORS: Understanding How Cross-Origin Resource Sharing Works292
cors, javascript
Towards HTTPS by Default (jde)291
browsers, google, chrome, http, tls
Sophisticated, Highly-Targeted Attacks Continue to Plague npm290
npm
An Update on Chrome Security Updates—Shipping Security Fixes to You Faster289
browsers, google, chrome
Tuesday, August 8, 2023 Security Releases (raf/nod)288
release-notes, nodejs
SECURITY.md: Should I Have It? (mry/ecl)287
documentation
Publishing With npm Provenance From Private Source Repositories Is No Longer Supported286
github, npm, provenance, foss
Social Engineering Campaign Targeting Tech Employees Spreading Through npm Malware (soc)285
malware, npm
Securing the Web Forward: Addressing Developer Concerns in Web Security (tor/w3c)284
web, surveys
User Input Sanitization and Validation: Securing Your App283
sanitization, validation, conformance
Encoding: A Brief History and Its Role in Cybersecurity282
encoding, unicode, history
Node.js Security Progress Report—17 Reports Closed (ope)281
nodejs
The Importance of Verifying Webhook Signatures280
webhooks
The Massive Bug at the Heart of the npm Ecosystem279
npm, dependencies, bugs
All You Need to Know About CORS and CORS Errors278
cors, errors
Understanding Authorization Before Authentication: Enhancing Web API Security277
authorization, authentication, apis, comparisons
An Introduction to Command Injection Vulnerabilities in Node.js and JavaScript276
introductions, vulnerabilities, nodejs, javascript
Django: A Security Improvement Coming to “format_html()” (ada)275
django, html
Tuesday, June 20, 2023 Security Releases (raf/nod)274
release-notes, nodejs
security.txt Now Mandatory for Dutch Government Websites273
legal
File Upload Security and Malware Protection (aus)272
malware, file-handling, edge-computing
Security Implications of HTTP Response Headers271
http, http-headers
The Case Against Automatic Dependency Updates (ben)270
dependencies, automation, ci-cd, maintenance
Automating Dependency Updates: The Big Debate269
dependencies, automation, ci-cd
Introducing npm Package Provenance268
introductions, github, npm, provenance, foss
Generating Provenance Statements267
npm, provenance
8 Best Tools for Cryptography and Encryption (sta)266
link-lists, tooling, comparisons, cryptography, encryption, privacy
Dissecting npm Malware: Five Packages and Their Evil Install Scripts265
npm, malware
Passkeys: What the Heck and Why? (css)264
passkeys
Senior Engineering Strategies for Advanced React and TypeScript (tec)263
strategies, react, typescript, architecture, testing, performance, accessibility, maintenance
Cryptographically Protecting Your SPA262
single-page-apps, cryptography
Tips for Handling Dependabot, CodeQL, and Secret Scanning Alerts261
alerting, dependabot, tips-and-tricks
Without Accessibility, There Is No Privacy or Security (lev)260
accessibility, privacy
How to Password-Protect a Static HTML Page With No JS (ede)259
how-tos, css, fonts
SSL Certificates Explained258
videos, certificates, ssl, protocols
Quick Tip: How to Hash a Password in PHP257
how-tos, php, passwords, tips-and-tricks
Sandboxing JavaScript Code256
javascript
Unlocking Security Updates for Transitive Dependencies With npm255
npm, dependencies, maintenance
7 Required Steps to Secure Your Iframes Security254
iframes, xss, html, http-headers, csp
Conditional API Responses for JavaScript vs. HTML Forms (aus)253
javascript, html, forms, comparisons
Why Do We Need Authorization and Authentication?252
authorization, authentication
The Top 10 Security Vulnerabilities for Web Applications251
vulnerabilities, web-apps
Leaked a Secret? Check Your GitHub Alerts… for Free250
github
DOM Clobbering (fre/mat)249
dom
New npm Features for Secure Publishing and Safe Consumption248
npm, dependencies
Using SRI to Protect From Malicious JavaScript (mat)247
javascript
WordPress Versions 3.7–4.0 No Longer Get Security Updates (sar)246
wordpress
“Not Secure” Warning for IE Mode245
browsers, microsoft, edge, internet-explorer
Node.js Security Best Practices (nod)244
nodejs, best-practices
npm Security: Preventing Supply Chain Attacks243
npm, dependencies
Secure JavaScript URL Validation242
javascript, validation, urls
Create a Passkey for Passwordless Logins (age)241
authentication, passkeys
Designing a Secure API240
software-design, apis
Phylum Detects Active Typosquatting Campaign Targeting npm Developers239
npm, dependencies
Security (htt)238
web-almanac, studies, research, metrics
Continue Using .env Files as Usual237
environments
Quick Reminder: HTML5 “required” and “pattern” Are Not a Security Feature (cod)236
html, forms
Stop Using .env Files Now235
environments
Debunking Myths About HTTPS234
http, myths
Secure Your Node.js App With JSON Web Tokens (app)233
nodejs, json-web-tokens
Dependabot Unlocks Transitive Dependencies for npm Projects232
dependencies, npm, dependabot
JavaScript Bugs Aplenty in Node.js Ecosystem—Found Automatically231
studies, research, nodejs, javascript, dependencies, quality, bugs
Introducing Even More Security Enhancements to npm230
introductions, npm
Top 5 npm Vulnerability Scanners229
npm, vulnerabilities, tooling
What Is Passwordless Authentication and How to Implement It228
authentication, passwords
GA4 Is Being Blocked by Content Security Policy227
csp, metrics, google
Please Remove That .git Folder226
git
Should I Have Separate GitHub Accounts for Personal and Professional Projects?225
discussions, github, career
Understanding CSRF Attacks (zel)224
csrf
npm Security Update: Attack Campaign Using Stolen OAuth Tokens223
oauth, version-control, npm, github
Snyk Finds 200+ Malicious npm Packages, Including Cobalt Strike Dependency Confusion Attacks222
javascript, npm, dependencies
Unexpectedly HTTPS?221
http
How to Respond to Growing Supply Chain Security Risks?220
how-tos, dependencies, nodejs, npm
The Web Is for Everyone: Our Vision for the Evolution of the Web (moz)219
web, outlooks, privacy, accessibility, performance, user-experience
Using HTTPS in Your Development Environment218
http, environments
How to Prevent SQL Injection Attacks in Node.js217
how-tos, nodejs, databases, sql
Can You Get Pwned With CSS?216
css
How to Fix Your Security Vulnerabilities With npm Override215
how-tos, vulnerabilities, npm, dependencies
Never, Ever, Ever Use Pixelation for Redacting Text214
content, images, obfuscation
Accessibly Insecure213
accessibility
Lessons Learned From Publishing a Content Security Policy212
lessons, csp
Ain’t No Party Like a Third Party (ada/css)211
dependencies, embed-code
Security (htt)210
web-almanac, studies, research, metrics
GitHub’s Commitment to npm Ecosystem Security209
github, npm
Understanding and Implementing OAuth2 in Node.js (hon)208
nodejs, authorization, oauth
How to Win at CORS (jaf)207
how-tos, cors, html, http
The Options for Password-Revealing Inputs (chr/css)206
html, css, passwords, usability
npm Security Best Practices (owa)205
npm, best-practices
Encoding Data for POST Requests (jaf)204
javascript, encoding
NPM Global Audit203
packages, npm, quality, auditing
Understanding and Preventing Common Security Vulnerabilities202
vulnerabilities
Open Source Insights201
websites, foss, dependencies, licensing
I Learned to Love the Same-Origin Policy (eee/css)200
cors
Is Edge Computing Secure? Here Are 4 Security Risks to Be Aware Of199
edge-computing
TLS and mTLS Demystified198
tls, protocols
Best Practices for Inclusive Textual Websites197
performance, accessibility, best-practices
Clickjacking Attacks and How to Prevent Them196
how-tos
How to Safely Use GitHub Actions in Organizations (nza)195
how-tos, github-actions
What Is mTLS and How Does It Work?194
Mutual TLS: Stuff You Should Know193
tls, protocols
Don’t Try to Sanitize Input—Escape Output192
sanitization, escaping
Encrypting DNS Query Bad for Performance? (erw)191
performance, dns, http, encryption
Apple Joins FIDO Alliance, Commits to Getting Rid of Passwords (zdn)190
apple, fido, passwords, authentication
How to Automatically Update Your JavaScript Dependencies (spa/clo)189
how-tos, javascript, dependencies, automation, processes
What SSL Is, and Which Certificate Type Is Right for You188
ssl, certificates, privacy, concepts
Usability and Security; Better Together (24w)187
usability, user-experience
Server-Side Includes (SSI) Injection (owa)186
ssi
How Internet Security Works: TLS, SSL, and CA (osd)185
tls, ssl, protocols, certificates
Security and Privacy for Our Times (luk/w3c)184
privacy, web-platform
Web Feature Developers Told to Dial Up Attention on Privacy and Security (rip/tec)183
w3c, privacy, web-platform
CSS Security Vulnerabilities (chr/css)182
css, privacy, vulnerabilities
Understanding Subresource Integrity (dre/sma)181
hashing, embed-code
W3C Strategic Highlights: Web for All (Security, Privacy, Identity) (w3c)180
w3c, privacy, authentication
Guide to Web Authentication179
websites, authentication, webauthn, javascript
It’s Beginning to Look a Lot Like XSSmas (24w)178
vulnerabilities, csrf, xss
Protecting Your Site With Feature Policy (rac/sma)177
http-headers, http
AWS Security Guide: 7 Best Practices to Avoid Security Risks (wom)176
guides, aws, best-practices
WebAuthn, FIDO2 Infuse Browsers, Platforms With Strong Authentication (dar)175
w3c, fido, authentication, webauthn, browsers
In Your Face, Passwords: Big Three Browsers All Adopt Authentication API174
authentication, webauthn, apis, edge, microsoft, chrome, google, firefox, mozilla, browsers
HTTPS Is Easy (tro)173
websites, http
WordPress Security as a Process (sma)172
wordpress, processes
Making Your Website Faster and Safer With Cloudflare171
performance, caching, cloudflare
Validating Dependencies in the Project With npm-check and depcheck170
dependencies, maintenance, auditing, tooling, npm
Third Party CSS Is Not Safe (jaf)169
html, css, embed-code
Attackers Can Steal Sensitive Data by Abusing CSS—CSS Exfil Vulnerability168
css, csp
Building Secure JavaScript Applications167
javascript, xss, csrf, json-web-tokens, passwords
Creating Secure Password Resets With JSON Web Tokens (sma)166
passwords, json-web-tokens, nodejs
The Complete Guide to Switching From HTTP to HTTPS (sma)165
guides, http
Rate Limiting With nginx164
servers, nginx, rate-limiting
How (Not) to Control Your CDN (mno)163
content-delivery, caching, http
How to Secure WordPress With SSL162
how-tos, wordpress, ssl
Encrypting IP Addresses (ber)161
ip, network, privacy, encryption
How to Secure Your Web App With HTTP Headers (sma)160
how-tos, web-apps, http, http-headers, csp
Just Another HTTPS Nudge (chr/css)159
http
On EME in HTML5 (tim/w3c)158
eme, drm, html, legal, standards, w3c
Using SSH Securely (ann)157
ssh
More Than 300 Federal Gov Websites Fail to Meet Domain Encryption Deadline156
http, tls, protocols, encryption
Content Security Policy Level 2 (mik+/w3c)155
standards, csp
A Checklist for Website Reviews (hcr)154
checklists, performance, browsers, seo, accessibility
Content Security Policy, Your Future Best Friend (sma)153
csp, link-lists
A Refined Content Security Policy (web)152
html, csp, webkit, safari, apple, browsers
The Performance Benefits of “rel=noopener” (jaf)151
html, links, performance
Web Platform Security Boundaries (ann)150
web-platform
Subresource Integrity (dev+/w3c)149
hashing, html, standards
npm Fails to Restrict the Actions of Malicious npm Packages148
npm, vulnerabilities
W3C Looks to Secure the Web (sdt)147
w3c, authentication
Distribution Packages Considered Insecure146
dependencies, unix-like
The Current State of Web Security (An Interview With Anselm Hannemann) (hel+/css)145
interviews, http, ssl, tls, encryption, cloudflare, lets-encrypt
Eliminating Known Vulnerabilities With Snyk (sma)144
vulnerabilities, tooling
10 Web Predictions for 2016 (cra)143
web, outlooks, site-generators, browsers, css, mobile, performance, webassembly, seo
HSTS and “Let’s Encrypt” (tka)142
http, http-headers, ssl, lets-encrypt
Indexing HTTPS Pages by Default141
google, search, http
An in-Depth Look at CORS140
cors, javascript, php
Why Passwordless Authentication Works (cra)139
authentication, passwords
Introduction to TLS and SSL (ope)138
introductions, tls, ssl, protocols, certificates
A Simple Developer Error Is Exposing Private Information on Thousands of Websites (owe)137
version-control, git, mistakes, vulnerabilities
More Tips to Further Secure WordPress (eli)136
wordpress, tips-and-tricks, plugins
Improving Web Security With the Content Security Policy135
csp, http
Deprecating HTTP134
http, protocols, deprecation
Mozilla Wants to Deprecate Non-Secure HTTP, Will Make Proposals to W3C “Soon” (epr/ven)133
mozilla, http, deprecation
Want Fancy Firefox Features? Secure Your Website (sts/cne)132
firefox, mozilla, browsers, http
WordPress Front End Security: CSRF and Nonces (css)131
wordpress, csrf
Introduction to WordPress Front End Security: Escaping the Things (css)130
introductions, wordpress, escaping
What Are the Security Risks of HTML5 Apps?129
web-apps, sanitization
Moving to HTTPS on WordPress (chr/css)128
wordpress, http
Same-Origin Policy (ann)127
cors, web-platform
Securing the Web (w3c)126
web-platform
What I’d Tell My Younger Self About Learning Development as a Web Designer125
learning, programming, javascript, databases, servers, preprocessors, version-control, performance, career
HTTPS as a Ranking Signal (met)124
google, search, http, seo
mXSS (gaz)123
xss, html
It’s Time to Encrypt the Entire Internet (kli/wir)122
web, http, ssl, encryption
3 Tips to Find Hacking on Your Site, and Ways to Prevent and Fix It121
search, google, tips-and-tricks
Cross-Origin Resource Sharing (ann/w3c)120
cors, standards
Despite Automatic Updates, Old Browsers Are Still a Problem (edb/zdn)119
browsers, web-platform, chrome, google, firefox, mozilla, internet-explorer, microsoft, safari, apple
Cross-Origin Resource Sharing on Track to Become a W3C Recommendation (sdt)118
w3c, cors, standards
Bid to Kill CAPTCHA Security Test Gains Momentum117
captcha, accessibility
We Should All Have Something to Hide116
privacy
Mobile Website Security115
mobile, hosting, policies
WordPress Security Tips114
wordpress, tips-and-tricks
Brad Hill: “HTML5 Security Realities” (chr/css)113
slides, xss, html
Bulletproof Your Drupal Website112
drupal
Top 10 PHP Security Vulnerabilities111
php, vulnerabilities
A Front End Engineer’s Manifesto (zac)110
websites, manifestos, user-experience, progressive-enhancement, simplicity, foss, accessibility, community, learning
A JavaScript Security Flaw109
javascript
The Secure Programmer’s Pledge108
manifestos
An Introduction to Content Security Policy (mik)107
introductions, csp
Rate Limiting With Apache and mod_security (joh)106
servers, apache, rate-limiting
Cross-Site Scripting Attacks (XSS)105
xss, examples
How to Secure Your WordPress Website (sma)104
how-tos, wordpress, link-lists
Using CORS103
cors
Some Notes on the Recent XML Encryption Attack (w3c)102
xml, encryption
XML Encryption Flaw Leaves Web Services Vulnerable (eur)101
web-services, xml, encryption
Notes From Writing HTML5 Media (bur)100
html, multimedia
HTTPS Is More Secure, So Why Isn’t the Web Using It? (ars)99
http, protocols, web
Web Cryptography: Salted Hash and Other Tasty Dishes (ali)98
cryptography
What Are the JSON Security Concerns in Web Development? (sim)97
json
What Is Cross Site Scripting or XSS? (chr/css)96
xss, javascript, concepts
Web Developers Accountable for HTML 5 Security95
html
HTML5 Raises New Security Issues94
html, browsers
10 Useful WordPress Security Tweaks (sma)93
wordpress
Web Security: Are You Part of the Problem? (cod/sma)92
vulnerabilities, php, javascript
Full Frontal ’09: Chris Heilmann on JavaScript Security (mic/aja)91
javascript
Cookies and Security (nza)90
cookies, xss, csrf
Finally Something to Get a Few More Users Off of IE 6? (dal/aja)89
internet-explorer, microsoft, browsers
The Internet Is Closing to Innovation (zit/new)88
web
You Could Be Getting Clickjacked (tec)87
vulnerabilities, frames, w3c
Video and Audio Tags and Cross Origin Access (dal/aja)86
html, multimedia
Dumb Security Tips: Think Before You Follow Online Guides (tan)85
tips-and-tricks
Alerting Webmasters to Webserver Vulnerabilities84
google
Simon Willison, @Media Ajax (mic/aja)83
ajax, xss, csrf, javascript, json
Frame-Busting Gadgets (mic)82
frames, iframes
Evil GIFs: Hiding Java in Your Image (dal/aja)81
gif, images, java
What’s in a “window.name”? (cod/aja)80
javascript
Internet Explorer 8 Promises Better Standards Compliance… and a Whole Lot More (est/cio)79
internet-explorer, microsoft, browsers, standards
Ajaxian Roundup for January 2008: JavaScript Turtles and IE 8 (dal/aja)78
javascript, prototypejs, dojo, extjs, jquery, gwt, yui, dwr, gears, flash, air, json, browsers, standards, css, design, comet, ajaxian, link-lists
Book Recommendation: “AJAX Security” by Hoffman and Sullivan77
books, ajax, javascript
Ajaxian Roundup for December 2007: It’s the End of the Year as We Know It (dal/aja)76
browsers, javascript, prototypejs, extjs, yui, jquery, microsoft, dwr, performance, gwt, comet, css, mobile, ajaxian, link-lists
Cross Site Scripting Joy (tri)75
xss
Making JavaScript Safe With No Script (dal/aja)74
javascript
Obscurity, Security, and Captcha (zac)73
captcha, accessibility
Automated Security Scanners Choke on AJAX (rey/aja)72
ajax, javascript
Quick Security Checklist for Webmasters71
checklists
How to Protect a JSON or JavaScript Service70
how-tos, json, javascript
Securing Your JSON69
json, javascript, arrays
CSRF Protection Idea (dal/aja)68
csrf
JavaScript Security Experiments (mar)67
javascript, experiments
Security vs. Usability (nza)66
usability
Prepare for Attack—Making Your Web Applications More Secure65
web-apps, sql, xss, examples
JSON vs. XML: Browser Security Model (car)64
browsers, json, xml, comparisons
The Dangers of Cross-Domain AJAX With Flash (shi)63
ajax, javascript, flash
DOM vs. Web (mno)62
http, dom
AJAX: Is Your Application Secure Enough?61
ajax, javascript, web-apps
AJAX, XHR, JavaScript, and Cross Domain Security Story60
ajax, javascript
Top 7 PHP Security Blunders59
php, databases, sql
How to Make “XMLHttpRequest” Calls to Another Server in Your Domain58
how-tos, javascript
IE Frame Bug (dal/aja)57
internet-explorer, microsoft, browsers, frames
Validate Your Input!56
validation
JavaScript Security55
javascript
File Upload Security (lac)54
html, file-handling