Create accountLogin

Recent searches

No recent searches

Search options

Only available when logged in.
mastodon.world is one of the many independent Mastodon servers you can use to participate in the fediverse.
Generic Mastodon server for anyone to use.

Administered by:

Server stats:

11K
active users

mastodon.world: AboutStatusProfiles directoryPrivacy policy

Mastodon: AboutGet the appKeyboard shortcutsView source codev4.3.7

#websecurity

4 posts4 participants0 posts today
Public
Miguel Afonso Caetano

"When Let’s Encrypt, a free certificate authority, started issuing 90 day TLS certificates for websites, it was considered a bold move that helped push the ecosystem towards shorter certificate life times. Beforehand, certificate authorities normally issued certificate lifetimes lasting a year or more. With 4.0, Certbot is now supporting Let’s Encrypt’s new capability for six day certificates through ACME profiles and dynamic renewal at:

- 1/3rd of lifetime left
- 1/2 of lifetime left, if the lifetime is shorter than 10 days"

eff.org/deeplinks/2025/04/cert

Electronic Frontier Foundation · Certbot 4.0: Long Live Short-Lived Certs!When Let’s Encrypt, a free certificate authority, started issuing 90 day TLS certificates for websites, it was considered a bold move that helped push the ecosystem towards shorter certificate life times. Beforehand, certificate authorities normally issued certificate lifetimes lasting a year or...
#CyberSecurity#WebSecurity#TLS
Public
Kiara Taylor

In this episode of DollyWay, we uncover the details of an 8-year-long WordPress malware campaign that has infected over 20,000 websites. We delve into how the hackers executed this sophisticated attack, and what website owners can do to protect their sites from similar threats. Tune in for expert insights and practical tips to secure your WordPress site.

#WordPressSecurity #CyberSecurity #MalwareAttack #DollyWayPodcast #WebSecurity #HackerThreats #CyberThreats

podcasts.apple.com/us/podcast/

DollyWay: The 8-Year WordPress Malware Campaign Infecting 20,000 Sites
Apple PodcastsDollyWay: The 8-Year WordPress Malware Campaign Infecting 20,000 SitesPodcast Episode · Daily Security Review · 03/20/2025 · 14m
Public
Miguel Afonso Caetano

"API keys are foundational elements for authentication, but relying solely on them is inherently a risky proposal.

Firstly, there’s the reality that API keys are not securely designed — they were never meant to be used as the sole form of authentication, and as such, they aren’t really built for the task. These keys can often be easily stolen, leaked, or, in some cases (especially if generated incrementally), outright guessed. An API key is suitable for tracking usage but is poor for security.

There is also the additional reality that keys in their default state lack some critical functionality. There’s not a lot of verification built-in for identity management, and what does exist offers very little in the way of granular access control.

Ultimately, solely relying on API keys is a mistake common with novice developers but frighteningly common even in advanced products.

Best Practices
Instead of relying heavily on API keys as a sole mechanism, combine those keys with additional approaches such as OAuth 2.0 or mTLS. Implement rigorous expiration and rotation policies to ensure that keys which are made public are only useful for a short amount of time. Consider more advanced approaches, such as IP whitelisting or device fingerprinting, to add another layer of security atop the API key process."

nordicapis.com/9-signs-youre-d

Nordic APIs · 9 Signs You're Doing API Security Wrong | Nordic APIs |API security anti-patterns are common. From overreliance on API keys to a lack of rate limiting to no encryption, we explore the top ones.
#API#APIs#APISecurity
Public
Miguel Afonso Caetano

"It is now time to fix it for good. A new solution has been proposed: partitioning visited link history. This approach fundamentally changes how browsers store and expose visited link data. Instead of maintaining a global list, web browsers will store visited links with a triple-key partition:

- Link URL. The destination of the visited link.
- Top-Level Site. The domain of the main browsing context.
- Frame Origin. The origin of the frame rendering the link.

A link is only styled as :visited if it was visited from the same top-level site and frame origin (...) This approach guarantees isolation and works well with the web's same-origin policy. The system records only navigations initiated by link clicks or scripts—excluding direct address bar entries or bookmark navigations.

Key benefits of this model include: strong protection against cross-site history leaks, solving for good of many known side-channel attacks, support for meaningful styling within trusted, same-context domains, conforming to established web privacy principles and data protection regulations.

This feature is already implemented in Chrome (v132, behind a #partition-visited-link-database-with-self-links flag). I am confident that in 2025 we are going to have this privacy headache solved once and for all."

blog.lukaszolejnik.com/fixing-

Security, Privacy & Tech Inquiries · Fixing web browser history leaksWeb browsing history powers helpful features like styling visited links differently, allowing users to see where they've been before. While this usability feature provides navigational benefits, it also introduces a privacy risk. The handling of visited links happened to be a silent backdoor of a kind, allowing malicious sites to
#CyberSecurity#WebSecurity#Privacy
Public
Securitum

🔒 New Pentest Chronicle! 🔒

🚨 Did you know an attacker could temporarily block access to your website by simply adding a single HTTP header?

In our latest article, "Denial of Service attack via web cache poisoning - Vulnerability Analysis", Mikołaj Pudlicki explains a practical scenario uncovered during REAL PENETRATION TEST. By inserting the X-Forwarded-Host header into HTTP requests, attackers can trigger improper caching behavior, causing legitimate users to receive cached error responses.

🔎 The article provides a clear breakdown of how this vulnerability works step-by-step, along with actionable recommendations for protecting web applications.

Read more to understand and defend against this subtle yet impactful threat:

securitum.com/denial_of_servic

#WebSecurity #CyberSecurity hashtag#DoS #SecurityTesting

www.securitum.comSecuritum - Security penetration testing.Securitum is a pure pentesting company specialising in the security of IT systems. We have experience in performing security audits (including penetration tests) - mainly for financial/e-commerce/industrial sectors. We have performed penetration tests and cyber security services for leading European banks (see references below). Due to our experience, penetration testing can be performed with broad insight, in many separate problem areas.
Public
Loki the Cat

🚫 Looks like the internet's bouncer, Cloudflare, forgot what "security" means! They're blocking 12+ niche browsers from accessing websites for 6+ weeks now. When your security service makes the web LESS accessible, you might be doing it wrong...

Bonus irony: They want browser devs to sign NDAs to discuss the problem! 🤔

#WebSecurity #BrowserWars

tech.slashdot.org/story/25/03/

tech.slashdot.orgCloudflare Accused of Blocking Niche Browsers - SlashdotLong-time Slashdot reader BenFenner writes: For the third time in recent memory, CloudFlare has blocked large swaths of niche browsers and their users from accessing web sites that CloudFlare gate-keeps. In the past these issues have been resolved quickly (within a week) and apologies issued with pr...
ExploreLive feeds
About