Frontend Dogma

“security” News Archive

Definition, related topics, and tag feed

Definition · Supertopics: user-experience · Subtopics: authentication, authorization, certificates, cors, cryptography, csp, csrf, hashing, malware, privacy, provenance, randomness, rate-limiting, sanitization, ssh, ssl, tls, validation, vulnerabilities, xss (non-exhaustive) · “security” RSS feed (per email)

Entry (Sources) and Additional Topics · Date · #
Anthropic’s Fable and the State of AI (sch)561
ai, anthropic, foss
Blocking Install Scripts Is Not a Silver Bullet (uli/nod)560
npm
Reuse Less Software559
dependencies, processes
Wednesday, June 17, 2026 Security Releases (nod)558
release-notes, nodejs
Upcoming Breaking Changes for npm v12557
npm
npm Tooling Bug Incorrectly Marks One-Character Packages as Security Holders (sar/soc)556
npm, bugs
The Website Specification (joo)555
websites, documentation, fundamentals, seo, accessibility, ai-agents, performance, privacy, resilience, internationalization
The VibeSec Reckoning (mfo)554
ai, vibe-coding
Megalodon: Mass GitHub Repo Backdooring via CI Workflows553
github, ci-cd
GitHub Internal Repositories Breached via Malicious Nx Console VS Code Extension (the)552
github, vs-code, microsoft
GitHub Hacked—Internal Source Code Repositories Compromised via Employee Device551
github
Mini Shai Hulud: Compromised @antv npm Packages Enable CI/CD Credential Theft550
npm, dependencies, ci-cd
Mini Shai-Hulud Strikes Again: 317 npm Packages Compromised549
npm, dependencies
“The Worst Leak That I’ve Witnessed”: US Cybersecurity Agency Leaves Its Digital Keys Out in Public on GitHub (giz)548
passwords, github
A Worm Just Ate Its Way Through the npm Registry… (fir)547
videos, npm, dependencies, tanstack
Hardening TanStack After the npm Compromise (cru+/tan)546
tanstack
Hackers Abuse Google Ads and Claude.ai Shared Chats to Distribute macOS Malware545
apple, unix-like, google, claude, anthropic, ai
Weekend at Bernie’s (and)544
dependencies, foss, metrics
Behind the Scenes Hardening Firefox With Claude Mythos Preview (fre+/moz)543
firefox, mozilla, browsers, claude, anthropic, ai
Trustworthy JavaScript for the Open Web (moz)542
javascript, open-web, firefox, mozilla, browsers
The Zero-Days Are Numbered (moz)541
firefox, mozilla, browsers, ai, anthropic
Vercel April 2026 Security Incident540
vercel
AI Will Never Be Ethical or Safe (j9t)539
ai, ethics
No One Owes You Supply-Chain Security (pur)538
dependencies, rust
Someone Bought 30 WordPress Plugins and Planted a Backdoor in All of Them537
wordpress, plugins
Anthropic Debuts Preview of Powerful New AI Model Mythos in New Cybersecurity Initiative (tec)536
anthropic, ai
Adversarial AI: Understanding the Threats to Modern AI Systems (jet)535
ai, concepts
Attackers Are Hunting High-Impact Node.js Maintainers in a Coordinated Social Engineering Campaign (sar/soc)534
nodejs, foss
Post Mortem: Axios npm Supply Chain Compromise533
axios, npm
The Hidden Blast Radius of the Axios Compromise (ahm/soc)532
dependencies, npm, axios
Minimum Release Age Is an Underrated Supply Chain Defense (dan)531
dependencies, npm, bun, pnpm, yarn, deno, renovate, dependabot, axios
Prevent Claude Code From Accessing .env (jad)530
claude, anthropic, ai, environments
Axios Compromised on npm—Malicious Versions Drop Remote Access Trojan529
npm, dependencies, axios
Node.js Brotli UAF (mai)528
nodejs, permissions, brotli, compression, claude, ai
Malicious PyPI Package—LiteLLM Supply Chain Compromise527
dependencies, vulnerabilities
Developing a Minimally HashDoS Resistant, Yet Quickly Reversible Integer Hash for V8 (joy/nod)526
nodejs, hashing
Tuesday, March 24, 2026 Security Releases (nod)525
release-notes, nodejs
Supply-Chain Attack Using Invisible Code Hits GitHub and Other Repositories (dan/ars)524
github, dependencies
OWASP’s Top 10 Ways to Attack LLMs: AI Vulnerabilities Exposed523
videos, vulnerabilities, ai, owasp
A GitHub Issue Title Compromised 4,000 Developer Machines522
github, ai
How to Steal npm Publish Tokens by Opening GitHub Issues (nec)521
npm, github, ai
MCP Servers and the Return of the Service Account Problem (aem)520
servers, mcp, ai
Security Advisory: Addressing Recent Vulnerabilities in Angular (ang)519
angular
An Exploit… in CSS?! (css)518
css
Goodbye “innerHTML”, Hello “setHTML”: Stronger XSS Protection in Firefox 148 (moz)517
javascript, methods, xss, firefox, mozilla, browsers
Europe Is Ready to Ditch US Tech for Private Alternatives (pro)516
tooling, privacy, metrics
WebSocket Penetration Testing: A Complete Guide to CSWSH515
guides, websockets, testing
Node.js Path Traversal: Prevention and Security Guide (loi)514
guides, nodejs
Cryptography Usage in Web Standards (w3c)513
standards, cryptography
OpenJS Foundation Security Program: Annual Report 2025 (ope)512
openjs
A Security Checklist for Your React and Next.js Apps511
react, nextjs
How to Implement Rate Limiting in nginx (naw/one)510
how-tos, servers, nginx, rate-limiting
Securing npm Is Table Stakes (nza+/cha)509
podcasts, interviews, npm, ai
Security (vik+/htt)508
web-almanac, studies, research, metrics, tls, certificates, cookies, csp, http-headers, apis, sanitization, configuration
Node.js January 2026 Security Release: What Changed and Why It Matters (nod)507
nodejs
Tuesday, January 13, 2026 Security Releases (nod)506
release-notes, nodejs
Mitigating Denial-of-Service Vulnerability From Unrecoverable Stack Space Exhaustion for React, Next.js, and APM Users (mco+/nod)505
nodejs, vulnerabilities, react, nextjs, tooling, monitoring, performance
npm to Implement Staged Publishing After Turbulent Shift Off Classic Tokens (sar/soc)504
npm, dependencies, github
Security Basics for Vibe-Coders (owe/pro)503
fundamentals, vibe-coding, ai
Testing Methods: Accessible Authentication (Enhanced) (dec)502
accessibility, testing, wcag, authentication
Testing Methods: Accessible Authentication (Minimum) (dec)501
accessibility, testing, wcag, authentication
Denial of Service and Source Code Exposure in React Server Components (rea)500
react, components
Thursday, December 18, 2025 Security Releases (nod)499
release-notes, nodejs
How We’re Protecting Our Newsroom From npm Supply Chain Attacks (rya/pnp)498
npm, dependencies, case-studies
No More Tokens—Locking Down npm Publish Workflows (zac)497
npm, dependencies, github, processes
[Next.js] Security Advisory: CVE-2025-66478 (seb)496
nextjs
Critical Security Vulnerability in React Server Components (rea)495
react, components
Decreasing [Let’s Encrypt] Certificate Lifetimes to 45 Days (mat/let)494
http, certificates, lets-encrypt
Taking Down Next.js Servers for 0.0001 Cents a Pop493
servers, nextjs, vulnerabilities
The Shai-Hulud 2.0 npm Worm: Analysis, and What You Need to Know492
npm, dependencies
GitLab Discovers Widespread npm Supply Chain Attack (git)491
npm, dependencies, gitlab, github, aws, gcp, azure
Automated npm Secret Rotation in GitHub Actions (mhe)490
npm, automation, github-actions
What Developers Really Mean by “Bad Code” (jet)489
maintainability, scalability, consistency, quality
Introducing the OWASP Top 10:2025 (she+/owa)488
introductions, owasp, vulnerabilities
Removing XSLT for a More Secure Browser (dro)487
chromium, chrome, google, browsers, xsl, web-platform
Will npm’s New Security Steps Stop Attacks? (rev)486
npm, github, maintenance, foss
HTTPS by Default (jde+)485
http, chrome, google, browsers
Agentic AI and Security (ksi/mfo)484
ai, architecture
Octoverse: A New Developer Joins GitHub Every Second as AI Leads TypeScript to #1483
github, metrics, productivity, ai, foss, programming
Glassworm: First Self-Propagating Worm Using Invisible Code Hits OpenVSX Marketplace482
code-editors, vs-code, microsoft
Improving the Trustworthiness of JavaScript on the Web481
javascript, web-apps
Past Time for Passkeys (nor)480
videos, passkeys, passwords, authentication
Secure Coding in JavaScript479
javascript, frameworks
My Conclusions After Using Signed Exchanges on My Website for 2 Years (paw)478
signed-exchanges, performance
Lazy-Loading as a Security Measure477
lazy-loading, angular, react
Backend Concepts Every Experienced Developers Must Know476
concepts, network, concurrency, apis, databases, caching, scalability, observability, architecture
Fixing Safari Mixed Content Issues With Vite and mkcert475
safari, apple, browsers, vite, tooling
How Deno Protects Against npm Exploits (den)474
deno, npm
Strengthening npm Security: Important Changes to Authentication and Token Management473
npm
How Hackers Use AI to Find Vulnerabilities Faster472
ai
CAPTCHA, When Security Takes Precedence Over Accessibility471
captcha, accessibility
Our Plan for a More Secure npm Supply Chain (xco)470
npm, dependencies, foss
npm Security Best Practices469
npm, provenance, best-practices
This May Be the Worst One (the)468
videos, npm, dependencies
Ongoing Supply Chain Attack Targets CrowdStrike npm Packages (pvd+/soc)467
npm, dependencies
ctrl/tinycolor and 40+ npm Packages Compromised466
npm, dependencies
How Maintainer Burnout Is Causing a Kubernetes Security Disaster465
kubernetes, maintenance, foss, economics
Oh No, Not Again… a Meditation on npm Supply Chain Attacks (tan)464
npm, dependencies, microsoft
Anatomy of a Billion-Download npm Supply-Chain Attack463
npm, dependencies
npm Author Qix Compromised via Phishing Email in Major Supply Chain Attack (bur+/soc)462
npm, dependencies
CORS Explained: Stop Struggling With Cross-Origin Errors461
cors, http-headers, http
How OpenJS-Hosted Projects Benefit From Security Support (ope)460
openjs, hosting, foss
Why You Absolutely Need to Have Automated Dependency Management in Place (j9t)459
dependencies, maintainability, maintenance, automation, tooling
What Your Website’s Style Says About You—and How Hackers Can Use It Against You (err)458
css, javascript
Hardening Node.js Apps in Production: 8 Layers of Practical Security457
nodejs, best-practices
eslint-config-prettier Compromised: How npm Package With 30 Million Downloads Spread Malware456
prettier, eslint, npm, malware
npm Phishing Email Targets Developers With Typosquatted Domain (sar/soc)455
npm
AI Agents Are Creating a New Security Nightmare for Enterprises and Startups454
ai, apis
Tuesday, July 15, 2025 Security Releases (nod)453
release-notes, nodejs
Contagious Interview Campaign Escalates With 67 Malicious npm Packages and New Malware Loader (soc)452
npm, dependencies
Dependabot Supports Configuration of a Minimum Package Age451
dependabot, configuration
MCP Security Vulnerabilities and Attack Vectors450
mcp, ai
A New Era of Code Quality449
quality
JWTs Are Not Session Tokens, Stop Using Them Like One448
json-web-tokens, authentication
Design Patterns for Securing LLM Agents Against Prompt Injections (sim)447
studies, research, ai, prompting, software-design-patterns
The Growing Risk of Malicious Browser Extensions (soc)446
browser-extensions
Escaping “<” and “>” in Attributes—How It Helps Protect Against Mutation XSS (sec)445
html, attributes, xss, escaping, chrome, google, browsers
HTML Spec Change: Escaping “<” and “>” in Attributes (sec)444
html, attributes, escaping, xss
Beware of End-of-Life Node.js Versions—Upgrade or Seek Post-EOL Support (mco/nod)443
nodejs, maintenance
How to Access Local MCP Servers Through a Secure Tunnel442
how-tos, mcp, ai, servers, network
Docker Launches Hardened Images, Intensifying Secure Container Market441
docker
Modernizing Security440
modernization, processes
Securing Your Node.js App From Command Injection439
nodejs
Passkeys for Normal People (tro)438
authentication, passkeys, examples, concepts
npm Targeted by Malware Campaign Mimicking Familiar Library Names (soc)437
npm, malware, dependencies, link-lists
What Is an Encryption Backdoor? (int)436
encryption, vulnerabilities, concepts
Cybersecurity Leaders Are Staying in the Shadows (ste)435
community, culture
Principles for Coding Securely With LLMs (sea)434
ai, principles
Threat Actors Misuse Node.js to Deliver Malware and Other Malicious Payloads433
nodejs, malware
TLS Certificate Lifetimes Will Officially Reduce to 47 Days432
tls, certificates
LLMs Can’t Stop Making Up Software Dependencies and Sabotaging Everything (tho/the)431
ai, dependencies, slop
Secure a Vue App With OpenID Connect and the BFF Pattern (due)430
vuejs, authentication, backend-for-frontend
Teaching Code in the AI Era: Why Fundamentals Still Matter (ali)429
training, ai, programming, vibe-coding, scalability, performance, quality, testing, documentation
Stop Using Jenkins in 2025 (oso)428
jenkins, github-actions, ci-cd
Node.js Test CI Security Incident (nod)427
nodejs, retrospectives
Website Hijack Campaign Now Impacting 150,000 Sites (gad)426
Malware Found on npm Infecting Local Package With Reverse Shell (rev)425
npm, dependencies
Five Things Vibe Coders Should Know (From a Software Engineer)424
vibe-coding, sanitization, rate-limiting
GitHub Suffers a Cascading Supply Chain Attack Compromising CI/CD Secrets (inf)423
github, ci-cd
How to Prevent WordPress SQL Injection Attacks (sma)422
how-tos, wordpress, sql, databases
Lazarus Strikes npm Again With New Wave of Malicious Packages (soc)421
npm, dependencies
Updates on CVE for End-of-Life Versions (raf/nod)420
nodejs
What Is the OWASP Top 10 and How Can Your Team Benchmark Security? (jet)419
owasp, vulnerabilities, qodana, jetbrains
How to Protect Your Web Applications From XSS (tor/w3c)418
how-tos, web-apps, xss
In Tech, What Matters and What Is Dangerous (ham)417
community, foss, open-web
Secure UX: Building Cybersecurity and Privacy Into the UX Lifecycle (uxm)416
user-experience, processes
The Fallacy of Balance: Challenging the Notion of Security and Accessibility as Opposing Objectives (deq)415
videos, accessibility
It Is No Longer Safe to Move Our Governments and Societies to US Clouds (ber)414
cloud-computing, privacy, legal
How OWASP Helps You Secure Your Full-Stack Web Applications (eri/sma)413
owasp, monitoring, authentication, vulnerabilities, configuration, csrf, cryptography, authorization
10 Common Web Development Mistakes to Avoid Right Now412
mistakes, mobile, performance, accessibility, seo, navigation, analytics, testing
Tightening Every Bolt (bag)411
videos, processes, code-reviews, testing
On Generative AI Security (sch)410
ai, lessons, microsoft
Understanding CORS Errors in Signed Exchanges (paw)409
cors, errors, signed-exchanges
Keep Your Node.js Apps Secure With “npx is-my-node-vulnerable” (tre)408
packages, npm, nodejs
How I Open-Sourced My Secret Access Tokens From GitHub, Slack, and npm—and Who Actually Cares407
github, slack, npm
Node.js EOL Versions CVE Dubbed the “Worst CVE of the Year” by Security Experts (sar/soc)406
nodejs, documentation
Tuesday, January 21, 2025 Security Releases (raf/nod)405
release-notes, nodejs
APIs Are Quickly Becoming the Latest Security Battleground (and Nightmare)404
apis
CDN-First Is No Longer a Performance Feature (osv)403
content-delivery, performance, caching, embed-code, privacy
The Cyber-Cleanse: Take Back Your Digital Footprint (cyb)402
privacy
15 Principles for Secure Programming (rak)401
principles, validation, testing
Important Topics for Frontend Developers to Master in 2025400
learning, javascript, typescript, css, frameworks, git, apis, testing, performance, ci-cd, websockets
How to Automate OWASP Security Reviews in Your Pull Requests? (cod)399
how-tos, owasp, automation, code-reviews, coderabbit
Developer Guide: How to Implement Passkeys398
guides, how-tos, authentication, passkeys
5 Technical Trends to Help Web Developers Stand Out in 2025397
trends, career, javascript, ai, low-and-no-code
Avoid Hotlinking Images With “Cross-Origin-Resource-Policy”396
images
Content Security Policy Level 3 (mik/w3c)395
standards, csp
Security (htt)394
web-almanac, studies, research, metrics
JavaScript Import Attributes (ES2025) (tre)393
javascript
Exploring Internet Traffic Shifts and Cyber Attacks During the 2024 US Election392
traffic
Cross-Site WebSocket Hijacking: Understanding and Exploiting CSWSH (pen)391
websockets
Securing Your Express REST API With Passport.js390
nodejs, express, json-web-tokens, apis, rest, tooling
SecretLint—a Linter for Preventing Committing Credentials (tre)389
tooling, linting
The Importance of UX in Cybersecurity (uxm)388
user-experience, usability
Understanding “npm audit” and Fixing Vulnerabilities387
npm, vulnerabilities, nodejs
Top 4 Web Vulnerabilities With Example and Mitigation386
vulnerabilities, sql, databases, xss, csrf
How to Implement Content Security Policy (CSP) Headers for Astro (tre)385
how-tos, http, http-headers, csp, astro, vercel, cloudflare
Why Code Security Matters—Even in Hardened Environments384
vulnerabilities, file-handling, nodejs
Database 101: SSL/TLS for Beginners383
introductions, databases, ssl, tls, authentication
Cloudflare Study: 39% of Companies Losing Control of Their IT and Security Environment (tre)382
studies, research, engineering-management
NIST Recommends Some Common-Sense Password Rules (sch)381
passwords, guidelines
I Finally Understand OAuth380
authorization, oauth, processes
Fake GitHub Site Targeting Developers (jul/san)379
github
Hacking Cars in JavaScript (Running Replay Attacks in the Browser With the HackRF) (dev)378
javascript
Gaining Access to Anyone’s Browser Without Them Even Visiting a Website377
arc, the-browser-company, browsers, vulnerabilities
10 AI Dangers and Risks and How to Manage Them (rin)376
ai, privacy, sustainability, legal
Web Security: Shaping the Secure Web (set/w3c)375
web, w3c
5 Wasm Use Cases for Frontend Development (ele/des)374
guest-posts, webassembly, performance
What Is Incident Response?373
incident-response, overviews
Migrating From Netlify to Cloudflare for AI Bot Protection (sia)372
migrating, netlify, cloudflare, ai
The Great npm Garbage Patch371
dependencies, npm, spam
Frontend Security Checklist (tre)370
checklists, react
Automated Ways to Security Audit Your Website369
auditing, automation, tooling
Secure Node.js Applications From Supply Chain Attacks368
nodejs, best-practices, dependencies
The Cloud Run Security Gap You Didn’t Know You Had (and How to Fix It)367
google, gcp
The Pitfalls of In-App Browsers (fro)366
browsers, mobile, privacy, user-experience
Supply Chain Security in npm—We Can Be Optimistic About the Future365
npm, dependencies, provenance
Script Integrity (chr/fro)364
embed-code, javascript
Introducing the MDN HTTP Observatory (mdn)363
introductions, mdn, mozilla, http
Tuesday, July 2, 2024 Security Releases (nod)362
release-notes, nodejs
WebAuthn: Enhancing Security With Minimal Effort (tbe)361
authentication, webauthn
RegreSSHion: Remote Unauthenticated Code Execution Vulnerability in OpenSSH Server360
ssh, vulnerabilities
Polyfill Supply Chain Attack Embeds Malware in JavaScript CDN Assets359
malware, vulnerabilities
Catching Compromised Cookies (sla)358
cookies, testing
Backdoor Slipped Into Multiple WordPress Plugins in Ongoing Supply-Chain Attack (dan/ars)357
wordpress, plugins
The Hacking of Culture and the Creation of Socio-Technical Debt (sch)356
culture
OAuth Authentication (rya)355
authentication, authorization, oauth
Researchers Uncover npm Registry Vulnerability to Cache Poisoning and DoS Attacks (sar/soc)354
npm, dependencies, vulnerabilities, caching
What Is Mixed Content? (fre)353
http
The Ultimate Guide to Iframes (log)352
guides, iframes, html, javascript
How a Single Vulnerability Can Bring Down the JavaScript Ecosystem351
javascript, npm, dependencies, caching, vulnerabilities
JavaScript Security: Simple Practices to Secure Your Frontend350
javascript, dependencies, csp
Manifesto for a Humane Web (mic)349
websites, manifestos, web, principles, accessibility, dei, sustainability, user-experience
Securing Client-Side JavaScript (ada)348
javascript, graceful-degradation
Poor Express Authentication Patterns in Node.js and How to Avoid Them347
express, nodejs, authentication
Passkeys: A Shattered Dream (fir)346
authentication, passkeys
Using Legitimate GitHub URLs for Malware (sch)345
malware, github
When Security and Accessibility Clash: Why Are Banking Applications So Inaccessible? (nic)344
accessibility
Open Source Security (OpenSSF) and OpenJS Foundations Issue Alert for Social Engineering Takeovers of Open Source Projects (ope)343
foss, openjs
Wednesday, April 10, 2024 Security Releases (raf/nod)342
release-notes, nodejs
Node.js Secure Coding: Mitigate and Weaponize Code Injection Vulnerabilities341
books, nodejs, vulnerabilities
The Free Software Commons (jen)340
foss, community
The V8 Sandbox339
v8
Wednesday, April 3, 2024 Security Releases (nod)338
release-notes, nodejs
Using JSON Web Tokens With Node.js337
json-web-tokens, nodejs, authentication
Building a Digital Fortress: How to Strengthen DNS Against DDoS Attacks?336
dns
In-App Browsers Are Still a Privacy, Security, and Choice Problem (tho/the)335
browsers, mobile, privacy
How Does Single Sign-On (SSO) Work? (mil)334
authentication
CORS Finally Explained—Simply333
csrf, cors, concepts
How npm Install Scripts Can Be Weaponized: A Real-World Example of a Harmful npm Package (eth)332
npm, dependencies, examples
Preventing SQL Injection Attacks in Node.js331
nodejs, databases, sql
Frontend Application Security: Tips and Tricks330
web-apps, xss, csrf, authentication, dependencies, csp, validation, tips-and-tricks
Wednesday, February 14, 2024 Security Releases (raf+/nod)329
release-notes, nodejs
How to Boost WordPress Security and Protect Your SEO Ranking328
how-tos, wordpress, seo
Malicious npm Package Masquerades as Noblox.js, Targeting Roblox Users for Data Theft (sar/soc)327
npm, dependencies
Practice Safe DSD With “setHTMLUnsafe” (It’s Complicated) (jar/van)326
html, dom, shadow-dom, apis
Tuesday, February 6, 2024 Security Releases (raf/nod)325
release-notes, nodejs
JWT vs. Session Authentication324
authentication, json-web-tokens, comparisons
GitHub, npm Registry Abused to Host SSH Key-Stealing Malware323
github, npm, malware, foss
Navigating JavaScript Security: Recompiling Firefox to Bypass Anti-Debugger Techniques (gli)322
javascript, debugging, firefox, mozilla, browsers
Deceptive Deprecation: The Truth About npm Deprecated Packages321
deprecation, npm, dependencies, research
Safely Accessing the DOM With Angular SSR320
dom, javascript, angular, server-side-rendering
Node.js Security Progress Report—Progress on Permission Model, Fuzzer, and Connections With Community (ope)319
nodejs
I Hate CORS318
videos, cors
Secure Your Code: Auto-Fix Vulnerabilities With Dependabot (GitHub Tutorial)317
videos, dependencies, dependabot
Building Multiple Progressive Web Apps on the Same Domain316
videos, web-apps, progressive-web-apps, architecture
Session-Based vs. Token-Based Authentication: Which Is Better?315
authentication, json-web-tokens, comparisons
10 Best Practices for Secure Code Review of Node.js Code314
best-practices, code-reviews, nodejs
Security Headers Using “<meta>” (sap/mat)313
csp, html
Blind CSS Exfiltration: Exfiltrate Unknown Web Pages312
css
Mastering Cryptography Fundamentals With Node’s “crypto” Module311
cryptography, nodejs
Secure Code Review Tips to Defend Against Vulnerable Node.js Code310
nodejs, code-reviews
Understanding CORS309
cors
What the !#@% Is a Passkey? (eff)308
passkeys
Secret Scanning Scans Public npm Packages307
github, npm, dependencies
Local HTTPS for Next.js 13.5 (ami)306
testing, http, nextjs
Understanding XSS Attacks305
xss
A Comprehensive Guide to the Dangers of Regular Expressions in JavaScript (phi)304
guides, javascript, regex
SSH Keys Stolen by Stream of Malicious PyPI and npm Packages (ble)303
ssh, dependencies, npm
Best Practices for Securing Node.js Applications in Production302
best-practices, nodejs
npm Provenance General Availability301
github, npm, provenance
The WebP 0-Day300
webp, google, apple
Open Source Trends to Look for in 2024299
foss, trends, outlooks, ai
Securing Your Node.js Apps by Analyzing Real-World Command Injection Examples298
nodejs, history, examples
How to Implement SSL/TLS Pinning in Node.js297
how-tos, ssl, tls, nodejs
A More Intelligent and Secure Web (ple/w3c)296
videos, w3c, standards, web, web-platform
Demystifying CORS: Understanding How Cross-Origin Resource Sharing Works295
cors, javascript
Towards HTTPS by Default (jde)294
browsers, google, chrome, http, tls
Sophisticated, Highly-Targeted Attacks Continue to Plague npm293
npm
An Update on Chrome Security Updates—Shipping Security Fixes to You Faster292
browsers, google, chrome
Tuesday, August 8, 2023 Security Releases (raf/nod)291
release-notes, nodejs
SECURITY.md: Should I Have It? (mry/ecl)290
documentation
Publishing With npm Provenance From Private Source Repositories Is No Longer Supported289
github, npm, provenance, foss
Social Engineering Campaign Targeting Tech Employees Spreading Through npm Malware (soc)288
malware, npm
Securing the Web Forward: Addressing Developer Concerns in Web Security (tor/w3c)287
web, surveys
User Input Sanitization and Validation: Securing Your App286
sanitization, validation, conformance
Encoding: A Brief History and Its Role in Cybersecurity285
encoding, unicode, history
Node.js Security Progress Report—17 Reports Closed (ope)284
nodejs
The Importance of Verifying Webhook Signatures283
webhooks
The Massive Bug at the Heart of the npm Ecosystem282
npm, dependencies, bugs
All You Need to Know About CORS and CORS Errors281
cors, errors
Understanding Authorization Before Authentication: Enhancing Web API Security280
authorization, authentication, apis, comparisons
An Introduction to Command Injection Vulnerabilities in Node.js and JavaScript279
introductions, vulnerabilities, nodejs, javascript
Django: A Security Improvement Coming to “format_html()” (ada)278
django, html
Tuesday, June 20, 2023 Security Releases (raf/nod)277
release-notes, nodejs
security.txt Now Mandatory for Dutch Government Websites276
legal
File Upload Security and Malware Protection (aus)275
malware, file-handling, edge-computing
Security Implications of HTTP Response Headers274
http, http-headers
The Case Against Automatic Dependency Updates (ben)273
dependencies, automation, ci-cd, maintenance
Automating Dependency Updates: The Big Debate272
dependencies, automation, ci-cd
Introducing npm Package Provenance271
introductions, github, npm, provenance, foss
Generating Provenance Statements270
npm, provenance
8 Best Tools for Cryptography and Encryption (sta)269
link-lists, tooling, comparisons, cryptography, encryption, privacy
Dissecting npm Malware: Five Packages and Their Evil Install Scripts268
npm, malware
Passkeys: What the Heck and Why? (css)267
passkeys
Senior Engineering Strategies for Advanced React and TypeScript (tec)266
strategies, react, typescript, architecture, testing, performance, accessibility, maintenance
Cryptographically Protecting Your SPA265
single-page-apps, cryptography
Tips for Handling Dependabot, CodeQL, and Secret Scanning Alerts264
alerting, dependabot, tips-and-tricks
Without Accessibility, There Is No Privacy or Security (lev)263
accessibility, privacy
How to Password-Protect a Static HTML Page With No JS (ede)262
how-tos, css, fonts
SSL Certificates Explained261
videos, certificates, ssl, protocols
Quick Tip: How to Hash a Password in PHP260
how-tos, php, passwords, tips-and-tricks
Sandboxing JavaScript Code259
javascript
Avoiding the Success Trap: Toward Policy for Open-Source Software as Infrastructure (atl)258
foss, infrastructure, policies, concepts
Unlocking Security Updates for Transitive Dependencies With npm257
npm, dependencies, maintenance
7 Required Steps to Secure Your Iframes Security256
iframes, xss, html, http-headers, csp
Conditional API Responses for JavaScript vs. HTML Forms (aus)255
javascript, html, forms, comparisons
Why Do We Need Authorization and Authentication?254
authorization, authentication
The Top 10 Security Vulnerabilities for Web Applications253
vulnerabilities, web-apps
Leaked a Secret? Check Your GitHub Alerts… for Free252
github
DOM Clobbering (fre/mat)251
dom
New npm Features for Secure Publishing and Safe Consumption250
npm, dependencies
Using SRI to Protect From Malicious JavaScript (mat)249
javascript
WordPress Versions 3.7–4.0 No Longer Get Security Updates (sar)248
wordpress
“Not Secure” Warning for IE Mode247
browsers, microsoft, edge, internet-explorer
Node.js Security Best Practices (nod)246
nodejs, best-practices
npm Security: Preventing Supply Chain Attacks245
npm, dependencies
Secure JavaScript URL Validation244
javascript, validation, urls
Create a Passkey for Passwordless Logins (age)243
authentication, passkeys
Designing a Secure API242
software-design, apis
Phylum Detects Active Typosquatting Campaign Targeting npm Developers241
npm, dependencies
Security (htt)240
web-almanac, studies, research, metrics
Continue Using .env Files as Usual239
environments
Quick Reminder: HTML5 “required” and “pattern” Are Not a Security Feature (cod)238
html, forms
Stop Using .env Files Now237
environments
Debunking Myths About HTTPS236
http, myths
Secure Your Node.js App With JSON Web Tokens (app)235
nodejs, json-web-tokens
Dependabot Unlocks Transitive Dependencies for npm Projects234
dependencies, npm, dependabot
JavaScript Bugs Aplenty in Node.js Ecosystem—Found Automatically233
studies, research, nodejs, javascript, dependencies, quality, bugs
Introducing Even More Security Enhancements to npm232
introductions, npm
Top 5 npm Vulnerability Scanners231
npm, vulnerabilities, tooling
What Is Passwordless Authentication and How to Implement It230
authentication, passwords
GA4 Is Being Blocked by Content Security Policy229
csp, metrics, google
Please Remove That .git Folder228
git
Should I Have Separate GitHub Accounts for Personal and Professional Projects?227
discussions, github, career
Understanding CSRF Attacks (zel) · #226 · csrf
npm Security Update: Attack Campaign Using Stolen OAuth Tokens · #225 · oauth, version-control, npm, github
Snyk Finds 200+ Malicious npm Packages, Including Cobalt Strike Dependency Confusion Attacks · #224 · javascript, npm, dependencies
Unexpectedly HTTPS? · #223 · http
How to Respond to Growing Supply Chain Security Risks? · #222 · how-tos, dependencies, nodejs, npm
The Web Is for Everyone: Our Vision for the Evolution of the Web (moz) · #221 · web, outlooks, privacy, accessibility, performance, user-experience
Using HTTPS in Your Development Environment · #220 · http, environments
How to Prevent SQL Injection Attacks in Node.js · #219 · how-tos, nodejs, databases, sql
Can You Get Pwned With CSS? · #218 · css
How to Fix Your Security Vulnerabilities With npm Override · #217 · how-tos, vulnerabilities, npm, dependencies
Never, Ever, Ever Use Pixelation for Redacting Text · #216 · content, images, obfuscation
Accessibly Insecure · #215 · accessibility
Lessons Learned From Publishing a Content Security Policy · #214 · lessons, csp
Ain’t No Party Like a Third Party (ada/css) · #213 · dependencies, embed-code
Security (htt) · #212 · web-almanac, studies, research, metrics
GitHub’s Commitment to npm Ecosystem Security · #211 · github, npm
Understanding and Implementing OAuth2 in Node.js (hon) · #210 · nodejs, authorization, oauth
How to Win at CORS (jaf) · #209 · how-tos, cors, html, http
The Options for Password-Revealing Inputs (chr/css) · #208 · html, css, passwords, usability
npm Security Best Practices (owa) · #207 · npm, best-practices
Encoding Data for POST Requests (jaf) · #206 · javascript, encoding
NPM Global Audit · #205 · packages, npm, quality, auditing
Understanding and Preventing Common Security Vulnerabilities · #204 · vulnerabilities
Open Source Insights · #203 · websites, foss, dependencies, licensing
I Learned to Love the Same-Origin Policy (eee/css) · #202 · cors
Is Edge Computing Secure? Here Are 4 Security Risks to Be Aware Of · #201 · edge-computing
TLS and mTLS Demystified · #200 · tls, protocols
Best Practices for Inclusive Textual Websites · #199 · performance, accessibility, best-practices
Clickjacking Attacks and How to Prevent Them · #198 · how-tos
How to Safely Use GitHub Actions in Organizations (nza) · #197 · how-tos, github-actions
What Is mTLS and How Does It Work? · #196
Mutual TLS: Stuff You Should Know · #195 · tls, protocols
Don’t Try to Sanitize Input—Escape Output · #194 · sanitization, escaping
Encrypting DNS Query Bad for Performance? (erw) · #193 · performance, dns, http, encryption
Apple Joins FIDO Alliance, Commits to Getting Rid of Passwords (zdn) · #192 · apple, fido, passwords, authentication
How to Automatically Update Your JavaScript Dependencies (spa/clo) · #191 · how-tos, javascript, dependencies, automation, processes
What SSL Is, and Which Certificate Type Is Right for You · #190 · ssl, certificates, privacy, concepts
Usability and Security; Better Together (24w) · #189 · usability, user-experience
Server-Side Includes (SSI) Injection (owa) · #188 · ssi
How Internet Security Works: TLS, SSL, and CA (osd) · #187 · tls, ssl, protocols, certificates
Security and Privacy for Our Times (luk/w3c) · #186 · privacy, web-platform
Web Feature Developers Told to Dial Up Attention on Privacy and Security (rip/tec) · #185 · w3c, privacy, web-platform
CSS Security Vulnerabilities (chr/css) · #184 · css, privacy, vulnerabilities
Understanding Subresource Integrity (dre/sma) · #183 · hashing, embed-code
W3C Strategic Highlights: Web for All (Security, Privacy, Identity) (w3c) · #182 · w3c, privacy, authentication
Guide to Web Authentication · #181 · websites, authentication, webauthn, javascript
It’s Beginning to Look a Lot Like XSSmas (24w) · #180 · vulnerabilities, csrf, xss
Protecting Your Site With Feature Policy (rac/sma) · #179 · http-headers, http
AWS Security Guide: 7 Best Practices to Avoid Security Risks (wom) · #178 · guides, aws, best-practices
WebAuthn, FIDO2 Infuse Browsers, Platforms With Strong Authentication (dar) · #177 · w3c, fido, authentication, webauthn, browsers
In Your Face, Passwords: Big Three Browsers All Adopt Authentication API · #176 · authentication, webauthn, apis, edge, microsoft, chrome, google, firefox, mozilla, browsers
HTTPS Is Easy (tro) · #175 · websites, http
WordPress Security as a Process (sma) · #174 · wordpress, processes
Making Your Website Faster and Safer With Cloudflare · #173 · performance, caching, cloudflare
Validating Dependencies in the Project With npm-check and depcheck · #172 · dependencies, maintenance, auditing, tooling, npm
Third Party CSS Is Not Safe (jaf) · #171 · html, css, embed-code
Attackers Can Steal Sensitive Data by Abusing CSS—CSS Exfil Vulnerability · #170 · css, csp
Building Secure JavaScript Applications · #169 · javascript, xss, csrf, json-web-tokens, passwords
Creating Secure Password Resets With JSON Web Tokens (sma) · #168 · passwords, json-web-tokens, nodejs
The Complete Guide to Switching From HTTP to HTTPS (sma) · #167 · guides, http
Rate Limiting With nginx · #166 · servers, nginx, rate-limiting
How (Not) to Control Your CDN (mno) · #165 · content-delivery, caching, http
How to Secure WordPress With SSL · #164 · how-tos, wordpress, ssl
Encrypting IP Addresses (ber) · #163 · ip, network, privacy, encryption
How to Secure Your Web App With HTTP Headers (sma) · #162 · how-tos, web-apps, http, http-headers, csp
Just Another HTTPS Nudge (chr/css) · #161 · http
On EME in HTML5 (tim/w3c) · #160 · eme, drm, html, legal, standards, w3c
Using SSH Securely (ann) · #159 · ssh
More Than 300 Federal Gov Websites Fail to Meet Domain Encryption Deadline · #158 · http, tls, protocols, encryption
Content Security Policy Level 2 (mik+/w3c) · #157 · standards, csp
A Checklist for Website Reviews (hcr) · #156 · checklists, performance, browsers, seo, accessibility
Content Security Policy, Your Future Best Friend (sma) · #155 · csp, link-lists
A Refined Content Security Policy (web) · #154 · html, csp, webkit, safari, apple, browsers
The Performance Benefits of “rel=noopener” (jaf) · #153 · html, links, performance
Web Platform Security Boundaries (ann) · #152 · web-platform
Subresource Integrity (dev+/w3c) · #151 · hashing, html, standards
npm Fails to Restrict the Actions of Malicious npm Packages · #150 · npm, vulnerabilities
W3C Looks to Secure the Web (sdt) · #149 · w3c, authentication
Distribution Packages Considered Insecure · #148 · dependencies, unix-like
The Current State of Web Security (An Interview With Anselm Hannemann) (hel+/css) · #147 · interviews, http, ssl, tls, encryption, cloudflare, lets-encrypt
Eliminating Known Vulnerabilities With Snyk (sma) · #146 · vulnerabilities, tooling
10 Web Predictions for 2016 (cra) · #145 · web, outlooks, site-generators, browsers, css, mobile, performance, webassembly, seo
HSTS and “Let’s Encrypt” (tka) · #144 · http, http-headers, ssl, lets-encrypt
Indexing HTTPS Pages by Default · #143 · google, search, http
An in-Depth Look at CORS · #142 · cors, javascript, php
Why Passwordless Authentication Works (cra) · #141 · authentication, passwords
Introduction to TLS and SSL (ope) · #140 · introductions, tls, ssl, protocols, certificates
A Simple Developer Error Is Exposing Private Information on Thousands of Websites (owe) · #139 · version-control, git, mistakes, vulnerabilities
More Tips to Further Secure WordPress (eli) · #138 · wordpress, tips-and-tricks, plugins
Improving Web Security With the Content Security Policy · #137 · csp, http
Deprecating HTTP · #136 · http, protocols, deprecation
Mozilla Wants to Deprecate Non-Secure HTTP, Will Make Proposals to W3C “Soon” (epr/ven) · #135 · mozilla, http, deprecation
Want Fancy Firefox Features? Secure Your Website (sts/cne) · #134 · firefox, mozilla, browsers, http
WordPress Front End Security: CSRF and Nonces (css) · #133 · wordpress, csrf
Introduction to WordPress Front End Security: Escaping the Things (css) · #132 · introductions, wordpress, escaping
What Are the Security Risks of HTML5 Apps? · #131 · web-apps, sanitization
Moving to HTTPS on WordPress (chr/css) · #130 · wordpress, http
Same-Origin Policy (ann) · #129 · cors, web-platform
Securing the Web (w3c) · #128 · web-platform
What I’d Tell My Younger Self About Learning Development as a Web Designer · #127 · learning, programming, javascript, databases, servers, preprocessors, version-control, performance, career
HTTPS as a Ranking Signal (met) · #126 · google, search, http, seo
mXSS (gaz) · #125 · xss, html
It’s Time to Encrypt the Entire Internet (kli/wir) · #124 · web, http, ssl, encryption
3 Tips to Find Hacking on Your Site, and Ways to Prevent and Fix It · #123 · search, google, tips-and-tricks
Cross-Origin Resource Sharing (ann/w3c) · #122 · cors, standards
Despite Automatic Updates, Old Browsers Are Still a Problem (edb/zdn) · #121 · browsers, web-platform, chrome, google, firefox, mozilla, internet-explorer, microsoft, safari, apple
Cross-Origin Resource Sharing on Track to Become a W3C Recommendation (sdt) · #120 · w3c, cors, standards
Bid to Kill CAPTCHA Security Test Gains Momentum · #119 · captcha, accessibility
We Should All Have Something to Hide · #118 · privacy
Mobile Website Security · #117 · mobile, hosting, policies
WordPress Security Tips · #116 · wordpress, tips-and-tricks
Brad Hill: “HTML5 Security Realities” (chr/css) · #115 · slides, xss, html
Bulletproof Your Drupal Website · #114 · drupal
Top 10 PHP Security Vulnerabilities · #113 · php, vulnerabilities
A Front End Engineer’s Manifesto (zac) · #112 · websites, manifestos, user-experience, progressive-enhancement, simplicity, foss, accessibility, community, learning
A JavaScript Security Flaw · #111 · javascript
The Secure Programmer’s Pledge · #110 · manifestos
An Introduction to Content Security Policy (mik) · #109 · introductions, csp
Rate Limiting With Apache and mod_security (joh) · #108 · servers, apache, rate-limiting
Cross-Site Scripting Attacks (XSS) · #107 · xss, examples
How to Secure Your WordPress Website (sma) · #106 · how-tos, wordpress, link-lists
Using CORS · #105 · cors
Some Notes on the Recent XML Encryption Attack (w3c) · #104 · xml, encryption
XML Encryption Flaw Leaves Web Services Vulnerable (eur) · #103 · web-services, xml, encryption
Notes From Writing HTML5 Media (bur) · #102 · html, multimedia
HTTPS Is More Secure, So Why Isn’t the Web Using It? (ars) · #101 · http, protocols, web
Web Cryptography: Salted Hash and Other Tasty Dishes (ali) · #100 · cryptography
What Are the JSON Security Concerns in Web Development? (sim) · #99 · json
What Is Cross Site Scripting or XSS? (chr/css) · #98 · xss, javascript, concepts
Web Developers Accountable for HTML 5 Security · #97 · html
HTML5 Raises New Security Issues · #96 · html, browsers
10 Useful WordPress Security Tweaks (sma) · #95 · wordpress
Web Security: Are You Part of the Problem? (cod/sma) · #94 · vulnerabilities, php, javascript
Full Frontal ’09: Chris Heilmann on JavaScript Security (mic/aja) · #93 · javascript
Cookies and Security (nza) · #92 · cookies, xss, csrf
A Critical Vulnerability in IE8 (jed) · #91 · internet-explorer, microsoft, browsers, vulnerabilities
Finally Something to Get a Few More Users Off of IE 6? (dal/aja) · #90 · internet-explorer, microsoft, browsers
The Internet Is Closing to Innovation (zit/new) · #89 · web
You Could Be Getting Clickjacked (tec) · #88 · vulnerabilities, frames, w3c
Video and Audio Tags and Cross Origin Access (dal/aja) · #87 · html, multimedia
Dumb Security Tips: Think Before You Follow Online Guides (tan) · #86 · tips-and-tricks
Alerting Webmasters to Webserver Vulnerabilities · #85 · google
Simon Willison, @Media Ajax (mic/aja) · #84 · ajax, xss, csrf, javascript, json
Frame-Busting Gadgets (mic) · #83 · frames, iframes
Evil GIFs: Hiding Java in Your Image (dal/aja) · #82 · gif, images, java
What’s in a “window.name”? (cod/aja) · #81 · javascript
Internet Explorer 8 Promises Better Standards Compliance… and a Whole Lot More (est/cio) · #80 · internet-explorer, microsoft, browsers, standards
Ajaxian Roundup for January 2008: JavaScript Turtles and IE 8 (dal/aja) · #79 · javascript, prototypejs, dojo, extjs, jquery, gwt, yui, dwr, gears, flash, air, json, browsers, standards, css, design, comet, ajaxian, link-lists
Book Recommendation: “AJAX Security” by Hoffman and Sullivan · #78 · books, ajax, javascript
Ajaxian Roundup for December 2007: It’s the End of the Year as We Know It (dal/aja) · #77 · browsers, javascript, prototypejs, extjs, yui, jquery, microsoft, dwr, performance, gwt, comet, css, mobile, ajaxian, link-lists
Cross Site Scripting Joy (tri) · #76 · xss
Making JavaScript Safe With No Script (dal/aja) · #75 · javascript
Obscurity, Security, and Captcha (zac) · #74 · captcha, accessibility
Automated Security Scanners Choke on AJAX (rey/aja) · #73 · ajax, javascript
Quick Security Checklist for Webmasters · #72 · checklists
How to Protect a JSON or JavaScript Service · #71 · how-tos, json, javascript
Securing Your JSON · #70 · json, javascript, arrays
“phpinfo()” XSS Vulnerability (jed) · #69 · php, xss, vulnerabilities
CSRF Protection Idea (dal/aja) · #68 · csrf
JavaScript Security Experiments (mar) · #67 · javascript, experiments
Security vs. Usability (nza) · #66 · usability
Prepare for Attack—Making Your Web Applications More Secure · #65 · web-apps, sql, xss, examples
JSON vs. XML: Browser Security Model (car) · #64 · browsers, json, xml, comparisons
The Dangers of Cross-Domain AJAX With Flash (shi) · #63 · ajax, javascript, flash
DOM vs. Web (mno) · #62 · http, dom