I’m back! I hope you’re having a great summer. So let’s go straight to this week’s interesting security-related reads:
Race conditions on the web
An interesting read about race conditions in web applications: when two requests interleave in a check-then-act sequence (check the balance, then debit; check the coupon is unused, then redeem it), a validation that holds for each request on its own can be bypassed by sending them concurrently.
Active Params
An example of automatic security gone too far, in my opinion. Allow all parameters in production that were ever used in development? That means any parameter a developer submitted once while testing (an admin flag, say) silently becomes mass-assignable in production; an explicit permit list per action remains the safer default.
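To make the concern concrete, here is an added example that is not code from the Active Params gem or from the linked article. It models the idea in plain Ruby: an allow list is built from every parameter key seen in (constructed) development traffic, and that list is then used to filter a production request. The request hashes, the `User` struct and the helper names are all assumptions made for this demo.

```ruby
# Added example: "record in development, permit in production" versus an explicit permit list.
# All request data below is constructed for the demo; none of it comes from the gem.
require 'set'

# Simulated development traffic: an ordinary signup plus one request a developer made
# while trying out an admin-only form. A recorder only sees keys, so it cannot tell the two apart.
DEV_REQUESTS = [
  { "name" => "alice", "email" => "alice@example.com" },
  { "name" => "bob",   "email" => "bob@example.com", "admin" => "true" },
].freeze

# "Allow everything ever used": the union of all parameter keys seen in development.
def record_allowed_keys(requests)
  requests.each_with_object(Set.new) { |req, keys| keys.merge(req.keys) }
end

# Strong-parameters style filtering: keep only explicitly allowed keys.
def permit(params, allowed)
  params.select { |key, _| allowed.include?(key) }
end

# A minimal model whose attributes are mass-assigned from the permitted params.
User = Struct.new(:name, :email, :admin, keyword_init: true)

def build_user(params, allowed)
  User.new(**permit(params, allowed).transform_keys(&:to_sym))
end

# A production request from an attacker who guesses that "admin" is a model attribute.
ATTACKER_PARAMS = { "name" => "mallory", "email" => "mallory@example.com", "admin" => "true" }.freeze

# What a developer would write by hand for a signup action.
EXPLICIT_ALLOWED = %w[name email].freeze

def user_from_recorded_list
  build_user(ATTACKER_PARAMS, record_allowed_keys(DEV_REQUESTS))
end

def user_from_explicit_list
  build_user(ATTACKER_PARAMS, EXPLICIT_ALLOWED)
end

if __FILE__ == $PROGRAM_NAME
  puts "recorded list: #{record_allowed_keys(DEV_REQUESTS).to_a.inspect}"
  puts "recorded list  -> admin=#{user_from_recorded_list.admin.inspect}"
  puts "explicit list  -> admin=#{user_from_explicit_list.admin.inspect}"
end
```

The recorded list is a union over every context a developer ever exercised, so a key that was legitimate in one form becomes permitted for all of them. The explicit list is scoped to the single action and drops the attacker's extra key.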
Typosquatting programming language package managers
Typosquatting packages: don't install coffe-script, urllib2 or req7est. The author uploaded 200+ packages with names similar to popular packages to illustrate the "typosquatting" problem: one typo in a Gemfile or an install command, and whatever the squatter published runs on your machine.
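As an added example (not code from the linked research or from any package manager), the following Ruby flags dependency names that are a small edit away from a known-popular package before they are installed. The popular-package list and the candidate names are constructed for the demo; the threshold of two edits is an assumption to tune per project.

```ruby
# Added example: catch near-miss package names before "gem install" or "bundle install".
# POPULAR is a constructed list for the demo; a real check would use a curated list of
# the exact names your project depends on plus widely used packages on the registry.
POPULAR = %w[coffee-script request urllib3 rails rake nokogiri lodash express].freeze

# Optimal string alignment distance: insertions, deletions, substitutions and
# adjacent transpositions each cost 1, so "reqeust" is one edit from "request".
def edit_distance(a, b)
  a = a.downcase
  b = b.downcase
  d = Array.new(a.length + 1) do |i|
    Array.new(b.length + 1) { |j| i.zero? ? j : (j.zero? ? i : 0) }
  end
  (1..a.length).each do |i|
    (1..b.length).each do |j|
      cost = a[i - 1] == b[j - 1] ? 0 : 1
      d[i][j] = [d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost].min
      if i > 1 && j > 1 && a[i - 1] == b[j - 2] && a[i - 2] == b[j - 1]
        d[i][j] = [d[i][j], d[i - 2][j - 2] + 1].min
      end
    end
  end
  d[a.length][b.length]
end

# Returns [closest_popular_name, distance] when `name` is not itself a known package
# but is within `max_distance` edits of one, otherwise nil.
def typosquat_of(name, popular: POPULAR, max_distance: 2)
  return nil if popular.include?(name)
  best = popular.map { |p| [p, edit_distance(name, p)] }.min_by { |_, dist| dist }
  best && best[1] <= max_distance ? best : nil
end

# Check a list of dependency names; the result maps each suspicious name to its likely target.
def check_gemfile_names(names, popular: POPULAR)
  names.each_with_object({}) do |name, suspicious|
    hit = typosquat_of(name, popular: popular)
    suspicious[name] = hit if hit
  end
end

if __FILE__ == $PROGRAM_NAME
  check_gemfile_names(%w[rails coffe-script nokogiri req7est]).each do |name, (target, dist)|
    puts "#{name}: #{dist} edit(s) from #{target}, refusing to install"
  end
end
```

The exact-match check comes first on purpose: a legitimate package whose name is close to another legitimate package (think "request" and "requests") must be on the list itself, or it will be flagged. Treat a hit as "stop and look", not as proof of malice.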
Why you shouldn’t share links on Facebook
Don't message secret URLs on Facebook, e.g. Google Docs sharing links, because URLs shared via Facebook Messenger were exposed through a publicly accessible API. "Anyone with the link" URLs are only as secret as every channel they travel through.
Making Content-Security-Policy great again
Common mistakes, bypasses and a look at CSP Level 3.
Autocomplete=off is ignored on non-login <input> elements in Chrome
Here's the WontFix answer from the Chrome team. So don't rely on autocomplete=off to keep sensitive values out of the browser's autofill store; treat it as a hint, not a control.
Like this kind of article?
Subscribe to hear about new Rails security resources first. Only helpful articles and guides. Monthly(ish) updates, no spam.