Web security reading list (summer edition) #14

I’m back! I hope you’re having a great summer. So let’s go straight to this week’s interesting security-related reads:

Race conditions on the web

An interesting read about race conditions on the interweb.


Active Params

An example of automatic security gone too far, in my opinion. Allow all parameters in production that were ever used in development?


Typosquatting programming language package managers

Typosquatting gems: Don’t install coffe-script, urllib2, req7est. This guy uploaded 200+ packages with similar names as popular gems to illustrate the „typosquatting“ problem.


Why you shouldn’t share links on Facebook

Don’t message secret URLs on Facebook, e.g. Google Docs because links shared via Facebook Messenger reveals the URL in a publicly accessible API.


Making Content-Security-Policy great again

Common mistakes, bypasses and a look at CSP 3.

Autocomplete=off is ignored on non-login <input> elements in Chrome

Here’s the WontFix answer from the Chrome team.

Like this kind of articles?

Subscribe to hear about new Rails security resources first. Only helpful articles and guides. Monthly(ish) updates, no spam.

Unsubscribe at any time. Powered by ConvertKit