»HTTP/1.1 Must Die – It's time to acknowledge HTTP/1.1 is insecure«
Admittedly, I personally don't know how seriously you have to take this, but I am only developing web servers set to HTTP/2.0, because HTTP/3 is not yet widely supported.

Semrush is one of the best-known SEO analysis tools on the market. It regularly crawls websites with its bot (SemrushBot) to collect and analyse data such as keywords, backlinks, rankings and much more from your website. Here are 5 effective, quickly implemented methods for locking Semrush out of your website.
AI abuse
Cloudflare accuses the AI provider #Perplexity of gaining access to blocked websites with undeclared crawlers.
Despite robots.txt prohibitions and IP blocks, Perplexity is said to be covertly scraping content using rotating user agents and IPs.
That would be a violation of established web standards and a disregard for website preferences.
Has anyone else noticed the user agent "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/118.0" in their log files? Thousands of such requests come in from 25 servers at a German provider. All pretty pointless. Every time, all resources of the respective web page are loaded.
This has been going on for months. It doesn't really burden the server, but in the end it's a waste. I don't have a good explanation. An AI bot?
That (AI) bots roam around in the open data portal is nothing new. But today I came across a particularly odd case that I want to report on.
OpenAI’s ChatGPT Agent casually clicks through “I am not a robot” verification test - Maybe they should change the button to say, "I am a robot"?
... - https://arstechnica.com/information-technology/2025/07/openais-chatgpt-agent-casually-clicks-through-i-am-not-a-robot-verification-test/ #computer-usingagent #aidevelopmenttools #computerusemodel #machinelearning #authentication #websecurity #aibehavior #aisecurity #cloudflare #agenticai #aiagents #captcha #chatgpt #biz #openai #ai
New Open-Source Tool Spotlight
PrivateBin is a minimalist, open-source pastebin alternative where data is encrypted in the browser before uploading. The server never sees plaintext, ensuring full confidentiality. Ideal for sharing sensitive info securely. #WebSecurity #Encryption
Project link on #GitHub
https://github.com/PrivateBin/PrivateBin
#Infosec #Cybersecurity #Software #Technology #News #CTF #Cybersecuritycareer #hacking #redteam #blueteam #purpleteam #tips #opensource #cloudsecurity
— P.S. Found this helpful? Tap Follow for more cybersecurity tips and insights! I share weekly content for professionals and people who want to get into cyber. Happy hacking
Baby steps, giant steps... slowly working towards my Orange belt in pwn.college. Finally completed Web Security with XSS & CSRF today, and now I only have the most interesting modules left: Reverse Engineering and Binary Exploitation (plus the combined exercise after that).
Important work happening around HTTP Signatures in the Fediverse. Stronger key validation, better digest handling, clearer test vectors—all steps toward more secure and trustworthy ActivityPub communication.
HTTP Signature Upgrades Coming Soon
https://activitypub.blog/2025/07/03/http-signature-upgrades-coming-soon/
Tyler Sanderson, Kathryn Grayson Nanz, and Brent Stewart present on Frontend Development at Nebraska.Code().
You Should Run a Certificate Transparency Log
Enhance Your Drupal Website Security with Two-Factor Authentication (2FA)
Boost your Drupal site's security with Two-Factor Authentication (2FA). Protect your admin login from unauthorized access using time-based OTPs, SMS, or authenticator apps. Learn how to integrate and configure the best 2FA modules for Drupal and safeguard sensitive user data. Ideal for developers, site admins, and anyone serious about cybersecurity.
https://kbizsoft.com/set-up-2fa-authentication-in-drupal-10-6/
A strict-looking content security policy isn’t always a secure one.
During a recent engagement, we came across a policy that had all the right bits on paper, including nonces, locked-down sources, and everything you'd expect.
But one missing directive, "base-uri", was all it took to break it wide open.
By injecting a <base> tag, we redirected script loading to an attacker-controlled domain. XSS payload delivered. CSP bypassed.
CSPs need more than checkboxes. They need context, testing, and attention to the small stuff.
Here’s what went wrong and how to avoid it: https://www.pentestpartners.com/security-blog/csp-directives-base-ic-misconfigurations-with-big-consequences/
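To make the mechanism in the post above concrete, here is an added example (it is not code from the Pen Test Partners post or their tooling) in Node.js that models the bypass: base-uri is a document directive with no default-src fallback, so when it is absent an injected `<base href>` is honoured, the page's own nonced `<script src="/static/app.js">` resolves against the attacker's host, and the nonce on that element lets the load through. The origins, path and nonce are constructed for illustration, and the script-src decision is a simplified model (nonce match, 'self', explicit host; no 'strict-dynamic' or path matching).

```javascript
// Added example, not from the original post. Simplified model of a CSP
// base-uri bypass and a checker that flags the missing directive.

// Parse "default-src 'none'; script-src 'nonce-x'" into Map<directive, sources>.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    directives.set(name.toLowerCase(), values);
  }
  return directives;
}

// base-uri does NOT fall back to default-src, so its absence means any
// injected <base href> is honoured by the browser.
function auditBaseUri(header) {
  const values = parseCsp(header).get('base-uri');
  if (!values) return { ok: false, reason: 'base-uri missing (no default-src fallback)' };
  const safe = values.every(v => v === "'self'" || v === "'none'");
  return safe ? { ok: true } : { ok: false, reason: `base-uri too broad: ${values.join(' ')}` };
}

// Apply base-uri to an injected <base href>: return the href the browser
// would honour, or null when the policy rejects it.
function effectiveBaseHref(header, documentUrl, injectedHref) {
  const values = parseCsp(header).get('base-uri');
  if (!values) return injectedHref;
  if (values.includes("'none'")) return null;
  const injectedOrigin = new URL(injectedHref).origin;
  const sameOrigin = injectedOrigin === new URL(documentUrl).origin;
  if (values.includes("'self'") && sameOrigin) return injectedHref;
  if (values.includes(injectedOrigin)) return injectedHref;
  return null;
}

// Browser-like resolution of a relative src: <base href> wins over the document URL.
function resolveScriptSrc(relativeSrc, documentUrl, baseHref) {
  return new URL(relativeSrc, baseHref || documentUrl).href;
}

// Simplified script-src decision: a matching nonce on the <script> element
// permits the load from ANY origin; otherwise 'self' and host sources are
// checked against the resolved URL's origin.
function scriptAllowed(header, documentUrl, element) {
  const csp = parseCsp(header);
  const sources = csp.get('script-src') || csp.get('default-src') || [];
  if (element.nonce && sources.includes(`'nonce-${element.nonce}'`)) return true;
  const origin = new URL(element.resolvedSrc).origin;
  return sources.some(src =>
    (src === "'self'" && origin === new URL(documentUrl).origin) || src === origin);
}

// Constructed scenario: the page's own nonced script uses a relative path and
// an attacker has injected <base href="https://attacker.example/"> above it.
const DOCUMENT_URL = 'https://app.example/account';      // constructed
const ATTACKER_BASE = 'https://attacker.example/';       // constructed
const NONCE = 'r4nd0m';                                   // constructed
const WEAK_CSP = `default-src 'none'; script-src 'nonce-${NONCE}'; object-src 'none'`;
const FIXED_CSP = `${WEAK_CSP}; base-uri 'self'`;

// Run the scenario under a given policy: where does /static/app.js resolve,
// and does script-src let the nonced element load it?
function simulate(header) {
  const base = effectiveBaseHref(header, DOCUMENT_URL, ATTACKER_BASE);
  const resolved = resolveScriptSrc('/static/app.js', DOCUMENT_URL, base);
  const allowed = scriptAllowed(header, DOCUMENT_URL, { nonce: NONCE, resolvedSrc: resolved });
  return { resolved, allowed };
}

console.log('weak :', auditBaseUri(WEAK_CSP), simulate(WEAK_CSP));
console.log('fixed:', auditBaseUri(FIXED_CSP), simulate(FIXED_CSP));
```

Under the weak policy the legitimate script element, nonce and all, fetches `https://attacker.example/static/app.js`; adding `base-uri 'self'` (or `'none'` if the page never uses `<base>`) makes the same element resolve against the real document URL. The checker is worth running against any "strict" policy during review, since `default-src 'none'` gives a false sense of coverage here.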
Why does your website need JavaScript to display text with images? Without #Javascript I see the footnotes, and that's it.
It doesn't have to be this way. #WebSecurity
ALERT!
Over 260,000 #Joomla sites at risk due to TWO newly discovered #zeroday vulnerabilities!
Learn how our team uncovered these critical flaws in a popular Joomla extension and how you can protect yourself. Read the full story: https://blog.blacklanternsecurity.com/p/doomla-zero-days #cybersecurity #websecurity #CVE
Hah.
Fuckbonk suspended my account.
What did I do? Set up an anonymous profile with their own account tool and installed security software on my computer to block their spyware/tracking.
Am I going to try and "fix the issue"? Nah. Waste of time.
..also note where I put the arrows. Their own images were blocked for tracking.
Funny they don't like that, ain't it.
#Facebook #SocialMedia #Internet #app #security #internetsecurity #websecurity #meta
Fresh design, new logo, and custom web applications are now tested even more thoroughly. Plus a white-label solution for IT service providers.
Take your web security to the next level with NPMplus and CrowdSec!
Check out this step-by-step tutorial written by CrowdSec community member Zoey, which demonstrates how to set up NPMplus (the enhanced version of the standard NGINX Proxy Manager) with CrowdSec.
Follow the tutorial here https://crowdsec.net/blog/web-server-security-with-npmplus-and-crowdsec
After an absurd experience with #Sparkasse I'm looking for #BullshitBingo cards on the topic of #Security (#WebSecurity)
So far:
- One-time codes via #SMS
- Proprietary #TOTP app instead of open standards
- Support only by phone
- Reading username and password out loud
- Apps locking themselves after 5 minutes
- Apps locking after 3 months without a login, with no error code or findable online help ("90 days")
- Reinstalling the app to solve the problem (#TOFU)
Can you think of anything else?