Important work happening around HTTP Signatures in the Fediverse. Stronger key validation, better digest handling, clearer test vectors—all steps toward more secure and trustworthy ActivityPub communication.
HTTP Signature Upgrades Coming Soon
https://activitypub.blog/2025/07/03/http-signature-upgrades-coming-soon/
Tyler Sanderson, Kathryn Grayson Nanz, and Brent Stewart present on Frontend Development at Nebraska.Code().
You Should Run a Certificate Transparency Log
Enhance Your Drupal Website Security with Two-Factor Authentication (2FA)
Boost your Drupal site's security with Two-Factor Authentication (2FA). Protect your admin login from unauthorized access using time-based OTPs, SMS, or authenticator apps. Learn how to integrate and configure the best 2FA modules for Drupal and safeguard sensitive user data. Ideal for developers, site admins, and anyone serious about cybersecurity.
https://kbizsoft.com/set-up-2fa-authentication-in-drupal-10-6/
Bot or not? A short history of web bots and bot detection techniques
– from @OlegWock
ImperialViolet – AES-GCM-SIV
This isn't new, but it's interesting for me to apply it to a project right now. This is well and clearly explained in this article, in my opinion.
A strict-looking content security policy isn’t always a secure one.
During a recent engagement, we came across a policy that had all the right bits on paper including nonces, locked-down sources, and everything you'd expect.
But one missing directive "base-uri" was all it took to break it wide open.
By injecting a <base> tag, we redirected script loading to an attacker-controlled domain. XSS payload delivered. CSP bypassed.
CSPs need more than checkboxes. They need context, testing, and attention to the small stuff.
Here’s what went wrong and how to avoid it: https://www.pentestpartners.com/security-blog/csp-directives-base-ic-misconfigurations-with-big-consequences/
Rethinking Regex: Smarter detection for a modern threat landscape
Using regular expressions, or regex, was once a convenient and powerful way for web application firewalls (WAFs) to find malicious code in web requests.
https://www.scworld.com/resource/rethinking-regex-smarter-detection-for-a-modern-threat-landscape
Warum braucht eure Website Javascript, um Text mit Bildern darzustellen? Ohne #Javascript sehe ich die Fußnoten, das wars.
Das muss doch nicht sein. #WebSecurity
Web 3.0 Requires Data Integrity
New integrity-focused standards are necessary to enable the trusted AI services of tomorrow.
https://cacm.acm.org/opinion/web-3-0-requires-data-integrity/
ALERT! Over 260,000 #Joomla sites at risk due to TWO newly discovered #zeroday vulnerabilities! 
Learn how our team uncovered these critical flaws in a popular Joomla extension and how you can protect yourself. Read the full story: https://blog.blacklanternsecurity.com/p/doomla-zero-days #cybersecurity #websecurity #CVE
Hah.
Fuckbonk suspended my account.
What did I do? Set up an anonymous profile with their own account tool and installed security software on my computer to block their spyware/tracking.
Am I going to try and "fix the issue"? Nah. Waste of time.
..also note where I put the arrows. Their own images were blocked for tracking.
Funny they dont like that, aint it.
#Facebook #SocialMedia #Internet #app #security #internetsecurity #websecurity #meta
Frisches Design, neues Logo und Custom Web Applications werden jetzt noch tiefgehender getestet. Außerdem eine White-Label-Lösung für IT-Dienstleister.
Take your web security to the next level with NPMplus and CrowdSec!
Check out this step-by-step tutorial written by CrowdSec community member Zoey, which demonstrates how to set up NPMplus (the enhanced version of the standard NGINX Proxy Manager) with CrowdSec.
Follow the tutorial here 
https://crowdsec.net/blog/web-server-security-with-npmplus-and-crowdsec
Durch eine absurde Erfahrung mit der #Sparkasse suche ich nach #BullshitBingo Karten zum Thema #Security (#WebSecurity)
Bisher:
- Einmalcodes per #SMS
- Proprietäre #TOTP App statt offener Standards
- Support nur per Telefon
- Username und Passwort laut durchsagen
- Apps nach 5 Minuten von selber sperren
- Apps nach 3 Monaten ohne Login sperren, ohne Errorcode oder auffindbare Onlinehilfe ("90 Tage")
- App neu installieren, um Problem zu lösen (#TOFU)
Fällt euch noch was ein?
„Parser Differentials: When Interpretation Becomes a Vulnerability“ by @joernchen
https://0day.click/parser-diff-talk-oc25/
#yaml #json #websecurity
https://sgued.fr/blog/need-csrf-token/
You should still use CSRF tokens. SameSite is not the same definition as Cross-Origin, so SameSite=Lax does not protect from CSRF coming from a "neighbor" subdomain.
Ports that are blocked by browsers
https://www.keenformatics.com/ports-that-are-blocked-by-browsers
Cloudflare proposes cryptographic signatures and mTLS to authenticate bot traffic, moving away from spoofable headers and unreliable IPs. Aims to give site owners clearer signals on automated access.
