TIL why User emails should always be lowercased before using them as a login qualifier

1 minute read Published:

In one project at work we implemented a passwordless login where you enter your email and then prove that you own this email-account by clicking on the link we sent you. When I tried to log in with my (mistakenly uppercased) email-adress I got an email, but this was not my account… It was empty. Then it struck me. I used the entered email as a case-sensitive identifier to the account and obviously "Erdii@werise.

TIL why potentially destructive actions on a user-facing API should NOT use HTTP GET

1 minute read Published:

Imagine a commentbox, where each comment has to be approved by the moderator in his backend. If the backend used GET requests for the comment moderation, the url to moderate a post should look something like this: For example: … If some evil person posted a comment and knew their postid (lets say 12) they could try to email you a link to with a caption that says Cute cat gifs, you would click on it and BOOM the comment would be published…

TIL when to sanitize user input in a web application

1 minute read Published:

When a webapp takes user input (like a blog post or comment) and later renders that input into a HTML-Page, the webapp has to ensure that no malicious <script> tags or anything else is delivered to the viewer. How to do that is actually pretty easy… Just replace " ' < and > with their HTML-Entity-Counterparts. But when do we have to do it?? Because we want the input’s author to see the exact same thing she entered into the text field, the webapp should not sanitize the text before it gets saved into the database, but rather before it gets delivered to the viewing client.

My Example conf.d/mydomain.conf

1 minute read Published:

This is my example Nginx reverse-proxy + hardened https config (you need nginx/1.9.9): # redirect all http requests to https server { listen 80; server_name; server_name; return 301 https://$server_name$request_uri; } # define a new cache (use different names and paths for different caches! proxy_cache_path /var/nginx_cache/ levels=1:2 keys_zone=blog_cache:10m max_size=512m inactive=60m use_temp_path=off; # https server block server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name; ssl_certificate /etc/letsencrypt/live/; ssl_certificate_key /etc/letsencrypt/live/mydomain.

Setting up a free letsencrypt ssl certificate with nginx

3 minute read Published:

We all know that the Five Eyes (and alot of other ugly people) collect massive amounts of metadata from public internet traffic, and you want to do something about it. Yes, you can do something, too. If we spam them with encrypted traffic, the amount of work needed to decrypt and read it will become unbearable for them. Letsencrypt offers a free way to get ssl certificates for your http(s) web-server.