How do you prevent hackers from taking a "publicly used API key" and using it in their own script?

At first, for MVP, I want to basically allow API requests to only come from my domains, or from a server-side script I control.
For the server-side script, I can simply use a "secret API token" sent in the Authorization Bearer he…

How does a hacker get access to the root user when disabling the sandbox in puppeteer, and what does it look like?

You’ll see stuff like the first comment here that adding the --no-sandbox flag when launching puppeteer "is a giant security hole" (upvoted many times). Puppeteer troubleshooting docs say "running without a sandbox is strong…

Primary techniques to prevent against hacks when passing user input to CLI arguments?

What are the main kinds of hacks that can be used when passing user input from the command line, and what are the key techniques to prevent against them (like to prevent against browser XSS attacks, you typically escape the HTML before ren…

How is the npm package manager made robust security-wise, what are the keys they are using, and how do they use them?

I am specifically looking at the npm package metadata like from the lodash package, the relevant part which is this:
{
"shasum": "392617f69a947e40cec7848d85fcc3dd29d74bc5",
"tarball": "https://registr…

How to guarantee that a user who signs up for your service is a real, physical, unique person? [duplicate]

OAuth providers like Google’s are nice but they don’t guarantee that the user on the other end hasn’t created thousands of spam accounts with different email addresses. Some financial services like P2P lending services require that the bor…

Can a VPN with its own DNS leak protection be paired with Cloudflare’s 1.1.1.1 DNS? [closed]

I’ve got a VPN that has its own DNS leak protection. A little while ago I decided to switch on the Cloudflare 1.1.1.1 DNS in my browser because I read that it can be beneficial. I thought "Well, why not? It’s free and will (probably) …