Is reducing the webserver stack from Caddy, NGINX and PHP-FPM to only Caddy and PHP-FPM a reduction in layered-security?

I have a situation where a webserver behind a network firewall is run inside of Docker containers. It is set up in this order:

Caddy webserver – acts as WAF, GEOIP block, IP blacklist, HTTP Security Headers modifications, TLS termination, …

Given REMnux is accepting all IPs, is it possible to serve different webpages per IP? [migrated]

Is it possible on one VM (REMnux in this case), to serve several different webpages on different IP addresses, on one interface (accept-all-ips and fakedns are activated).
Sometimes malware goes to different sites to grab different things…

How to securely load user generated Javascript code from IFrame into my website?

Before I start, I have found a few related references to this question, but they are not answered previously or are about a slightly different scenario to mine.
I have the following need. I need a way to let users write Javascript code, wh…

How to securely allow localhost to access through CORS, without exposing it to anyone’s localhost?

It is recommended to do this often in web apps:
import { NextResponse } from 'next/server'
import type { NextRequest } from 'next/server'

// Define allowed origins
const allowedOrigins = [
'http://localhost:3000',
'http://localhost:30…

Is my TOTP key secure on a free hosting provider server with FTP and .htaccess restrictions?

I’m hosting a website on a free hosting provider server that uses PHP for OTP-based authentication. Here’s how it works:

If an unregistered IP address visits the site, it shows an "Unauthorized" message.

For registered IPs, the…