Just a lvl 27 guy from 🇫🇮 Finland. Full-stack web developer and Scrum Master by trade, but more into server-side programming, networking, and sysadmin stuff.

During the summer, I love trekking, camping, and going on long hiking adventures. Also somewhat of an avgeek and a huge Lego fanatic.

  • 0 Posts
  • 14 Comments
Joined 2 years ago
cake
Cake day: June 20th, 2023

help-circle
  • They can include runnable JavaScript too, which can cause vulnerabilities in certain contexts. One example from work some years back: We had a web app where users could upload files, and certain users could view files uploaded by others. They had the option to download the file or, if it was a file type that the browser could display (like an image or a PDF), the site would display it directly on the page.

    To prevent any XSS (scripts from user-provided files), we served all files with the CSP sandbox header, which prevents any scripts from running. However, at the time, that header broke some features of the video player on certain browsers (I think in Safari, at least), so we had to serve some file types without the header. Mistakenly, we also included image files in the exclusion, as everyone through image files couldn’t contain scripts. But the MIME type for SVG files is image/svg+xml… It was very embarrassing to have such a simple XSS vuln flagged in a security audit.



  • Providing expiration notification emails means that we have to retain millions of email addresses connected to issuance records. As an organization that values privacy, removing this requirement is important to us.

    I fully support the privacy argument (I didn’t realize it has been mandatory to give some emai address to get a cert) but why not make it optional instead?

    The reminder email from them has saved me once when originally “temporary” domain was not so temporary after all and I forgot to set up auto-renewal and monitoring for it.





  • JRaccoon@discuss.tchncs.detoSelfhosted@lemmy.worldDynamic IP - Self hosting
    link
    fedilink
    English
    arrow-up
    2
    arrow-down
    1
    ·
    9 months ago

    I’ve been using No-IP free plan for years without issues. Inputted the credentials to my routers DDNS client and then basically forgot about it. Free users need to confirm their account once a month via email but that’s just one click.

    If your domain registrar happens to have an API to update DNS entries, you could implement DDNS yourself by writing a simple automated script to check the external IP (e.g. via ipify.org) and if it’s changed from the last check then call the API to update the DNS entries.