Good example. It’s true that even a GET request not designed to mutate data might still fail to validate input, allowing a SQL injection attack or other attack that escalates to the privileges that the running app has.
This has to be the cheapest coiled split-keyboard cable option. Creative !
Immich has a whole set of end-to-end automated tests to ensure they don’t accidentally make public any URLs they want to be private:
https://github.com/immich-app/immich/tree/main/e2e/src/api/specs
As a popular open source project, that would be a glaring security hole.
Using this proxy puts the trust in a far less popular project with fewer eyeballs on it, and introduces new risks that the author’s GitHub account is hacked or there’s a vulnerability in the supply chain of this docker container.
It’s also not true that you “never need to touch it again”. It’s based on Node, whose security updates expire every two years. A new image should be built at least every two years to keep up to date with the latest Node security updates, which have often been in their HTTP/HTTPS protocol implementations, so they affect a range of Node apps directly exposed to the internet.
Yes, there are broken uses of the HTTP protocol verbs where filtering to GET won’t work.
A simpler way to protect a private service with a reverse proxy is to only forward HTTP GET requests and only for specific paths.
It’s extremely difficult to attack a service with only GET requests.
The security of which URLs are accessible without authentication would be up to Immich.
Although, if I have my own Amazon referral link in my blog post and they replace the referral code in their feed, I would not be happy about that.
They could be injecting their own ads or affiliate links into the content.
For example, if a post links to Amazon.
I have not looked at the source code.
The story hypes this to be a bit more than this is.
Framework sent a laptop to the lead Mint dev. He’s going to try to make sure it works well with Mint, but it already does.
The more low key framing straight on the Mint blog is here:
They cannot see phone numbers of contacts, no.
They already are.
1Password’s security model guards against this. Even if they are breached, your passwords cannot be decrypted.
You are more likely to screw up your own backups and hosting security than they are.
How did the friends like it?
Are you able to pop off the keycaps and see what’s going on underneath the sticking key?
Looks like a supervillain keyboard. Very creative.
This looks similar to the Corne V4, which supports 4 additional interior keys.
Now that you’ve been using this for a while, how is your typing speed? Or is your preference for it more about comfort and enjoyment?
After starting with an Ergodox, I’ve been using a 42-key Corne keyboard for the last few years.
I love it. My current board is the Boardsource Unicorne.
I’m experimenting with the cocot46plus as a “unibody Corne with trackball” for cases when an all-in-one keyboard and pointing device might be more useful, but plan to keep using a Corne as a daily driver.
I pair it with MT3 keycaps and Cherry MX2A Browns.
After some practice, my typing speed increased to about 85 wpm on the board vs 65 wpm on my more traditional Happy Keyboard Lite 2 60% keyboard.
I use the markstos layout.
Considering the database itself is relatively small, PostgreSQL could end up largely caching it in memory, so even hosting the DB on an HDD might not feel much slower.
At one time there were browser extensions that allowed you to comment on any web page and allowed other extension users to see your comments.
The comments were hosted through the extension and not on the pages themselves.
Something like that would be possible but I don’t know anyone offering it now. I presume no one wants to moderate that.