In many applications it's important to react to failed logins and other security-critical events, for example to log the failed login attempt to a file or to display a captcha after repeated failures. Spring-based applications come with a simple mechanism to access this kind of information using Application Events.
In my article on unattended upgrades I described how to set up an Ubuntu system to install security upgrades automatically. This is convenient for small setups, but in an enterprise environment you typically want to perform some QA before applying the change. A better solution is to have your monitoring …
There's more to migrating a complex site to HTTPS than just enabling TLS in your web server or reverse proxy. All links to embedded resources like style sheets, images, or scripts need to be served via HTTPS and potentially have to be rewritten. In a well-designed site that's not an …
A couple of days ago, Wordpress.com announced that they are now supporting TLS for custom domains (which is how this blog is hosted). There are many reasons for not hosting a blog yourself even if you have the necessary skills, like not having to deal with security updates and …
I have followed the HTTP/2 specification process closely and I like how the new protocol improves web performance and makes old workarounds obsolete. One drawback of deploying HTTP/2 is that most browser vendors only implement it on top of TLS. Since I've seen a lot of broken TLS …
As a developer, I've used lots of web services and also implemented plenty myself. I've seen services with IP-based security provided by network firewalls, services protected by standard HTTP Authentication, TLS with client and server certificates and custom mechanisms using API keys. Recently, OAuth 2.0 has been added to …
With more and more of my personal data being hosted in the cloud, I felt that I needed to take security more seriously. Since passwords are the weakest link in most systems, I was looking for a better solution. While I'm able to generate sufficiently secure passwords, there are only …
When operating servers, you're responsible for keeping them up to date with the latest security fixes. Ubuntu comes with a mechanism that installs updates automatically so you don't have to worry about it. Obviously, this is meant for personal servers operated by hobbyists where convenience is more important than availability …
Web browsing on a public Wifi network is a security risk as it's quite simple to capture network traffic. Even if you only connect to SSL-protected sites, people can still find out which web sites you're accessing. Fortunately, there is a quick way to protect your privacy - all you need …