#websecurity — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #websecurity, aggregated by home.social.
-
🚨 CVE-2026-2347 — CRITICAL auth bypass in Akilli Commerce E-Commerce Website <4.5.001 via user-controlled key. Session hijack risk. No patch yet — restrict access, monitor sessions. https://radar.offseq.com/threat/cve-2026-2347-cwe-639-authorization-bypass-through-fe0b7401 #OffSeq #CVE20262347 #infosec #websecurity
-
FYI: Chrome on Android now lets users share approximate location with websites: Chrome for Android adds approximate location sharing, giving users a middle-ground privacy option between full location access and denial for website requests. https://ppc.land/chrome-on-android-now-lets-users-share-approximate-location-with-websites/ #Chrome #Android #Privacy #LocationSharing #WebSecurity
-
The one header I didn't add yet: CSP.
For sites that render untrusted input it mitigates an active surface. For a static site it guards against rarer-but-bigger events: a compromised analytics script, a poisoned CDN, a future change that adds an input path.
Astro 6 added an integration for what it emits; iframes, external fonts, and third-party services stay manual. Will inshallah follow when the audit fits.
-
📆 21 May 2026, 16:00–16:10 CDT
"What Are Web Developers Doing About Security?" by @torgo at Open Source SSF Community Day, Minneapolis, MN, USA 🇺🇸 The W3C SWAG community group ran a survey to see what web security features and technologies web developers are using and how they're using them. This talk will be a brief introduction to SWAG, an overview of the surprising results, and what it means for the work ahead.
https://www.w3.org/events/talks/2026/what-are-web-developers-doing-about-security/
#WebStandards #WebSecurity #OpenSSFCommunity
-
Enabled HSTS with includeSubDomains and preload.
The cost is real and one-way: every current and future subdomain must serve HTTPS or become unreachable. Removal from the preload list is in browser-release hands, not yours.
Accepted because the site is HTTPS-only by intent and Caddy provisions certs for every subdomain automatically via Let's Encrypt.
-
🚨 CRITICAL: CVE-2026-44257 in efwGrp efw4.X (<4.08.010) enables remote, unauthenticated command execution via crafted zip uploads and path traversal. Patch to 4.08.010 ASAP. https://radar.offseq.com/threat/cve-2026-44257-cwe-77-improper-neutralization-of-s-a113f36f #OffSeq #vuln #infosec #websecurity
-
Skipped Permissions-Policy on the static site.
It disables browser APIs (camera, mic, geolocation) the site doesn't use. Disabling something you're not using doesn't protect you from anything.
Embedding YouTube with fullscreen would also mean carving exceptions back in. More config for zero gain.
The scanner score drops one notch. The site is no less safe.
-
ICYMI: Firefox private browsing flaw let ad trackers fingerprint Tor users: Firefox IndexedDB flaw let websites fingerprint users in private sessions and through Tor New Identity resets - patched April 21 in Firefox 150 and ESR 140.10. https://ppc.land/firefox-private-browsing-flaw-let-ad-trackers-fingerprint-tor-users/ #Firefox #Privacy #WebSecurity #Tor #AdTrackers
-
🚨 CRITICAL: CVE-2026-6433 in Custom css-js-php <=2.0.7 enables unauthenticated PHP code execution via flawed input handling. No patch or exploit in the wild yet. Disable/remove plugin now. https://radar.offseq.com/threat/cve-2026-6433-cwe-94-improper-control-of-generatio-3ad54b4b #OffSeq #WordPress #vuln #WebSecurity
-
Let's Encrypt Stopping Issuance for Potential Incident
https://letsencrypt.status.io/pages/incident/55957a99e800baa4470002da/69fe2d6698ca07050eb4b1b3
#HackerNews #LetsEncrypt #Incident #Cybersecurity #SSL #Certificates #WebSecurity
-
I wrote about the security setup for erikwalther.eu. I wanted to make sure the site handles common web threats (XSS, CSRF, SQL injection and brute-force).
The idea is defense in depth:
* Caddy handles transport security, blocks malicious payloads via CSP, and drops PHP requests at the edge.
* Gunicorn limits request sizes.
* Django & nh3 sanitize data at the application level.
* Django-axes blocks brute-force attacks natively within Django, with database-backed persistence and custom lockout pages.
* SELinux and systemd restrict filesystem and privilege access.
Full write-up:
https://erikwalther.eu/erikwalthereu/hardening-my-django-portfolio/
-
Attackers Actively Exploiting Critical Vulnerability in Breeze Cache Plugin
A critical arbitrary file upload vulnerability (CVE-2026-3844, CVSS 9.8) in the Breeze Cache plugin for WordPress is being actively exploited.
Update to version 2.4.5. Review the report to ensure your site is not affected.
-
Chromium’s proposed Prompt API is sparking debate across the web.
Critics warn it could give websites deeper access to AI interactions inside the browser, raising new privacy and security concerns around prompt handling and user data.
Read more:
https://www.digitalescapetools.com/2026/05/chromium-prompt-api-debate.html
-