Hacker News with Generative AI: Web Security

Write your passwords down (2010) (jgc.org)
Here's my advice on password security based on the collected opinions of others:1. Write them down and keep them in your wallet because you are good at securing your wallet. (ref)2. Use different passwords on every web site because if you don't one site hacked = all your accounts hacked. (ref)3. Use passwords of at least 12 characters. (ref)4. Use mixed-case, numbers and special characters.

Security, Passwords, Web Security, Humor, Advice

10 points by Tomte 4 days ago | 0 comments

How the ClientAuth Crackdown Is Pushing Finance Toward X9 PKI (digicert.com)
Browser vendors are drawing a clear line in the sand: As of June 15, 2026, public TLS server certificates must no longer include the Client Authentication EKU.

Security, Finance, Cryptography, Web Security

6 points by Sami_Lehtinen 7 days ago | 0 comments

OWASP Top for Large Language Model Applications (owasp.org)
The OWASP Top 10 for Large Language Model Applications Project aims to educate developers, designers, architects, managers, and organizations about the potential security risks when deploying and managing Large Language Models (LLMs) and Generative AI applications.

Security, Generative AI, Web Security, Software Development

18 points by weinzierl 7 days ago | 1 comments

Ending TLS Client Authentication Certificate Support in 2026 (letsencrypt.org)
Let’s Encrypt will no longer include the “TLS Client Authentication” Extended Key Usage (EKU) in our certificates beginning in 2026.

Security, Certificates, TLS, Cryptography, Web Security

4 points by Dunedan 9 days ago | 4 comments

Bypassing a web application firewall with autocomplete (jessie.cafe)
A few months ago, I was looking at a popular New Zealand website. I came across their search feature, and found that when I interacted with the search box, it queried this endpoint to fetch the search results

Web Security, Web Development, Security Flaws

38 points by runxiyu 22 days ago | 1 comments

Chrome Origin Trial: Device Bound Session Credentials (chrome.com)
Device Bound Session Credentials (DBSC) is a new web capability designed to protect user sessions from cookie theft and session hijacking. This feature is now available for testing as an Origin Trial in Chrome 135.

Web Security, Chrome, Origin Trials

85 points by pabs3 22 days ago | 80 comments

Still Standing (4chan.org)
On the afternoon of April 14th, a hacker using a UK IP address exploited an out-of-date software package on one of 4chan’s servers, via a bogus PDF upload.

Cybersecurity, Hacking, Web Security, 4chan

5 points by tmarice 27 days ago | 0 comments

Free Course on Security Headers, for Developers (semgrep.dev)
Learn about security headers from Scott Helme and Tanya Janca, two enthusiastic web security experts, who will sing the praises of these helpful browser protections!

Security, Web Development, Courses, Web Security

12 points by shehackspurple 29 days ago | 3 comments

New SSL/TLS certs to each live no longer than 47 days by 2029 (theregister.com)
CA/Browser Forum – a central body of web browser makers, security certificate issuers, and friends – has voted to cut the maximum lifespan of new SSL/TLS certs to just 47 days by March 15, 2029.

Security, Cybersecurity, SSL/TLS, Web Security, Browser Security

5 points by mroche 39 days ago | 0 comments

Anubis Works (xeiaso.net)
You are seeing this because the administrator of this website has set up Anubis to protect the server against the scourge of AI companies aggressively scraping websites.

Web Security, Artificial Intelligence, Data Scraping

319 points by evacchi 41 days ago | 208 comments

No-JavaScript Fingerprinting (noscriptfingerprint.com)
Fingerprinting is a way of identifying browsers without the use of cookies or data storage.

Privacy, Web Security, Browser Security, Tracking

18 points by moebrowne 43 days ago | 8 comments

AI Data Poisoning (schneier.com)
Cloudflare has a new feature—available to free users as well—that uses AI to generate random pages to feed to AI web crawlers:

Artificial Intelligence, Security, Web Security, Cloudflare

7 points by pongogogo 58 days ago | 1 comments

Next.js and the corrupt middleware: the authorizing artifact (zhero-web-sec.github.io)
Recently, Yasser Allam, known by the pseudonym inzo_, and I, decided to team up for some research. We discussed potential targets and chose to begin by focusing on Next.js (130K stars on github, currently downloaded + 9,4 million times per week), a framework I know quite well and with which I already have fond memories, as evidenced by my previous work. Therefore, the “we” throughout this paper will naturally refer to the two of us.

Web Security, Next.js, Research

94 points by ash 61 days ago | 36 comments

Cloudflare builds AI to lead AI scraper bots into horrible maze of junk content (theregister.com)
Cloudflare has created a bot-busting AI to make life hell for AI crawlers.

Artificial Intelligence, Web Security, Bots

21 points by gpi 63 days ago | 7 comments

Privacy and the :visited selector (mozilla.org)
Before about 2010, the CSS :visited selector allowed websites to uncover a user's browsing history and figure out what sites the user had visited. This was done through window.getComputedStyle and other techniques. This process was quick to execute, and made it possible not only to determine where the user had been on the web, but could also be used to guess a lot of information about the user's identity.

Privacy, Web Security, CSS, Browsing History

14 points by s4i 73 days ago | 0 comments

Why do we have both CSRF protection and CORS? (smagin.fyi)
Hello, Internet. I thought about cross-site requests and realised we have both CSRF protection and CORS and it doesn’t make sense from the first glance. It does generally, but I need a thousand words to make it so.

Web Security

264 points by smagin 82 days ago | 132 comments

Certificate Transparency in Firefox (transparency.dev)
Certificate Transparency (CT) has been one of the biggest advancements in web security, keeping users safe from threats such as certificate fraud and man-in-the-middle attacks. While CT has been around for over 11 years, enforcement has varied across browsers.

Web Security, Browsers, Certificate Transparency

184 points by tracymiranda 87 days ago | 111 comments

OWASP Non-Human Identities Top 10 (owasp.org)
We're thrilled to introduce the OWASP Non-Human Identities Top 10 for 2025!

Cybersecurity, Web Security, OWASP, Non-Human Identities

157 points by raskelll 108 days ago | 33 comments

Caddy module to block IPs and prevent AIs from training on your website (github.com/JasonLovesDoggo)
The Caddy Defender plugin is a middleware for Caddy that allows you to block or manipulate requests based on the client's IP address. It is particularly useful for preventing unwanted traffic or polluting AI training data by returning garbage responses.

Web Security, AI, Web Development, Caddy

6 points by thunderbong 120 days ago | 1 comments

DoubleClickjacking: A New type of web hacking technique (paulosyibelo.com)
“Clickjacking” attacks have been around for over a decade, enabling malicious websites to trick users into clicking hidden or disguised buttons they never intended to click.

Web Security, Hacking, Cybersecurity

237 points by shinzub 130 days ago | 100 comments

Magic Links Have Rough Edges, but Passkeys Can Smooth Them Over (rmondello.com)
Independent media venture 404 Media recently published a post titled, “We Don’t Want Your Password”. The piece is a cogent explanation of the problems with password-based accounts online followed by a defense of the website’s login strategy, magic links, in the face of feedback about them being inconvenient and difficult to use.

Web Security, User Experience, Passwords, Authentication, Magic Links

50 points by mooreds 138 days ago | 57 comments

SHA-256, ECDH, Ecdsa and RSA Not Approved by ASD in Australia for 2030 (medium.com)
I am a bit shocked … SHA-256, RSA, ECDSA and ECDH will not be approved for use in Australia by 2030. Basically, these four methods are used for virtually every Web connection that we create, and where ECDH is used for the key exchange, ECDSA or RSA is used to authenticate the remote server, and SHA-256 is used for the integrity of the data sent. The removal of SHA-256 definitely goes against current recommendations.

Cryptography, Security, Australia, Web Security, Standards

10 points by gnabgib 157 days ago | 2 comments

Manifest V3 fails to prevent data theft and malware exploitation (techradar.com)

Web Security, Browser Extensions, Software Security, Malware

14 points by josephcsible 193 days ago | 0 comments

Web Locks API (mozilla.org)
The Web Locks API allows scripts running in one tab or worker to asynchronously acquire a lock, hold it while work is performed, then release it. While held, no other script executing in the same origin can acquire the same lock, which allows a web app running in multiple tabs or workers to coordinate work and the use of resources.

Web Development, APIs, JavaScript, Web Security, Browser Features

218 points by mooreds 194 days ago | 104 comments

Ancient Monkey: Pwning a 17-Year-Old Version of SpiderMonkey (pspaul.de)
Last year, @swapgs and I found a fun bug in the popular enterprise VPN solution Zscaler.

Security, Web Security, Vulnerabilities

93 points by todsacerdoti 206 days ago | 6 comments

Show HN: KyberLock – Crystals-Kyber Post-Quantum Cryptography in the Browser (kyberlock.com)

Cryptography, Web Security, Post-Quantum Cryptography, JavaScript

3 points by leonardoeloy 217 days ago | 0 comments

New passkey specifications will let users import and export them (9to5mac.com)
Passkeys were introduced two years ago, and they replace traditional passwords with more secure authentication using a security key or biometrics. To make the technology even better, the FIDO Alliance published on Monday new specifications for passkeys, which ensure a way to let users import and export them.

Security, Passwords, Authentication, Web Security

5 points by alwillis 221 days ago | 2 comments

Coming soon: Securely import and export passkeys (1password.com)
Passkeys are superior to passwords in almost every way. They’re simpler to use because there’s nothing to memorize, type out, or paste in. They’re also always strong and come with multi-factor authentication built right in. In short, passkeys are awesome.

Security, Passwords, Authentication, Web Security

8 points by samcat116 221 days ago | 0 comments

CS 253 Web Security (web.stanford.edu)
This course is a comprehensive overview of web security. The goal is to build an understanding of the most common web attacks and their countermeasures. Given the pervasive insecurity of the modern web landscape, there is a pressing need for programmers and system designers to improve their understanding of web security issues.

Web Security, Computer Science, Education

58 points by udev4096 222 days ago | 0 comments

How to Hack the Breakthrough Prize (Ft. Session Confusion) (varun.ch)
In 2023, I discovered a critical vulnerability in the Breakthrough Challenge website. After over one year since it was patched, I am disclosing the bug for the sake of transparency. I believe this class of vulnerability, which I am introducing as 'Session Confusion', is often overlooked.

Security, Web Security, Bug Bounty, Transparency

29 points by varun_ch 240 days ago | 8 comments