
This is Barry Frost’s personal website.

Tagged #security
Reposted gRegor Morrill’s post on Twitter
Today is a good day to review your permissions on various silos. Handy links on https://indieweb.org/freemyoauth

macOS-Security-and-Privacy-Guide

This is a collection of thoughts on securing a modern Apple Mac computer running macOS (formerly OS X) 10.12 “Sierra”, as well as steps to improve online privacy.

Moving to HTTPS

A guide to moving your site from HTTP to HTTPS.

Liked Pinboard’s post on Twitter
In which Teen Vogue tears the Guardian a new one through the simple trick of interviewing actual security experts: http://www.teenvogue.com/story/how-to-keep-messages-secure

The-Big-Username-Blacklist

This is an opinionated blacklist of words that you might not like to see used as usernames on your service.

e.g. “admin” or “help”.

Liked Jeff Waugh’s post on Twitter
Good time for a reminder: Your fingerprint is your user name, *not* your password. https://twitter.com/obra/status/821529342530318337

Let them paste passwords

Advice from the National Cyber Security Centre (terrible name, good advice) that blocking paste in password fields is a bad thing and does nothing for security.

Reposted Alastair Campbell’s post on Twitter
The UK’s digital security centre recommends *against* forced password expiry, at last someone has said it.… https://twitter.com/i/web/status/808262292521492480

sysrandom

Secure random number generation for Ruby using system RNG facilities

Security Guide for Developers

JSON Web Tokens (JWT) vs Sessions

securityheaders.io

securityheaders.io is a handy site for testing whether your website’s server is sending sensible security headers. Think of it like SSL Test, but for a few nitty-gritty HTTP header details.

CCSRCH

PAN / Credit Card Scanner
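
To show what a PAN scanner actually does, here is an added example of my own (not CCSRCH’s code): it finds runs of 13 to 19 digits, optionally separated by spaces or dashes, and keeps only those that pass the Luhn checksum, which is how such scanners avoid reporting phone numbers and order references. The sample text and card numbers below are constructed test values, not real data.

```python
import re
from typing import List

# 13-19 digits, each optionally followed by a single space or dash,
# not adjacent to further digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return distinct Luhn-valid PANs found in text, as bare digit strings."""
    found: List[str] = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_ok(digits) and digits not in found:
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Keep only the last four digits, as a scan report should."""
    return "*" * (len(pan) - 4) + pan[-4:]


# Constructed sample: two well-known test card numbers, a phone number
# and a 16-digit reference that fails the Luhn check.
SAMPLE_TEXT = """order 1182 paid with card 4111-1111-1111-1111 (exp 12/29)
phone +44 1234 567890, ref 1234567890123456
backup card 5555 5555 5555 4444, again 4111111111111111
"""

if __name__ == "__main__":
    for pan in find_pans(SAMPLE_TEXT):
        print(mask(pan))
```

The Luhn filter is what makes the difference between a useful scan and a wall of false positives; the reference number on the second line has the right length but is rejected, while the same card written with dashes, spaces or no separators is reported once.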

Password guidance: executive summary - GOV.UK

In reply to https://kylewm.com post on kylewm.com
Since getting into #indieweb stuff, I’ve seen way more sites go down because of an expired HTTPS cert than expired domain registration.

Thanks for the reminder. My single-domain certificate was about to expire so I’ve upgraded to a new Comodo wildcard one ready for some secure subdomain projects. It would be great if this auto-renewed but I think I need to manually renew it unfortunately.

Signing in to Medium by email

Medium have adopted the passwordless login pattern: they will send you a one-time expiring link via email instead of requiring a password. Twitter and Facebook authentication remain available, and an SMS option is apparently in development.
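
The pattern described above, as an added example of my own rather than Medium’s implementation: the server mints a high-entropy token, stores only its hash with an expiry time, mails the link, and on redemption consumes the token whether or not it was still valid, so a link can only ever be used once. The fifteen-minute lifetime and the `example.invalid` URL are assumptions; the page gives neither.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlparse

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime; not stated on the page
LOGIN_URL = "https://example.invalid/login"  # assumed; stands in for the real site


def _hash(token: str) -> str:
    # Only the hash is stored, so a leaked table of pending links
    # cannot be turned into working sign-in links.
    return hashlib.sha256(token.encode()).hexdigest()


class MagicLinkStore:
    """In-memory stand-in for a database table of pending sign-in links."""

    def __init__(self) -> None:
        self._pending: Dict[str, Tuple[str, float]] = {}  # hash -> (email, expires_at)

    def issue(self, email: str, now: Optional[float] = None) -> str:
        """Create a one-time token for `email` and return the link to email out."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[_hash(token)] = (email, now + TOKEN_TTL_SECONDS)
        return f"{LOGIN_URL}?token={token}"

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the email for a valid, unexpired, unused token, else None.

        The entry is removed on every attempt, so replaying a link fails
        even if the first use happened to be within the window.
        """
        now = time.time() if now is None else now
        entry = self._pending.pop(_hash(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        if now > expires_at:
            return None
        return email


def token_from_link(link: str) -> str:
    """What the login endpoint does when the user clicks the emailed link."""
    return parse_qs(urlparse(link).query)["token"][0]


if __name__ == "__main__":
    store = MagicLinkStore()
    link = store.issue("alice@example.invalid")  # constructed address
    print("mail this:", link)
    token = token_from_link(link)
    print("first click:", store.redeem(token))   # alice@example.invalid
    print("second click:", store.redeem(token))  # None: already used
```

Lookup is by the SHA-256 of a 256-bit random token, so no constant-time comparison is needed at this layer; the things that do matter are the short expiry, single use, and never storing the raw token.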

Showing Passwords on Log-In Screens

Why you should do so (by @lukew)

How to Deploy HTTPS Correctly

Moving the web to HTTPS (and other global geo-political crises)

SecurityMetrics

PCI and security scans