Barry Frost

This is Barry Frost’s personal website.

Tagged #security

What does the NCSC think of password managers?

Spoiler: use them

Putting the helmet on – Securing your Express app

SecurityHeaders.io

Analyse your HTTP response headers. Gives recommendations and advice on security and referrer policies.

Webbkoll

This tool helps you check what data-protecting measures a site has taken to help you exercise control over your privacy.

DNSdumpster

DNSdumpster.com is a FREE domain research tool that can discover hosts related to a domain. Finding visible hosts from the attacker's perspective is an important part of the security assessment process.

Building account systems

Advice on dealing with accounts and passwords when building a web app

^Lift Security

Application Security / Penetration Testing – used by Panic to audit its Panic Sync service

shouldbee/reserved-usernames

590+ usernames in this dictionary! A list of reserved usernames to prevent URL collisions with resource paths. This repository hosts the list in multiple formats like JSON, CSV, SQL and plain text. You can use it by simply downloading it with wget.

Reposted gRegor Morrill’s post on Twitter
Today is a good day to review your permissions on various silos. Handy links on https://indieweb.org/freemyoauth

macOS-Security-and-Privacy-Guide

This is a collection of thoughts on securing a modern Apple Mac computer using macOS (formerly OS X) 10.12 “Sierra”, as well as steps to improving online privacy.

Moving to HTTPS

Guide to how to move your site from HTTP to HTTPS

Liked Pinboard’s post on Twitter
In which Teen Vogue tears the Guardian a new one through the simple trick of interviewing actual security experts: http://www.teenvogue.com/story/how-to-keep-messages-secure

The-Big-Username-Blacklist

This is an opinionated blacklist of words that you might not like to see used as usernames in your service.

e.g. “admin” or “help”.

Liked Jeff Waugh’s post on Twitter
Good time for a reminder: Your fingerprint is your user name, *not* your password. https://twitter.com/obra/status/821529342530318337

Let them paste passwords

Advice from the National Cyber Security Centre (terrible name, good advice) that blocking the pasting of passwords is a bad thing and does nothing for security.

Reposted Alastair Campbell’s post on Twitter
The UK’s digital security centre recommends *against* forced password expiry, at last someone has said it.… https://twitter.com/i/web/status/808262292521492480

sysrandom

Secure random number generation for Ruby using system RNG facilities

Security Guide for Developers

JSON Web Tokens (JWT) vs Sessions

securityheaders.io

securityheaders.io is a handy site for testing whether your website’s server is sending sensible headers. Think of it like SSL Test for a few nitty-gritty details.