Security Articles

Deep dives into cloud security, web server hardening, vulnerabilities, and encryption. Practical guides for developers who take security seriously.

All Articles (19)

Postfix and Dovecot Misconfigurations That Will Bite You in 2026
web servers
intermediate

Most successful attacks against self-hosted mail aren't CVEs — they're config-file mistakes. Here are the eight misconfigurations that show up over and over, with the exact lines that fix each one.

13 min read, Apr 25, 2026
Tags: postfix, dovecot

25 Years of Email Server CVEs: Why the Same Bugs Keep Coming Back
web servers
advanced

Mail server vulnerabilities aren't a random walk. Look at twenty-five years of Postfix, Dovecot, Sendmail, and Exim CVEs and four bug classes account for almost everything. Here's why those classes keep recurring.

14 min read, Apr 23, 2026
Tags: cve, postfix

mbox vs Maildir vs Database: How Mail Actually Sits on Disk
web servers
intermediate

Where your messages physically live shapes everything from backup strategy to incident response. Here's mbox at the byte level, Maildir's atomic delivery, and why the storage layer is where forensics actually happens.

12 min read, Apr 20, 2026
Tags: mbox, maildir

SMTP, IMAP, and POP3 at the Byte Level
web servers
intermediate

Email protocols are old, text-based, and quietly fascinating. Open Wireshark, run tcpdump, and watch what your mail server actually says on the wire — including the parser disagreement that made SMTP smuggling possible in 2023.

14 min read, Apr 17, 2026
Tags: smtp, imap

Dovecot Architecture: From Login to Maildir
web servers
advanced

Dovecot won the IMAP server wars in the 2010s for a reason — its architecture treats every login as untrusted code execution waiting to happen. Here's how it's actually structured, with the C source as the reference.

16 min read, Apr 14, 2026
Tags: dovecot, imap

Postfix Architecture: Reading the Source to Understand the Surface
web servers
advanced

Most Postfix articles tell you what to put in main.cf. This one opens the C source, traces a message through the queue with strace, and maps the attack surface of every process in the pipeline.

16 min read, Apr 11, 2026
Tags: postfix, mta

So You Decided to Host Your Own Email Server (Or Update One)
web servers
beginner

Self-hosting email is one of those decisions that looks reasonable at 11 PM and terrifying at 9 AM. Before you type a single config line, here's what running your own mail in 2026 actually means.

11 min read, Apr 8, 2026
Tags: postfix, dovecot

End-to-End Encryption: What It Actually Protects (and What It Doesn't)
encryption
intermediate

E2E encryption means not even the service provider can read your messages — until you link WhatsApp Web and suddenly a browser has your keys. Here's how the Signal Protocol really works and where the trust boundaries are.

11 min read, Apr 4, 2026
Tags: encryption, e2e

Zero-Knowledge Proofs: Proving You Know a Secret Without Revealing It
encryption
advanced

Zero-knowledge proofs sound like cryptographic magic — and they kind of are. Here's how they work, where they're already deployed in production systems, and why they matter beyond blockchain.

10 min read, Apr 1, 2026
Tags: zero-knowledge, cryptography

Zero Trust Architecture: What It Actually Means Beyond the Buzzword
cloud security
advanced

Every vendor sells "Zero Trust." Most of them are selling you a product, not an architecture. Here's what Zero Trust actually requires, where to start, and what you can do without a six-figure budget.

12 min read, Mar 15, 2026
Tags: zero-trust, cloud-security

SQL Injection in 2026: Why the Oldest Attack Still Works
vulnerabilities
beginner

SQL injection is old enough to drink. It's also still in OWASP's top 10, still behind major breaches, and still in that one query your ORM didn't cover. Here's the modern defense.

9 min read, Mar 10, 2026
Tags: sql-injection, owasp

Securing GitHub Actions: Your Pipeline Is an Attack Surface
devsecops
intermediate

SolarWinds proved that compromising a build pipeline is game over. Your GitHub Actions workflows have write access to production — are you treating them like it?

11 min read, Mar 1, 2026
Tags: github-actions, ci-cd

Let's Encrypt SSL Setup: Free HTTPS, But Read the Fine Print
encryption
beginner

Setting up Let's Encrypt takes 10 minutes. Keeping it working takes understanding auto-renewal, Nginx config, and the gotchas that hit you at 2am when your cert silently expires.

8 min read, Feb 25, 2026
Tags: ssl, https

Stop Leaking API Keys: I've Seen This Go Wrong Too Many Times
devsecops
beginner

Somebody commits an AWS key to GitHub. Bots find it in seconds. A crypto miner spins up 200 instances. The bill arrives. I've watched this happen three times. Here's how to never be that person.

8 min read, Feb 18, 2026
Tags: secrets, api-keys

Prompt Injection: The Security Problem Nobody Has Solved Yet
vulnerabilities
beginner

Your AI chatbot is one creative user away from ignoring every instruction you gave it. Prompt injection is OWASP's #1 AI risk, and there is no complete fix. Here's what to do anyway.

9 min read, Feb 10, 2026
Tags: ai-security, llm

JWT Security Mistakes: What I Keep Seeing in Code Reviews
vulnerabilities
beginner

I review a lot of Node.js auth code. The same five JWT mistakes show up over and over. Here's what they are and what to do instead — with nuance, not just "never use localStorage."

10 min read, Feb 1, 2026
Tags: jwt, authentication

TLS 1.3: What Actually Changed and Why You Should Care
encryption
intermediate

TLS 1.3 dropped the broken crypto, cut the handshake in half, and made forward secrecy mandatory. Here's a practical upgrade guide for Nginx — and the gotchas nobody mentions.

8 min read, Jan 25, 2026
Tags: tls, ssl

AWS S3 Security: The Misconfiguration That Keeps Happening
cloud security
intermediate

I Googled a client's company name last month and found their S3 bucket indexed on page one. Here's how to make sure that never happens to you.

10 min read, Jan 20, 2026
Tags: aws, s3

Node.js Rate Limiting: What Happens When You Skip It
web servers
intermediate

Your Express API is one curl loop away from a $4,000 cloud bill. Here's how rate limiting actually works in Node.js — and why the defaults will bite you.

9 min read, Jan 15, 2026
Tags: nodejs, rate-limiting