Archive for the ‘en-US’ Category
[DefCon32] DEF CON 32: Measuring the Tor Network
Silvia Puglisi and Roger Dingledine, key figures in the Tor Project, delivered an insightful presentation at DEF CON 32, shedding light on the Tor network’s metrics and community-driven efforts to maintain its health. As millions rely on Tor to evade surveillance and censorship, Silvia and Roger detailed how the Tor Project collects safe metrics, detects attacks, and fosters a vibrant relay operator community. Their talk provided a window into the challenges of sustaining an anonymity network and invited attendees to contribute to its mission of preserving internet freedom.
Collecting Safe Metrics for Anonymity
Silvia opened by explaining the Tor Project’s approach to gathering metrics without compromising user anonymity. By analyzing usage patterns and relay performance, the network health team identifies unusual activity, such as potential attacks or misconfigured relays. Silvia highlighted tools like Tor Weather, which notifies operators of relay issues, and the network status API, which supports data analysis. These efforts ensure the network remains robust while prioritizing user privacy, a delicate balance in an anonymity-focused ecosystem.
Detecting and Mitigating Network Threats
Roger delved into the strategies for identifying and countering attacks on the Tor network, which supports over seven thousand volunteer-operated relays. He discussed how metrics help detect malicious relays and unusual traffic patterns, enabling rapid response to threats. Roger cited historical examples, such as the 2009 Green Party Movement in Iran, where Tor empowered activists, underscoring the network’s role in global activism. By sharing these insights, he emphasized the importance of community vigilance in maintaining network integrity.
Fostering a Diverse Relay Community
The duo highlighted the Tor Project’s efforts to grow its community of relay operators, encouraging attendees to run relays, bridges, or Snowflake proxies. Silvia detailed initiatives like the formal relay operator meetup planned for future conferences, aiming to strengthen community ties. Roger stressed that contributing to Tor supports activists worldwide, particularly those without institutional protections. Their call to action invited DEF CON attendees to join the network health team or contribute to projects like rewriting tools in Rust for better performance.
Future Challenges and Community Engagement
Concluding, Silvia and Roger outlined ongoing challenges, such as improving data visualization and scaling the network to handle increasing demand. They encouraged contributions to the Tor Project’s wiki and open-source tools, emphasizing that every relay or code contribution aids the fight for privacy and anonymity. Their interactive session at the Tor booth post-talk invited attendees to explore further, reinforcing the collaborative spirit that drives the Tor ecosystem forward.
Links:
[DevoxxFR2025] Go Without Frills: When the Standard Library Suffices
Go, the programming language designed by Google, has gained significant popularity for its simplicity, efficiency, and strong support for concurrent programming. A core philosophy of Go is its minimalist design and emphasis on a robust standard library, encouraging developers to “do a lot with a little.” Nathan Castelein, in his presentation, championed this philosophy, demonstrating how a significant portion of modern applications can be built effectively using only Go’s standard library, without resorting to numerous third-party dependencies. He explored various native packages and compared their functionalities to well-known third-party alternatives, showcasing why and how returning to the fundamentals can lead to simpler, more maintainable, and often equally performant Go applications.
The Go Standard Library: A Powerful Foundation
Nathan highlighted the richness and capability of Go’s standard library. Unlike some languages where the standard library is minimal, Go provides a comprehensive set of packages covering a wide range of functionalities, from networking and HTTP to encoding/decoding, cryptography, and testing. He emphasized that these standard packages are well-designed, thoroughly tested, and actively maintained, making them a reliable choice for building production-ready applications. Focusing on the standard library reduces the number of external dependencies, which simplifies project management, minimizes potential security vulnerabilities introduced by third-party code, and avoids the complexities of managing version conflicts. It also encourages developers to gain a deeper understanding of the language’s built-in capabilities.
Comparing Standard Packages to Third-Party Libraries
The core of Nathan’s talk involved comparing functionalities provided by standard Go packages with those offered by popular third-party libraries. He showcased examples in areas such as:
– Web Development: Demonstrating how to build web servers and handle HTTP requests using the net/http package, contrasting it with frameworks like Gin, Echo, or Fiber. He would have shown that for many common web tasks, the standard library provides sufficient features.
– Logging: Illustrating the capabilities of the log/slog package (introduced in Go 1.21) for structured logging, comparing it to libraries like Logrus or Zerolog. He would have highlighted how log/slog provides modern logging features natively.
– Testing: Exploring the testing package for writing unit and integration tests, perhaps mentioning how it can be used effectively without resorting to assertion libraries like Testify for many common assertion scenarios.
The comparison aimed to show that while third-party libraries often provide convenience or specialized features, the standard library has evolved to incorporate many commonly needed functionalities, often in a simpler and more idiomatic Go way.
The Benefits of a Minimalist Approach
Nathan articulated the benefits of embracing a “Go without frills” approach. Using the standard library more extensively leads to:
– Reduced Complexity: Fewer dependencies mean a simpler project structure and fewer moving parts to understand and manage.
– Improved Maintainability: Code relying on standard libraries is often easier to maintain over time, as the dependencies are stable and well-documented.
– Enhanced Performance: Standard library implementations are often highly optimized and integrated with the Go runtime.
– Faster Compilation: Fewer dependencies can lead to quicker build times.
– Smaller Binaries: Avoiding large third-party libraries can result in smaller executable files.
He acknowledged that there are still valid use cases for third-party libraries, especially for highly specialized tasks or when a library provides significant productivity gains. However, the key takeaway was to evaluate the necessity of adding a dependency and to leverage the powerful standard library whenever it suffices. The talk encouraged developers to revisit the fundamentals and appreciate the elegance and capability of Go’s built-in tools for building robust and efficient applications.
Links:
- Nathan Castelein: https://www.linkedin.com/in/nathan-castelein/
- Shodo Lille: https://shodo.io/
- Devoxx France LinkedIn: https://www.linkedin.com/company/devoxx-france/
- Devoxx France Bluesky: https://bsky.app/profile/devoxx.fr
- Devoxx France Website: https://www.devoxx.fr/
[DefCon32] DEF CON 32: Exploiting Cloud Provider Vulnerabilities for Initial Access
Nick Frichette, a cloud security expert, enthralled the DEF CON 32 audience with a deep dive into vulnerabilities within Amazon Web Services (AWS) that enable initial access to cloud environments. Moving beyond traditional misconfiguration exploits, Nick explored flaws in AWS services like AppSync and Amplify, demonstrating how attackers can hijack Identity and Access Management (IAM) roles. His presentation offered practical defensive strategies, empowering organizations to secure their cloud infrastructure against sophisticated attacks.
Understanding IAM Role Exploits
Nick began by explaining how IAM roles establish trust within AWS, relying on mechanisms like sts:AssumeRoleWithWebIdentity to prevent unauthorized access across accounts. He detailed a confused deputy vulnerability in AWS AppSync that allowed attackers to assume roles in other accounts, bypassing trust boundaries. Through a real-world case study, Nick illustrated how this flaw enabled unauthorized access, emphasizing the importance of understanding trust relationships in cloud environments to prevent such breaches.
Amplify Vulnerabilities and Zero-Day Risks
Delving deeper, Nick revealed a critical vulnerability in AWS Amplify that exposed customer IAM roles to takeover, granting attackers a foothold in victim accounts. His demonstration highlighted how adversaries could exploit this flaw without authentication, underscoring the severity of zero-day vulnerabilities in cloud services. Nick’s meticulous analysis of Amplify’s architecture provided insights into how such flaws arise, urging security practitioners to scrutinize service configurations for hidden risks.
Defensive Strategies for Cloud Security
Nick concluded with actionable recommendations, advocating for the use of condition keys in IAM trust policies to block cross-tenant attacks. He demonstrated how setting account-specific conditions thwarted his AppSync exploit, offering a defense-in-depth approach. Nick encouraged organizations to audit IAM roles, particularly those using web identity federation, and to test configurations rigorously before deployment. His work, available at Security Labs, equips defenders with tools to fortify AWS environments.
Links:
[DevoxxGR2025] Angular Micro-Frontends
Dimitris Kaklamanis, a lead software engineer at CodeHub, delivered an 11-minute talk at Devoxx Greece 2025, exploring how Angular micro-frontends revolutionize scalable web development.
Micro-Frontends Unveiled
Kaklamanis opened with a relatable scenario: a growing front-end monolith turning into a dependency nightmare. Micro-frontends, inspired by microservices, break the UI into smaller, independent pieces, each owned by a team. This enables parallel development, reduces risks, and enhances scalability. He outlined four principles: decentralization (team-owned UI parts), technology agnosticism (mixing frameworks like Angular, React, or Vue), resilience (isolated bugs don’t crash the app), and scalability (independent team scaling). A diagram showed teams building features in different frameworks, integrated at runtime via a shell app.
Pros and Cons
Micro-frontends offer scalability, tech flexibility, faster parallel development, resilience, and easier maintenance due to focused codebases. However, challenges include increased complexity (more coordination), performance overhead (multiple apps loading), communication issues (state sharing), and CI/CD complexity (separate pipelines). Kaklamanis highlighted Angular’s strengths: its component-based structure aligns with modularity, CLI tools manage multiple projects, and features like lazy loading and Webpack 5 module federation simplify implementation. Tools like NX streamline monorepo management, making Angular a robust choice.
Implementation in Action
Kaklamanis demonstrated a live Angular store app with independent modules (orders, products, inventory). A change in the product component didn’t affect others, showcasing isolation. He recommended clear module ownership, careful intermodule communication, performance monitoring, and minimal shared libraries. For large, multi-team projects, he urged prototyping micro-frontends, starting small and iterating for scalability.
Links
[DotJs2025] The Wind & Waves: The Formation of Framework Waves from the Epicenter
Innovation’s lore lionizes lone geniuses, yet history hums with harmonies—cumulative currents cresting into cascades. Sarah Drasner, Google’s senior director of engineering for core web, Android, iOS, and multiplatform infrastructure, charted this choreography at dotJS 2025. A Vue core emerita, Netlify VP alumna, and O’Reilly scribe, Sarah traced frameworks’ flux—from Backbone’s bones to Angular’s avalanches—positing epicenters as convergence crucibles, birthing waves that buoy the brigade.
Sarah’s seascape: computers’ chronicle, from Jacquard’s loom to Turing’s theorem—ENIAC’s expanse atop Shannon’s switches, Colossus’s knobs yielding to Atanasoff’s binaries. JS’s journey mirrors: Knockout’s observables igniting reactivity, Backbone’s MVC mutating into Ember’s ambitions, React’s components catalyzing cascades. Angular’s arc: 2010’s directive deluge, RxJS’s reactive rivers, Ivy’s incremental ignition—each epoch echoing externalities, from mobile’s mandate to PWAs’ promise.
2025’s surge: signals’ symphony across Solid, Svelte, Vue—Angular’s zoneless zeal, deferrable views. Sarah spotlighted simplifications: routing’s brevity, docs’ dynamism—sandboxes, examples emergent. Future’s froth: DevEx elevations, injection’s alacrity, forms’ finesse—frameworks as flotillas, not fortresses.
This tidal tale: waves from winds of whim and wisdom, epicenters echoing eternally.
Historic Harmonies and Heuristics
Sarah surveyed swells: Knockout’s knots to React’s rivulets, Angular’s directives damming data flows—each innovation an eddy, externalities (mobile, PWA) eddying onward.
Angular’s Avalanche and Allies
Ivy’s ignition, signals’ spread—zoneless zephyrs, defer’s dispatch. Sarah’s stewardship: docs distilled, routing refined—frameworks’ fellowship fostering flux.
Links:
[DefCon32] DEF CON 32: Mutual Authentication Is Optional
Xavier Zhang, an RFID enthusiast and physical security researcher, delivered a concise yet impactful presentation at DEF CON 32, exposing vulnerabilities in HID iClass SE readers used in physical access control systems. By demonstrating cloning, downgrading, and emulation attacks, Xavier revealed how attackers can bypass secure credentials to gain unauthorized access to facilities. His interactive demos, leveraging tools like Proxmark3 and Flipper Zero, underscored the importance of mutual authentication and provided practical mitigation strategies to enhance physical security.
Exploiting iClass SE Vulnerabilities
Xavier opened by outlining the mechanics of HID iClass SE credentials, widely used in secure facilities. He detailed four attack vectors, starting with cloning, the simplest method, which exploits predictable facility codes in poorly configured systems. By analyzing publicly available documentation from a Canadian vendor, Xavier showed how attackers can replicate credentials without physical access, highlighting the risks of enabling legacy technologies on modern readers. His insights emphasized the need for robust configuration practices to prevent trivial exploits.
Advanced Attacks and Community Contributions
Transitioning to more complex techniques, Xavier demonstrated downgrading and emulation attacks that bypass iClass SE’s secure authentication. Using tools like Proxmark3 and Flipper Zero, he showcased how vulnerabilities, such as an authentication bypass discovered by the RFID hacking community, enable unauthorized access. Xavier acknowledged contributors like Eric Betts and Kate, whose work on iClass documentation and emulation code was instrumental. His live demos illustrated the real-world implications of these exploits, urging organizations to prioritize secure credential issuance.
Links:
- None available
[OxidizeConf2024] The Basics of Profile-Guided Optimization (PGO) in Rust
Understanding PGO and Its Relevance
In the realm of high-performance software, optimizing applications for speed and efficiency is paramount. At OxidizeConf2024, Alexander Zaitsev, a seasoned developer with a background in C++ and extensive experience in compiler optimizations, delivered a comprehensive exploration of Profile-Guided Optimization (PGO) in Rust. PGO leverages runtime statistics to enhance software performance, a technique long supported by the Rustc compiler but fraught with practical challenges. Alexander shared his insights from applying PGO across diverse domains—compilers, databases, game engines, and CLI tools—offering a roadmap for developers seeking to harness its potential.
PGO operates by collecting runtime data to inform compiler optimizations, enabling tailored code generation that aligns with actual workloads. Alexander emphasized its applicability to CPU-intensive applications with complex branching, such as parsers, databases, and operating systems like OxideOS. By analyzing real-world benchmarks, he demonstrated significant performance gains, with speedups observed in open-source projects. These results, derived from practical workloads rather than synthetic tests, underscore PGO’s value in enhancing Rust applications, making it a vital tool for developers prioritizing performance.
Practical Applications and Performance Gains
Alexander’s presentation highlighted concrete examples of PGO’s impact. For instance, applying PGO to libraries like Serde resulted in notable performance improvements, with benchmarks showing reduced execution times for JSON parsing and other tasks. He showcased results from various applications, including databases and game engines, where PGO optimized critical paths, reducing latency and improving throughput. These gains were achieved by enabling PGO’s instrumentation-based approach, which collects detailed runtime profiles to guide optimizations like inlining and branch prediction.
However, Alexander cautioned that PGO’s effectiveness depends on workload representativeness. For databases, he used analytical workloads to generate profiles, ensuring optimizations aligned with typical usage patterns. This approach contrasts with manual optimization techniques, such as annotating hot paths, which Alexander argued are less adaptable to changing workloads. By automating optimization through PGO, developers can achieve consistent performance improvements without the maintenance burden of manual tweaks, a significant advantage in dynamic environments.
Navigating PGO’s Challenges and Ecosystem
While PGO offers substantial benefits, Alexander detailed several pitfalls. Common traps include profile mismatches, where training data does not reflect production workloads, leading to suboptimal optimizations. He also highlighted issues with link-time optimization (LTO), which, while complementary to PGO, is not universally adopted. To mitigate these, Alexander recommended starting with release mode optimizations (level three) and enabling LTO before applying PGO. For advanced users, sampling-based PGO or continuous profiling, as practiced by Google, can further enhance results.
The Rust ecosystem’s PGO support is evolving, with tools like cargo-pgo and community contributions improving accessibility. Alexander pointed to his “Awesome PGO” repository as a comprehensive resource, offering benchmarks and guidance across ecosystems, including C++. He also noted ongoing efforts to integrate machine learning into PGO workflows, citing tools like LLVM’s BOLT and Intel’s Thin Layout Optimizer. These advancements signal a bright future for PGO in Rust, though challenges like build system integration and community tooling maturity remain.
Links:
[DevoxxUK2025] Cracking the Code Review
Paco van Beckhoven, a senior software engineer at Hexagon’s HXDR division, delivered a comprehensive session at DevoxxUK2025 on improving code reviews to enhance code quality and team collaboration. Drawing from his experience with a cloud-based platform for 3D scans, Paco outlined strategies to streamline pull requests, provide constructive feedback, and leverage automated tools. Highlighting the staggering $316 billion cost of fixing bugs in 2013, he emphasized code reviews as a critical defense against defects. His practical tactics, from crafting concise pull requests to automating style checks, aim to reduce friction, foster learning, and elevate software quality, making code reviews a collaborative and productive process.
Streamlining Pull Requests
Paco stressed the importance of concise, well-documented pull requests to facilitate reviews. He advocated for descriptive titles, inspired by conventional commits, that include ticket numbers and context, such as “Fix null pointer in payment service.” Descriptions should outline the change, link related tickets or PRs, and explain design decisions to preempt reviewer questions. Templates with checklists ensure consistency, reminding developers to update documentation or verify tests. Paco also recommended self-reviewing PRs after a break to catch errors like unused code or typos, adding comments to clarify intent and reduce reviewer effort, ultimately speeding up the process.
Effective Feedback and Collaboration
Delivering constructive feedback is key to effective code reviews, Paco noted. He advised reviewers to start with the PR’s description and existing comments to understand context before diving into code. Reviews should prioritize design and functionality over minor style issues, ensuring tests are thoroughly checked for completeness. To foster collaboration, Paco suggested using “we” instead of “you” in comments to emphasize teamwork, posing questions rather than statements, and providing specific, actionable suggestions. Highlighting positive aspects, especially for junior developers, boosts confidence and encourages participation, creating a supportive review culture.
Leveraging Automated Tools
To reduce noise from trivial issues like code style, Paco showcased tools like Error Prone, OpenRewrite, Spotless, Checkstyle, and ArchUnit. Error Prone catches common mistakes and suggests fixes, while OpenRewrite automates migrations, such as JUnit 4 to 5. Spotless enforces consistent formatting across languages like Java and SQL, and Checkstyle ensures adherence to coding standards. ArchUnit enforces architectural rules, like preventing direct controller-to-persistence calls. Paco advised introducing these tools incrementally, involving the team in rule selection, and centralizing configurations in a parent POM to maintain consistency and minimize manual review efforts.
Links:
Guarding the Web: Understanding and Mitigating Modern Application Security Risks: XSS • CSRF • Clickjacking • CORS • SSRF
Modern web applications operate in a hostile environment. Attackers exploit input handling, browser trust, and server connectivity to inject code (XSS), trigger unauthorized actions (CSRF), trick users into clicking hidden UI (clickjacking), abuse permissive cross-origin policy (CORS), or make the server itself fetch sensitive resources (SSRF). This article explains the mechanics of each threat and provides concrete, production-grade mitigation patterns you can adopt today.
Cross-Site Scripting (XSS): When Untrusted Input Becomes Code
Threat model: User-provided data is rendered into a page without correct encoding or policy restrictions, allowing script execution in the victim’s browser.
Typical Exploits
Stored XSS (comments, profiles):
<script>fetch('/api/session/steal', {credentials:'include'})</script>Reflected XSS (search query):
GET /search?q=<script>alert(1)</script>DOM-based XSS (dangerous sinks):
// Anti-pattern: innerHTML with untrusted input
const result = new URLSearchParams(location.search).get('msg');
document.getElementById('banner').innerHTML = result; // XSS sinkHigh-Confidence Mitigations
- Contextual Output Encoding: Encode before insertion, based on context (HTML, attribute, URL, JS, CSS).
- Prefer Safe APIs: Use
textContent/setAttributeoverinnerHTML; avoideval/Function constructors. - Framework Defaults: Modern templating (e.g., React, Angular) auto-escapes. Avoid escape bypasses (e.g.,
dangerouslySetInnerHTML) unless you sanitize with robust libraries. - Content Security Policy (CSP): Block inline scripts and restrict sources; use nonces.
CSP Example (Nonce-Based)
Content-Security-Policy: default-src 'none';
script-src 'self' 'nonce-r4nd0mNonce';
style-src 'self';
img-src 'self' data:;
connect-src 'self';
base-uri 'self';
frame-ancestors 'self';
form-action 'self';Server/Framework Snippets
Express.js: encode + CSP headers
app.use((req, res, next) => {
res.set('Content-Security-Policy',
"default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self' data:; connect-src 'self'; base-uri 'self'; frame-ancestors 'self'");
res.set('X-Content-Type-Options', 'nosniff');
next();
});Do sanitize if you must render HTML: Use a vetted sanitizer (e.g., DOMPurify on the client, OWASP Java HTML Sanitizer on the server) with an allowlist.
Cross-Site Request Forgery (CSRF): Abusing Session Trust
Threat model: A logged-in user’s browser sends a forged state-changing request (e.g., money transfer) to a trusted site because cookies are automatically included.
Exploit Example
<form action="https://bank.example/transfer" method="POST">
<input type="hidden" name="to" value="attacker">
<input type="hidden" name="amount" value="1000">
</form>
<script>document.forms[0].submit();</script>Mitigations That Work Together
- Synchronizer (Anti-CSRF) Tokens: Embed a per-session/per-request token in each state-changing form or AJAX request; verify server-side.
- SameSite Cookies: Set session cookies to
SameSite=LaxorStrictandSecureto block cross-site inclusion. - Method & Content Checks: Require POST/PUT/DELETE with
Content-Type: application/json; reject unexpected content types. - Origin/Referer Validation: For sensitive endpoints, verify
Origin(preferred) orReferer. - Re-authentication / Step-Up: For high-value actions, require a second factor or password confirmation.
Example (Express + CSRF Token)
// Pseudocode with csurf-like middleware
app.post('/transfer', requireAuth, verifyCsrfToken, (req, res) => {
// process transfer
});SPA + API note: Prefer token-based auth (Authorization header) to avoid ambient cookies. If you must use cookies, combine SameSite with CSRF tokens.
Clickjacking: UI Redress and Hidden Frames
Threat model: An attacker overlays your site in an invisible <iframe> and tricks users into clicking sensitive controls.
Exploit Sketch
<iframe src="https://target.example/approve" style="opacity:0;position:absolute;top:0;left:0;width:100%;height:100%"></iframe>Mitigations
- X-Frame-Options (XFO):
DENYorSAMEORIGIN. (Legacy but still widely respected.) - CSP frame-ancestors: Modern, fine-grained embedding control.
- UI Hardening: Re-prompt for confirmation on dangerous actions; disable one-click irreversible changes.
Header Examples
X-Frame-Options: DENY
Content-Security-Policy: frame-ancestors 'self'Server Config
Nginx:
add_header X-Frame-Options "DENY" always;
add_header Content-Security-Policy "frame-ancestors 'self'" always;Apache:
Header always set X-Frame-Options "DENY"
Header always set Content-Security-Policy "frame-ancestors 'self'"CORS: Safe Cross-Origin Requests Without Overexposure
Threat model: Overly permissive CORS allows arbitrary origins to read sensitive API responses or send authenticated requests.
Dangerous Patterns
Access-Control-Allow-Origin: *combined withAccess-Control-Allow-Credentials: true(browsers will ignore, but this signals confusion and often pairs with other mistakes).- Reflecting the request
Originwholesale without an allowlist. - Forgetting
Vary: Origin, causing caches/CDNs to serve one origin’s CORS response to all.
Safe Configuration
Access-Control-Allow-Origin: https://app.example
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET, POST, PUT, DELETE
Access-Control-Allow-Headers: Authorization, Content-Type
Access-Control-Expose-Headers: ETag, X-Request-Id
Vary: OriginImplementation Tip
// Pseudocode: strict allowlist
const allowed = new Set(['https://app.example', 'https://admin.example']);
const origin = req.headers.origin;
if (allowed.has(origin)) {
res.setHeader('Access-Control-Allow-Origin', origin);
res.setHeader('Vary', 'Origin');
}Principle: CORS is not an auth mechanism—treat it as a read-permission gate. Apply per-endpoint scoping; don’t turn it on globally.
Server-Side Request Forgery (SSRF): Turning Your Server Into a Proxy
Threat model: The application fetches remote resources based on user input (URLs), allowing attackers to reach internal networks or cloud metadata endpoints.
Exploit Examples
- Cloud metadata theft:
http://169.254.169.254/latest/meta-data/(AWS) /http://metadata.google.internal//http://169.254.169.254/metadata/instance(Azure; IMDSv2/headers required). - Reaching services on
localhostor RFC1918 IPs (e.g., Redis, internal dashboards). - Schema abuse:
file://,gopher://, orftp://if unsupported schemas aren’t blocked. - Open redirect chains or DNS rebinding that convert a safe-looking hostname into an internal IP at resolution time.
Defense-in-Depth
- Strict Allowlists: Only permit fetching from specific hosts/paths; reject everything else.
- URL & IP Validation: Parse the URL; resolve DNS; block private and link-local ranges; re-validate after redirects.
- Egress Proxy with ACL: Force all outbound HTTP(S) through a proxy that enforces destination policies and logs requests.
- Cloud Hardening: Require IMDSv2 (AWS); block server access to metadata endpoints unless strictly needed.
- Timeouts & Size Limits: Short connect/read timeouts and response byte caps to prevent internal scanning and DoS.
Hardening Snippet (Pseudocode)
function safeFetch(userUrl) {
const url = new URL(userUrl);
// allowlist scheme
if (!['https:'].includes(url.protocol)) throw new Error('Blocked scheme');
// DNS resolve and block private IPs
const ip = resolveToIP(url.hostname);
if (isPrivate(ip) || isLinkLocal(ip) || isLoopback(ip)) throw new Error('Blocked destination');
// enforce egress proxy
return proxyHttpGet(url, { timeoutMs: 2000, maxBytes: 1_000_000, followRedirects: 3, revalidateIPOnRedirect: true });
}Header note: SSRF is best mitigated by network policy and URL validation; “headers” alone can’t prevent SSRF, but you may set request policies (e.g., disallow redirects, strip sensitive headers) and enforce gateway rules.
Complementary Security Headers
- Strict-Transport-Security:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload - X-Content-Type-Options:
nosniffto block MIME type sniffing. - Referrer-Policy: e.g.,
strict-origin-when-cross-origin. - Permissions-Policy: Restrict powerful APIs (camera, geolocation, etc.).
- Cross-Origin-Opener-Policy / Resource-Policy / Embedder-Policy: Strengthen isolation where feasible.
Operational Controls & SDLC Integration
- Threat Modeling: Map trust boundaries (browser ⇄ app ⇄ services ⇄ internet) and identify high-risk data flows.
- Static/Dynamic Testing: SAST, DAST, and dependency scanning in CI; add security unit tests for templating and request flows.
- Observability: Log security-relevant events (CSP violations via
report-to, WAF blocks, CSRF failures, SSRF proxy denies) and alert. - WAF/Gateway Policies: Enforce header baselines, block known bad payloads, and constrain egress with explicit ACLs.
- Secrets Hygiene: Short-lived tokens, mTLS for service-to-service, and key rotation.
- Least Privilege by Default: Scope CORS per endpoint, narrow IAM roles, network segmentation.
Deployment Checklist
- ✅ XSS: Contextual encoding, CSP with nonces, sanitizer for any HTML rendering.
- ✅ CSRF: Anti-CSRF tokens,
SameSite+Securecookies, Origin checks, step-up auth on critical actions. - ✅ Clickjacking:
X-Frame-Options: DENYandCSP frame-ancestors 'self'. - ✅ CORS: Explicit allowlist, credentials only when necessary,
Vary: Origin, scoped to sensitive endpoints. - ✅ SSRF: Allowlist destinations, block internal ranges, egress proxy with ACL, timeouts/size caps, re-validate after redirects.
- ✅ Headers: HSTS, XCTO, Referrer-Policy, Permissions-Policy in place.
- ✅ Ops: Logging/alerting on policy violations; SAST/DAST integrated; WAF rules tuned to app.
[KotlinConf2025] Dependencies and Kotlin Native
The world of dependency management is often taken for granted in the JVM ecosystem. However, when venturing into the realm of Kotlin Native, the familiar comforts of JAR files and class loaders fade, giving way to a more intricate and challenging landscape. In his insightful talk, Tadeas Kriz, a senior Kotlin developer at Touchlab, demystified this complex topic, offering a detailed comparison between JVM and native dependency handling and providing practical solutions for common issues.
Tadeas began by drawing a clear distinction between the two worlds. The JVM handles the heavy lifting of linking and loading dependencies at runtime, a process that is largely transparent to the developer. In contrast, Kotlin Native produces a standalone binary, which means the developer must contend with the nuances of native linking and compilation. This fundamental difference introduces a new set of challenges, particularly for those accustomed to the JVM’s seamless “it just works” experience.
He delved into the specifics of native platforms, examining dependency management tools like CocoaPods and Swift Package Manager used on Apple platforms. By comparing their strengths and weaknesses, Tadeas provided valuable context for how Kotlin Multiplatform fits into this ecosystem. He underscored the importance of understanding the native build process, a step that is often abstracted away but is crucial for troubleshooting the cryptic errors that can arise when integrating dependencies. He emphasized that static linking is often the most reliable approach in Kotlin Native, offering a more predictable and robust solution.
A significant portion of the talk was dedicated to practical workarounds and tools to overcome these challenges. Tadeas introduced a key concept: cinterop bindings, which are used to interact with C libraries from Kotlin Native code. He explained how to handle dynamic and static libraries and provided guidance on navigating the complexities of header file inclusion and symbol visibility. He also highlighted the utility of specific tools and practices, such as meticulously heeding build warnings, as they often contain clues to underlying issues.
Tadeas also brought attention to Skie, an open-source tool he co-authored, which addresses a key pain point for developers: the quality of the Kotlin Multiplatform API exposed to Swift. He explained that Skie enhances the generated Swift API, making it more idiomatic and easier for iOS developers to work with. He positioned it as a valuable solution for teams looking to improve their development workflow and collaboration while waiting for future features like Swift export. His talk provided a comprehensive guide, arming developers with the knowledge and tools needed to navigate the complexities of dependencies in the Kotlin Native world with greater confidence and efficiency.