Stories with Tag Security Best Practices

• Most IT companies fail to serve security.txt for RFC 9116 in 2025

  permalink

  Posted: 2025-03-02 22:33:21

  Verbose tl;dr

  Despite being a simple, beneficial, and standardized way for security researchers to report vulnerabilities, adoption of security.txt files (as defined by RFC 9116) remains disappointingly low. A 2025 study by Hartwork found that the vast majority of IT companies, including many prominent names, still do not provide a security.txt file on their websites. This lack of adoption hinders responsible vulnerability disclosure and potentially leaves these organizations more susceptible to exploitation, as researchers lack clear reporting channels. The study emphasizes the continued need for greater awareness and adoption of this straightforward security best practice.

  In a blog post titled "Most IT companies fail to serve security.txt for RFC 9116 in 2025," published on hartwork.org, the author laments the surprisingly low adoption rate of the security.txt standard, a simple yet effective method for improving vulnerability disclosure processes. RFC 9116, which formally specifies this standard, outlines how organizations should provide a plaintext file named security.txt at a well-known location (/.well-known/security.txt) on their website. This file contains essential contact information for security researchers and ethical hackers to report potential vulnerabilities. Despite being a straightforward and beneficial practice, the author's research indicates a dismal adoption rate even among prominent IT companies.

  The blog post details the author's methodology, which involved scanning the top 100 publicly traded IT companies listed on the NASDAQ stock exchange. They checked for the presence of a valid security.txt file at the standardized location. The results revealed a disappointingly low adoption rate, with a significant majority of these companies failing to implement this basic security measure. This lack of adoption hinders responsible vulnerability disclosure, potentially leaving these organizations more susceptible to exploitation.

  The author emphasizes the simplicity and importance of implementing security.txt. It requires minimal effort to create and deploy the file, yet it provides a clear and standardized communication channel for security researchers. This facilitates the responsible reporting of vulnerabilities, allowing companies to address potential security flaws before they can be exploited by malicious actors. The low adoption rate, therefore, represents a missed opportunity for these companies to enhance their security posture and protect themselves from potential attacks.

  The blog post concludes with a renewed call to action, urging organizations to embrace the security.txt standard. By implementing this simple measure, companies can significantly improve their vulnerability management processes, foster better relationships with the security research community, and ultimately strengthen their overall security. The author stresses that the minimal effort required to deploy a security.txt file is far outweighed by the potential benefits in terms of improved security and reduced risk. The continued lack of widespread adoption, even years after the standardization through RFC 9116, is presented as a concerning trend within the cybersecurity landscape.

  • security.txt
  • RFC 9116
  • Cybersecurity
  • IT Security
  • vulnerability disclosure
  • responsible disclosure
  • Website Security
  • Security Best Practices
  • internet security
  • information security

  Summary of Comments ( 1 )
  https://news.ycombinator.com/item?id=43235972

  Verbose tl;dr

  Hacker News users generally agreed with the premise that security.txt adoption is disappointingly low, with several expressing frustration at the security industry's failure to implement basic best practices. Some commenters pointed out that even security-focused companies often lack a security.txt file, highlighting a general apathy or ignorance towards the standard. Others discussed the potential downsides of security.txt, such as increased exposure to automated vulnerability scanning and the possibility of it becoming a target for social engineering attacks. A few suggested that the lack of adoption might stem from the perceived lack of clear benefits or fear of legal repercussions for disclosed vulnerabilities. The overall sentiment reflects a concern for the slow uptake of a seemingly simple yet beneficial security measure.

  The Hacker News post titled "Most IT companies fail to serve security.txt for RFC 9116 in 2025" generated a moderate number of comments discussing the adoption (or lack thereof) of the security.txt standard. Several commenters expressed a general sentiment of disappointment and frustration with the slow uptake of such a simple, yet beneficial, security practice.

  One compelling line of discussion revolved around the practical challenges and perceived lack of incentives for companies to implement security.txt. Some argued that security researchers often find vulnerabilities through means other than those advertised in a security.txt file, therefore diminishing its perceived value for companies. Others countered this point by highlighting the importance of providing a clear and official channel for reporting vulnerabilities, regardless of how they are discovered. This, they argued, can help streamline the vulnerability disclosure process and prevent researchers from resorting to less secure or less desirable methods of contact.

  Another commenter pointed out that the absence of security.txt often leads to wasted time and effort for security researchers who have to resort to searching for contact information through various channels, potentially leading to delayed vulnerability disclosures. This reinforces the argument that security.txt benefits both the reporting party and the receiving organization.

  The issue of discoverability also arose, with some commenters questioning how effective security.txt is if search engines aren't indexing it reliably. This raised concerns about the practical utility of the standard if it's not easily findable by those who need it.

  Finally, a few comments touched upon the potential legal implications of not having a security.txt file, suggesting that in the future, its absence might be considered negligent, especially in regulated industries. This adds another layer of incentive for companies to adopt the standard, moving beyond best practice and towards a potential legal requirement.

  While no single comment was overwhelmingly compelling in isolation, the collective discussion painted a picture of a security standard struggling with adoption despite its simplicity and potential benefits. The comments highlighted the tension between the perceived effort required for implementation and the potential benefits, as well as the need for improved discoverability and potential future legal implications that might drive wider adoption.

• Why do we have both CSRF protection and CORS?

  permalink

  Posted: 2025-03-02 15:32:46

  Verbose tl;dr

  CSRF and CORS address distinct web security risks and therefore both are necessary. CSRF (Cross-Site Request Forgery) protects against malicious sites tricking a user's browser into making unintended requests to a trusted site where the user is already authenticated. This is achieved through tokens that verify the request originated from the trusted site itself. CORS (Cross-Origin Resource Sharing), on the other hand, dictates which external sites are permitted to access resources from a particular server, focusing on protecting the server itself from unauthorized access by scripts running on other origins. While they both deal with cross-site interactions, CSRF prevents malicious exploitation of a user's existing session, while CORS restricts access to the server's resources in the first place.

  The blog post "Why do we have both CSRF protection and CORS?" explores the distinct roles of Cross-Site Request Forgery (CSRF) protection and Cross-Origin Resource Sharing (CORS) in web security, explaining why both mechanisms are necessary despite appearing to address similar issues. The author emphasizes that while both deal with cross-site requests, they protect against different types of attacks and operate under different assumptions.

  CSRF protection is primarily concerned with preventing malicious websites from leveraging a user's existing authenticated session on a target website. It assumes that the user is already logged in and that the attacker's site can trick the user's browser into sending requests to the target site without the user's explicit intent. The core vulnerability lies in the fact that browsers automatically include cookies (including session cookies) with requests to the same origin, even if those requests are initiated from a different origin. CSRF tokens, generated by the server and embedded in forms or request headers, act as a proof of intent, verifying that the request originated from the genuine website and not a malicious actor.

  Conversely, CORS focuses on restricting which origins are allowed to make cross-origin requests to a specific server. It's a browser-enforced mechanism that intercepts requests originating from a different origin than the target server and checks whether the server explicitly permits such requests via specific HTTP headers (like Access-Control-Allow-Origin). CORS's primary goal is to prevent malicious websites from directly reading the responses of cross-origin requests, safeguarding sensitive data that might be returned by the server. Without CORS, a malicious script could make requests to a different domain while operating within the context of the user's browser, potentially gaining access to private information if the browser's same-origin policy wasn't enforced.

  The author highlights a critical distinction: CORS doesn't prevent the request itself from reaching the server; it merely prevents the malicious script from accessing the response. This is where CSRF protection becomes crucial. A malicious site can still send a POST request to a vulnerable server, even with CORS in place, potentially modifying data or performing unwanted actions if the server lacks proper CSRF protection. Therefore, both mechanisms are essential. CORS protects against unauthorized reading of responses, while CSRF protection prevents unauthorized modification of state through forged requests. They work in tandem to create a more secure web environment. The author concludes by noting that while they may seem redundant at first glance, understanding the distinct threats they address reveals the necessity of both mechanisms.

  • Web Security
  • CSRF
  • CORS
  • Cross-Site Request Forgery
  • Cross-Origin Resource Sharing
  • HTTP
  • Web Development
  • Security Best Practices
  • Browser Security
  • Website Security

  Summary of Comments ( 64 )
  https://news.ycombinator.com/item?id=43231411

  Verbose tl;dr

  Hacker News users discussed the nuances of CSRF and CORS, pointing out that while they both address security concerns related to cross-origin requests, they protect against different threats. Several commenters emphasized that CORS primarily protects the server from unauthorized access by other origins, controlled by the server itself. CSRF, on the other hand, protects users from malicious sites exploiting their existing authenticated sessions on another site, controlled by the user's browser. One commenter offered a clear analogy: CORS is like a bouncer at a club deciding who can enter, while CSRF protection is like checking someone's ID to make sure they're not using a stolen membership card. The discussion also touched upon the practical differences in implementation, like preflight requests in CORS and the use of tokens in CSRF prevention. Some comments questioned the clarity of the original blog post's title, suggesting it might confuse the two distinct mechanisms.

  The Hacker News post titled "Why do we have both CSRF protection and CORS?" generated a robust discussion with numerous comments exploring the nuances and interplay between these two security mechanisms. The central theme revolves around the distinct, yet complementary, roles CSRF protection and CORS play in securing web applications.

  Several commenters emphasize that while both mechanisms address security concerns related to cross-origin requests, they target different attack vectors. CORS, they explain, is primarily browser-enforced and focuses on protecting the server from unauthorized access by scripts running in a different origin. It acts as a gatekeeper, allowing the server to specify which origins are permitted to make requests and what types of requests are allowed. This helps prevent malicious websites from directly accessing resources on a different domain without explicit server authorization.

  CSRF protection, on the other hand, is focused on protecting the user from unknowingly making requests to a trusted site while authenticated. Commenters highlight how CSRF attacks exploit the browser's automatic inclusion of cookies and other authentication details in cross-origin requests. By tricking a user into interacting with a malicious website, an attacker can leverage the user's existing session to perform unwanted actions on the trusted site. CSRF tokens, as explained in the comments, act as a secret, unpredictable value included with each request that the server can verify to ensure the request originated from a legitimate source, not a malicious third-party site.

  A key point of discussion revolves around how CORS alone does not prevent CSRF attacks. Commenters explain scenarios where a malicious website, even if blocked by CORS from reading the response from a cross-origin request, can still send the request. This means a CSRF attack can still be executed, potentially modifying data or performing actions on the targeted website without the user's knowledge, even if the attacker cannot directly see the results.

  Some comments delve into the specific mechanics of how CSRF tokens work, explaining how they are typically generated on the server, embedded in forms or included as custom headers, and validated upon submission. They also touch upon different methods of implementing CSRF protection, such as double submit cookies and the Synchronizer Token Pattern.

  Several commenters provide practical examples to illustrate the differences between CSRF and CORS, using scenarios involving banking transactions, social media interactions, and other web applications. These examples help clarify the distinct vulnerabilities each mechanism addresses and why both are necessary for comprehensive security.

  Finally, some commenters discuss the limitations of both CSRF protection and CORS and highlight the importance of employing multiple layers of security. They mention other security best practices, such as proper input validation and output encoding, as essential components of a robust security strategy. The general consensus is that while CSRF and CORS are vital tools, they are not silver bullets, and a comprehensive approach to web security is crucial.

• Okta Bcrypt incident lessons for designing better APIs

  permalink

  Posted: 2025-02-05 21:10:25

  Verbose tl;dr

  The Okta bcrypt incident highlights crucial API design flaws that allowed attackers to bypass account lockout mechanisms. By accepting hashed passwords directly, Okta's API inadvertently circumvented its own security measures. This emphasizes the danger of exposing low-level cryptographic primitives in APIs, as it creates attack vectors that developers might not anticipate. The post advocates for abstracting away such complexities, forcing users to interact with higher-level authentication flows that enforce intended security policies, like lockout mechanisms and rate limiting. This abstraction simplifies security reasoning and reduces the potential for bypasses by ensuring all authentication attempts are subject to consistent security controls, regardless of how the password is presented.

  The blog post "Okta Bcrypt incident lessons for designing better APIs" dissects a security incident involving Okta's authentication system and extracts valuable lessons for API design, focusing on mitigating similar vulnerabilities. The core issue stemmed from Okta's implementation of bcrypt, a password-hashing algorithm, within their API. Specifically, the API allowed developers to update user passwords without requiring the existing password. While seemingly convenient, this design choice introduced a critical security flaw. An attacker could exploit this vulnerability by obtaining a user's ID and then using the API to change the associated password without knowing the original password. This effectively locked the legitimate user out of their account while granting the attacker access.

  The author argues that this incident highlights a crucial principle of API design: APIs should enforce the same security constraints as the user interface. Just because an action is technically possible within a system doesn't mean it should be exposed through an API without appropriate safeguards. In this case, the user interface likely required the existing password for a password change operation, reflecting a sensible security practice. However, this constraint wasn't mirrored in the API, creating a discrepancy that attackers could exploit.

  The post further elaborates on how proper API design could have prevented this vulnerability. One proposed solution involves introducing a dedicated API endpoint specifically for password resets. This endpoint could incorporate robust security measures, such as requiring multi-factor authentication or sending a confirmation link to the user's email address, mitigating the risk of unauthorized password changes. Another approach discussed is the use of dedicated API keys with granular permissions. By restricting the capabilities of each API key, developers can limit the potential damage from compromised keys. Even if an API key were compromised, it wouldn't grant access to sensitive operations like changing passwords without the old password if such permissions weren't granted to the key initially.

  The author stresses that APIs are effectively an extension of the user interface and should be treated with the same level of security scrutiny. Ignoring this principle can lead to vulnerabilities that are easily exploitable by malicious actors. The Okta bcrypt incident serves as a cautionary tale, demonstrating the importance of careful API design and the need to align API functionality with established security best practices. The key takeaway is that convenience in an API should never come at the expense of security, and designers must prioritize robust security measures from the outset to prevent potentially devastating breaches.

  • API Security
  • API Design
  • Bcrypt
  • Okta
  • Authentication
  • Hashing Algorithms
  • Password Security
  • Cryptography
  • Security Best Practices
  • Incident Response
  • software engineering
  • Web Development

  Summary of Comments ( 136 )
  https://news.ycombinator.com/item?id=42955176

  Verbose tl;dr

  Several commenters on Hacker News praised the original post for its clear explanation of the Okta bcrypt incident and the proposed solutions. Some highlighted the importance of designing APIs that enforce correct usage and prevent accidental misuse, particularly with security-sensitive operations like password hashing. The discussion touched on the tradeoffs between API simplicity and robustness, with some arguing for more opinionated APIs that guide developers towards best practices. Others shared similar experiences with poorly designed APIs leading to security vulnerabilities. A few commenters also questioned Okta's specific implementation choices and debated the merits of different hashing algorithms. Overall, the comments reflected a general agreement with the author's points about the need for more thoughtful API design to prevent similar incidents in the future.

  The Hacker News post titled "Okta Bcrypt incident lessons for designing better APIs" (https://news.ycombinator.com/item?id=42955176) has generated several comments discussing the linked blog post's analysis of the Okta security incident and its implications for API design.

  Several commenters focus on the core issue highlighted in the blog post: the dangerous combination of idempotency and asynchronous operations. One commenter elaborates on this, explaining how retry mechanisms, intended for robustness, can exacerbate vulnerabilities when combined with operations that shouldn't be repeated. They use the analogy of accidentally double-charging a credit card due to a retry. Another commenter points out the inherent difficulty in designing truly idempotent APIs, especially in distributed systems, suggesting that acknowledging the potential for duplicates and designing systems to handle them gracefully is crucial.

  Another thread of discussion revolves around the specifics of the Okta incident and the blog post's analysis. One commenter questions the fairness of criticizing Okta's API design, arguing that the root cause was a misconfiguration rather than a fundamental flaw in the API itself. Others counter this by highlighting that the API design made the misconfiguration possible and its consequences more severe. They argue that a well-designed API should minimize the potential for such misconfigurations and their impact.

  Several commenters offer alternative approaches or best practices for designing APIs to avoid similar issues. One suggestion is to use unique request identifiers to prevent duplicate processing. Another proposes incorporating explicit confirmation steps for sensitive operations, moving away from purely idempotent designs. The use of message queues and other asynchronous communication patterns is also discussed, with commenters highlighting the trade-offs between performance and safety.

  The discussion also touches on the broader implications of the incident for security and API design. One commenter notes the importance of considering the "human element" in security, recognizing that even well-designed systems can be vulnerable to human error. Another emphasizes the need for thorough testing and validation of API designs, especially in security-sensitive contexts. Finally, some commenters express appreciation for the blog post's insightful analysis and the valuable lessons it offers for API developers.