Patrick Kerrigan

Blog - posts tagged "security"

Making PHP-FPM use IAM task roles on ECS

by Patrick Kerrigan. Tags: Aws Php Security

AWS IAM roles provide a way to supply your applications running on AWS infrastructure with the credentials they need to access other AWS resources without having to worry about managing access keys. When you have a single application per EC2 instance, everything "just works", but things get a bit more complex when you start throwing containers in the mix, especially with PHP.

Blocking OpenVPN reflection attacks

by Patrick Kerrigan. Tags: Security Linux Networking

While reviewing the logs of my OpenVPN server recently, I noticed a series of suspicious-looking entries that indicated that it was being used as part of a UDP reflection attack. Thankfully this is pretty straightforward to block using the built-in functionality of OpenVPN and/or firewall software such as nftables. I'll cover both approaches here.

MFA with security keys

by Patrick Kerrigan. Tags: Cryptography Security Web

Enabling multi-factor authentication (MFA) is one of the single most effective steps you can take to protect your online accounts against unauthorised access. Combining something you have (a device or smartcard) or something you are (biometrics) with something you know (your password) ensures that if your password falls into the hands of an attacker, whether through a security breach, malware, or brute force guessing, then they still won't be able to get access to your account.

Chrome XSS Auditor and HTML editors

by Patrick Kerrigan. Tags: Security Web

Chrome, along with Edge, Opera and Safari, has built-in support for detecting and preventing Cross-Site Scripting (XSS) attacks. This works well as a safety net to protect users when websites fail to protect themselves from such attacks, but it can cause issues with applications which allow users to post HTML in forms. This shows in Chrome as an error page with the text "ERR_BLOCKED_BY_XSS_AUDITOR" and can be quite intimidating for users trying to perform a legitimate operation.

SVG and Content Security Policy in Edge

by Patrick Kerrigan. Tags: Security Bugs

Recently I've been trying to make some improvements to sites that I'm involved with, particularly converting images to SVG format and implementing HTTP Content Security Policy (more to come on those later). While doing so I ran into a strange issue to do with how Microsoft Edge handles the combination of these two technologies, which only seems to be documented in an Edge bug report.