Best practices and tips to secure your infrastructure.
Heap-based buffer overflow in ngx_http_dav_module crashes workers or lets attackers manipulate file paths outside the document root.
Incident-response guide for CVE-2026-27654. Covers affected configuration matrix, detection checklist, immediate mitigations (disable COPY/MOVE, switch alias to root), patch and upgrade path, validation commands, and post-fix monitoring for WebDAV deployments.
Upstream TLS trust-boundary bypass lets attackers inject HTTP responses through NGINX reverse proxies.
Practical incident-response and hardening guide for CVE-2026-1642. Covers exposure assessment, emergency configuration actions, patch and upgrade guidance, validation commands, post-incident monitoring, and long-term upstream TLS trust-boundary defenses.
Modern TLS best practices: TLS 1.3, HSTS, OCSP stapling, secure ciphers, and HTTPS performance tuning.
A practical guide to configuring HTTPS in 2026. Covers the recommended TLS baseline — TLS 1.3, HSTS, OCSP stapling, cipher selection, forced HTTPS redirect, and cert renewal automation — plus performance tuning with HTTP/2, HTTP/3, clean cert chains, and session resumption.
A practical SSH hardening playbook: key-only auth, Fail2ban, rate limiting, MFA options, and safe rollback steps.
A step-by-step SSH hardening checklist for Ubuntu and Debian servers. Covers key-only authentication, user restrictions, brute-force mitigation, Fail2ban, firewall allow-listing, auth log monitoring, MFA, and safe rollback procedures.
A critical unauthenticated backup download flaw in Nginx UI leaks credentials, private keys, and configs.
Actionable response checklist for CVE-2026-27944 (CVSS 9.8) — the Nginx UI flaw that lets unauthenticated attackers download and decrypt full server backups. Covers exposure assessment, emergency containment, upgrade path, credential rotation, and long-term hardening.
Secrets, CI hardening, rollback safety — practical controls you can ship this week.
A practical guide to hardening CI/CD pipelines without a dedicated platform team. Covers secret handling, OIDC federation, branch protection, least-privilege tokens, dependency scanning, signed artifacts, staged rollouts, and rollback drills.
Rate limiting, signed URLs, and storage hygiene — practical defenses for image-generation infrastructure.
A practical guide to securing AI image generation platforms against hotlinking, prompt abuse, upload abuse, storage bloat, and token leakage — with concrete Nginx configs, Python snippets, and monitoring rules.
TLS 1.3, HSTS, OCSP stapling, and HTTP/3 — every directive explained and verified.
A practical checklist for hardening Nginx TLS in 2026. Covers protocol enforcement, OCSP stapling, HTTP/3, session security, and security headers — with config snippets and verification commands for each item.
An AI agent with full access to your terminal deserves serious scrutiny.
OpenClaw runs on your machine with your permissions and can execute arbitrary shell commands. We break down the real security risks and how to protect yourself — or avoid them entirely.
When AI writes your code, who checks for vulnerabilities?
The rise of AI-assisted programming has made development faster than ever, but the trend of "vibe coding" — accepting AI-generated code without review — introduces serious security risks.
State of the art secure web deployment
An overview of a secure web deployment with Let's Encrypt and Nginx. How to set up a valid HTTPS connection, harden it and get top security ratings.