Tag: TIL

  • TIL: HSTS is not Pinning, Pinning is the Problematic One!

    For years I have been mistaking HSTS for HPKP 🤦, and it’s not! HSTS is a way to make sure your website is ONLY ever loaded over HTTPS. HPKP is the ancient internet standard for securing your webapps. What’s pinning/HPKP? Certificate Pinning, often called HTTP Public Key Pinning, is a mechanism to tell your…

  • TIL: `REMOTE_USER` HTTP Header

    While proposing that Firefly III support OAuth login, my proposal got rejected because they already support `REMOTE_USER` from RFC 3875. This is very interesting, because I never thought we could handle authentication via a proxy. I’m aware of Authentik’s Proxy Provider, but never thought that there was a standard for this. Especially when you provide the upstream with just…