Security on Commentary of Takao

OWASP ZAP in 2026: Advanced Scanning and CI/CD Integration

Tue, 09 Jun 2026 00:00:00 +0900

Beyond Basic Scanning

OWASP ZAP has evolved significantly since its early days. In 2026, it is no longer just a point-and-click proxy scanner — it is a full-featured security automation platform with a powerful API, a scriptable automation framework, and deep CI/CD integration. If you need the basics first, read our OWASP ZAP installation and setup guide. This article covers advanced workflows for teams running security tests at scale.

API Scanning with ZAP

Modern applications rely heavily on REST and GraphQL APIs. ZAP’s OpenAPI and GraphQL support allows you to scan APIs without a browser.

Designing Modern Content Security Policies for Hugo blogs

Fri, 05 Jun 2026 00:00:00 +0900

Why CSP Matters for Static Sites

Static sites built with Hugo are inherently more secure than dynamic applications, but they still execute third-party scripts for analytics, ads, and embeds. A Content Security Policy (CSP) protects your visitors from XSS, data injection, and malicious script execution by controlling which resources can load.

Setting CSP via Cloudflare Pages

Cloudflare Pages supports custom _headers files for controlling HTTP response headers:

# static/_headers
/*
 Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self'

For Hugo, place the _headers file in your static/ directory so it gets copied to the output:

Testing CSP Rules Safely with Content-Security-Policy-Report-Only

Fri, 15 May 2026 00:00:00 +0900

Deploying a Content Security Policy is one of the strongest defenses against XSS attacks. But a single misconfigured directive can silently break inline scripts, block CDN resources, or disable analytics. If you apply CSP directly via the Content-Security-Policy header and a critical script gets blocked, your production site breaks—often without an obvious error console notification.

This is where Report-Only mode saves the day.

Report-Only vs Enforced Mode

CSP supports two headers:

Comparing JWT Tokens vs Stateful Sessions in Web Security

Fri, 20 Mar 2026 00:00:00 +0900

Introduction

Authentication is the backbone of every web application. Two dominant patterns have emerged: stateless JWT (JSON Web Token) auth and stateful session-based auth. Both solve the same problem — verifying who a user is on subsequent requests — but they differ fundamentally in storage, revocation, and security properties. This article provides a detailed comparison to help you choose the right approach for your application.

JWT Structure

A JWT is a self-contained token consisting of three base64url-encoded segments separated by dots:

Domain Safety: Setting Up SPF, DKIM, and DMARC Settings

Sun, 15 Feb 2026 00:00:00 +0900

Introduction

Email authentication is essential to prevent domain spoofing, phishing, and spam folder rejection. Three DNS-based standards — SPF, DKIM, and DMARC — work together to verify that emails claiming to be from your domain are legitimate. Without these records, attackers can send forged emails on your behalf, and legitimate emails may land in recipients’ spam folders. This guide explains each standard and shows how to configure them on Cloudflare or your DNS provider.

How CORS Works and Fixing Access Block Errors

Mon, 15 Dec 2025 00:00:00 +0900

Introduction

CORS (Cross-Origin Resource Sharing) is a browser security mechanism that controls how web pages from one origin can request resources from a different origin. When a frontend at https://app.example.com tries to fetch data from https://api.example.org, the browser enforces a same-origin policy by default. CORS provides a controlled way to relax this policy through HTTP headers. This article explains the complete CORS flow, preflight requests, and how to fix common access-block errors.

Auditing NPM Dependencies: Snyk and automated patch management

Sat, 15 Nov 2025 00:00:00 +0900

The Supply Chain Problem

Modern JavaScript applications ship tens of thousands of transitive dependencies. Each one is a potential attack vector. The event-stream incident (2018), where a malicious package was injected into a popular dependency, demonstrated that vulnerabilities can come from anywhere in the tree. Relying solely on manual review is impossible at this scale.

Automated tooling is the only practical defense.

npm audit

The built-in npm audit command compares your dependency tree against a curated database of known vulnerabilities.

Mitigating CSRF: SameSite Cookie Attributes and CSRF Tokens

Mon, 25 Aug 2025 00:00:00 +0900

Introduction

Cookies are a convenient mechanism for managing user authentication state. When a session ID is stored in a cookie, the browser automatically attaches it to outgoing HTTP requests targeting the domain.

However, this automatic attachment feature is exploited by Cross-Site Request Forgery (CSRF) attacks.

Although modern browsers default to safer cookie behaviors (such as applying SameSite=Lax automatically), developers must understand CSRF defense patterns to prevent serious authentication vulnerabilities. This article reviews SameSite cookie attributes and CSRF token verification patterns.

Why and How to Adopt 'strict-dynamic' in CSP

Sun, 15 Jun 2025 00:00:00 +0900

Introduction

Implementing a Content Security Policy (CSP) is a highly effective way to mitigate Cross-Site Scripting (XSS) risks. However, configuring and maintaining the policy can become a major headache.

For websites utilizing third-party SDKs (such as Google Tag Manager, analytics beacons, payment widgets, or social sharing buttons), these scripts often dynamically load (inject) additional scripts from nested domains. This forces developers to maintain a long, fragile whitelist of external domains in the script-src directive.

Defense Principles of XSS in Web Development

Tue, 25 Feb 2025 00:00:00 +0900

Introduction

In web security, Cross-Site Scripting (XSS) stands as one of the oldest and most persistent vulnerabilities.

If malicious scripts run on a victim’s browser, they can compromise the entire session, steal session tokens (cookies), hijack accounts, or dynamically alter page content to harvest sensitive credentials.

This article reviews the fundamental defense principles required to eliminate XSS vulnerabilities in modern web applications. We will explore contextual escaping, sanitization, secure DOM manipulation, and defensive depth mechanisms.

Subresource Integrity: Protecting Your CDN Dependencies

Fri, 20 Dec 2024 00:00:00 +0900

Subresource Integrity (SRI) is a security feature that lets browsers verify that resources fetched from CDNs or third-party origins have not been tampered with. In an era of supply chain attacks — the British Airways Magecart breach, the Polyfill.io compromise, and numerous CDN incidents — SRI provides cryptographic assurance that the resource your page loads is exactly what you intended.

How SRI Works

When you add an integrity attribute to a <script> or <link rel="stylesheet"> tag, the browser computes the hash of the fetched resource and compares it to the attribute value. If they don’t match, the browser refuses to execute or apply the resource.

Secure Cookie Configuration: A Complete Web Developer Guide

Mon, 09 Dec 2024 00:00:00 +0900

Cookies remain one of the most frequently misconfigured security controls on the web. A single missing attribute can expose your application to session hijacking, CSRF, or cross-site information leakage. Modern browsers have pushed stricter defaults, but understanding each attribute and combining them correctly is essential for defense-in-depth.

The core security attributes are Secure, HttpOnly, SameSite, and the __Host- / __Secure- prefixes. Each serves a distinct purpose, and they work best when combined.

SQL Injection Prevention: Modern Database Security Guide

Tue, 01 Oct 2024 00:00:00 +0900

SQL injection remains in the OWASP Top 10 despite decades of awareness. The 2023-2024 period saw high-profile breaches in healthcare, e-commerce, and government sectors involving SQLi. While the classic ' OR 1=1 -- attack is well-known, modern variants include second-order injection, blind SQLi (time-based and boolean-based), and out-of-band exfiltration. Prevention is well-understood but poorly executed due to legacy code, ORM misuse, and insufficient testing automation.

Parameterized Queries and Prepared Statements

Prepared statements are the gold standard for SQL injection prevention. They separate SQL logic from data at the database engine level, making it impossible for user input to alter query structure.

Managing SSH Keys with Vaultwarden and Bitwarden SSH Agent

Thu, 20 Jun 2024 00:00:00 +0000

Why Store SSH Keys in a Password Manager

SSH keys are the gold standard for authenticating to remote servers, Git providers, and internal infrastructure. Yet most developers store them as plain files under ~/.ssh/ — unprotected, unsynced, and unaudited. Moving SSH keys into Vaultwarden (or Bitwarden) solves three fundamental problems:

Centralized management: All keys live in one vault, not scattered across machines.
Cross-device sync: Add a key once; it appears on every device automatically.
Audit trail: Every key access and client operation is logged by the server.

The Bitwarden SSH agent bridges the gap between a locked-down vault and the day-to-day need to use SSH keys transparently.

WebAuthn and Passkeys: Passwordless Authentication in 2024

Tue, 02 Apr 2024 00:00:00 +0900

Passwords have been the primary authentication mechanism for decades, but they come with well-documented security and usability problems. WebAuthn (Web Authentication) and the emerging passkey ecosystem promise to replace passwords with cryptographically secure, phishing-resistant authentication. As of 2024, passkey support has reached critical mass across all major platforms, making this the ideal time to implement passwordless authentication.

Understanding WebAuthn

WebAuthn is a W3C standard that enables public-key cryptography-based authentication on the web. The core flow involves two operations: registration and authentication. During registration, the server sends a cryptographic challenge to the client, the authenticator creates a new key pair, and the public key is stored on the server. During authentication, the server sends a challenge, the authenticator signs it with the private key, and the server verifies the signature against the stored public key.

Vaultwarden: Self-Hosted Password Manager Installation Guide

Fri, 15 Mar 2024 00:00:00 +0000

What is Vaultwarden?

Vaultwarden is an open-source, self-hosted implementation of the Bitwarden server API, written in Rust. It is designed to be lightweight and resource-efficient compared to the official Bitwarden server, which requires a Microsoft SQL Server database and substantial system resources. Vaultwarden supports all official Bitwarden clients — desktop, browser extensions, mobile apps, and CLI — without any modification.

By self-hosting Vaultwarden, you retain full control over your password data. No third-party service ever touches your encrypted vault. The project is mature, actively maintained, and suitable for both single-user deployments and small teams.

OAuth 2.0 and OpenID Connect: Modern Authentication Guide

Mon, 29 Jan 2024 00:00:00 +0900

OAuth 2.0 and OpenID Connect form the backbone of modern web authentication and authorization. Despite their ubiquity, these protocols are frequently misunderstood and misconfigured, leading to preventable security vulnerabilities. This guide covers the core concepts, implementation patterns, and security best practices you need to integrate authentication securely in your applications.

OAuth 2.0 Fundamentals

OAuth 2.0 is an authorization framework, not an authentication protocol. This distinction is critical: OAuth defines how a client application can obtain delegated access to protected resources, but it does not specify how to verify the user’s identity. That is where OpenID Connect comes in.

Security on Commentary of Takao

OWASP ZAP in 2026: Advanced Scanning and CI/CD Integration

Beyond Basic Scanning

API Scanning with ZAP

Designing Modern Content Security Policies for Hugo blogs

Why CSP Matters for Static Sites

Setting CSP via Cloudflare Pages

Testing CSP Rules Safely with Content-Security-Policy-Report-Only

The Broken-Widget Problem

Report-Only vs Enforced Mode

Comparing JWT Tokens vs Stateful Sessions in Web Security

Introduction

JWT Structure

Domain Safety: Setting Up SPF, DKIM, and DMARC Settings

Introduction

How CORS Works and Fixing Access Block Errors

Introduction

Auditing NPM Dependencies: Snyk and automated patch management

The Supply Chain Problem

npm audit

Mitigating CSRF: SameSite Cookie Attributes and CSRF Tokens

Introduction

Why and How to Adopt 'strict-dynamic' in CSP

Introduction

Defense Principles of XSS in Web Development

Introduction

Subresource Integrity: Protecting Your CDN Dependencies

How SRI Works

Secure Cookie Configuration: A Complete Web Developer Guide

SQL Injection Prevention: Modern Database Security Guide

Parameterized Queries and Prepared Statements

Managing SSH Keys with Vaultwarden and Bitwarden SSH Agent

Why Store SSH Keys in a Password Manager

WebAuthn and Passkeys: Passwordless Authentication in 2024

Understanding WebAuthn

Vaultwarden: Self-Hosted Password Manager Installation Guide

What is Vaultwarden?

OAuth 2.0 and OpenID Connect: Modern Authentication Guide

OAuth 2.0 Fundamentals