Posts

Optional object property access

Photo by Hannah Joshua on Unsplash

Options: they aren't just for day traders any more! I just read a post by Dr. Axel Rauschmayer about null and undefined (link to article). Here's a summary of some of the more interesting items about optional object property access and the nullish coalescing operator.

The ?. operator is equivalent to "if the property exists, return it else return undefined".
You can chain the ?. operator for nested objects: it will return undefined the first chance it gets.
The ?? operator is like the `or` operator (||) except that it falls through to the right-hand value only when the left-hand value is null or undefined.

Examples:

The ?. operator is equivalent to "if the property exists, return it else return undefined".

let obj = { foo: 42 };
obj?.address // undefined
obj?.foo // 42

You can chain the ?. operator for nested objects: it will return undefined the first chance it gets.

let users = [ { name: 'Tom', address: { line1: '1234 Main St.', line2: { city: '

Collaborative flashcard learning (join my React study group!!)

Pardon the digression. Flashcards and spaced repetition are great ways to learn, and I created a React study group on idorecall.com, the site I use to make my learning flashcards. Geeky? Yes, but it's useful, and if we work together we'll get results faster. Software is a tool, not an end in itself.

http://idr.link/si6nyakk/i_TOM

JavaScript snippet: exponent notation and Number.toString()

Hello fellow programmers! I’m trying something new today! I made a YouTube video about exponent notation and Number.toString(). These are useful to de-clutter your code and to quickly change the base of a number. I hope you enjoy it, and tell me what you think about it.

Links

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Numbers_and_dates#exponentiation
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Number/toString

A short guide to cross-site request forgery attacks

Photo from Negativespace.

This is a follow-on post to my post on clickjacking attacks. I found this article from Auth0 (https://auth0.com/blog/cross-site-request-forgery-csrf/) while reading the one on clickjacking. As before, it's worth reading. Here's a summary.

What CSRF attacks are

CSRF, aka "c-surf", is an acronym for Cross-Site Request Forgery. In this attack, a malicious site gets the user's browser to send a request to another site; the browser attaches that site's active session cookie, so the request is carried out in the place of the user. E.g. if you're logged in to your bank and go to a site in another browser tab, the other site could use the bank site's active session cookie to transfer money.

How to prevent them

User

Log out of websites, especially sensitive ones.

Back end

The article and OWASP do a good job of explaining the details, so I'll link to them here and give an overview.

https://auth0.com/blog/cross-site-request-forgery-csrf/
https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_

Docker security scanning

The title pretty much sums it up: docker scan imagename:tag (e.g. docker scan node:12.15.0-alpine) is a new command that can be used to scan for container vulnerabilities in Docker Desktop.

Here's a blog post: https://www.docker.com/blog/secure-from-the-start-shift-vulnerability-scanning-left-in-docker-desktop/

. . . and the docs: https://docs.docker.com/engine/scan/

Here are two examples, where node:12.15.0-alpine has vulnerabilities that node:14.15.0-alpine3.11 does not.

A short guide to clickjacking attacks

I recently read an article from JavaScript Weekly (part of the Cooper Press series I subscribe to), and it included a good rundown on clickjacking attacks: https://auth0.com/blog/preventing-clickjacking-attacks/

It's a good article and worth reading. Here's a summary.

What clickjacking attacks are

Malicious sites put hidden iframes over a decoy site. When a user tries to click on something on the decoy site, he or she actually clicks on something in the hidden iframe. The assumption is that the action taken by the hidden iframe is malicious.

How to prevent them

Front end

There are some workarounds, but these are mostly ineffective.

Back end

Note: if you're using Node.js and Express, the helmet library does 1 and 2 by default. If both X-Frame-Options and Content-Security-Policy are set, the CSP setting prevails.

1. Set the X-Frame-Options header to SAMEORIGIN (helmet's default) or DENY. This is a widely-recognized standard, but it isn't an official standar

Never quit

I live 20 minutes from a trail in my city, and I've been intending to hike it for more years than I care to admit. Two weeks ago I made the time to do it. Never again will I wait that long. Still, part of me feels successful for making it happen. The moral is this: you only lose if you quit. #getItDone