Tag
Articles related to this tag. If you’re new, start with the newest posts.
A practical CSP rollout plan for Next.js: start in Report-Only, collect violation reports, tighten allowlists, migrate scripts toward nonces/hashes, then enforce with a rollback plan.
A practical checklist for security headers in Next.js. Start with low-breakage headers, add HSTS only when HTTPS is guaranteed, stage CSP in Report-Only, and apply COOP/COEP/CORP only on routes that need cross-origin isolation.
A practical Dependabot operating policy: scope (npm + Actions), weekly batching, grouping, safe defaults for auto-merge, and CI gates that prevent update PRs from becoming incidents.
A practical checklist to harden GitHub Actions as part of your software supply chain. Focus on least-privilege permissions, pinning third-party Actions by SHA, safe handling of fork PRs, and deployment gates.
A practical checklist to reduce npm supply chain risk by treating dependency diffs as security events. Focus on new dependencies, install scripts, lockfile discipline, and incident first moves.
A practical, ops-style authorization checklist to prevent IDOR (broken object-level access control). Focus on where IDs enter, how reads/writes are scoped, consistent deny behavior, and one regression test that prevents reintroducing the bug.
AI-assisted development ships fast, and that makes authorization regressions common. This practical guide shows how to detect and fix IDOR (broken object-level authorization) with a repeatable review, tests, and rollout-safe patterns.
A practical playbook for Next.js security updates: decide urgency, upgrade with small diffs, let CI fail fast, verify key flows on preview, deploy with a rollback plan, and rotate secrets when exposure is plausible.
A practical incident response checklist for CVE-2025-66478 in Next.js: confirm exposure, upgrade to patched versions, verify key flows, and rotate secrets when exposure is plausible. Written for small teams that need a repeatable process.