Is Access-Control-Allow-Origin: * insecure?

12 November 2019, Tamás Sallai
CORS headers come into play when a client makes a cross-origin request. In that case, the server must indicate that it allows the cross-origin operation; otherwise the browser will reject the request. The two important points are that the target server must allow the operation and that the client's browser enforces it.

Seamless S3 encryption does not imply better security

05 November 2019, Tamás Sallai
Especially in small companies, I see an excessive emphasis on encryption. Semi-technical people, usually mid-management, ask the question “Is the data encrypted?” and draw conclusions from a simple “yes”. Granted, secure systems usually employ some form of encryption so a “no” answer would suggest that there is room for improvement. But assuming adequate security from the fact that the data is encrypted is a logical error.

Encryption in the cloud

29 October 2019, Tamás Sallai
In many projects, one of the key aspects of perceived data security was whether the data was encrypted or not. I remember a particular case when the management insisted that the data must be encrypted locally before writing to the database but then nobody cared where the key was stored or whether it was protected or not. But as long as the developer could point to the rows and show that they are in an unreadable form, everybody was assured.

How to reproduce a Lambda function's environment variables locally

22 October 2019, Tamás Sallai
Getting started with Lambdas usually involves a lot of trial-and-error, which means a lot of redeploys. Change something, deploy, refresh in the browser. While the deployment can be fast, it still takes multiple seconds, not to mention that it's way harder to set breakpoints and see what the code actually does.

Editors' Favourites

Despite my ambivalent feelings about CloudFormation, I use it a lot, but managing stacks through the Console is a pain. Fortunately, this service enjoys the same CLI support most other ones do, so it is just a matter of scripting to make it more developer-friendly.
One of the most catastrophic AWS account security breaches is not sophisticated hacking involving 0-day vulnerabilities traded on the deep web by high-profile hackers. It is when you post your access and secret keys in plain text to the public. After all, it's so easy to test with some hard-coded keys and accidentally push them to the VCS.
Since the release of version 8, up to version 11, Java has been shaped by 120 JDK Enhancement Proposals (JEPs), each of which brings some improvement to the platform. I've decided to read them and create a concise, categorized list of the improvements.
S3 signed URLs provide fine-grained control over who can access private resources. They are flexible both on the permission side and in terms of ease of automation.