Comment by bluesmoon
5 months ago
Exactly! For a web dev in 2025 to still not know security best practices that have been around for 20+ years is a failure on the part of the dev.
I’m sure I don’t know ALL the "security best practices that have been around for 20+ years" and this is perfectly fine as long as I’m able to react quickly. See also https://xkcd.com/1053/.
It's fine if you personally didn't know that. But if I'm paying for a service, I expect the provider to understand basic security best practices that have been industry standard for 20+ years. And if they don't, they should be hiring people who do.
XKCD 1053 is not a valid excuse for what amounts to negligence in a production service.
Author here. What kind of security negligence are you referring to? What would be a specific attack vector that I left open?
Regarding the PSL - and I can't believe I'm writing this again: you cannot get on there before your service is big enough and "the request authentically merits such widespread inclusion"[1]. So it's kind of a chicken and egg situation.
Regarding the best practice of hosting user content on a separate domain: this has basically two implications: 1. Cookie scope of my own assets (e.g. dashboard), which one should limit in any case and which I'm of course doing. So this is not an issue. 2. Blacklisting, which is what all of this has been about. I did pay the price here. This has nothing to do with security, though.
I'm sorry to be so frank, but you don't know anything about me or my security practices and your claim of negligence is extremely unfounded.
[1] https://github.com/publicsuffix/list/wiki/Guidelines#validat...
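The cookie-scope point in the comment above can be checked concretely. The following is an added example, not code from the thread or from the service being discussed: it uses the standard library's http.cookiejar to model which of a dashboard's cookies a client would send to a sibling subdomain that serves user content. All host names (dashboard.example.com, alice.example.com) and cookie values are constructed for the illustration.

```python
"""Which of a dashboard's cookies reach a user-content subdomain?

Models browser cookie scoping with http.cookiejar: a cookie set with an
explicit Domain=example.com is sent to every subdomain, while a host-only
cookie (no Domain attribute) stays with the host that set it.
"""
from email.message import Message
from http.cookiejar import CookieJar, DefaultCookiePolicy
from urllib.request import Request


class _FakeResponse:
    """Minimal stand-in for an HTTP response; cookiejar only needs .info()."""

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for hdr in set_cookie_headers:
            self._headers["Set-Cookie"] = hdr  # Message keeps duplicates

    def info(self):
        return self._headers


def cookies_sent_to(set_cookie_headers, set_from_url, request_url):
    """Names of cookies the jar attaches to request_url after the given
    Set-Cookie headers were received in a response from set_from_url."""
    jar = CookieJar(DefaultCookiePolicy())
    jar.extract_cookies(_FakeResponse(set_cookie_headers), Request(set_from_url))
    req = Request(request_url)
    jar.add_cookie_header(req)
    header = req.get_header("Cookie", "")
    return sorted(part.split("=", 1)[0] for part in header.split("; ") if part)


# Constructed hosts: the dashboard, and a subdomain serving user uploads.
DASHBOARD = "https://dashboard.example.com/"
USER_CONTENT = "https://alice.example.com/"

# Same session cookie, scoped two ways.
LOOSE = ["session=abc123; Domain=example.com; Path=/; Secure; HttpOnly"]
HOST_ONLY = ["session=abc123; Path=/; Secure; HttpOnly"]

if __name__ == "__main__":
    print("Domain-scoped cookie reaches user subdomain:",
          cookies_sent_to(LOOSE, DASHBOARD, USER_CONTENT))
    print("host-only cookie reaches user subdomain:",
          cookies_sent_to(HOST_ONLY, DASHBOARD, USER_CONTENT))
    print("host-only cookie still reaches dashboard:",
          cookies_sent_to(HOST_ONLY, DASHBOARD, DASHBOARD))
```

The host-only form is the scoping the comment refers to: the dashboard session never travels to a user-controlled subdomain, so the argument for a separate domain rests on reputation and blocklisting rather than on cookie leakage.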