#Never hardcode your API keys | Explore Tumblr posts and blogs

techstuff19 · 7 days ago

Text

Best Practices for API Integration in Next.js Apps

Modern web applications thrive on seamless, efficient, and secure API communication. Whether it's pulling data from a CMS, connecting with a payment gateway, or interacting with a cloud service, API integration is at the core of every high-performance Next.js app.

Next.js, with its server-side capabilities and built-in API routes, offers a flexible environment for creating and consuming APIs. But with flexibility comes the responsibility of integration best practices especially when dealing with sensitive data or mission-critical services.

Why Next.js Is Built for API-Driven Applications

Next.js offers both server-side and client-side rendering, making it ideal for hybrid API workflows. Developers can:

Use getServerSideProps() or getStaticProps() for SSR/SSG-based data fetching.

Utilize /api routes to implement backend logic directly within the app.

Take advantage of built-in middleware for authentication, error handling, and request filtering.

This architectural flexibility is why SaaS companies can scale frontend with Next.js, particularly when their APIs need to serve both dynamic dashboards and SEO-friendly landing pages.

Best Practices for Integrating APIs in Next.js

1. Centralize API Logic

Avoid scattering fetch calls across components. Instead, centralize them using a services directory or a custom hook (useApi) for consistency and maintainability.

2. Use Environment Variables

Secure API keys and sensitive data by using .env.local. Never hardcode tokens in the frontend codebase.

3. Handle Errors Gracefully

Build resilient error handling using try/catch blocks and conditionally render UI based on the state of the API response.

4. Use SWR or React Query

For client-side API calls, libraries like SWR (by Vercel) or React Query help manage caching, loading states, and automatic revalidation.

5. Secure Your APIs

Whether you're calling third-party APIs or building your own endpoints within the Next.js /api folder, security is critical. Learn how to ensure REST API security to prevent unauthorized access, data leaks, and common vulnerabilities like CSRF and XSS.

When Should You Hire an Expert?

As your application scales and API complexities increase especially with third-party integrations, real-time data, or sensitive business logic it’s beneficial to hire Next.js developers who are skilled in scalable architectures, secure integrations, and performance optimization.

Final Thoughts

APIs are the arteries of modern web apps. When combined with the server-side strengths of Next.js, your frontend becomes more powerful, reactive, and tailored to user needs. By following these best practices, you’re not only creating better experiences, you're building a scalable, secure, and resilient application foundation.

#nextjs #api integration #next js apps #web development #app development

0 notes

aisoftwaretesting · 2 months ago

Text

Promoting Security in Cloud-Based Test Automation

Why Cloud Testing Needs a Security-First Mindset and How to Achieve It

As more software development teams adopt cloud-based test automation to boost scalability, speed, and agility, one crucial element often lags behind: security. While cloud testing offers tremendous benefits — like anytime/anywhere access, seamless parallel testing, and elastic environments — it also introduces new attack surfaces, risks, and responsibilities.

If cloud-based test automation is part of your CI/CD pipeline (and it likely is), you must treat its security with the same rigor as your production systems. Ignoring the security implications of your test environments can lead to data leaks, regulatory noncompliance, and breaches that compromise the very code you’re trying to validate.

In this article, we’ll explore the risks, best practices, and how platforms like GenQE.ai support a secure approach to cloud-based test automation.

Why Security Matters in Cloud-Based Test Automation

Cloud-based test environments often handle more than just dummy data. They may include:

Real (or sanitized) production datasets

Sensitive credentials for accessing APIs, staging servers, or third-party services

Infrastructure-as-code configurations used to replicate production environments

Business-critical logic used in tests or simulation

Any of these can be targeted by threat actors if proper controls aren’t in place.

And unlike traditional on-prem testing environments that are locked behind corporate firewalls, cloud-based tools are inherently more exposed. A single misconfigured permission, unsecured endpoint, or overly permissive test script can become a vector for intrusion.

Common Security Risks in Cloud-Based Testing

Understanding the threat landscape is the first step in defending against it. Here are some of the most common risks:

1. Data Exposure

Using production data in test environments — even in sanitized form — can be dangerous. If the data is stored or transmitted without encryption, it’s vulnerable to leaks.

2. Credential Leakage

Hardcoded secrets in test scripts, environment variables, or automation tools can be inadvertently exposed to logs, public repositories, or third-party integrations.

3. Over-Privileged Test Accounts

Test environments often use admin-level accounts to ensure coverage. If compromised, these accounts can grant unauthorized access across systems.

4. Insecure API Endpoints in Testing

APIs used for testing may not be subject to the same rate limits or authentication as production, making them soft targets for abuse or data mining.

5. Lack of Audit and Monitoring

Test automation infrastructure often lacks the monitoring rigor of production systems. Suspicious activity may go unnoticed until it’s too late.

Best Practices for Securing Cloud-Based Test Automation

Security must be a shared responsibility between Dev, QA, and Ops. Here’s how to embed it into your testing strategy:

1. Minimize and Mask Sensitive Data

Avoid using real customer or financial data in your test environments. When test scenarios require realistic datasets, use robust data anonymization or synthetic data generation techniques.

2. Secure Your Secrets

Never hardcode passwords, API keys, or tokens in test scripts. Use secure secret management tools and limit the exposure of credentials through scoped permissions and short lifespans.

3. Adopt the Principle of Least Privilege

Ensure that your testing environments and test accounts only have the access they absolutely need. Overly broad permissions increase the blast radius of a potential compromise.

4. Encrypt Everything — In Transit and at Rest

From test logs to temporary datasets, ensure all information is encrypted. Cloud providers offer robust encryption capabilities — use them.

5. Regularly Audit Test Infrastructure

Just like production systems, your test environments need regular security audits. Review access logs, scan for open ports, and validate configurations on a scheduled basis.

6. Monitor Test Activity and Anomalies

Use observability tools to monitor your automated test executions. Unexpected spikes in activity or access to external services should trigger alerts and investigations.

7. Isolate Your Test Environments

Don’t run test suites in the same environments where production workloads live. Use containerization or separate virtual networks to isolate potential threats.

Shifting Left, Securing Right

With cloud-native development practices accelerating, teams are embracing shift-left testing: testing earlier in the development cycle. But shift-left without security-left can backfire.

Security needs to be embedded from the first test script. With platforms like GenQE.ai, teams can incorporate intelligent test generation, environment provisioning, and code analysis with security top of mind. GenQE.ai promotes a holistic approach where risk visibility and test coverage extend to both functionality and security considerations.

Furthermore, integrating security practices into cloud-based automation isn’t just a technical benefit — it’s a business one. It reduces the risk of data breaches, ensures compliance with privacy laws (like GDPR and HIPAA), and builds customer trust.

The Future: AI-Driven Security in Test Automation

As AI continues to transform software testing, it’s also offering new ways to detect security vulnerabilities in test infrastructure itself. Platforms like GenQE.ai are leading the way by:

Identifying insecure patterns in test code

Auto-generating tests that simulate attack scenarios

Highlighting data flows that may introduce compliance risks

Optimizing coverage with a focus on high-risk areas of code

AI-powered tools can flag insecure dependencies, detect anomalies in runtime behavior, and even suggest safer configurations — all while keeping testing speed and agility intact.

Conclusion: Secure Testing Is Smart Business

In an era where software velocity matters more than ever, cutting corners on security — even in your testing practices — is a risk your business can’t afford. Cloud-based test automation should be a force multiplier, not a vulnerability.

By adopting a security-first mindset and embracing intelligent platforms like GenQE.ai, you can ensure that your testing infrastructure is as resilient as the applications it supports.

Because true quality isn’t just about code coverage — it’s about confidence, control, and keeping your users safe.

0 notes

winklix · 2 months ago

Text

Navigating the Minefield: Key Mobile App Vulnerabilities and Strategies for Robust Security

In today's digital landscape, mobile applications have become indispensable tools for businesses and individuals alike. From streamlining 1 operations to enhancing customer engagement, the 2 power of mobile apps is undeniable. However, this pervasive adoption also brings forth significant security concerns. As a leading mobile app development company in Sydney, we understand that building a successful app goes beyond functionality and user experience; it necessitates a strong foundation of security. Ignoring potential vulnerabilities can lead to devastating consequences, including data breaches, financial losses, and reputational damage.

This comprehensive guide delves into the critical mobile app vulnerabilities that developers and businesses must be aware of and outlines effective strategies to safeguard against them. Whether you are looking to hire a mobile app developer in Sydney or are an established enterprise seeking to fortify your existing applications, understanding these risks and implementing robust security measures is paramount.

The Lurking Threats: Understanding Key Mobile App Vulnerabilities

The mobile app ecosystem presents a unique attack surface that malicious actors are constantly trying to exploit. Here are some of the most prevalent vulnerabilities:

1. Insecure Data Storage:

This is a common yet critical vulnerability. Sensitive data, such as user credentials, personal information, API keys, and financial details, should never be stored in plain text on the device. Attackers can gain access to this data through various means, including malware, physical device access, or even backups.

Impact: Data breaches, identity theft, financial fraud, privacy violations.

Example: An e-commerce app storing credit card details in shared preferences without encryption.

2. Weak Server-Side Controls:

Mobile apps heavily rely on backend servers for data and functionality. Weaknesses in server-side security, such as insufficient input validation, insecure APIs, and inadequate authentication mechanisms, can be exploited to compromise the entire system, including the mobile app.

Impact: Data manipulation, unauthorized access, denial of service, server takeover.

Example: An API endpoint that doesn't properly validate user input, allowing attackers to inject malicious code.

3. Insecure Communication:

Data transmitted between the mobile app and the backend server must be protected against eavesdropping and tampering. Failure to implement secure communication protocols like HTTPS can expose sensitive information during transit.

Impact: Man-in-the-middle attacks, data interception, session hijacking.

Example: An app transmitting login credentials over unencrypted HTTP.

4. Insufficient Cryptography:

While encryption is crucial, using weak or improperly implemented cryptographic algorithms and practices can render the encryption ineffective. This includes using outdated algorithms, hardcoding encryption keys, or failing to properly manage keys.

Impact: Data exposure, circumvention of security controls.

Example: An app using a deprecated encryption algorithm with a publicly known vulnerability.

5. Client-Side Injection:

Similar to web application vulnerabilities, mobile apps can be susceptible to client-side injection attacks. This can occur through WebView components, local databases (like SQLite), or even through inter-app communication. Attackers can inject malicious code to manipulate app behavior or gain access to sensitive data.

Impact: Data theft, unauthorized actions, cross-site scripting within the app.

Example: An app using a WebView to display external content without proper sanitization, allowing for JavaScript injection.

6. Binary Exploitation:

Attackers with advanced skills can reverse-engineer and analyze the mobile app's binary code to identify vulnerabilities. These vulnerabilities can then be exploited to bypass security controls, inject malicious code, or gain unauthorized access to device resources.

Impact: Code manipulation, privilege escalation, malware injection.

Example: Exploiting a buffer overflow vulnerability in the native code of the app.

7. Third-Party Libraries and SDKs:

Mobile app development often involves integrating third-party libraries and Software Development Kits (SDKs) to expedite development and add functionalities. However, these components can introduce their own vulnerabilities if they are not regularly updated or come from untrusted sources.

Impact: Introduction of known vulnerabilities, malicious code execution.

Example: An outdated advertising SDK with a publicly disclosed security flaw.

8. Improper Session Handling:

Weak session management can allow attackers to hijack user sessions and gain unauthorized access to user accounts and data. This includes using predictable session identifiers, failing to invalidate sessions properly after logout, or storing session tokens insecurely.

Impact: Account takeover, unauthorized access to user data and functionalities.

Example: An app using simple sequential numbers as session identifiers.

9. Lack of Proper Authentication and Authorization:

Robust authentication mechanisms are essential to verify user identities, and proper authorization controls are needed to ensure that users can only access the resources and functionalities they are permitted to. Weaknesses in these areas can lead to unauthorized access and data breaches.

Impact: Account takeover, privilege escalation, unauthorized data access.

Example: An app that doesn't enforce strong password policies or allows users to access administrative functionalities without proper authorization.

10. Sensitive Information Disclosure:

Unintentionally exposing sensitive information through logs, error messages, or other means can provide attackers with valuable insights into the app's internal workings and potential vulnerabilities.

Impact: Information leakage, aiding in further attacks.

Example: An app logging sensitive user data or displaying verbose error messages in production builds.

Fortifying Your Defenses: Strategies to Safeguard Your Mobile App

As a leading app development company in Sydney and home to experienced mobile app developers in Sydney and skilled app developers in Sydney, we advocate for a proactive and layered security approach. Here are crucial strategies to mitigate the aforementioned vulnerabilities:

1. Secure Data Storage Practices:

Encryption: Always encrypt sensitive data at rest using strong, industry-standard encryption algorithms (e.g., AES-256).

Key Management: Implement secure key management practices. Avoid hardcoding keys in the app. Consider using the device's secure hardware (like the Keystore on Android or Secure Enclave on iOS) or secure key management services.

Minimize Storage: Only store essential data locally. For highly sensitive information, rely on secure server-side storage.

2. Robust Server-Side Controls:

Input Validation: Implement rigorous input validation on the server-side to prevent injection attacks and ensure data integrity.

Secure API Design: Design secure APIs with proper authentication (e.g., OAuth 2.0), authorization, and rate limiting.

Regular Security Audits: Conduct regular security audits and penetration testing of your backend infrastructure.

3. Secure Communication Channels:

HTTPS/TLS: Enforce HTTPS (HTTP over TLS/SSL) for all communication between the mobile app and the backend server to encrypt data in transit.

Certificate Pinning: Implement certificate pinning to prevent man-in-the-middle attacks by verifying the server's certificate against a pre-defined set of trusted certificates.

4. Strong Cryptographic Implementation:

Use Strong Algorithms: Employ well-vetted and up-to-date cryptographic algorithms. Avoid using deprecated or known-to-be-weak algorithms.

Proper Key Generation and Management: Generate strong, random keys and implement secure key storage, rotation, and lifecycle management.

Avoid Custom Cryptography: Unless you have specialized expertise, rely on established cryptographic libraries.

5. Client-Side Security Measures:

WebView Security: When using WebView, carefully sanitize any external content and disable unnecessary features like JavaScript execution from untrusted sources.

Secure Local Databases: Encrypt local databases if they store sensitive information. Use parameterized queries to prevent SQL injection.

Secure Inter-App Communication: If your app communicates with other apps, ensure that the communication channels are secure and properly validated.

6. Binary Protection Techniques:

Code Obfuscation: Employ code obfuscation techniques to make it harder for attackers to reverse-engineer the app's code.

Tamper Detection: Implement mechanisms to detect if the app has been tampered with.

Root/Jailbreak Detection: Consider implementing checks to detect if the app is running on a rooted (Android) or jailbroken (iOS) device and implement appropriate security measures.

7. Vigilant Third-Party Library Management:

Source Review: Carefully vet the third-party libraries and SDKs you integrate into your app.

Regular Updates: Keep all third-party components up-to-date to patch known vulnerabilities.

Minimize Dependencies: Only include necessary libraries to reduce the attack surface.

8. Secure Session Management:

Strong Session Identifiers: Use cryptographically strong, random session identifiers.

Session Timeout: Implement appropriate session timeouts.

Secure Storage of Tokens: Store session tokens securely (e.g., in memory or using secure storage mechanisms).

Proper Logout Handling: Invalidate sessions on the server-side when a user logs out.

9. Robust Authentication and Authorization:

Multi-Factor Authentication (MFA): Implement MFA to add an extra layer of security to user accounts.

Strong Password Policies: Enforce strong password requirements.

Principle of Least Privilege: Grant users only the necessary permissions to perform their tasks.

Regularly Review Permissions: Periodically review and update user roles and permissions.

10. Minimizing Sensitive Information Disclosure:

Disable Debugging in Production: Ensure that debugging features are disabled in production builds.

Limit Logging: Avoid logging sensitive information in production. If logging is necessary, ensure logs are stored securely.

Custom Error Handling: Implement custom error handling to prevent the disclosure of sensitive internal information in error messages.

Partnering for Security: Choosing the Right Development Partner

Selecting the right mobile app development company in Sydney is crucial for building secure and reliable applications. When looking for an app development company in Sydney or a skilled app developer in Sydney, prioritize partners who demonstrate a strong commitment to security best practices throughout the entire development lifecycle. A reputable mobile app developers in Sydney team will integrate security considerations from the initial design phase to post-launch maintenance.

Conclusion: Building a Secure Mobile Future

In the ever-evolving landscape of cyber threats, mobile app security is not a one-time task but an ongoing process. By understanding the key vulnerabilities and implementing robust safeguarding strategies, businesses can build resilient and trustworthy mobile applications. As a leading mobile app development company in Sydney, we are dedicated to helping our clients navigate these challenges and build secure mobile solutions that protect their users and their businesses. Investing in security is not just a cost; it's an investment in the long-term success and reputation of your mobile application.

#mobile app development company in sydney #mobile app developer in sydney #app development company in sydney #app developer in sydney #mobile app developers in sydney

0 notes

souhaillaghchimdev · 3 months ago

Text

Software Data Encryption and Protection Methods

In today's digital world, protecting sensitive information is more important than ever. Whether you're building a web app, mobile platform, or desktop software, data encryption and security should never be an afterthought. Here’s a breakdown of essential encryption techniques and protection methods developers should implement.

1. What Is Data Encryption?

Data encryption is the process of converting readable data (plaintext) into an unreadable format (ciphertext) to prevent unauthorized access. Only someone with the correct decryption key can read the encrypted data.

2. Types of Encryption

Symmetric Encryption: Uses one secret key for both encryption and decryption. Examples: AES (Advanced Encryption Standard), DES, Blowfish

Asymmetric Encryption: Uses a public key to encrypt and a private key to decrypt. Examples: RSA, ECC

3. Hashing vs Encryption

Hashing is different from encryption. It’s a one-way process used to verify data integrity (like passwords). You can’t “decrypt” a hash.

Common hashing algorithms: SHA-256, SHA-3, Bcrypt, Argon2

Use case: Store passwords using salted hashes, not plain text!

4. Data Protection Methods

Besides encryption, software should use other protective techniques to secure data:

Secure Transmission: Always use HTTPS (TLS) to encrypt data in transit.

Access Controls: Implement authentication and authorization mechanisms (OAuth, JWT).

Database Security: Use encrypted fields, SQL injection protection, and secure ORM practices.

Environment Security: Store secrets in environment variables or secure vaults (e.g., HashiCorp Vault, AWS Secrets Manager).

5. Best Practices for Developers

Never hardcode credentials or keys in your codebase.

Use well-tested encryption libraries instead of building your own.

Regularly update dependencies to patch known vulnerabilities.

Use 2FA (Two-Factor Authentication) for admin accounts and APIs.

Log access attempts and monitor for unusual activity.

6. Real-World Tools and Libraries

OpenSSL – Encryption and SSL/TLS implementation

PyCryptodome (Python), CryptoJS (JavaScript), Bouncy Castle (Java) – for app-level encryption

Let's Encrypt – Free SSL/TLS certificates for HTTPS

Conclusion

Strong encryption and data protection methods are crucial in preventing breaches and building user trust. By implementing these practices, developers can create more secure and reliable software. Remember — security is not a feature, it’s a responsibility.

#programming

0 notes

infomagine · 3 months ago

Text

How to Secure Your Web Application: Essential Security Measures

In today's digital world, web applications are at the core of most businesses, handling sensitive data and providing essential services. With this increased reliance comes a greater risk of security threats. Hackers and malicious actors are constantly evolving their tactics, making it crucial for businesses to prioritize web application security. A single breach can lead to compromised data, damaged reputations, and significant financial losses.

If you're in the process of developing a web application or managing an existing one, it's important to implement robust security measures. In this blog, we’ll explore essential strategies for securing your web application and ensuring it remains safe from potential threats.

1. Implement Secure Authentication Methods

One of the first lines of defense for any web application is the authentication system. It's crucial to ensure that only authorized users can access sensitive parts of your application. Here are a few practices to strengthen your authentication:

Use Multi-Factor Authentication (MFA): MFA adds an extra layer of security by requiring users to verify their identity through two or more methods (something they know, something they have, or something they are).

Strong Password Policies: Enforce strong password requirements, such as a combination of uppercase and lowercase letters, numbers, and special characters.

Password Hashing: Never store passwords in plain text. Use secure hashing algorithms (such as bcrypt or Argon2) to protect stored passwords.

2. Ensure Data Encryption

Data security is one of the most important aspects of web application development. Encrypting sensitive information ensures that even if an attacker gains access to your data, they cannot read or use it.

Use HTTPS: Ensure that your web application uses HTTPS (Hypertext Transfer Protocol Secure) to encrypt data transmitted between the server and the client. This prevents attackers from intercepting sensitive data, such as login credentials or personal information.

Encrypt Sensitive Data: Encrypt all sensitive data both at rest (in storage) and in transit (during communication). Implement encryption protocols such as AES (Advanced Encryption Standard) for data storage and RSA for secure data transmission.

3. Regularly Update and Patch Software

One of the easiest ways for hackers to exploit your web application is by taking advantage of outdated software with known vulnerabilities. It's essential to stay on top of updates and patches for both your web application and the underlying infrastructure (such as the server operating system, web server, and frameworks).

Automate Updates: Set up automated systems to notify you when security patches are available and ensure they're applied immediately.

Keep Libraries and Frameworks Updated: Regularly review and update the libraries, frameworks, and third-party tools used in your application.

4. Use Secure Coding Practices

Ensuring your web application is secure starts with writing secure code. Vulnerabilities such as cross-site scripting (XSS) and SQL injection are common in poorly written code. Adopting secure coding practices from the outset can prevent many security flaws.

Input Validation and Sanitization: Always validate and sanitize user inputs to avoid attacks like SQL injection or XSS. Use whitelisting and ensure that inputs are strictly checked against allowed patterns.

Avoid Hardcoding Credentials: Never hardcode sensitive data such as API keys, database credentials, or passwords directly into your source code. Instead, use environment variables or encrypted secret management services.

5. Implement Role-Based Access Control (RBAC)

Controlling access within your web application is critical to prevent unauthorized actions. Role-based access control (RBAC) allows you to define different roles with specific permissions, ensuring that users only have access to the resources they need.

Granular Permissions: Define roles based on job functions and grant them only the necessary permissions to perform their tasks.

Least Privilege Principle: Apply the principle of least privilege by ensuring that each user has the minimum access required to perform their duties, reducing the risk of accidental or malicious data exposure.

6. Conduct Regular Security Audits and Penetration Testing

Security vulnerabilities can easily go unnoticed during development. Regular security audits and penetration testing (pen-testing) are essential for identifying weaknesses before they can be exploited.

Web Application Security Audits: Conduct regular code reviews and audits to identify any vulnerabilities in your web application. Automated tools like OWASP ZAP and Burp Suite can help you scan your application for common vulnerabilities.

Penetration Testing: Hire ethical hackers or use a web application development company that offers penetration testing services to actively try to break into your web application, identifying flaws before malicious actors can exploit them.

7. Use a Web Application Firewall (WAF)

A Web Application Firewall (WAF) is an essential security measure that filters and monitors HTTP traffic between a web application and the internet. It helps protect your web application from common attacks such as SQL injection, cross-site scripting (XSS), and distributed denial-of-service (DDoS) attacks.

Filter Malicious Traffic: A WAF can block malicious requests and prevent attacks before they reach your application.

Monitor Traffic: WAFs help in monitoring inbound and outbound traffic, allowing you to detect and mitigate threats in real time.

8. Backup and Disaster Recovery Plan

While security measures are crucial, it’s also essential to have a disaster recovery plan in place in case your web application is compromised. Regular backups are critical to restoring your data and minimizing downtime.

Backup Your Data: Ensure you back up all important data regularly. Store backups in a secure, offsite location.

Test Your Recovery Plan: Regularly test your disaster recovery plan to ensure that it’s effective and that you can quickly restore your web application in the event of an attack or failure.

9. Monitor and Respond to Security Threats

Security doesn’t stop once your web application is launched. You need to continuously monitor for potential threats and respond quickly if something goes wrong. Implementing an effective monitoring system helps identify anomalies that may indicate an attack or breach.

Set Up Logging and Monitoring: Use logging tools like ELK Stack or Splunk to monitor application logs for suspicious activity.

Implement an Incident Response Plan: Have a defined procedure for responding to security breaches, including identifying, containing, and recovering from attacks.

Conclusion

Securing your web application is an ongoing process that requires careful planning and consistent attention. By implementing strong authentication methods, encrypting data, writing secure code, and regularly conducting security audits, you can significantly reduce the risk of vulnerabilities. If you lack the internal resources to handle this, consider reaching out to web application development services to get professional help in building a secure application.

A proactive approach to web application security will not only protect your business and users but also build trust and credibility in a competitive market. Prioritize security at every stage of the development process, and you'll create a robust, resilient web application capable of withstanding the evolving threats of the digital world.

#web application development company #web application development services

0 notes

hydrus · 4 years ago

Text

Version 428

youtube

windows

zip

exe

macOS

app

linux

tar.gz

I had a good couple weeks working on the taglist code and some other jobs.

If you are on Windows and use the 'extract' release, you may want to do a 'clean' install this week. Extra notes below.

taglists

So, I took some time to make taglists work a lot cleaner behind the scenes and support more types of data. A heap of code is cleaner, and various small logical problems related to menus are fixed. The tag right-click menu is also more compact, quicker to see and do what you want.

The main benefits though are in the manage tags dialog. Now, the '(will display as xxx)' sibling suffix colours in the correct namespace for the sibling, and parents 'hang' underneath all tags in all the lists. It is now much easier to see why a parent or sibling is appearing for a file.

This is a first attempt. I really like how these basically work, but it can get a bit busy with many tags. With the cleaner code, it will be much easier to expand in future. I expect to add 'expand/collapse parents' settings and more sorts, and maybe shade parents a bit transparent, in the coming weeks. Please let me know how it works for you IRL and I'll keep working.

the rest

The main nitter site seems to be overloaded. They have a bunch of mirrors listed here: https://github.com/zedeus/nitter/wiki/Instances

I picked two roughly at random and added new downloaders for them. If you have Nitter subs, please move their 'sources' over, and they should start working again (they might need to do a bit of 'resync' and will complain about file limits being hit since the URLs are different, but give them time). If you would rather use another mirror, feel free to duplicate your own downloaders as well. Thanks to a user who helped here with some fixed-up parsers.

I gave the recently borked grouped 'status' sort in thread watchers and downloader pages another go, and I improved the reporting there overall. The 'working' status shouldn't flicker on and off as much, there is a new 'pending' status for downloaders waiting for a work slot, and the 'file status' icon column now shows the 'stop' symbol when files are all done.

The menu entry to 'open similar-looking files' is now further up on thumbnails' 'open' submenus.

The duplicate filter has its navigation buttons on the right-hand hover window rearranged a bit. It is silly to have both 'previous' and 'next' when there are only two files, so I merged them. You can also set 'view next' as a separate shortcut for the duplicate filter, if you want to map 'flip file' to something else just for the filter.

windows clean install

If you use the Windows installer, do not worry, these issues are fixed automatically for you from now on.

I updated to a new dev machine this week. Some libraries were updated, and there is now a dll conflict, where a dll from an older version is interfering with a new one. As it happens, the library that fails to load is one I made optional this week, so it doesn't ''seem'' to actually stop you from booting the client, but it will stop you from running the Client API in https if you never did it before (the library does ssl certificate generation).

It is good to be clean, so if you extract the Windows release, you may want to follow this guide this week: https://hydrusnetwork.github.io/hydrus/help/getting_started_installing.html#clean_installs

full list

interesting taglist changes:

taglists work way better behind the scenes

when siblings display with the '(will display as xxx)' suffix, this text is now coloured by the correct namespace!

parents now show in 'manage tags dialog' taglists! they show up just like in a write/edit tag autocomplete results list

the tag right-click menu has had a pass. 'copy' is now at the top, the 'siblings and parents' menu is split into 'siblings' and 'parents' with counts on the top menu label and the submenus for each merged, and the 'open in new page' commands are tucked into an 'open' submenu. the menu is typically much tighter than before

when you hit 'select files with these tags' from a taglist, the thumbgrid now takes keyboard focus if you want to hit F7 or whatever

custom tag presentation (_options->tag presentation_, when you set to always hide namespaces or use custom namespace separator in read/search views) is more reliable across the program. it isn't perfect yet, but I'll keep working

a heap of taglist code has been cleaned up. some weird logical issues should be better

now the code is nicer to work with, I am interested in feedback on how to further improve display and workflows here

the rest:

added two mirrors for nitter, whose main site is failing due to load. I added them randomly from the page here: https://github.com/zedeus/nitter/wiki/Instances . if you have nitter subs, please move their download source to one of the mirrors or set up your own url classes to other mirror addresses. thanks to a user for providing other parser fixes here

gallery download pages now show the 'stop' character in the small file column when the files are done

gallery download pages now report their 'working' status without flicker, and they report 'pending' when waiting for a download slot (this situation is a legacy hardcoded bottleneck that has been confusing)

thread watchers also now have the concept of 'pending', and also report when they are next checking

improved the new grouped status sort on gallery downloader and watcher pages. the ascending order is now DONE, working, pending, checking later (for watchers), paused

the network request delay after a system resume is now editable under the new options->system panel. default is 15 seconds

the 'wait on files too' option is moved from 'files and trash' to this panel

when the 'just woke' status is active, you now get a little popup with a cancel button to override it

'open similar-looking files' thumbnail menu entry is moved up from file relationships to the 'open' menu

the duplicate filter right-hand hover window no longer has both 'previous' and 'next' buttons, since they both act as 'flip', and the merged button is moved down, made bigger, and has a new icon

added 'view next' to the duplicate filter shortcut set, so you can set a custom 'flip between pair' mapping just for that filter

thanks to a user helping me out, I was able to figure out a set of lookups in the sibling/parent system that were performing unacceptably slow for some users. this was due to common older versions of sqlite that could not optimise a join with a multi-index OR expression. these queries are now simpler and should perform well for all clients. if your autocomplete results from a search page with thumbs were achingly slow, let me know how they work now!

the hydrus url normalisation code now treats '+' more carefully. search queries like 6+girls should now work correctly on their own on sites where '+' is used as a tag separator. they no longer have to be mixed with other tags to work

small/specific stuff:

the similar files maintenance search on shutdown now reports file progress every 10 files and initialises on 0. it also has faster startup time in all cases

when a service is deleted, all currently open file pages will check their current file and tag domains and update to nicer defaults if they were pointed at the now-missing services

improved missing service error handling for file searches in general--this can still hit an export folder pointed at a missing service

improved missing service error handling for tag autocomplete searches, just in case there are still some holes here

fixed a couple small things in the running from source help and added a bit about Visual Studio Build Tools on Windows

PyOpenSSL is now optional. it is only needed to generate the crt/key files for https hosting. if you try to boot the server or run the client api in https without the files and without the module available to generate new ones, you now get a nice error. the availability of this library is now in the client's about window

the mpv player will no longer throw ugly errors when you try to seek on a file that its API interface cannot support

loading a file in the media viewer no longer waits on the file system lock on the main thread (it was, very briefly), so the UI won't hang if you click a thumb just after waking up or while a big file job is going on

the 'just woke' code is a little cleaner all around

the user-made downloader repository link is now more obvious on Lain's import dialog

an old hardcoded url class sorting preference that meant gallery urls would be matched against urls before post, and post before file, is now eliminated. url classes are now just preferenced by number of path components, then how many parameters, then by example url length, with higher numbers matching first (the aim is that the more 'specific' and complicated a url class, the earlier it should attempt to match)

updated some of the labelling in manage tag siblings and parents

when you search autocomplete tags with short inputs, they do not currently give all 'collapsed' matching results, so an input of 'a' or '/a/' does not give the '/a/' tag. this is an artifact of the new search cache. after looking at the new code, there is no way I can currently provide these results efficiently. I tested the best I could figure out, but it would have added 20-200ms lag on all PTR searches, so instead I have made a plan to resurrect an old cache in a more efficient way. please bear with me on this problem

tag searches that only include unusual characters like ? or & are now supported without having to lead the query with an asterisk. they will be slower than normal text search

fixed a bug in the 'add tags before import' dialog for local imports where deleting a 'quick namespace' was not updating the tag list above

windows clean install:

I moved to a new windows dev machine this week and a bunch of libraries were updated. I do not believe the update on Windows _needs_ a clean install this week, as a new dll conflict actually hits the coincidentally now-optional PyOpenSSL, but it is worth doing if you want to start using the Client API soon, and it has been a while, so let's be nice and clean. if you extract the release on Windows, please check out this guide: https://hydrusnetwork.github.io/hydrus/help/getting_started_installing.html#clean_installs

the Windows installer has been updated to remove many old files. it should now do clever clean installs every week, you have nothing to worry about!™

boring db breakup:

the local tags cache, which caches tags for your commonly-accessed hard drive files, is now spun off to its own module

on invalid tag repair, the new master tags module and local tags cache are now better about forgetting broken tags

the main service store is spun off to its own module. several instances of service creation, deletion, update and basic fetching are merged and cleaned here. should improve a couple of logical edge cases with update and reset

boring taglist changes:

taglists no longer manage text and predicates, but a generalised item class that now handles all text/tag/predicate generation

taglist items can occupy more than one row. all position index calculations are now separate from logical index calculations in selection, sizing, sorting, display, and navigation

all taglist items can present multiple colours per row, like OR predicates

items are responsible for sibling and parent presentation, decoupling a heap of list responsibility mess

tag filter and tag colour lists are now a separate type handled by their own item types

subordinate parent predicates (as previously shown just in write/edit autocomplete result lists) are now part of multi-row items. previously they were 'quiet' rows with special rules that hung beneath the real result. some related selection/publish logic is a bit cleaner now

string tag items are now aware of their parents and so can present them just like autocomplete results in write/edit contexts

the main taglist content update routines have significantly reduced overhead. the various expansions this week add some, so we'll see how this all shakes out

the asynchronous sibling/parent update routine that populates sibling and parent data for certain lists is smarter and saves more work when data is cached

old borked out selection/hitting-skipping code that jumped over labels and parents is now removed

'show siblings and parents' behaviour is more unified now. basically they don't show in read/search, but do in write/edit

a heap of bad old taglist code has been deleted or cleaned up

next week

This was a big couple of weeks. Setting up the new dev machine--I replaced my six year old HP office computer with a nice mini-pc with an SSD--worked out great, but there were some headaches as always. The taglist work was a lot too. I'll take next week a little easier, just working misc small jobs.

#release

1 note · View note

eggman-is-fat-mkay · 2 years ago

Text

alright technically it is on your prof for never teaching you how to do that, but fr, if you put sensitive information (like an API key or, worse, login credentials) in a file that actually gets committed to a public git repo, you are basically asking to get 20 different kinds of hacked. it's like logging onto some MMO or forum or whatever and putting your password in chat.

now about the gitignore file. Super simple. Create a file in the root of your git repo called ".gitignore" exactly. open it with a text editor and put in relative paths to files, one to a line, that you want Git to, well, ignore. For example, say I have two files in my repo that I don't want Joe Random on the internet to be able to look at because I put hardcoded access tokens in them, secrets.json in my repo root and a Java class.

My .gitignore could look like this:

secrets.json

src/com/yourname/yourproject/Secrets.java

For 99% of use cases that's all there is to it! You can use wildcards to match multiple files, and you can find a full list of all features supported by .gitignore files here, but that's the gist. Note that one thing you cannot do is exclude individual lines from a single file -- either the whole file is there or it's not -- so I strongly recommend putting all your secrets in one file. If you're in a language that supports includes, like C++ or Rust, I'd put all of them there, and include that file as needed from your other code. Otherwise, either just have a source file containing constant definitions (like a Java class with no constructors or methods, only public static final attributes) or a YAML file or similar on disk which your program parses on startup. I prefer the first approach since the secrets get compiled into your program and you don't have to rely on that config file being there or waste time parsing it, although if everyone who uses your program is going to have a different version of that secret (e.g. if you're writing a Discord bot for people to use on their own computer with their own API key) a config file with the secret is definitely the way to go. It doesn't have to be anything fancy -- a JSON file will do, or even just a text file with one line containing the access token; people who host their own Discord bots are usually tech savvy enough to figure that out -- although if you can be bothered to figure out how to work your language's YAML parser you'll definitely thank yourself later when you decide you'd like to add config options.

Also keep in mind that no matter which approach you take, when you clone your repo on another computer, those files won't be there, and your program won't work. That's the point of a .gitignore file. You'll have to share those files between computers some other way. My preferred method is SFTP, but Google Drive works if you're using an operating system without SFTP support, like Windows (if you decide you like software development, you'll definitely want to look into Linux at some point). This should go without saying, but don't put it in the same repo under a different name, or in a different git repo on the same GitHub/GitLab account with a name like myproject-secrets. Or if you do, at LEAST make the second repo private. People will figure that out.

Pro tip: check your .gitignore file into Git. This will let other people know which files they'll need to provide for themselves, and, if you yourself clone the repo on another computer, will prevent you from accidentally uploading your secrets file from there.

Need to learn how .gitignore and config files work. Got marked down because I didn’t hide my API key that I used for my weather dashboard homework, inside of a .gitignore file…

But Hon, you never taught us that xoxo

90 notes · View notes

tak4hir0 · 5 years ago

Link

Lightning Web Components is our open source UI framework to build enterprise-scale apps that run on Salesforce, Heroku, Google Cloud Platform, or anywhere else. When running these apps on these different platforms, you can choose your own backend stack and data source, or you may want surface data from Salesforce in them. In this blog post, we will explore some options and considerations when using Salesforce as the data source. Authentication Salesforce provides a comprehensive set of REST and SOAP APIs that can be used to access its data and services from a client or server. The first step before accessing the APIs, is to establish a session with Salesforce. You can either use a username and password, or any of the OAuth flows listed here. Depending on your use case, these flows can be executed by client-side or server-side JavaScript. You can either build this logic from scratch or use external libraries like JSforce. Here are some considerations when deciding on an Authentication Flow for your app. Client Side Authentication You can use the OAuth User-Agent Flow to execute the handshake process using client side JavaScript alone. It involves a simple redirection to the /oauth2/authorize endpoint and takes in the Consumer Key of a Connected App as a parameter. Once the authorization is successful, the access token is encoded in the redirection URL. When you run client-side JavaScript, all the code is executed on the user’s device, so sensitive data like passwords and client secrets are accessible and exploitable. For this reason, this flow doesn’t use the client secret. However, the access token is encoded into the redirection URL which is exposed to the user and other apps on the device. Hence, care must be taken to remove callbacks from browser history. You can call window.location.replace(); to remove the callback from the browser’s history. It is best to use this type of Auth flow when building Lightning Web Components for desktop or mobile apps that have an embedded browser. Once you have the access token, you can pass it in the header of any HTTP requests to access Salesforce APIs. Building and sending a request from client-side JavaScript poses a risk, because the access token becomes available to the client and can be exploited. Therefore, sensitive business logic involving access tokens, usernames and passwords must never be written in client side JavaScript, because they are inadvertently exposed. To increase security and provide a better level of abstraction between your custom application and the APIs, you should use a middleware like Express, MuleSoft or any other ESB of your choice. Server Side Authentication You can use the Web server flow or the JWT Bearer flow to execute the handshake process using server side JavaScript like Node JS or any other stack of your choice. In case of Lightning Web Components, the create-lwc-app tool provides an option to create and use an Express server as a backend. You can choose an OAuth flow that suits your requirements. For instance, you can use the JWT Bearer flow when you want to use a single integration user to access data on behalf of all users. Use cases include showing read-only data (e.g. product catalog) to unauthenticated users. The web-server flow on the other hand can be used for per-user authorization. Use cases include websites where data relevant to the logged in user is shown (e.g. cart, order history etc.). You can also refer to this Trailhead Module that talks in detail about the use cases for different OAuth flows. When running authentication flows on a server, it is expected that the server protects and securely stores all the secrets. In the case of Web Server flow, the client secret that prevents a spoofing server must be stored securely. In the case of JWT Bearer flow, an X509 Certificate that corresponds to the private key of the app must be created and stored in a keystore. These secrets and certificate aliases also have to be configurable (generally using Environment Variables) and should never be hardcoded into your codebase. This also allows you to change them without rebuilding the app and to deploy instances of your app in different environments with ease. When developing locally, for example with Node.js, these are stored in a .env file, which can then be accessed in your code by using libraries like dotenv, saving you the trouble of setting them manually every time. You should exclude sensitive configuration files like .env from version control by referencing them in specific files like .gitignore for git. Data Residency Securing access to Salesforce data doesn’t stop with authentication. Data must be stored and transmitted securely as well. Data on the Salesforce Platform is secured with its core security capabilities like Sharing Model, Object and Field Level Security and optionally Salesforce Shield for encryption and high compliance. Using Salesforce APIs allows you real time access to data without making a copy of it. The data returned by the API is bound by the permissions of the user accessing the API. Depending on your use case, you might want to replicate Salesforce data into a local/managed database. Since you can deploy Lightning Web Components Open Source (LWC OSS) apps on any platform, there are different options that each platform provides for data storage and replication. For example, Heroku Connect is an add-on by Heroku that provides a data synchronization service between Salesforce and Heroku Postgres databases. Add-Ons/Connectors like these are built to securely store tokens, and establish a session with Salesforce when needed. It is important to remember that once data is replicated locally, it is not bound by the same Sharing Model that is present in Salesforce. It is therefore necessary to implement your own access control mechanism. Also, never write the logic that queries for data or filters data based on access controls on the client side, because it can be easily tampered with. In the screenshot below, an if condition is being used by the component to only show the data relevant to the logged in user. This statement can be easily removed using browser tools which would then give the logged in user access to all the data that is being returned by the server. As a best practice, you should always use a middleware to abstract sensitive logic from the client-side and make sure that the middleware returns only the data that’s relevant to the user and nothing more. Summary In this blog post, you’ve learned about different approaches to authenticate to Salesforce from an app built with LWC OSS and what factors determine the approach you take. You’ve seen drawbacks of accessing data from the client side, and how a server can help you secure your implementation. You’ve also seen how the responsibility of data security varies with choice of data residency. However, it is also important to note that this blog post doesn’t exhaustively list all of the options available for secure Salesforce data access, but instead provides general indication patterns and principles that are used. Now it’s time to get hands-on! Below are a few resources to help you get started. Sample Code Lightning Web Components OSS foundation and documentation Trailhead Project: Access Salesforce Data with Lightning Web Components Open Source Trailhead Module: Connected App Basics About the Author Aditya Naag Topalli is a 13x Certified Senior Developer Evangelist at Salesforce. He focuses on Lightning Web Components, Einstein Platform Services, and integrations. He writes technical content and speaks frequently at webinars and conferences around the world. Follow him on Twitter @adityanaag.

#Salesforce Developers Blog

0 notes

un-enfant-immature · 6 years ago

Text

GitGuardian raises $12M to help developers write more secure code and ‘fix’GitHub leaks

Data breaches that could cause millions of dollars in potential damages have been the bane of the life of many a company. What’s required is a great deal of real-time monitoring. The problem is that this world has become incredibly complex. A SANS Institute survey found half of company data breaches were the result of account or credential hacking.

GitGuardian has attempted to address this with a highly developer-centric cybersecurity solution.

It’s now attracted the attention of major investors, to the tune of a $12 million in Series A funding, led by Balderton Capital . Scott Chacon, co-founder of GitHub, and Solomon Hykes, founder of Docker also participated in the round.

The startup plans to use the investment from Balderton Capital to expand its customer base, predominantly in the US. Around 75% of its clients are currently based in the US, with the remainder being based in Europe, and the funding will continue to drive this expansion.

Built to uncover sensitive company information hiding in online repositories, GitGuardian says its real-time monitoring platform can address the data leaks issues. Modern enterprise software developers have to integrate multiple internal and third-party services. That means they need incredibly sensitive “secrets”, such as login details, API keys, and private cryptographic keys used to protect confidential systems and data.

GitGuardian’s systems detect thousands of credential leaks per day. The team originally built its launch platform with public GitHub in mind, however, GitGuardian is built as a private solution to monitor and notify on secrets that are inappropriately disseminated in internal systems as well, such as private code repositories or messaging systems.

Solomon Hykes, founder of Docker and investor at GitGuardian, said: “Securing your systems starts with securing your software development process. GitGuardian understands this, and they have built a pragmatic solution to an acute security problem. Their credentials monitoring system is a must-have for any serious organization”.

Do they have any competitors?

Co-founder Jérémy Thomas told me: “We currently don’t have any direct competitors. This generally means that there’s no market, or the market is too small to be interesting. In our case, our fundraise proves we’ve put our hands on something huge. So the reason we don’t have competitors is because the problem we’re solving is counterintuitive at first sight. Ask any developer, they will say they would never hardcode any secret in public source code. However, humans make mistakes and when that happens, they can be extremely serious: it can take a single leaked credential to jeopardize an entire organization. To conclude, I’d say our real competitors so far are black hat hackers. Black hat activity is real on GitHub. For two years, we’ve been monitoring organized groups of hackers that exchange sensitive information they find on the platform. We are competing with them on speed of detection and scope of vulnerabilities covered.”

#TechCrunch

0 notes

magzoso-tech · 6 years ago

Photo

New Post has been published on https://magzoso.com/tech/gitguardian-raises-12m-to-help-developers-write-more-secure-code-and-fix-github-leaks/

GitGuardian raises $12M to help developers write more secure code and ‘fix’ GitHub leaks

GitGuardian has attempted to address this with a highly developer-centric cybersecurity solution.

It’s now attracted the attention of major investors, to the tune of $12 million in Series A funding, led by Balderton Capital. Scott Chacon, co-founder of GitHub, and Solomon Hykes, founder of Docker, also participated in the round.

The startup plans to use the investment from Balderton Capital to expand its customer base, predominantly in the U.S. Around 75% of its clients are currently based in the U.S., with the remainder being based in Europe, and the funding will continue to drive this expansion.

Built to uncover sensitive company information hiding in online repositories, GitGuardian says its real-time monitoring platform can address the data leaks issues. Modern enterprise software developers have to integrate multiple internal and third-party services. That means they need incredibly sensitive “secrets,” such as login details, API keys and private cryptographic keys used to protect confidential systems and data.

GitGuardian’s systems detect thousands of credential leaks per day. The team originally built its launch platform with public GitHub in mind; however, GitGuardian is built as a private solution to monitor and notify on secrets that are inappropriately disseminated in internal systems as well, such as private code repositories or messaging systems.

Do they have any competitors?

#Miscellaneous

0 notes

cladeymoore · 6 years ago

Text

Bringing DeFi to the World

DeFi, or decentralized finance, is an essential part of an open financial system. DeFi tools are censorship-resistant, unbiased, and available to anyone with a smartphone. That’s why for this winter’s hackathon, we focused on bringing DeFi to the world.

Hackathons are a critical part of Coinbase’s culture. They’re a great opportunity for anyone to pursue their innovative ideas, and they allow us to disrupt ourselves before somebody else does. As Coinbase CEO and Co-founder Brian Armstrong says, “good ideas can come from anywhere.”

Why DeFi?

This winter’s hackathon was about making DeFi accessible, easy to use, and trusted, both for people curious about it today, and people who don’t know they’re curious yet. Jacob Horne, product manager at Coinbase, held a lunch and learn about DeFi where he described the space this way:

“DeFi is an opportunity to build financial infrastructure that spans the world, is open to everybody, and starts to change how we interact with markets.”

For the Coinbase winter 2019 hackathon, over 250 Coinbase employees submitted 51 ideas—ultimately demoing 31 projects—all focused around how to bring DeFi to the world.

Here is a selection of 10 notable projects, starting with the internal winners:

WINNER, Proof of People Award: Physical Bitcoin Alert

The “Proof of People” award, aka people’s choice, went to Physical Bitcoin Alert is an LED mural that animates according to Bitcoin volatility. By using a Raspberry Pi reading the Coinbase API, the LED mural responds to Bitcoin according to price milestones and volatility.

atomic 11: a keyless cryptography toolkit

Key management systems in use today generate keys in the central service and then use a key-wrapping mechanism to transfer the key to the intended recipient. While this works, if the centralized service is compromised, the client keys may be as well.

By using oblivious pseudo-random functions (OPRFs), you can create a KMS that if compromised, does not compromise the client keys.

This project intends to build a proof-of-concept implementation of an Oblivious Key Management System (OKMS) based on https://eprint.iacr.org/2019/1275 (or perhaps https://eprint.iacr.org/2018/733) and provide some wrapper APIs around it that enable you to perform secure-by-default operations of encrypt, sign, and hmac.

Coinbase Chrome Extension

Coinbase engineer Julia Chou proposed a micropayments Chrome extension. By securely signing into your Coinbase account via Chrome extension, sending payments as you browse the web will be much easier.

Winner, Bounty Hunter Award: Coinbase Oracle/Open Price Feed

Many DeFi apps use price feeds that are available on-chain. This project aims to provide signed price data feeds from Coinbase for specific trading pairs. By signing the price data with an Ethereum private key controlled by Coinbase, DeFi app developers can trust this price feed to provide the most accurate source of on-chain price data. This Oracle project is based on Compound Finance’s Open Oracle implementation. Coinbase Oracle/Open Price Feed was awarded the Bounty Hunter Award, for the best hackathon project from a list of initial bounties.

USDC Treasury DAO

In September, Coinbase initiated the USDC Bootstrap Fund, which is used to support developers building DeFi protocols by directly investing USDC into protocols such as Compound and dYdX. This project aims to make the USDC Bootstrap Fund a decentralized autonomous organization, also known as a DAO. This DAO will allow for applying for funding, accepting new members, and voting on these proposals.

Succession Wallet

Unlike traditional financial assets, there is not a native way to transfer your Bitcoin to your next of kin after your death… Until now. This CLI Bitcoin wallet written in Ruby uses timelocked UTXOs to act as a dead man’s switch. After configuring a time period (nSequence), the owner needs to periodically use the wallet to withdraw funds. If the owner does not use the wallet within the configured time period, the funds become spendable by the successor. For example, a person can spend their coins at any time; but their next of kin can only spend if the UTXO is over 6 months old. In other words, the Succession Wallet is a dead-man’s-switch Bitcoin wallet scheme with hardcoded succession order of funds.

Winner, Honorable Mention: Time Tokenz

An Ethereum token backed by a human individual. Inspired by dApp_boi, imagine a marketplace for individual services. For example, by creating custom ERC20 token users can rent out hourly work. New individuals can create personal tokens and list their services in a Services Marketplace, where you can also see reviews and token price history.

MakerDao Slack Bot

This project built a Slackbot that can pull stats for your Multicollateral Dai (Makerdao) address. Without leaving Slack, you can easily query your MCD position, and retrieve critical statistics.

Silent Witness

If it’s not on the blockchain, it may as well have never happened. Silent Witness is a mobile app to take a photo, hash it, upload the hash via an Eth transaction. Later, you can prove it was your data, as the data is now etched in the Ethereum blockchain. It lets a user prove dates for prior art (useful in patent/IP disclosures, providing evidence in legal proceedings) without revealing the art itself. The app should be able to receive documents as well and check whether their hashes are included in the contract.

Last but not least, the winner of our “Legend” award for best overall project:

Winner, Legend Award: WalletLink SDK

Today, DeFi has a major barrier in that Dapp browsers are typically unfriendly to users. Currently, dapps are only able to create web apps that run in specialized browsers on mobile to in order to access a user’s wallet.

In order to solve this problem, the WalletLink SDK was created. Here’s how it works:

WalletLink Native SDK is meant to be an easy way for dapps to have a user sign transactions from inside their own native application. Here is a demo of WalletLink in action:

To keep things fun and innovative, Coinbase hackathons allow Coinbase employees to explore a wide variety of concepts outside the confines of placing products into production. None of the products or services described in this blog post are in production or are otherwise available to the public, or represent any plan by Coinbase to do so.

This website contains links to third-party websites or other content for information purposes only (“Third-Party Sites”). The Third-Party Sites are not under the control of Coinbase, Inc., and its affiliates (“Coinbase”), and Coinbase is not responsible for the content of any Third-Party Site, including without limitation any link contained in a Third-Party Site, or any changes or updates to a Third-Party Site. Coinbase is not responsible for webcasting or any other form of transmission received from any Third-Party Site. Coinbase is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement, approval or recommendation by Coinbase of the site or any association with its operators.

All images provided herein are by Coinbase.

Bringing DeFi to the World was originally published in The Coinbase Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.

from Money 101 https://blog.coinbase.com/bringing-defi-to-the-world-9b5f95c8fba?source=rss----c114225aeaf7---4 via http://www.rssmix.com/

0 notes

endenogatai · 6 years ago

Text

GitGuardian raises $12M to help developers write more secure code and ‘fix’GitHub leaks

GitGuardian has attempted to address this with a highly developer-centric cybersecurity solution.

Do they have any competitors?

from RSSMix.com Mix ID 8204425 https://ift.tt/33KJJUF via IFTTT

#IFTTT #RSSMix.com Mix ID 8204425

0 notes

esaitech · 6 years ago

Text

Top Mobile Security Best Practices for Developers

The security of an application that you are developing is a bare necessity. Even a single breach in the application can cause create havoc for your work and create a bad name for you as a developer. Security of the application should be the topmost priority for any developer since the starting of the first line of code.

Write a secure code

If your code is vulnerable and has bugs, then many attackers will be easily be able to enter into an application stealthily. A hacker can reverse engineer the code and tamper with it, they will need a public copy of your application to do the same. Studies and researches have shown that malicious code is affecting over 11.6 million of mobile devices everywhere.

Minify and obfuscate your code so that it cannot be reversed engineered. Run your application through tests time and again to fix the bugs once they are exposed to you. Design your code yourself so that it is easy to adjust and patch. Also, use code signing and code hardening.

Encrypt all data

The entire data, even thing that is exchanged over your application must be encrypted. For those who do not know about the term encryption, basically it is just the scrambling of the plain text that converts a word into a vague alphabet soup that does not hold any meaning for anybody else except for the one who have the key.

Be extra cautious with the libraries

When you are using the third-party applications then you must be careful about the code that you are using for the application. Some libraries are extremely insecure for the working of the application.

Use only the authorized API’s

API’s that are loosely coded can grant a hacker privileges that can be used mischievously. For example; if you cache the authorization information then it will easily help the programmers to use the information for making all the API calls. It will also the make the life of the coders easier by making the easy use of the APIs. However, it gives them a loophole through which they can Hijack the privileges.

Use the authentication of a really high level

Some of the biggest security breaches have occurred due to the weak authentication factor. You would not want it to ruin everything for you. Authentication means personal identifiers and the passwords that will act as the barrier for the entry. This depends upon the users of the application and even the developers must educate the users about the importance of the high-level authentication.

If you are a developer then you must design your application as such that it does must not accept any password except for a strong alphanumeric password. A password that you set must be renewed after three or six months. With time the multi-factor authentication has gained prominence as it not so easy to crack. It works on two factor authentication; it requires static password and a dynamic OTP.

If the application is too sensitive then bio-metric authentication which includes fingerprints and retina scanning must be used.

Use the temper detection technologies

These techniques are used to set off the alarms in case if someone tries to tamper the code or wants to inject any malicious code. With active temper detention you can make sure that the code will not be functional if it is once modified.

Make proper sessions for handling

The sessions on your mobile phone must last longer than the desktops. It will make the handling session harder for the server. Prefer using the tokens instead of the device identifiers when you are identifying a session. Tokens can be easily revoked at any time which will make them a more secure when you talk about the stolen devices. Enable the remote wiping of the stolen device and the remote log-off.

Do the tests repeatedly

The process of testing the security apps is unending. New threats emerge every now and then and for the digitally derived world quick solutions are needed. You must invest in threat modelling, penetration testing and make use of the emulators to know and understand the vulnerabilities of an application. Fix all the bugs and patch the issues that come along with it.

Use the best cryptography tools and techniques

Key management is important if you want your encryption efforts to pay off. You must never hardcode the keys as it becomes easy for the attackers to steal them all. You need to store the keys in the secure containers and avoid storing them locally on the device.

If you are taking all the crucial steps and running all the necessary tests, then the application users will not face any issues and who knows your application might top the list of the trending and secure mobile applications.

Author Bio: I am David M. Herd working as a Marketing Manager at eSaiTech Inc. eSaiTech is an online store selling various hardware, peripheral devices & you can Buy security products online from various biggest brands like hp, dell, Juniper, Hewlett, Samsung etc at attractive prices.

Originally published at https://www.desnav.com on May 22, 2019.

#security #products #cryptographic

0 notes

xenleaksinc · 6 years ago

Text

XenForo 2.1.1 Stable Full

XenForo 2.1.1 is now available for all licensed customers to download. We recommend that all customers running previous versions of XenForo 2.1 upgrade to this release to benefit from increased stability. We have also made some improvements to the importer framework. Notably it is now possible to perform a multi-process import in order to make better use of multi-core processors. If you run an import via the CLI and you add the --processes option with a value greater than 1, then multiple PHP processes will be used to perform the import, instead of a single CPU core being used as is the PHP default. Your results may vary, but with the number of processes set to equal the number of physical cores on a sufficiently powerful server, you should notice a significant increase in performance. You can also run your import command with the new --finalize option which will run the finalize stage automatically after the data import has finished. While we're talking about importers we should also point out that we are today also releasing XenForo Importers 1.2.0 with a new "Invision Community Forums" importer, XenForo Media Gallery 2.1.1 which reintroduces a number of importers originally included in XFMG 1.x and XenForo Resource Manager 2.1.1 which includes an XFRM to XFRM importer. See below for more information. If you are upgrading from XenForo 2.1.0, please be aware that there is a new option called "Convert Markdown-style content to BB code" which is now disabled by default. If you would like to use Markdown-style formatting in your messages, you will need to enable this option first. Download XenForo 2.1.1 Other changes in XF 2.1.1 include:

Solve a critical bug which may allow an extreme number of push subscriptions to be inserted. (Thank you @vbresults)

When pasting tables into the RTE, remove the rowspan/colspan attributes as they aren't supported. For any rows that don't have enough cells, append additional cells to the end (which is what the BB code renderer would do).

When converting emoji shortcodes, ignore any that are also smilies. This effectively prioritizes smilies over emojis on conflict. Adjust the emoji autocompleter to match this behavior.

Don't set a default alt when inserting an attachment into the rich text editor. (If no alt is present, when rendered, it will default to the filename.)

Ensure that auto-completion does not insert an HTML-encoded value when doing a text-based completion.

Ensure that textareas and code editors do not trim the values received before they are displayed.

Use the absolute date and time for poll closing when editing a poll to ensure a consistent wording for the sentence structure.

Add alt attributes to reaction <img> elements.

Support editor icons in specific FA packs by specifying the icon as "fa(l|r|s|b) fa-icon-name".

Ensure that we use the push receiver's language when rendering a push notification from a template.

Send cache-control: no-cache for error images displayed by the image proxy. For successful fetches, set the max-age of the result based on when the next refresh is planned (and if unknown, cache for a day).

Support Markdown image embedding without any alt text and maintain the alt text from Markdown image embeds.

For min-max options, add validation to ensure that the max is never less than the min.

When adding an avatar URL to a registration, only apply the avatar if the user would have permission (once their account is in the valid state).

Don't set a length when setting up boolean columns in the schema manager as we don't actually output this for integer types.

Re-enable ctrl/cmd+enter to submit textareas by default

Fix an issue where some inline styling (such as colors) before a video can cause text to disappear unexpectedly.

Prevent LESS compilation errors if removing certain style property elements (namely ones passed into H-scroller variations).

Disable inline Markdown matches that are known to be smilies. (Note this only applies to exact matches.)

Prevent URLs from being unfurled in signatures.

Fix a situation where a URL would be double auto-linked if it started with www and was on its own line.

Dynamically adjust the RTE z-index so that editor overlays work as expected when the editor is within an overlay itself

Prevent an error if there is an orphaned user connected account record (for a user that doesn't exist) if that connected account is then re-associated with another user.

When counting line limits in signatures, ensure that URLs are not unfurled as this will give an incorrect line count.

Prevent duplicate key error from push subscription update.

When listing watched forums, properly display forums that are children of nodes that are not displayed in the node list.

Provide extra space in the structured list "meta" information (replies and views) cell for longer translations.

Allow category_view template to have search constraints for "This category".

Adjust phrase used on Google Analytics Web Property ID option phrase.

Correctly use the payment profile display title when displaying a list of payment profiles if a display title is defined.

Re-jig the wording and details of the Stripe payment profile page somewhat in an attempt to make the required steps clearer and ensure the instructions of where to find things is correct.

Clarify the format of the expected event hint for the editor_dialog event. We coerce the dialog name to be alphanumeric so essentially anything beyond a-z/0-9 is stripped.

Remove unused bit of code in the GA template.

Ensure we include the fullUnicode default for new installs in the config.php.default file.

When testing for push support, check we have access to the Notification API also.

Use the correct error phrase when a profile post spam decision has been set to denied.

Add support for the iso6 ftype when detecting whether we have a valid MP4 video.

Use a standard textbox (of password type) for the SMTP password as we do not require strength checking or hide/show buttons there.

Ensure that each editor instance starts with an empty set of buttons to remove so that removals only affect the desired editor.

Sort the locale list when editing a language in an accent insensitive way.

Display an error if no templates or style properties have been marked for mass reversion.

Ensure a user cannot be following or ignoring themselves as a result of a merge, and rebuild following caches correctly.

Automatically suggest a name for the import log table, based on the importer class name and a numeric suffix.

Adjust positioning of reaction summary on the thread list.

Update LightGallery to the latest version in order to fix an issue with the slideshow pause button.

Use correct function name for reaction score ratio criteria.

Use a slightly more strict regex when detecting shortcodes in order to not necessarily attempt to replace embedded shortcodes, especially those inside URLs.

Improve behaviour of lists in content when they are used adjacent to floated images.

When inserting the description received by XF.DescLoader.onLoad run it through XF.setupHtmlInsert to ensure the resulting HTML is activated and any new JS is initialized.

When validating email addresses when handling email bounces, do so in a non-strict mode and ignore minor errors.

Exclude disabled reactions from the thread list reaction summaries.

Adjust usernameLength option so the max value cannot exceed 50 (the hardcoded username limit). Also apply that max value to the register form, rather than the max username limit (50).

Ensure a permission check happens at the point of running a search.

Prevent an error when building the backtrace of an error message that has no arguments.

When deleting a reaction definition, delete all reactions of that type to ensure correct and consistent behavior.

Add contentType values to the Report/ReportComment entity structure.

Add a hint which suggests that adding bookmark labels is optional.

Support passing in a custom perPage value to entityColumnsToJson and tableColumnsToJson methods. Set XF:ErrorLog.request_state to do only 300 per page - this table's records are quite data heavy and has been seen to exhaust memory limits.

Delay logging when inserting an emoji via the editor menu so that the emojis do not switch position until 1.5 seconds after you stop inserting emojis.

Change the double-encoded & to simply & in the custom field edit template.

For consistency with similar option groups, separate the "Enable content tagging" option from the other options on the page.

Ensure the tagLength option cannot exceed a maximum length of 100.

Fix next/prev month button color in the date picker and allow date ranges to pull colors from the style properties.

Apply the body font family to message previews.

When processing ajax responses, activate HTML elements after executing any inline scripts.

Allow detection of failed unfurl image loads even when the image proxy is enabled.

Add new template extension points for member_macros in the XF:action_groupsuter_start and XF:action_groupsuter_end positions.

Display the enableTrophies option on the user-title-ladder page so that the trophy points option can be kept disabled or re-enabled if trophies are being enabled/disabled.

Only apply the "Show value" option to member stats if the sort order is numeric (by default, if the sort order is not "username").

In some option templates, protect against invalid user ID data

Fix accidental N+1 query behavior on received reactions page and ensure consistent "all" vs type-specific counts.

Remove the default values for first_post_reaction_score in the Thread searcher, similar to the reaction_score in the User searcher.

Improve performance of loading the editor emoji menu on Android devices.

Remove inconsistent <b> tags from notice edit message explain phrase.

Add missing fal class in the core_contentrow less.

Remove commented out menu headers from navigation item menus.

Always apply the default prefix for a forum on reports sent into a forum.

Make it easier to add additional menus/buttons to the member tooltip/member view template.

Trigger class extension hint file to be rebuilt on class extension import.

When navigating directly to the post-thread page for a forum, attempt to use a predefined title (from the title URL param) if it is available.

Fix code event description argument list for app_admin_render_page event.

Add aria-hidden="true" to share icon placeholders.

In filter lists, do not count rows which we have forced to show - they most likely represent information rather than found results.

Do not duplicate the data-xf-init attribute on the prefix_input template.

Use SFS' load balanced API for SFS lookups. (Submissions do not appear to have changed).

Parse user mentions before MD parsing to avoid issues with user names that have valid MD-style markup.

Use a sufficient number of backslashes (5!) to appropriately escape the fnMaxLength templater function shortname regex.

Replace all hard-coded instances of N/A to the n_a phrase.

Swap order of filters and additional params on the forum_view "Show older items" link.

Add aria-hidden="true" to icon placeholder in the react HTML.

Hide links within ispoilers (and make them clicking the link not trigger while the spoiler is blurred).

Prevent an InvalidStateError in some cases with the numberbox input. Also change its support detection and prevent the stepping starting from an unexpected number.

Allow content_username and content_user_id to be empty/0 by default in the moderator log.

When navigating to a cached page, use conversation/alert unread counters from the most recent stored data, rather than what may have been included with the cached result.

The following public templates have had changes:

app_nav.less

app_sectionlinks.less

app_staffbar.less

bb_code.less

bb_code_preview.less

bookmark_edit

bookmark_macros

category_view

core_bbcode.less

core_block.less

core_contentrow.less

core_menu.less

core_pikaday.less

core_tab.less

editor.less

forum_post_thread

forum_view

google_analytics

member_macros

member_tooltip

member_view

PAGE_CONTAINER

poll_macros

prefix_input

register_form

register_macros

share_page_macros

structured_list.less

thread_list_macros

Where necessary, the merge system within the "outdated templates" page should be used to integrate these changes. As always, new releases of XenForo are free to download for all customers with active licenses, who may now grab the new version from the customer area. Note: add-ons, customizations and styles made for XenForo 1.x are not compatible with XenForo 2.x. If your site relies upon these for essential functionality, ensure that a XenForo 2 version exists before you start to upgrade. We strongly recommend you make a backup before attempting an upgrade. Current Requirements Please note that XenForo 2.1.x has higher system requirements than XenForo 1.x. The following are minimum requirements:

PHP 5.6 or newer (PHP 7.3 recommended)

MySQL 5.5 and newer (Also compatible with MariaDB/Percona etc.)

All of the official add-ons require XenForo 2.1.

Enhanced Search requires at least Elasticsearch 2.0.

Installation and Upgrade Instructions for XenForo 2.1 Full details of how to install and upgrade XenForo can be found in the XenForo 2 Manual. Note that when upgrading from XenForo 1.x, all add-ons will be disabled and style customizations will not be maintained. New versions of add-ons will need to be installed and customizations will need to be redone. We strongly recommended that you make a backup before attempting an upgrade. Once upgraded, you will not be able to downgrade without restoring from a backup.

XF-V2.1.1.zip

source https://xenforoleaks.com/topic/290-xenforo-211-stable-full/

0 notes

theafropunkentrepreneur · 7 years ago

Text

Recastly Review + CUSTOM Bonus + Free Training

Software Creator: Sam Bakker

Launch Date: January 17, 2018, 10AM EST

Niche: Videos on all topics can be made, transcribed and translated

Price: Front-End $37

What is Recastly?

Simply Put, Recastly creates professional viral-style videos that include SUBTITLES in any language within minutes. It is a cloud-based software that allows you to automatically transcribe and translate spoken text into HARD-CODED Subtitles that sync up perfectly with the speech.

Videos can be imported from:

Youtube

Vimeo

Facebook

Uploading from your computer

Best of all, you can convert the subtitles into ANY language. The software also has tons of very creative subtitle templates so that you can customize the style to fit your audience and your taste.

It also allows for watermarking to add your brand to these videos giving them a natural look and feel for your brand.

Who's This a PERFECT Product For?

Affiliate Marketers

CPA Marketers

Product Creators

E-commerce Store Owners

Youtube Video Creator

Those Working with the Hearing Impaired

Imagine being able to expand your audience WORLDWIDE, where language would no longer be a barrier to your message or products to be seen.

Youtube Ads, Facebook Ads, and Udemy Courses are all technology that could greatly benefit from Recastly's ability to translate into ANY language.

Voice Over Technology

This software is also PERFECT for those who are self-conscious about the sound of their own voice. Imagine being able to transcribe your videos, have your speech translated into ANY language and then use their human-like voice generator to speak for you.

There are a myriad of accents to choose from in addition to being able to simply select a male or female voice.

Simply put, Recastly is your chance to turn ANY Video Into A Traffic & Sales Machine

SEE MY FULL RECASTYLY REVIEW HERE

[embedyt] https://www.youtube.com/watch?v=_OcZjWL2e3k&width=450&height=253&rel=0[/embedyt]

Recastly as an SEO Tool

Amongst many other ranking factors, we know that Google LOVES videos with subtitles. It has been proven that videos with subtitles rank MUCH higher in Google and Youtube than those without. The reason for this is because their bots crawl your website content and the more relevant your content, the higher you will rank.

This is a perfect opportunity to optimize your niche-specific keywords.

The Software creates line-by-line translations that can be edited easily to add your keywords or to make the text seem more natural and less grammatically formal. If that is important to your audience that it speaks to them in THEIR idiom.

It also has word-by-word feature. Where instead of the whole sentence being shown at once, it is shown word by word as to not give away the rest of what you are saying before you say it.

Key Features

Recastly boosts a magnitude of very impressive features including:

Automatic Caption Generator

Generate Captions In All Languages

Generates Automatic Timestamps

Allows You to Add Professional Human-Like Voiceovers To Your Video

How About Some Proof!

Well, I happen to have my own testimonial, as I had the pleasure of having review access. So I am sharing a recent Youtube video that I had transcribed and translated into Portuguese.

As it is a language that I also speak I wanted to test its accuracy. I was BLOWN AWAY by how accurate it was. It filtered out all of my "ummmms" and "uhhhs" with ease.

SEE RECASTLY AT WORK FOR YOURSELF!!

[embedyt] https://www.youtube.com/watch?v=hqqO9Tbu85Q&end=405&width=350&height=263&centervid=1&rel=0[/embedyt]

Check Out The Original Traffic Zion Review

FAQs (From the Sales Page)

Q. Are there any limitations? No - you can create unlimited subtitles and voiceovers for unlimited videos with the software. Customize the appearance, language, and layout of as many videos as you like.Meaning you can effectively turn any single video into as many variations as you want, and enjoy ALL the traffic those variations bring. The only limitation is that the video length cannot exceed more than 10 minutes

Q. How Accurate Are Translated Subtitles? Recastly generates and translates your subtitles into ANY language. We use Google's APIs to do this and these are still computer generated translations so they cannot be 100% accurate. However, they are pretty accurate.

But if you want translations done by humans who speak the language natively, they do offer professional translation services at a low rate.

Q. Is Training Included? Absolutely! In addition to the 3 LIVE bonus training webinars, you’ll be able to access specific video tutorials right inside your dashboard.

The software is incredibly easy to use, but to make it even easier we’ve included over the shoulder training videos for each step.

Q. How Long Will It Take For My Subtitles & Voiceovers To Render? That’ll depend on the length of each video, but our dedicated servers are lightning fast. You’ll never wait more than a few minutes to get BOTH subtitles and auto-generated voiceovers for any video.

Q. Will this work on my Mac? 100% - this is a cloud-based software that works on any operating device. Customize your videos from any platform, anytime you

This software is also protected by a 30-day Money Back Guarantee.

[wp-review id="11974"]

Price Structure:

Front End: $ 37: Recastly Premium

Lifetime license that includes, automatic subtitle generator, 10 templates to hardcode the subtitles, ability to add subtitles to videos up to 10 minutes long, ability to generate and add voice over, ability to change video size and ability to add fixed text and watermark...

OTO #1: Recastly Pro: $27/Month or $97/ Year

All the features in Premium plus the ability to upload videos that are longer than 10 minutes, 5 additional templates each month, ability to turn off the Recastly branding, ability to export videos in as it is resolution (including 4k) and much more...

OTO #2: Recastly Agency: $197/One time

The agency feature lets you create Recastly accounts under your Agency. Agency users can also upload their own logo and use their own domain name and keep 100% of the profits.

OTO #3: Recastly Video Player: $27/Month or $97/ Year

The agency feature lets you create Recastly accounts under your Agency. Agency users can also upload their own logo and use their own domain name to sell the product as their own keep 100% of the profits.

My Bonuses!!

I'm excited to report that Myself and Jono Armstrong have joined forces to bring you guys some awesome CUSTOM BONUSES!

Only created for Recastly. To Help You MONETIZE Recastly!

No Rashed Crap. No PLR!

I hope that you have enjoyed my Recastly Review!

Click HERE to Get Our CUSTOM BONUSES!

#recastlyreview #recastlybonus #recastlydemo #recastlyreviewbonus

0 notes