whitedec's Blog

2026-01-23

Allow Only Permitted HTTP Methods: Block Noise Requests with 405/444 in Nginx

Learn how to block abnormal HTTP methods like PROPFIND or MKCOL at Nginx using 405 or 444 responses. Cut traffic early, keep app logs tidy, shrink the attack surface, and see practical configuration examples to improve operational efficiency.

#security #nginx #444 #405 +2

2026-01-15

Understanding Pillow’s `open()`, `verify()`, and `load()` from a Security Perspective

Explore how Pillow’s `open()`, `verify()`, and `load()` methods affect image‑upload security. Learn practical strategies—policy checks, corruption filtering, and safe re‑encoding—to mitigate decoding risks and prevent DoS attacks.

#django #security #pillow #verify +3

2026-01-14

Let Nginx Handle File Delivery in Django with X‑Accel‑Redirect

When Django streams files directly, the app server can become a bottleneck. By using X‑Accel‑Redirect, Django handles permission checks while Nginx streams the file, boosting performance and security—especially for large files or high‑concurrency downloads. This guide explains the best practices.

#django #security #nginx #x-accel-redirect +2

2026-01-13

Django Image Upload Security Guide: Efficiently Preventing Server Crashes

A practical guide for Django‑based web services to secure image uploads while avoiding resource waste. Learn how to perform low‑cost size, MIME, and resolution checks, then re‑encode files on the server to strip metadata and prevent DoS or malicious payloads. Follow the checklist and code examples for a robust solution.

#django #security #drf #pillow +3

2025-12-19

The Aesthetics of Log Tailing: A World of Bots Skimming Your Server

Monitor your server logs in real time and dissect the diverse bot traffic that appears with `tail -f`. From courteous search engine crawlers to aggressive bots, this guide details each bot’s traits, IP ranges, and impact on your server—giving you a clear view of how your site interacts with the outside world.

#security #log tailing #bots #server monitoring +2

2025-12-08

Lessons from the React RCE Incident: Why HMAC Signatures, Key Rotation, and Zero Trust Matter

The React Server Components/Next.js RCE (CVE‑2025‑55182) demonstrates the dangers of unconditionally trusting client data. This article explains how HMAC signatures, key rotation, and Zero Trust principles can secure internal APIs and preserve data integrity.

#security #react rce #hmac signature #key rotation +2

2025-12-05

Malicious Bots Won’t Stop—Let’s Cut Them Off at the Front with Nginx: Cleaning Up Weird URLs Early

When you expose a web application, malicious bots and scanners will bombard it with odd requests. This guide shows how to use nginx’s 444 status code and a shared `blackhole.conf` to pre‑emptively block those URLs, reducing log noise, CPU usage, and improving operational efficiency.

#security #nginx #444 #blackhole +3

2025-12-05

Why Is Cloudflare Free? Understanding CDN Mechanics and the Business Model

Explore why Cloudflare offers free CDN and security services, the underlying business model, and how the free plan benefits personal blogs and small services. Learn how the freemium strategy drives upgrades and the key paid products that sustain the company.

#security #performance #developer #cdn +3

2025-12-04

Safely Storing Secret Keys in Django Models (Fernet Edition)

Learn how to securely store API keys and secrets in Django using Fernet encryption. This guide covers key generation, settings configuration, a custom EncryptedTextField, model integration, search limitations, key rotation, and a practical security checklist—all written in clear, native English.

#django #security #fernet #encryption +1

2025-11-24

Is Your SSH Server Secure? A Deep Dive into SSH Server Logs for Hacking Signs

Learn how to identify hacking signs through SSH server logs, prevent brute-force attacks, and failures in password logins. This practical guide includes reading logs, configuring fail2ban, and firewall settings step by step.

#ssh #fail2ban #security #logs +1

2025-11-21

SSH: A Complete Guide from Concepts to Practical Security Settings

This post provides a step-by-step guide on the fundamental concepts of SSH and practical security settings that you can apply. It includes tips for keyboard shortcuts, authentication methods, port forwarding, and firewall settings for immediate practical use.

#linux #ssh #security #guide

2025-11-17

Essential Knowledge for SPA and React - A Complete Guide to Browser Storage

A comprehensive guide on utilizing browser storage (session storage, local storage, IndexedDB, etc.) for SPA and React developers, detailing types of storage, usage scenarios, security issues, performance tips, and practical code examples for immediate application.

#security #spa #react #indexeddb +5

2025-11-12

Django's HTTP Utility - 'django.utils.http'

This post introduces how to implement URL encoding, safe token transmission, and redirection security using Django's `django.utils.http` module.

#security #http #url #base64

2025-11-10

Why Running a Container as Root Is Not Recommended?

Running containers as root poses significant security risks. This article discusses the possibilities of gaining host root privileges upon container escape, the principle of least privilege, and best practices for Dockerfiles.

#security #root #dockerfile #container