Stop Credential Stuffing on Login with Cloudflare WAF Rules
A 3am login endpoint meltdown taught us why IP-based rate limiting fails against Cloudflare WAF credential stuffing — here's the fix.
3 WireGuard VPN Mistakes That Broke Our Remote Server Access
Real WireGuard VPN mistakes that cost us an outage and a security exposure — key reuse, bad AllowedIPs, and an open UDP port.
ML Anomaly Detection in Loki Logs: Per-Entity Isolation Forest
A practical look at ML anomaly detection for Loki logs — feature extraction, per-entity models, and why global thresholds fail.
Docker Rootless Mode Security Hardening Checklist
Your containers are running as root right now. This rootless Docker security checklist covers installation, hardening, and CI enforcement in 18 steps.
Secure Docker Multi-Stage Builds with Trivy CVE Gates
Secure Docker multi-stage builds go beyond size reduction — learn how to gate CVEs, pin digests, and stop shipping vulnerable layers to production.
AI vs Rule-Based Secret Scanning in CI: Which Actually Works
Rule-based or AI secret scanning in CI pipelines — I've run both in production. Here's the honest breakdown, decision matrix, and my pick.
GitLab CI AWS OIDC: Replace Static Keys with Short-Lived Credentials
Stop storing AWS access keys in GitLab CI variables. Set up GitLab CI AWS OIDC trust in under 30 minutes and get credentials that expire automatically.
AWS Config CI Compliance Gate: Config Rules vs cfn-guard
Your Terraform apply passes but an unencrypted S3 bucket ships to prod anyway. Here's how to pick the right AWS Config CI compliance gate strategy.
How to Fail CI Pipelines on AWS Config NON_COMPLIANT Resources
AWS Config CI pipeline gate that catches NON_COMPLIANT resources before they stay in production — poll compliance after Terraform apply and fail fast.
S3 Presigned URLs: Expiration Strategy and Signing Identity Controls
Most teams treat S3 presigned URLs like short-lived tokens. They're not — the signing identity determines everything, and a misconfigured one turns a "temporary" URL into a persistent credential you can't revoke without breaking things.
☕ Support us · 💳 Monobank