AI 资讯
Hermes Agent's skill trust model is a four-repo allowlist
So far I've only been running openclaw agents and had a steep learning curve. "self-improvement" became a very attractive term on this journey. So I took a dive into Hermes Agent, the self-improving agent runtime from Nous Research. One of the first things I wanted to understand was a risk: what actually happens when you install a community skill? Skills are code and instructions that the agent will execute, and Hermes pulls them from an open ecosystem. So I read the install path in the source - instead of blindly trusting the docs. What I found is better than I expected in one way and structurally limited in another. What Hermes already has on board Hermes does not install external skills blindly. Every externally-sourced skill goes through a real gate before it lands on disk. In hermes_cli/skills_hub.py , the install flow is: fetch → quarantine → scan → policy decision → install or block-and-audit. The scan lives in tools/skills_guard.py and runs regex-based static analysis for known-bad patterns: secret exfiltration ( curl interpolating $API_KEY / $TOKEN / $SECRET ), reads of credential stores ( ~/.ssh , ~/.aws , ~/.gnupg , ~/.kube , and Hermes's own ~/.hermes/.env ), destructive commands, persistence, and obfuscation. If the scan blocks an install, the quarantined copy is deleted and the event is written to an audit log. This is more than most agent tooling ships with. If you remember the wave of malicious skills that hit competing ecosystems, a chunk of that class of attack would be caught here before anything ran. Someone thought about this. The part that doesn't scale imo The scanner produces a verdict — safe , caution , or dangerous . That verdict is then combined with a trust level to decide whether to install. The trust levels and their policies look like this: INSTALL_POLICY = { # safe caution dangerous " builtin " : ( " allow " , " allow " , " allow " ), " trusted " : ( " allow " , " allow " , " block " ), " community " : ( " allow " , " block " , " bloc
AI 资讯
OpenAI unveils Lockdown Mode to protect sensitive data from prompt injection attacks
Even with Lockdown Mode, ChatGPT could be still vulnerable to prompt injections, but the goal is to reduce the likelihood that sensitive data gets shared in the process.
AI 资讯
How We Built Cryptographic Invoice Signatures for a SaaS Invoicing Platform
How Reinvoice Uses HMAC Signatures to Detect Invoice Tampering Every invoice sent through Reinvoice includes a cryptographic integrity signature. It is not a PDF stamp, a visual badge, or a checkbox. It is an HMAC-SHA256 hash generated from the invoice payload and a server-side signing secret. If signed invoice data changes after creation, Reinvoice can recompute the hash, compare it to the stored signature, and flag the invoice as potentially tampered with. Here is why we built it, how it works, and what we learned. Why Integrity Checks Matter for Invoicing Invoices are high-value documents. A single altered field could change a payment amount, tax calculation, client record, or audit trail. Most invoicing systems treat invoices as ordinary database records. That works for normal CRUD workflows, but it does not automatically prove that the invoice data being viewed today is the same data that was created and sent. Reinvoice adds an integrity layer. When an invoice is created, we sign the fields that define the invoice. Later, when someone verifies the invoice, we recompute the signature from the current data and compare it against the original stored signature. If the values do not match, the invoice is flagged. The Implementation The signature is stored in two places: on the invoice record in the database, and behind a public verification endpoint. import { createHmac , timingSafeEqual } from ' node:crypto ' ; const SIGNATURE_FIELDS = [ ' invoiceNumber ' , ' issuerName ' , ' clientName ' , ' totalAmount ' , ' currency ' , ' taxAmount ' , ' issuedAt ' , ' dueDate ' , ' lineItems ' , ' notes ' , ' subtotal ' , ' discountAmount ' , ' shippingAmount ' , ] as const ; export function generateInvoiceHash ( invoice : InvoiceData ): string { const payload = SIGNATURE_FIELDS . map (( field ) => { const value = invoice [ field as keyof InvoiceData ]; return ` ${ field } = ${ JSON . stringify ( value )} ` ; }). join ( ' | ' ); return createHmac ( ' sha256 ' , SIGNING_SECRET )
AI 资讯
Crypto-Funded Chinese Peptide Labs Are Booming
Plus: Hackers use Meta’s AI bots to hack Instagram accounts, Anthropic helps NSA hackers, a decades-long GPS satellite mystery may have been solved, and more.
AI 资讯
# Next MDL Update: Security-First Adapters and HTMX Support
In the last update, I introduced MDL as an HTML-first language for building websites and apps with less noise. This update is about the next layer: adapters . The goal is simple: MDL source should describe intent. Adapters decide how that intent becomes deployable HTML. Why adapters? I don’t want MDL to become locked into one frontend framework. Instead, the same MDL structure should be able to target different deployment styles: static HTML MDL-native runtime attributes HTMX future template or framework adapters So this: form@api(post /api/login)@result(loginResult)@swap(replace): .input@type(email)@required .btn-primary@type(submit)(Sign in) status@id(loginResult): Waiting. Can become plain HTML: html <form method= "post" action= "/api/login" > Or HTMX: html <form hx-post= "/api/login" hx-target= "#loginResult" hx-swap= "outerHTML" > Security before convenienceThe important part is that MDL does not pass behavior attributes through blindly. Raw HTMX attributes like this are blocked: mdl form@hx-post(/api/login): Instead, MDL uses intent-based attributes: mdl form@api(post /api/login): Then the adapter validates and translates it. Current safety rules include: external api(...) URLs are rejected raw @hx-* attributes are blocked raw browser events like onclick(...) are blocked unsafe URL schemes like javascript: are blocked broad form inclusion like @params( ) is blocked @inherit( ) is blocked @disinherit(*) is allowed because disabling inherited behavior is safer That means MDL can support HTMX without making MDL source depend directly on HTMX’s full raw surface area. New HTMX adapter attributesThe HTMX v2 adapter now supports more behavior attributes: mdl @select-oob(...) @swap-oob(...) @disabled(...) @disinherit(...) @encoding(...) @history-elt(...) @inherit(...) @params(...) @preserve(...) @prompt(...) @replace(...) @request(...) @sync(...) @validate(...) Example: mdl form@api(post /api/profile)@result(profileResult)@swap(replace)@params(email csrfToken)@disable
AI 资讯
6개 프로젝트 보안 감사: 25개 이슈 발견 수정 기록
Published on : 2026-06-06 Reading time : 8 min Tags : #security #python #audit #devops 개요 3개월에 걸쳐 개발한 6개 Python 프로젝트(3개 봇 + 3개 라이브러리)를 종합 감사했습니다. 25개 보안/코드 이슈를 발견했고, 23개를 즉시 수정했습니다. 감사 대상 : FastAPI + Telegram Bot + LLM 통합 시스템 총 파일 : 91개 Python 파일 발견 이슈 : 25개 (심각 5개, 중간 18개, 경미 2개) 수정율 : 92% (23/25) 심각도 높음 - 5개 이슈 1. API 키가 Git 히스토리에 노출됨 🔴 문제 : Anthropic, Supabase, Telegram API 키가 .env 파일로 커밋됨 # ❌ 노출된 상태 (git log에서 확인 가능) ANTHROPIC_API_KEY = sk - ant - api03 - xxxxxxxxxx SUPABASE_KEY = sb_publishable_xxxxxxxxxx 위험도 : 누구든 이전 커밋으로 API 키 접근 가능 → 리소스 도용, 데이터 침해 해결책 : # 1. BFG로 히스토리 정리 bfg --delete-files ".env" --no-blob-protection . # 2. Git에서 제거 git rm --cached .env echo ".env" >> .gitignore # 3. API 키 로테이션 (필수) # - Anthropic: console.anthropic.com/account/keys # - Supabase: app.supabase.com → Settings → API # - Telegram: @BotFather → /token 2. SSL 검증 비활성화 (MITM 공격 위험) 🔴 문제 : requests 호출에 verify=False 사용 (10곳) # ❌ 위험한 코드 response = requests . get ( url , verify = False ) # ✅ 안전한 코드 response = requests . get ( url , verify = True ) # 기본값 영향 : HTTPS 중간자 공격(MITM) 가능 → 민감한 데이터 도청 수정 : contest-agent, supabase-async 전체 10곳 제거 3. 광범위한 예외 처리 🔴 문제 : except Exception 으로 모든 오류를 무시 (114곳) # ❌ 버그 추적 불가 try : result = await db_select ( " contests " ) except Exception : print ( " failed " ) # 어떤 오류인지 알 수 없음 # ✅ 구체적인 처리 try : result = await db_select ( " contests " ) except requests . HTTPError as e : logger . error ( f " DB error: { e } " , exc_info = True ) raise 영향 : 버그 원인 파악 불가 → 프로덕션 문제 대응 시간 증가 4. 라이브러리 __init__.py 부실 문제 : llm-router, supabase-async, telegram-agent의 __init__.py 비어있음 # ❌ 기존 (빈 파일) # __init__.py # (아무것도 없음) # ✅ 수정 후 from llm_router import LLMRouter __version__ = " 0.1.0 " __all__ = [ " LLMRouter " ] 영향 : PyPI 설치 후 import 실패 from llm_router import LLMRouter # ❌ ImportError 5. 문법 오류 (try-except 들여쓰기) ai-insight-curator의 processor.py에서 DB 작업이 try 블록 밖에 있었음 → 예외 처리 안 됨 심각도 중간 - 18개 이슈 의존성 버전 불일치 Anthropic: 0.25.0 / 0.34.0 혼재 → 0.34.0으로 통일 Supabase: 2.0.0 / 2.4.0 혼재 → 2
AI 资讯
Day 26 - HashiCorp Vault & Secrets Management
Modern applications depend on secrets. Every application requires: Database Passwords API Keys SSH Keys TLS Certificates Cloud Credentials OAuth Tokens Service Account Keys The biggest question is: Where should we store them securely? Unfortunately many organizations still store secrets in: Git Repository Docker Image Application Config Files Environment Variables Shared Documents Excel Sheets This creates a massive security risk. This is why Secret Management platforms like HashiCorp Vault became critical in modern cloud-native environments. 🔗 Resources ** Support the Journey on GitHub: If you're following along, consider starring and forking the repo:** https://github.com/17J/30-Days-Cloud-DevSecOps-Journey What is a Secret? A secret is any sensitive piece of information used to authenticate or authorize access. Examples: Database Password AWS Access Key JWT Signing Key API Token TLS Certificate Private Key OAuth Secret If a secret gets exposed: Attacker ↓ Application Access ↓ Database Access ↓ Infrastructure Compromise What is Secrets Management? Secrets Management is the process of: Store Protect Rotate Control Audit sensitive credentials securely. A modern secrets management platform provides: Centralized storage Encryption Access control Secret rotation Audit logs Dynamic credentials Why Secrets Management Matters Imagine this scenario: database : username : admin password : Password123 committed into GitHub. Result: Developer Pushes Code ↓ GitHub Repository ↓ Credential Leak ↓ Database Breach This happens more often than people realize. The Problem with Traditional Secret Storage Many teams use: .env Files Kubernetes Secrets Configuration Files Hardcoded Passwords Problems: Difficult rotation No audit trail Poor access control Risk of accidental exposure Compliance failures What is HashiCorp Vault? HashiCorp Vault is a centralized secrets management platform designed to securely store, access, and manage secrets. Think of Vault as: Central Secret Bank for you
AI 资讯
Drift Protocol $285M Exploit - North Korean APT Attack on Solana
On April 1, 2026, Solana's largest decentralized perpetual futures exchange Drift Protocol suffered an attack, losing approximately $285 million . This is the second-largest DeFi hack of 2026 (behind KelpDAO's $292M attack the same month). Together, these two incidents totaled $577M — 76% of all DeFi stolen funds in 2026 . Key Finding : This was not a smart contract vulnerability. The attacker penetrated protocol personnel through social engineering , used Solana's durable nonce feature to pre-sign malicious transactions, and drained the entire treasury in 12 minutes . Mandiant confirmed the attacker as North Korean state-sponsored APT group UNC6862. ⏱️ Attack Timeline Time Event 6 months prior North Korean hackers establish fake trading company identities, attend crypto industry events Weeks prior Operatives attend crypto conferences in person, build deep trust with Drift contributors Late Feb - Early Mar Telegram group discussions about trading strategies, posing as partners Dec 2025 - Jan 2026 Fake company "Ecosystem Vault" builds partnership with Drift, deposits $1M+ Feb - Mar Attackers gain access to some contributors' code repositories Mar 23 Create 4 malicious wallets using Solana durable nonce feature Mar 27 Security Council migrates to 0-second timelock , removing safety buffer Apr 1, 16:06:09 UTC Execute pre-signed malicious transactions 16:06 - 16:18 UTC Treasury completely drained in 12 minutes Post-Apr 1 Funds swapped via Jupiter, bridged to Ethereum via CCTP, mostly dormant 🔧 Attack Technical Analysis Initial Penetration The attackers used a multi-layered social engineering + technical infiltration combination: HUMINT Operation Spent months building credible identities, attending global industry events Used intermediaries rather than direct contact (classic Lazarus tactic) ZachXBT noted this layered identity structure is a hallmark of Lazarus operations Malicious Code Injection Shared code repositories containing malicious code Exploited unpatched VSCo
AI 资讯
AI Code Security: Claude's rsync Bugs; Europe's GNSS Interference & GPS Anomalies
AI Code Security: Claude's rsync Bugs; Europe's GNSS Interference & GPS Anomalies Today's Highlights This week in security, a deep dive explores how AI code generation might introduce new vulnerabilities, with analysis showing Claude increasing bugs in rsync. We also highlight two critical infrastructure concerns: a powerful GNSS interference source over Europe and the mysterious 'numbers station' broadcasts found on GPS frequencies. Did Claude increase bugs in rsync? (Hacker News) Source: https://alexispurslane.github.io/rsync-analysis/ This article presents an intriguing analysis of how large language models (LLMs) might inadvertently introduce bugs into software. Focusing on Claude's contributions to the widely used rsync utility, the author investigates code changes attributed to AI and compares them against human-written code. The study reveals instances where AI-generated code, while appearing plausible, introduced subtle yet significant defects, raising questions about the reliability of AI assistance in critical codebases. The implications extend beyond rsync , pointing to potential supply chain vulnerabilities if AI-generated code is not rigorously audited. This research highlights a new frontier for AI-specific security, emphasizing the need for developers to employ practical hardening guides and thorough review processes when integrating AI into their development workflows to prevent the unintentional introduction of new attack vectors. Comment: As a developer, seeing concrete examples of AI introducing bugs, even subtle ones, in a fundamental tool like rsync is a wake-up call. It's a reminder that AI-generated code requires diligent human review, especially when security or reliability is paramount, highlighting prompt engineering as a defensive technique. Tracing a powerful GNSS interference source over Europe (Hacker News) Source: https://arxiv.org/abs/2606.03673 Researchers have identified and traced a significant source of Global Navigation Satellite
AI 资讯
Highly reviewed speaker can be hacked over the air to infect connected devices
Seller of the Sound Blaster Katana V2X doesn't consider the behavior a vulnerability.
产品设计
Former cyber executive turned whistleblower accuses IBM of covering up several data breaches
IBM and two of its subsidiary companies were allegedly breached during the mid-2010s, which a lawsuit filed by a former cybersecurity executive accuses IBM of not disclosing and actively covering up.
AI 资讯
HIPAA Risk Assessment in 2026: A Healthcare Engineer's Field Guide
If you build, run, or audit systems that touch protected health information (PHI), the HIPAA risk assessment is the document that quietly decides whether the next OCR investigation ends in a closure letter or a corrective action plan with a six-figure settlement. The proposed 2026 HIPAA Security Rule update (published as an NPRM in January 2025, still pending finalization at OCR) doesn't change the underlying requirement at 45 CFR § 164.308(a)(1)(ii)(A) — and OCR has repeatedly reaffirmed that the absence of a current, written risk analysis is itself the most-frequently-cited Security Rule deficiency . This is the engineering view: what a defensible HIPAA risk assessment actually contains in 2026, how to model it, and what tooling fits the workflow. 1. The asset inventory is non-negotiable Every defensible HIPAA risk assessment starts with a complete inventory of where ePHI lives, where it flows, and who touches it. If you can't enumerate every system, every integration, and every workforce role that creates / receives / maintains / transmits ePHI, the rest of the assessment is built on sand. A minimal asset-inventory record per system: { "system_id" : "ehr-prod-01" , "system_type" : "ehr" , "ephi_states" : [ "create" , "receive" , "maintain" , "transmit" ], "data_classification" : "phi-high" , "hosting" : { "type" : "saas" , "vendor" : "epic" , "region" : "us-east-1" }, "workforce_roles_with_access" : [ "clinician" , "billing" , "admin" ], "integrations" : [ { "to" : "billing-system" , "protocol" : "hl7-fhir" , "direction" : "outbound" }, { "to" : "patient-portal" , "protocol" : "https-rest" , "direction" : "bidirectional" } ], "encryption_at_rest" : true , "encryption_in_transit" : true , "mfa_enforced" : true , "audit_log_destination" : "central-siem" , "ba_agreement_on_file" : true , "last_reviewed" : "2026-05-15" } If you don't have this, build it before you do anything else. The HHS-provided ONC SRA Tool walks through asset enumeration but it's optimized for s
AI 资讯
Applying Checkov to Terraform as Code – A TFSEC Alternative
Static Application Security Testing (SAST) is a critical practice in modern DevSecOps. While tools like SonarQube, Snyk, and Veracode are popular, this article focuses on GitHub CodeQL – a semantic code analysis engine that treats code as a database. We will apply it to a vulnerable Java Spring Boot application to detect SQL Injection and Path Traversal. 🤔 Why CodeQL? Unlike pattern-based scanners, CodeQL builds a relational database of your code, including abstract syntax trees, control flow graphs, and data flow graphs. This allows it to track tainted data across functions, classes, and files, drastically reducing false positives. 🚨 Target Application (Vulnerable Java App) Let's look at a simple REST API with two vulnerable endpoints. File: UserController.java package com.demo.controller ; import com.demo.model.User ; import org.springframework.beans.factory.annotation.Autowired ; import org.springframework.jdbc.core.JdbcTemplate ; import org.springframework.web.bind.annotation.* ; import java.nio.file.Files ; import java.nio.file.Paths ; import java.util.List ; @RestController @RequestMapping ( "/api" ) public class UserController { @Autowired private JdbcTemplate jdbcTemplate ; // Vulnerability 1: SQL Injection @GetMapping ( "/users" ) public List < User > getUsers ( @RequestParam ( "id" ) String userId ) { String sql = "SELECT * FROM users WHERE id = " + userId ; // Dangerous concatenation return jdbcTemplate . query ( sql , ( rs , rowNum ) -> new User ( rs . getString ( "id" ), rs . getString ( "name" ))); } // Vulnerability 2: Path Traversal @GetMapping ( "/file" ) public String readFile ( @RequestParam ( "filename" ) String filename ) throws Exception { return new String ( Files . readAllBytes ( Paths . get ( "/var/data/" + filename ))); } } 🛠️ Installing and Configuring CodeQL CLI You can run CodeQL locally to analyze your code before pushing it to a repository. 1. Download CodeQL from GitHub releases: wget [ https://github.com/github/codeql-cli-binaries/re
科技前沿
The US Has a Plan to Combat Screwworm. It Involves a Lot More Flies
Releasing sterilized flies can crash a local population of flesh-eating screwworms. But the US currently has limited capacity to produce them.
开发者
Google and FBI warn of ransomware group that sends fake IT workers to hack victims in person
Cybercriminals, part of a gang known as Silent Ransom Group, have sent people pretending to be IT support employees to law firms' offices, where the criminals have stolen data using USB drives or remote access tools.
AI 资讯
The Website Was Working Fine. The CMS Wasn't: Understanding Drupalgeddon2
Imagine you're responsible for a company's website. Everything seems healthy. Pages load quickly. Users can log in. Content editors publish articles every day. Customers aren't reporting problems. From the outside, everything looks perfect. But then one day you discover something surprising: Attackers don't care whether your website looks healthy. They care whether the software behind it is vulnerable. That's exactly what happened with Drupalgeddon2. One of the most significant CMS vulnerabilities in recent years. And one that still teaches valuable lessons for developers, DevOps engineers, and security professionals today. The Building Manager Analogy Imagine a large office building. The company hires a building manager. The manager handles: Visitors Deliveries Maintenance Schedules Room Access The employees don't worry about these details. They trust the manager. A Content Management System (CMS) works similarly. Instead of manually managing every page and article, organizations rely on a CMS. Website ↓ CMS ↓ Content The CMS becomes the central control system. And that's why it becomes such an attractive target. What Is Drupal? Drupal is an open-source Content Management System. Organizations use it to manage: Corporate websites Government portals Universities Media platforms Enterprise applications A simplified architecture looks like: Visitor ↓ Drupal ↓ Database ↓ Content Every request passes through Drupal. Which means Drupal becomes part of the application's attack surface. Why Attackers Love CMS Platforms Suppose an attacker discovers a vulnerability in: Custom Internal Tool Maybe a few organizations are affected. Now suppose they discover a vulnerability in: Popular CMS Thousands of organizations may be affected. Potentially millions of users. One vulnerability. Many targets. That's why CMS platforms receive so much attention. Understanding Drupalgeddon2 Drupalgeddon2 refers to: CVE-2018-7600 A Remote Code Execution vulnerability affecting Drupal. The import
AI 资讯
How OpenAI Built a Secure Windows Sandbox for Codex Agents
OpenAI details Codex Windows sandbox architecture, showing how SIDs, ACLs, restricted tokens, and dedicated sandbox accounts enable safe execution of autonomous coding tasks. The design balances isolation with real developer workflows and shows how OS security primitives must be composed for AI agents on local development environments. By Leela Kumili
AI 资讯
NSA said to be readying Anthropic’s Mythos for use in cyber operations
The U.S. eavesdropping agency is reportedly preparing Anthropic's Mythos for use in cyberattacks, despite a federal ban on using the AI model maker.
开发者
Top 10 Non-Human Identity Security Tools and Platforms for 2026
TL;DR: Non-human identities (service accounts, API keys, workload identities, certificates, OAuth apps, machine-to-machine access) now outnumber humans over 1:1 in most cloud-native orgs. The biggest security risks are unmanaged lifecycle, overprivileged access, and exposed credentials across SDLC and cloud environments, not just secret storage. The best NHI security tools in 2026 fall into four major categories: Secrets Detection and Exposure Prevention NHI Lifecycle and Governance Platforms Machine Identity and Certificate Management Vault and Authorization Extensions Most enterprises require layered coverage across detection, governance, and lifecycle automation. Adopting this multi-layered strategy enables organizations not only to find leaks but also to close the structural gaps that allow them to occur. Why Non-Human Identities Are the Fastest-Growing Attack Surface in 2026 In 2026, attackers rarely try to " hack passwords ". Instead, they exploit the massive, often unmonitored web of non-human identities (NHIs) that power modern automation. They specifically look for hardcoded API keys, overprivileged service accounts, stale OAuth tokens, misconfigured workload identities, unrotated certificates, and shadow SaaS integrations that slip through the cracks of traditional security programs. This is a problem because machine identities far outnumber human users. However, most security programs rely on frameworks designed for human-centric access. IAM Strategy for CISOs: Securing Non-Human Identities Thankfully, top non-human identity protection tools help secure this critical attack surface. By understanding the categories of enterprise NHI security solutions, you can build a strategy that provides complete visibility and robust security controls across your entire infrastructure. What Do Non-Human Identities (NHIs) Include Today? Non-human identities are the digital identities used by machines, services, and applications to authenticate and communicate with other
AI 资讯
Your Security Scanner Found 7 Missing Headers. Don't Fix Them Blindly.
Your security scanner just came back with 6 flagged items. All missing HTTP headers. You did what any reasonable developer does: Googled each one, copy-pasted the recommended config, and shipped a fix in 20 minutes. Job done. Security score green. PR merged. You also probably shipped at least two of them wrong. Here is the thing nobody tells you about HTTP security headers: knowing what to add is the easy part. Understanding why it matters, when it actually doesn't, and how a misconfigured one breaks your app in production — that's where most developers fall short. This isn't another "add these 7 headers to secure your app" post. This is the one that explains what's actually happening. First, The Contrarian Take Missing a security header is not automatically a vulnerability. If you do bug bounties, this will save you a rejection. If you're a dev, it'll save you from cargo-culting configs that don't apply to your app. Context is king. X-Frame-Options: DENY is a valid security header. YouTube doesn't use it. Because the entire point of YouTube is for people to embed its videos in iframes. Applying that header would break a core product feature. That's not a security oversight — it's a deliberate design decision. A missing Content-Security-Policy header is not a vulnerability in itself. It only becomes relevant if you already have an XSS problem to mitigate. CSP is defense-in-depth. Not a fix for a broken input sanitisation layer. This matters because a lot of developers (and worse, automated scanners) treat these headers like a binary checklist. Present = secure. Missing = vulnerable. Reality is messier than that. Now — with that said — let's talk about what each one actually does. #1. HTTP Strict Transport Security (HSTS) Most developers think HSTS is just "force HTTPS." It's more precise than that. When your app redirects http:// to https:// , that first request is still unencrypted. For a fraction of a second, on a public network, that window exists. An attacker on