🔐 Joomla has a native plugin that can improve the security of your site A LOT… and almost nobody uses it properly. HTTP Headers, HSTS, CSP, X-Frame… This Wednesday I'll explain how to configure it without breaking anything 😉 #Joomla #SeguridadWeb #HTTPHeaders
2
22
The one video player package that works very well with HLS playback doesn't natively allow httpHeaders, so I guess I'll fork it. Bweh.
6
166
2 Oct 2025
What if I told you that one small change in your dev setup could turn painful blockchain builds into smooth, repeatable deployments and unlock TRON’s full power? That was my reality when I switched my toolchain. Here’s how it transformed my developer journey. 👇

✳️ The Early Struggle
Like most blockchain devs, I started with high hopes. But building on TRON wasn’t easy at first. I bounced between TronBox, custom scripts, and Ethereum-first tooling, and the results were frustrating:
➠ Tests kept breaking.
➠ Deployments failed randomly.
➠ Onboarding teammates was messy and slow.
Sound familiar? You’re not alone.

✳️ The Turning Point
The game-changer came when I discovered the @layerzerolabs/hardhat-tron plugin. This plugin seamlessly integrates TRON into the Hardhat workflow. Suddenly, compiling, testing, and deploying to the Nile Testnet or TRON Mainnet felt just as easy as working on Ethereum. No hacks. No weird workarounds. Just smooth dev experience.

Quick Demo: A Starter Project
You can try this out in minutes. Here’s the starter repo: 👉 github.com/aziz1975/layer…
Setup steps:
    git clone github.com/aziz1975/layer...
    cd layerzero-hardhat-tron
    npm install
Then configure your .env:
    TRON_PRIVATE_KEY=your_key_here
    TRON_PRO_API_KEY=your_api_here

※ Example Smart Contract (Greeter.sol)
    // SPDX-License-Identifier: MIT
    pragma solidity ^0.8.23;

    contract Greeter {
        string private _greeting;

        constructor(string memory g) {
            _greeting = g;
        }

        function greet() external view returns (string memory) {
            return _greeting;
        }

        function setGreeting(string memory g) external {
            _greeting = g;
        }
    }
A super simple contract — perfect for learning the workflow.

※ Hardhat Config (hardhat.config.cjs)
    tronSolc: {
      enable: true,
      compilers: [{ version: '0.8.23' }],
    },
    networks: {
      nile: {
        url: "nile.trongrid.io/jsonrpc",
        accounts: [process.env.TRON_PRIVATE_KEY],
        httpHeaders: { "TRON-PRO-API-KEY": process.env.TRON_PRO_API_KEY },
        tron: true,
      },
    },
Pro tip: Always match your Solidity version with tronSolc to avoid unexpected errors.

Deployment Script (Hardhat Deploy)
    await deploy('Greeter', {
      from: deployer,
      args: ['Hello TRON!'],
      log: true,
    });
Run these commands:
    npx hardhat compile
    npx hardhat test
    npx hardhat deploy --network nile

Framework for Success: PLAN → BUILD → SHIP
➩ PLAN → Set compiler version, grab test TRX from Nile faucet, secure keys in .env.
➩ BUILD → Start small. Write contracts, test with Mocha/Chai, integrate Hardhat-TRON.
➩ SHIP → Deploy to Nile, test behavior, then push to Mainnet with confidence.

Best Practices to Save You Headaches
✅ Never hardcode private/API keys (use .env).
✅ Keep Nile & Mainnet configs separate.
✅ Tag deploy scripts for reproducibility.
✅ Always test energy costs on TVM before scaling big.

The Resolution
Once I switched to Hardhat TRON, my workflow went from debugging nightmares → clean, reproducible deployments in hours. The payoff? A rock-solid foundation to build dApps, DeFi protocols, NFT projects, and cross-chain applications — while helping grow TRON’s decentralized ecosystem.

Resources for You
➾ Hardhat-TRON Plugin → npmjs.com/package/@layer…
➾ Hardhat Deploy → npmjs.com/package/@layer…
➾ TRON Dev Hub → developers.tron.network
➾ Demo Repo → github.com/aziz1975/layer…

If you’ve been struggling to build on TRON, the solution might just be one plugin away. @justinsuntron @trondao #TRONEcostar
61
11
22
25,295
Have you ever wondered what your developer journey would look like if you made one small change — like switching your toolchain — and suddenly, instead of struggling, you’re shipping live on a blockchain? That was my story with TRON.

The developer struggle
But like many devs, my first attempts at building on TRON were rough. I bounced between TronBox, custom scripts, and Ethereum-first tooling. Tests broke. Deployments failed. Onboarding new teammates was painful. Sound familiar?

The turning point
The breakthrough came when I discovered the @layerzerolabs/hardhat-tron plugin. This tool integrates TRON directly into the Hardhat workflow, making compiling, testing, and deploying smart contracts to the Nile Testnet or Mainnet feel as seamless as working on Ethereum.

Quick demo project
Here’s a starter repo: 👉 github.com/aziz1975/layerzer…
Setup is simple:
    git clone github.com/aziz1975/layerzer…
    cd layerzero-hardhat-tron
    npm install
Then configure your .env with:
    TRON_PRIVATE_KEY
    TRON_PRO_API_KEY

Example smart contract (Greeter.sol)
    // SPDX-License-Identifier: MIT
    pragma solidity ^0.8.23;

    contract Greeter {
        string private _greeting;

        constructor(string memory g) {
            _greeting = g;
        }

        function greet() external view returns (string memory) {
            return _greeting;
        }

        function setGreeting(string memory g) external {
            _greeting = g;
        }
    }
A simple, testable contract — perfect for learning the workflow.

Hardhat config (hardhat.config.cjs)
    tronSolc: {
      enable: true,
      compilers: [{ version: '0.8.23' }],
    },
    networks: {
      nile: {
        url: "nile.trongrid.io/jsonrpc",
        accounts: [process.env.TRON_PRIVATE_KEY],
        httpHeaders: { "TRON-PRO-API-KEY": process.env.TRON_PRO_API_KEY },
        tron: true,
      },
    },
⚡ Pro tip: Always match Solidity and tronSolc versions.

Deployment script with Hardhat Deploy
    await deploy('Greeter', {
      from: deployer,
      args: ['Hello TRON!'],
      log: true,
    });
Run:
    npx hardhat compile
    npx hardhat test
    npx hardhat deploy --network nile

References:
Hardhat Deploy Plugin → npmjs.com/package/@layerzero…
TRON Dev Hub → developers.tron.network/

A reusable framework: PLAN → BUILD → SHIP
🔹 PLAN → set compiler version, get test TRX from Nile faucet, secure .env.
🔹 BUILD → write small contracts, test with Mocha/Chai, integrate Hardhat-TRON.
🔹 SHIP → deploy to Nile, verify behavior, then push to Mainnet with a separate config.

Best practices
Never hardcode private/API keys — use .env.
Keep Nile & Mainnet configs separate to avoid errors.
Tag deploy scripts with hardhat-deploy for reproducibility.
Always test energy costs on TVM before scaling.

The resolution
With Hardhat TRON, I went from debugging nightmares to smooth, reproducible deployments in hours. The payoff? A strong foundation to build dApps, DeFi, NFTs, and cross-chain protocols — while contributing to the broader vision of a decentralized internet.

Resources for you
If you’re ready to skip the friction and ship faster on TRON, here are the links again:
LayerZero Hardhat TRON Plugin → npmjs.com/package/@layerzero…
Hardhat Deploy → npmjs.com/package/@layerzero…
TRON Developer Hub → developers.tron.network/
GitHub Demo Repo → github.com/aziz1975/layerzer…
@justinsuntron @trondao
31
19
57
32,838
12 Sep 2025

27
47
127
18,333
🖥️ Headers You Should Always Check
• X-Frame-Options: Missing → Clickjacking
• Strict-Transport-Security: Prevent MITM
• X-Content-Type-Options: Stops MIME sniffing
• Referrer-Policy: Avoid leaking URLs
• Content-Security-Policy: Blocks XSS
🔬 Headers often hide security gaps. #BugBounty #WebSecurity #HTTPHeaders
12
80
3,623
Always use Content Security Policy (CSP) headers to block XSS & injection attacks 💥 ✅ Blocks inline scripts ✅ Stops data leaks ✅ SEO-safe secure #WebSecurity #CSP #XSS #SecureCoding #HTTPHeaders #FrontendSecurity #WebDev #OWASP #SEOTips #CyberSecurity #AppSec
2
87
Final chain:
1. Bypassed origin checks via request flooding
2. Used CSPT to modify API paths
3. Exploited $httpHeaders to set Content-Type
4. Extracted sensitive data from API responses
1
2
6
902
Spamming requests caused it to sometimes return both domain=google and domain=attacker, breaking validation, and '//' allowed modifying API paths. Google RPC APIs accept $httpHeaders, so we set Content-Type: application/x-protobuf to take full control of the request.
2
1
7
1,440
HackerNotes TLDR for episode 115! Link for the entire blog post below.

XSS in Excalidraw:
What inspired @Mokusou4 to look for this bug was that he noticed Excalidraw had some XSS issues, after reading reports by @spaceraccoonsec and @elmehdimee. Looking at the source code, he found string concatenations when importing SVGs from external hosts. Since Excalidraw is a whiteboard where you can't just type in XSS, he had to find other ways the app interacts with uploaded content. He discovered that by uploading a malicious file and adding it to an Excalidraw library, the XSS would trigger whenever someone opened that library. Cool bug!

"A Google Bug":
So and Justin found a widely-used Google iframe component where origin checks were tricky due to its flexibility across products. This let them access postMessage handlers. The iframe made requests to Google's API with an auto-included Auth header. They found it sent two requests: one with a `?domain=` parameter for origin checking, and another for the API call. Using Intruder, they discovered sometimes both `domain=google.com` and `domain=attacker.com` would get through. Through CSPT they could access any API endpoint, and using $httpHeaders in Google's RPC interface, they set the content-type to application/x-protobuf.

The chain:
- Used $httpHeaders for the right content-type
- Hit any RPC endpoint via CSPT
- Bypassed domain checks
- Controlled the request body
- Got sensitive data in the response

Live Mentorship:
In the live mentorship segment, Justin shares his mentoring approach and tips for bug hunters:
> Understanding their bug bounty career goals
> Pentester vs Bug Bounty Hunter comparison:
- Pentesters enjoy stable salary but often work on routine projects
- Bug hunters get more freedom but deal with income uncertainty
> Tip for aspiring full-time bug hunters:
- Keep a business account and pay yourself a monthly salary
- This gives you space to explore new research areas without stress
- Even Justin says the pressure to find bugs is always there - you just learn to relax!

Bring a Bug(3):
Justin shared an XSS bug he found with So that worked in an unusual way. They found a <base> tag auto-generating in innerHTML. This tag sets the base URL for relative links, but when values went into its href attribute, a forward slash was added first, making it a PATH (like url.tld/path/injected-value). Regular bypasses like "//" and backslashes didn't work, so they tried HTML entities. Instead of using `&#HEX;` (since "#" breaks paths), they used entity names like `&lt;`. This let them use the <base> tag to load their payload from a location they controlled.

Read the entire post here: blog.criticalthinkingpodcast…

5
53
2,855
Although frequently misunderstood, the HTTP Cache-Control header is crucial because it specifies caching mechanisms within requests and responses. In its typical format, it reveals details as to how resources are stored, the location of the resource and the maximum age before expiring… In our latest blog post, Kieran Larking highlights that the No-cache directive does not prevent caching and looks at typical caching behaviour directives and how to correctly use these directives to balance performance and security: pentestpartners.com/security… #Caching #CacheControl #WebPerformance #WebSecurity #HTTPHeaders #Cybersecurity #DeveloperGuide #HTTP
2
4
319
8 Feb 2025
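A response-header audit that encodes both the header checklist post above (X-Frame-Options, Strict-Transport-Security, X-Content-Type-Options, Referrer-Policy, Content-Security-Policy) and the Cache-Control point from the Pen Test Partners post (`no-cache` only forces revalidation; `no-store` is what stops a sensitive response from being stored). This is an added example, not code from any of the posts or the blog linked; the two header sets at the bottom are constructed samples, and the thresholds (one-year HSTS max-age, the Referrer-Policy values accepted) are common hardening guidance assumed here rather than anything the posts state.

```python
"""Audit an HTTP response's security and caching headers (added example)."""
from typing import Dict, List

ONE_YEAR = 31536000  # seconds; assumed minimum for HSTS max-age (common guidance)

# Referrer-Policy values that never send the full URL to another origin.
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                 "strict-origin-when-cross-origin"}


def parse_directives(value: str, sep: str = ",") -> Dict[str, str]:
    """Parse 'a, b=1' (Cache-Control) or 'a; b=1' (HSTS) into a lower-cased
    name -> argument dict; directives without an argument map to ''."""
    out: Dict[str, str] = {}
    for part in value.split(sep):
        part = part.strip()
        if part:
            name, _, arg = part.partition("=")
            out[name.strip().lower()] = arg.strip().strip('"')
    return out


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Parse a CSP into directive -> source list, e.g. 'script-src' -> ["'self'"]."""
    out: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def audit_headers(headers: Dict[str, str], sensitive: bool = False) -> List[str]:
    """Return a list of findings for one response (empty list = no gaps found).
    Header names are matched case-insensitively. `sensitive` marks a response
    carrying per-user data, for which a storable Cache-Control is a finding."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    csp = parse_csp(h.get("content-security-policy", ""))
    xfo = h.get("x-frame-options", "").strip().upper()
    if not xfo and "frame-ancestors" not in csp:
        findings.append("X-Frame-Options missing and no CSP frame-ancestors: clickjacking")
    elif xfo and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options value {xfo!r} is not DENY/SAMEORIGIN")

    hsts = parse_directives(h.get("strict-transport-security", ""), sep=";")
    if not hsts:
        findings.append("Strict-Transport-Security missing: HTTPS downgrade/MITM exposure")
    elif not hsts.get("max-age", "").isdigit() or int(hsts["max-age"]) < ONE_YEAR:
        findings.append("Strict-Transport-Security max-age below one year")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff': MIME sniffing possible")

    rp = h.get("referrer-policy", "").strip().lower()
    if rp not in SAFE_REFERRER:
        findings.append(f"Referrer-Policy {rp or 'missing'!r} may leak full URLs")

    if not csp:
        findings.append("Content-Security-Policy missing: no XSS/injection containment")
    else:
        scripts = csp.get("script-src", csp.get("default-src", []))
        if "'unsafe-inline'" in scripts:
            findings.append("CSP script-src allows 'unsafe-inline': inline scripts not blocked")

    # no-cache means "revalidate before reuse"; only no-store prevents storage.
    cc = parse_directives(h.get("cache-control", ""))
    if sensitive and "no-store" not in cc:
        findings.append("Cache-Control lacks no-store: no-cache only forces revalidation, "
                        "the response can still be stored")
    return findings


# Constructed sample responses: a weak header set and its hardened counterpart.
WEAK_HEADERS = {
    "Content-Type": "application/json",
    "Cache-Control": "no-cache",  # still storable, merely revalidated
    "Referrer-Policy": "unsafe-url",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
}

HARDENED_HEADERS = {
    "Content-Type": "application/json",
    "Cache-Control": "no-store, max-age=0",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"{name}:")
        for finding in audit_headers(hdrs, sensitive=True) or ["no findings"]:
            print("  -", finding)
```

Run it as a script to see six findings for the weak set and none for the hardened set; to use it against a live response, pass the response's header mapping (any case) to `audit_headers` and set `sensitive=True` for endpoints that return per-user data.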
I like how every property on HttpHeaders ends in header. like who knew that HttpHeaders.authorization could be anything other than a header. Glad it's called HttpHeaders.authorizationHeader to make sure there are no mistakes
4
40
3,529
Plenty of people say "I can use Spring" yet don't seem able to write interceptors, filters, or security config. There are handy Util classes, and they still write their own. And you're not writing "application/json" as a string literal instead of using HttpHeaders, right?
These days I never see anything built without a framework except ultra-simple batch jobs, so an old-timer who can't use frameworks at all is in the same position a COBOLer was in during Java's heyday...
1
6
1,080
15 Oct 2024
Replying to @Nekrolm
There was a library/package whose version apparently wasn't quite compatible with the local curl, or was buggy with it, so any attempt to close the curl object that had HTTPHEADERS set was killing everything. I installed the same package with the compile option and it worked.
2
3
213
#Java @SpringFramework Tip: when creating standard HttpHeaders for Spring MVC Responses instead of providing them as Strings some have dedicated Builders which allow you to create the headers in a more type-safe way. See HttpHeaders set() methods which you can configure that way.
16
171
10,347
9 Jun 2024
"Learn how to add HTTP headers to requests in Angular with functional interceptors! Author Dany Paredes shares a better alternative to repeating code in every request. #Angular #HTTPHeaders #Interceptors" ift.tt/r4jQqoV

13
24 Jan 2024
I swear to god docker is the most redacted piece of software in the entire universe of possible turing complete programs. Straight from the config - "HttpHeaders": {"redacted": "redacted"}, "auths": {"redacted": "redacted"},
1
3
605
One example in Spring is creating a builder to construct the HttpHeaders for requests, which normally always need to contain the Authorization token, the user ID, the API key… So it's easier to extract that into a builder, and it avoids duplicating that construction all over the code!
1
13
861