BadHost – CVE-2026-48710: Starlette Host-Header Auth Bypass

https://badhost.org/

#HackerNews #BadHost #CVE-2026-48710 #Starlette #Security #Vulnerability #Auth #Bypass

BadHost - CVE-2026-48710 Starlette Host-Header Auth Bypass

Scan your Starlette or FastAPI server for CVE-2026-48710 (BadHost): a critical auth bypass via Host header injection affecting MCP servers, LLM proxies, AI agent frameworks, and thousands of Python ASGI applications.

CVE-2026-48710 - Nemesis - BadHost

Achievement unlocked: SSO for the hypervisor! 🎉

My Proxmox VE is now officially using Keycloak OIDC for authentication, and the setup is fantastic:

- Centralized Users: Managed alongside my other apps (Keycloak using my LDAP as the backend).

- Hardware MFA: Locked down with a FIDO2 stick from @nitrokey

- Unified Control: Centralized policies, logging, and RBAC across the board.

Another great improvement for my HomeLab/SelfHosting setup.

#Proxmox #Keycloak #DevOps #Auth #OpenID #Homelab #SelfHosted

JWT is a scam and your app doesn't need it

JWT promises stateless authentication and delivers neither. It's a cargo cult that makes your app slower, less secure, and harder to maintain — and almost every developer shipping it has no idea why.

Dusan Malusev

Noticed a pattern in signup data — users that registered and never came back. Checked the emails: all throwaway domains. Keycloak has no built-in setting for this, so I wrote an SPI extension.

Here's how it works:
https://mrbu.ch/articles/keycloak-block-disposable-email-extension/

#Keycloak #Java #opensource #security #auth

Every Disposable Email Is A Hole In Your Funnel

Disposable emails flood your signups with accounts that never convert. A small Keycloak SPI extension that blocks them at registration — no polling, no database changes, no custom themes.

Mr. Buch

Today, for the first time in a long while, I was pleasantly surprised by how much the quality of AI coding has improved. For the third time ever I tried to migrate NextAuth (4 and 5-beta) to a unified BetterAuth in a monorepo.

I had already broken my teeth on it twice.

Claude handled it just fine. It migrated the models and correctly resolved all the apps and conflicts. It didn't break anything in the API for the mobile app and, on the contrary, tuned up the web contract. So, ideal.

Everything works, and as a bonus I threw out some really ancient code.

#it #next #auth

From Supabase to Clerk to Better Auth

https://blog.val.town/better-auth

#WebDev #Auth #Programming

The perils of logging in

At the Cloud Next ’26 conference, Google introduced Google Cloud Fraud Defense, a trust platform for the agentic web and the next evolution of reCAPTCHA. It is responding to the new challenges posed by autonomous AI agents that independently carry out transactions on the web and open up new avenues for fraud.

Three main announcements:

Measuring agentic activity – a dashboard that identifies and analyzes […]

https://zdrojak.cz/zpravicky/google-cloud-fraud-defense-nova-generace-recaptcha/

I've got the script ready for a new video for the #juncotic #YouTube channel, for the Hardening course and the SSH course!

We continue with what I introduced in the previous video: 2FA with TOTP in SSH using google-authenticator and PAM.

This time: recovery mechanisms for when our phone ends up in the water 😅

Didn't see the previous video?

Here's the link so you can catch up 👇

https://youtu.be/QNeJ4a7powo

#2fa #totp #ssh #sshd #googleauthenticator #auth #pam #linux #infosec #ciberseguridad

Two-Factor on SSH: Configure TOTP as 2FA on Linux (Step by Step)

YouTube

I just started to use Ente Auth for 2FA. If it's good, I'll dump Aegis!

#2fa #Auth #login

How To Test And Verify If your YubiKey Is Genuine And Functioning As Designed

YouTube