Mastodawn

More and more websites want proof you’re human. Blame the bots
#AI #Cybersecurity #CAPTCHA #Technology #Internet #Bots #OnlineSecurity #DigitalSecurity #MachineLearning #Privacy #Spam #Automation #WebSecurity #Tech #CyberAttack #DataProtection #Innovation
https://the-14.com/more-and-more-websites-want-proof-youre-human-blame-the-bots/

More and more websites want proof you’re human. Blame the bots | The-14

Websites increasingly ask users to prove they are human as AI-powered bots grow smarter, faster and harder for online systems to detect.

The-14 Pictures

Manuel Bissey 1d ago

An 18-year-old flaw in the NGINX rewrite module is still exposing systems today - legacy code never really disappears, it just waits to be rediscovered. 🕰️⚠️ #WebSecurity #LegacyRisk

https://thehackernews.com/2026/05/18-year-old-nginx-rewrite-module-flaw.html

18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE

NGINX Rift CVE-2026-42945 scores 9.2 after 18 years, enabling unauthenticated RCE or DoS via crafted HTTP requests.

The Hacker News

OffSequence 2d ago

🚨 CVE-2026-2347 — CRITICAL auth bypass in Akilli Commerce E-Commerce Website <4.5.001 via user-controlled key. Session hijack risk. No patch yet — restrict access, monitor sessions. https://radar.offseq.com/threat/cve-2026-2347-cwe-639-authorization-bypass-through-fe0b7401 #OffSeq #CVE20262347 #infosec #websecurity

PPC Land 2d ago

FYI: Chrome on Android now lets users share approximate location with websites: Chrome for Android adds approximate location sharing, giving users a middle-ground privacy option between full location access and denial for website requests. https://ppc.land/chrome-on-android-now-lets-users-share-approximate-location-with-websites/ #Chrome #Android #Privacy #LocationSharing #WebSecurity

Chrome on Android now lets users share approximate location with websites

Chrome for Android adds approximate location sharing, giving users a middle-ground privacy option between full location access and denial for website requests.

PPC Land

Javed A. Butt 3d ago

The one header I didn't add yet: CSP.

For sites that render untrusted input it mitigates an active surface. For a static site it guards against rarer-but-bigger events: a compromised analytics script, a poisoned CDN, a future change that adds an input path.

Astro 6 added an integration for what it emits; iframes, external fonts, and third-party services stay manual. Will inshallah follow when the audit fits.

#CSP #WebSecurity #Astro #StaticSite

World Wide Web Consortium 3d ago

📆 21 May 2026, 16:00–16:10 CDT
"What Are Web Developers Doing About Security?" by @torgo at Open Source SSF Community Day, Minneapolis, MN, USA 🇺🇸

The W3C SWAG community group ran a survey to see what web security features and technologies web developers are using and how they're using them. This talk will be a brief introduction to SWAG, an overview of the surprising results, and what it means for the work ahead.
https://www.w3.org/events/talks/2026/what-are-web-developers-doing-about-security/
#WebStandards #WebSecurity #OpenSSFCommunity

Javed A. Butt 3d ago

Enabled HSTS with includeSubDomains and preload.

The cost is real and one-way: every current and future subdomain must serve HTTPS or become unreachable. Removal from the preload list is in browser-release hands, not yours.

Accepted because the site is HTTPS-only by intent and Caddy provisions certs for every subdomain automatically via Let's Encrypt.

#HSTS #WebSecurity #Caddy #SelfHosting