JWT and Token Authentication: A Practical Security Guide
JWT structure, RS256 vs HS256, the alg:none vulnerability, refresh token rotation, token revocation strategies, and secu
Engineering deep-dives, security architecture, and practical infrastructure guides from the 47Network team. We publish when we have something worth saying — not on a schedule.
A practical five-level framework for diagnosing your QA maturity — from zero tests to full CI/CD pipeline integration. Where most teams actually sit, and the highest-impact change to make at each level. By TestGate Studio.
RAIDZ2 pool design, dataset hierarchy, compression, snapshots, send/receive replication, scrubs, and ECC RAM — the ZFS s
Label design, LogQL queries, Promtail pipeline stages, correlation with Prometheus metrics, and production deployment pa
Auto-instrumentation, manual spans, context propagation, exporting to Jaeger and Grafana Tempo, and the tracing setup us
Data minimisation, consent mechanisms, right-to-erasure implementation, audit logging for GDPR, and the compliance engin
How Tailscale works, when to self-host the control plane with Headscale, ACLs for zero-trust network policy, and subnet
HTTP-01 vs DNS-01 challenges, wildcard certificates, Nginx TLS hardening, auto-renewal, and Prometheus expiry alerting.
Idempotent playbooks, roles, inventory management, Ansible Vault, and rolling update patterns for self-hosted server fle
Virtual user ramps, thresholds, authenticated scenarios, InfluxDB output, and the five test types every production syste
Page Object Model, auth fixtures, parallel execution, network interception, and CI sharding — the Playwright patterns be
PromQL for the RED and USE methods, Loki log correlation, alert rules from panels, variable templating, and dashboard organisation
WebAuthn registration and authentication flows, resident keys, cross-device passkeys, attestation, and fallback strategy for produ
Self-hosted runners, Vault secrets injection, environment protection gates, reusable workflows, and artifact-based rollback for pr
Connection pooling, cache invalidation, BullMQ job queues, pub/sub for real-time events, sorted-set rate limiters, and R
Encrypted deduplicated Restic backups to S3-compatible storage, retention policies, integrity verification, and automate
TLS termination with OCSP stapling, three rate-limiting zones for auth and API endpoints, upstream health checks, JSON l
Key-only auth, modern algorithm configuration, fail2ban, user and network restrictions, a complete sshd_config, and when to graduate from static keys to Teleport.
Connection pooling with PgBouncer, partial and covering indexes, reading EXPLAIN ANALYZE output, VACUUM tuning for high-churn tables, and the postgresql.conf knobs that actually matter.
WireGuard is simpler and faster than OpenVPN or IPsec. Full site-to-site config, subnet routing, key rotation, and split-horizon DNS.
SPF authenticates sending IPs, DKIM signs message content, DMARC ties them together — and none of them work properly if you deploy them in the wrong order.
Phony targets, automatic variables, pattern rules, and a self-documenting help target. The Make conventions that turn a cryptic Makefile into something new team members can use in five minutes.
The most common Prometheus failure is alert fatigue from false positives. For loops, multi-window burn rate, and SLO-based alerting that fires when something is actually wrong.
Storage configuration, HA clustering, Proxmox Backup Server, IPMI fencing, and the network mistakes that take down nodes at 3am.
Why Argon2id won the Password Hashing Competition, how to benchmark and tune its parameters correctly, and when staying on bcrypt is still acceptable.
Cryptographic chaining, write-once storage, external anchoring, and append-only PostgreSQL enforcement — the architecture of audit logs that withstand forensic scrutiny.
The specific failure modes of env-var secrets, Vault's dynamic credentials model, AppRole auth, the Agent Injector for Kubernetes, and the six things that break during migration.
When Compose is the right answer and when Kubernetes earns its complexity budget — based on team size, operational capacity, and what failure actually costs you.
Realm setup, OIDC client config, MFA with TOTP, production hardening, and the gotchas nobody warns you about — for teams of 5 to 100. Based on real Studio deployments.
The tamper-proof audit trail, deterministic skill orchestration, OpenClaw protocol, and self-hosting constraints that shape Sven Agent's architecture.
Kernel-level network filtering with eBPF and XDP — no firewall appliance required. How Traffic Sentinel, NetMapper, and DNS resilience work under the hood.
Most zero-trust literature assumes a 500-person security team and a six-figure tooling budget. Here's how we implement production-grade zero-trust for 20-person organisations.
How 47Comms handles multi-tenant SMS routing, consent management, carrier failover, and PBX bridging — without vendor lock-in or shared infrastructure.
Matrix has matured significantly. Dendrite is production-ready for small deployments. Element X is genuinely good. An honest assessment of the current self-hosting experience.
PassVault stores nothing it could use to read your passwords. The exact cryptographic construction: how keys are derived, how vault items are encrypted, and why our servers are useless to an attacker.