@hammadxcm

From Singleton AuditService to Event-Driven AuditModule: A Decoupling Story

May 23 · 10 min read · From Singleton AuditService to Event-Driven AuditModule: A Decoupling Story Every codebase I've worked on for more than six months has an AuditTrailService somewhere. It starts life as a helpful singl

CSRF Double-Submit Cookies: The Underrated Defense for Same-Origin SaaS

May 22 · 10 min read · The first time a pen tester filed a CSRF finding against a portal I owned, my reaction was the same as everyone else's: "We're SameSite=Lax. Aren't we fine?" We weren't fine. And the fix wasn't the fr

CSP Headers in Practice: Lessons From a Real Security Audit Pass

May 16 · 8 min read · CSP Headers in Practice: Lessons From a Real Security Audit Pass The first time I deployed a strict Content Security Policy in production, the application broke in three places nobody had ever thought

HMAC Request Signing for Third-Party Webhook Security

May 13 · 8 min read · HMAC Request Signing for Third-Party Webhook Security Webhook endpoints are the most under-secured class of route in most codebases. They take requests from the internet, often without a session, ofte