Production Docker: Dropping Alpine for Distroless to kill CVEs and bloated layers
If you run a vulnerability scan on your "slim" production images right now, the results might terrify you. I recently audited a fleet of …
Istio 503: Debugging mTLS Handshake Failures & Automating Rotation
It started with a sudden spike in 503 errors on our payment gateway service. The Kubernetes pods were running, resources were healthy, but the logs…
JWT 보안: XSS로 털린 리프레시 토큰, Rotation 전략으로 막아낸 실전 코드
최근 금융 도메인의 인증 시스템 을 고도화하던 중, 모의 해킹(Penetration Test)에서 치명적인 시나리오가 보고되었습니다. 공격자가 XSS(Cross-Site Scripting) 취약점을 통해 사용자의 Refresh Token 을 탈취했을 때, Acces…
Stopping JWT Theft: Implementing Refresh Token Rotation with Reuse Detection
The security audit report landed on my desk on a Friday afternoon, and it wasn't pretty. While our access token expiration was tight (15 minutes…