Right now the problem is what the author already mentions - the use of Sec-Fetch-Site (FYI, HTTP headers are case insensitive :) - is considered defense in depth in OWASP right now, not a primary protection.
Unfortunately OWASP rules the world. Not because it's the best way to protect your apps, but because the corporate overloads in infosec teams need to check the box with "Complies with OWASP Top 10"
This was actually a mistake. If you look at the OWASP cheat sheet today you will see that Fetch Metadata is a top-level alternative to the traditional token-based protection.
I'm not sure I understand why, but the cheat sheet page was modified twice. First it entered the page with a top-level mention. Then someone slipped a revision that downgraded it to defense in depth without anyone noticing. It has now been reverted back to the original version.
HTTP/2, headers are not unique if they only differ by casing, but they must be encoded as lowercase.
Just as in HTTP/1.x, header field names are strings of ASCII characters that are compared in a case-insensitive fashion. However, header field names MUST be converted to lowercase prior to their encoding in HTTP/2. A request or response containing uppercase header field names MUST be treated as malformed (Section 8.1.2.6).[1]
HTTP/1.X, headers are insensitive to casing for reasons of comparison and encoding.
Each header field consists of a name followed by a colon (":") and the field value. Field names are case-insensitive.[2]
So, if Sec-Fetch-Site is sensitive at all, it would be sec-fetch-site when sending via HTTP/2 and you're responsive for encoding/decoding.
While you’re correct, corporate security teams demand suppliers “comply with OWASP,” despite this being a nonsensical statement to anyone who’d read the website.
Unfortunately, the customer purchasing your product doesn’t know this and (naturally) trusts their own internal experts over you. Especially given all their other suppliers are more than happy to state they’re certified!
I'm, uh, pretty familiar with the routine. I stand by what I said: you do not need any particular CSRF defense in place; you need to not have CSRF vulnerabilities. There's no OWASP checkbox-alike that requires you to have CSRF tokens, and plenty of real line-of-business apps at gigantic companies don't.
It's almost a rhetorical question, isn't it? Clearly, from both the original post, and this reporting, they are NOT safe to redeem.
In addition, it just re-emphasizes how tied we all are to these "digital lives". I used to do it without a blink, but now think twice before clicking "Login with Google/Apple".
> Strangely, he did tell me to only ever buy gift cards from Apple themselves
The Singapore Apple exec person who eventually reported the issue fixed provided the above advice, and I think it is the best advice given to anyone in this entire situation.
What can a normal person do? Only buy Apple gift cards from Apple, only buy Home Depot gift cards from Home Depot, et cetera.
That one piece of advice destroys a retail line of revenue that’s suffering massive endpoint fraud and removes the vast majority of risks to recipients of gift cards, and is simply explained to uninterested people that those conveniently-placed gift cards are bait cast by fishers for the unwary.
(I’d also sue the retailer in small claims court for selling a fraudulent product that didn’t perform as advertised.)
We chose to do a custom cache key to avoid modifying the origin host NextJS app as much as possible. If we had more confidence in modifying the host then I agree cache-tags would have been better.
Funny enough, my phone upgraded to iOS 26 tonight, and I am like - what is this garbage, who though this is a good idea? And lo and behold, now I know...
Immediately went Tinted mode, yet there is transparency where it shouldn't be, text overlays other text, etc...
26.1 feels significantly less laggy (UI frame rate), especially on low power mode, than 26.0.1. But it's still not back to 18.x level of performance. Battery seems to be improved on 26.1 over 26.0.1 also but that seems to be hardware-generation dependent.
Thank you. I would imagine the entire Fortune 500 list passes the line of "evil", drawing that line at AI is weird. I assume it's a mask for fear people have of their industry becoming redundant, rather than a real morality argument.
"Works with Google" in what way? And at what tome-frame? Even as someone who's actively decoupling from Google it's hard to truly de-Googlefy in this world as is.
You are not missing much. Yes there will be situations where AI won’t be helpful, but that’s not a majority
Used right, Claude Code is actually very impressive. You just have to already be a programmer to use it right - divide the problem into small chunks yourself, instruct it to work on the small chunks.
Second example - there is a certain expectation of language in American professional communication. As a non native speaker I can tell you that not following that expectation has real impact on a career. AI has been transformational, writing an email myself and asking it to ‘make this into American professional english’
"Unfortunately, as a result, FingerprintJS was no longer so easily accessible to the developer community. We heard your feedback — now, all new code updates to FingerprintJS are under the MIT license. We want to ensure the latest in browser fingerprinting technology is accessible and available to all developers and businesses to help fight against fraud."
NPM has public download numbers, which can be used as a proxy for popularity and usage of library. The 2023 change is clearly visible: https://npmtrends.com/@fingerprintjs/fingerprintjs (Switch to "All time") Interestingly, it seems the downloads picked up earlier in 2025 again...
Unfortunately OWASP rules the world. Not because it's the best way to protect your apps, but because the corporate overloads in infosec teams need to check the box with "Complies with OWASP Top 10"
reply