Nginx introduces native support for ACME protocol

https://blog.nginx.org/blog/native-support-for-acme-protocol
312•phickey•4h ago•119 comments

PYX: The next step in Python packaging

https://astral.sh/pyx
79•the_mitsuhiko•1h ago•32 comments

OCaml as my primary language

https://xvw.lol/en/articles/why-ocaml.html
100•nukifw•1h ago•57 comments

Fuse is 95% cheaper and 10x faster than NFS

https://nilesh-agarwal.com/storage-in-cloud-for-llms-2/
20•agcat•46m ago•0 comments

FFmpeg 8.0 adds Whisper support

https://code.ffmpeg.org/FFmpeg/FFmpeg/commit/13ce36fef98a3f4e6d8360c24d6b8434cbb8869b
674•rilawa•9h ago•252 comments

Pebble Time 2* Design Reveal

https://ericmigi.com/blog/pebble-time-2-design-reveal/
124•WhyNotHugo•5h ago•55 comments

Launch HN: Golpo (YC S25) – AI-generated explainer videos

https://video.golpoai.com/
31•skar01•2h ago•48 comments

Cross-Site Request Forgery

https://words.filippo.io/csrf/
38•tatersolid•2h ago•8 comments

So what's the difference between plotted and printed artwork?

https://lostpixels.io/writings/the-difference-between-plotted-and-printed-artwork
142•cosiiine•6h ago•50 comments

Coalton Playground: Type-Safe Lisp in the Browser

https://abacusnoir.com/2025/08/12/coalton-playground-type-safe-lisp-in-your-browser/
74•reikonomusha•5h ago•25 comments

rerank-2.5 and rerank-2.5-lite: instruction-following rerankers

https://blog.voyageai.com/2025/08/11/rerank-2-5/
6•fzliu•1d ago•1 comments

ReadMe (YC W15) Is Hiring a Developer Experience PM

https://readme.com/careers#product-manager-developer-experience
1•gkoberger•3h ago

DoubleAgents: Fine-Tuning LLMs for Covert Malicious Tool Calls

https://pub.aimind.so/doubleagents-fine-tuning-llms-for-covert-malicious-tool-calls-b8ff00bf513e
60•grumblemumble•6h ago•18 comments

This website is for humans

https://localghost.dev/blog/this-website-is-for-humans/
366•charles_f•4h ago•175 comments

New treatment eliminates bladder cancer in 82% of patients

https://news.keckmedicine.org/new-treatment-eliminates-bladder-cancer-in-82-of-patients/
191•geox•4h ago•90 comments

The Mary Queen of Scots Channel Anamorphosis: A 3D Simulation

https://www.charlespetzold.com/blog/2025/05/Mary-Queen-of-Scots-Channel-Anamorphosis-A-3D-Simulation.html
57•warrenm•6h ago•13 comments

OpenIndiana: Community-Driven Illumos Distribution

https://www.openindiana.org/
53•doener•4h ago•44 comments

April Fools 2014: The *Real* Test Driven Development (2014)

https://testing.googleblog.com/2014/04/the-real-test-driven-development.html
74•omot•2h ago•13 comments

Google Play Store Bans Wallets That Don't Have Banking License

https://www.therage.co/google-play-store-ban-wallets/
29•madars•1h ago•10 comments

We caught companies making it harder to delete your personal data online

https://themarkup.org/privacy/2025/08/12/we-caught-companies-making-it-harder-to-delete-your-data
214•amarcheschi•6h ago•51 comments

DeepKit Story: how $160M company killed EU trademark for a small OSS project

https://old.reddit.com/r/ExperiencedDevs/comments/1mopzhz/160m_vcbacked_company_just_killed_my_eu_trademark/
20•molszanski•53m ago•6 comments

PCIe 8.0 Announced by the PCI-Sig Will Double Throughput Again – ServeTheHome

https://www.servethehome.com/pcie-8-0-announced-by-the-pci-sig-will-double-throughput-again/
47•rbanffy•3d ago•47 comments

29 years later, Settlers II gets Amiga release

https://gamingretro.co.uk/29-years-later-settlers-ii-finally-gets-amiga-release/
54•doener•1h ago•15 comments

Job Listing Site Highlighting H-1B Positions So Americans Can Apply

https://www.newsweek.com/h1b-jobs-now-american-workers-green-cards-2041404
30•walterbell•1h ago•9 comments

Claude says “You're absolutely right!” about everything

https://github.com/anthropics/claude-code/issues/3382
525•pr337h4m•13h ago•411 comments

A case study in bad hiring practice and how to fix it

https://www.tomkranz.com/blog1/a-case-study-in-bad-hiring-practice-and-how-to-fix-it
75•prestelpirate•3h ago•65 comments

Honky-Tonk Tokyo (2020)

https://www.afar.com/magazine/in-tokyo-japan-country-music-finds-an-audience
19•NaOH•4d ago•6 comments

New downgrade attack can bypass FIDO auth in Microsoft Entra ID

https://www.bleepingcomputer.com/news/security/new-downgrade-attack-can-bypass-fido-auth-in-microsoft-entra-id/
7•mikece•34m ago•1 comments

Gartner's Grift Is About to Unravel

https://dx.tips/gartner
91•mooreds•4h ago•44 comments

Claude Sonnet 4 now supports 1M tokens of context

https://www.anthropic.com/news/1m-context
1256•adocomplete•1d ago•664 comments

Cross-Site Request Forgery

https://words.filippo.io/csrf/
38•tatersolid•2h ago

Comments

nchmy•1h ago
I just discovered the Sec-Fetch stuff recently, due to Go 1.25's changelog. Very excited to start using it in some applications where tokens are currently used - what a hassle to deal with those.
jerf•1h ago
Cookies have been truly horrible. I check in on them every couple of years, because I don't do a lot of front-end but when I do it's often security-sensitive, and every single time I check in on them there's some new entry in "SameSite; NoSeriouslySecureHarder; WhoopsTheLastStandardWasNotGoodEnough=BeActuallySecure; AwwShitDidWeGetItRightLastTime=false" parade of attributes you need to send to get actually secure cookies.

No shade on the people implementing this stuff, I understand the backwards compatibility concerns, but I mean, keeping up with this stuff is harder than it should be. And thanks to backwards compatibility most of it still defaults open, though browsers have pecked at that as they can.

MajesticHobo2•48m ago
Not sure I agree with this part:

> Allow all GET, HEAD, or OPTIONS requests.

> These are safe methods, and are assumed not to change state at various layers of the stack already.

Plenty of apps violate this assumption and do allow GET requests to alter state.

chrisfosterelli•6m ago
IMO apps that do this have a bug, and possibly a security one. This causes issues with prefetching, bot traffic, caching, CSRF, and just plain violates HTTP standards.
akersten•47m ago
I'm not really grokking the explanation in the article of why the SameSite cookie attribute doesn't fix CSRF. I thought that was the whole design intent of SameSite=Secure on an HTTPS cookie, was to fix CSRF. Can someone boil it down?

The article seemingly says "these cookies won't be sent with an unsafe request. But that doesn't fix it!" And doesn't elaborate?

MajesticHobo2•42m ago
The problem boils down to the lack of equivalence between a site and an origin. The article explains how https://app.example.com and https://marketing.example.com may sit at very different trust levels, but are considered the same site by the browser. You don't want https://marketing.example.com to be able to make requests to https://app.example.com with your authentication cookies, but SameSite wouldn't prevent that.
dizlexic•30m ago
None of this matters when you can just lie...
cube2222•20m ago
I recently needed this and the implementation in the Go stdlib was perfect timing!

One thing is that it won’t work for WebSockets (which start as a GET, which is allowed as-is here) so I had to effectively copy out the implementation from the stdlib for that use case (which is not much - it’s a couple lines, really).
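An added example, written for this thread and not taken from the article, the Go standard library or any commenter, of the check the comments describe: safe methods pass, a WebSocket handshake is still checked even though it arrives as a GET (cube2222's case), and `Sec-Fetch-Site: same-site` is rejected so a sibling subdomain such as marketing.example.com cannot reach app.example.com with ambient cookies even though SameSite would allow it (MajesticHobo2's point). The Origin-against-Host fallback for browsers without Sec-Fetch headers, and the choice to let through requests that carry neither header, are design assumptions of this example.

```go
package main

import (
	"net/http"
	"net/url"
	"strings"
)

// isSafeMethod reports whether m is one of the methods the article treats as
// non-state-changing and therefore exempt from the check.
func isSafeMethod(m string) bool {
	return m == http.MethodGet || m == http.MethodHead || m == http.MethodOptions
}

// isWebSocketUpgrade detects a WebSocket handshake, which is a GET but opens a
// long-lived channel and so must not inherit the safe-method exemption.
func isWebSocketUpgrade(r *http.Request) bool {
	return strings.EqualFold(r.Header.Get("Upgrade"), "websocket")
}

// allowCrossOrigin decides whether r may proceed. Sec-Fetch-Site is
// authoritative when present: "same-site" is rejected along with
// "cross-site", because a sibling subdomain is not the same origin.
// "none" means a user-initiated navigation (typed URL, bookmark).
func allowCrossOrigin(r *http.Request) bool {
	if isSafeMethod(r.Method) && !isWebSocketUpgrade(r) {
		return true
	}
	switch r.Header.Get("Sec-Fetch-Site") {
	case "same-origin", "none":
		return true
	case "same-site", "cross-site":
		return false
	}
	// Assumption: older browsers send Origin but no Sec-Fetch-Site, so
	// compare the Origin host with the request Host instead.
	origin := r.Header.Get("Origin")
	if origin == "" {
		// Assumption: a client sending neither header is not a browser
		// fetch carrying ambient cookies, so there is no CSRF to block.
		return true
	}
	u, err := url.Parse(origin) // "null" parses with an empty host -> reject
	if err != nil {
		return false
	}
	return strings.EqualFold(u.Host, r.Host)
}
```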