
A modern approach to preventing CSRF in Go

https://www.alexedwards.net/blog/preventing-csrf-in-go
48•todsacerdoti•15h ago

Comments

truth_seeker•1h ago
https://simonwillison.net/2025/Oct/15/csrf-in-go/
teiferer•1h ago
CSRF: Cross-Site Request Forgery

From https://developer.mozilla.org/en-US/docs/Web/Security/Attack...

In a cross-site request forgery (CSRF) attack, an attacker tricks the user or the browser into making an HTTP request to the target site from a malicious site. The request includes the user's credentials and causes the server to carry out some harmful action, thinking that the user intended it.

NewJazz•1h ago
Do most languages have good support for TLS 1.3 as the client?
ale•1h ago
Are CSRF attacks that common nowadays though? Even if your app is used by the 5% of browsers that don’t set the Origin header, the chances of that being exploited are even more minuscule. Besides, most webdevs reach for token-based auth libraries before even knowing how to set a cookie header.
monster_truck•57m ago
Yes
tankenmate•22m ago
I would never rely on headers such as "Sec-Fetch-Site"; having security rely on client-generated (correct) responses is just poor security modelling (don't trust the client). I'll stick to time-bounded HMAC cookies; then you're not relying on the client properly implementing any headers, and it will work with any browser that supports cookies.

And having TLS v1.3 should be a requirement; no HTTPS, no session, no auth, no form (or API), no cookie. And having HSTS again should be default but with encrypted connections and time bounded CSRF cookies the threat window is very small.

nmadden•16m ago
Enforcing TLS 1.3 seems like a roundabout way to enforce this. Why not simply block requests that don’t have an Origin/Sec-Fetch-Site header?
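As an added example, not code from the linked post or from any commenter, here is a small Go program that shows both mechanisms the thread argues about: the time-bounded, session-bound HMAC token that tankenmate prefers, and the Sec-Fetch-Site/Origin check that nmadden suggests. The function names (checkFetchMetadata, issueToken, verifyToken, newRequest), the origin https://app.example, the session id and the request URL are assumptions constructed for the example; the HMAC key is generated at startup and stays server-side.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"net/http"
	"time"
)

// checkFetchMetadata rejects state-changing requests that the browser marks as
// cross-site. Sec-Fetch-Site is consulted first; Origin is the fallback for
// clients that do not send it. Requests carrying neither header are refused.
// allowedOrigin is the site's own origin, e.g. "https://app.example" (constructed).
func checkFetchMetadata(r *http.Request, allowedOrigin string) error {
	switch r.Method {
	case http.MethodGet, http.MethodHead, http.MethodOptions:
		return nil // safe methods must not change state, so no CSRF check
	}
	switch r.Header.Get("Sec-Fetch-Site") {
	case "same-origin", "none": // "none" = user-initiated navigation (typed URL, bookmark)
		return nil
	case "same-site", "cross-site": // same-site is rejected on purpose: sibling subdomains are not trusted
		return errors.New("cross-site request rejected by Sec-Fetch-Site")
	}
	origin := r.Header.Get("Origin")
	if origin == "" {
		return errors.New("request carries neither Sec-Fetch-Site nor Origin")
	}
	if origin != allowedOrigin {
		return errors.New("Origin does not match this site")
	}
	return nil
}

// issueToken mints a time-bounded CSRF token bound to the caller's session:
// base64url(expiry || HMAC-SHA256(key, sessionID || expiry)), where expiry is
// 8 big-endian bytes of unix seconds. The fixed width keeps the two MAC inputs
// from being confused with each other.
func issueToken(key []byte, sessionID string, ttl time.Duration, now time.Time) string {
	var expiry [8]byte
	binary.BigEndian.PutUint64(expiry[:], uint64(now.Add(ttl).Unix()))
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(sessionID))
	mac.Write(expiry[:])
	return base64.RawURLEncoding.EncodeToString(append(expiry[:], mac.Sum(nil)...))
}

// verifyToken checks format, expiry and signature against the presenting
// session. hmac.Equal is a constant-time comparison.
func verifyToken(key []byte, sessionID, token string, now time.Time) error {
	raw, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil || len(raw) != 8+sha256.Size {
		return errors.New("malformed token")
	}
	if now.Unix() > int64(binary.BigEndian.Uint64(raw[:8])) {
		return errors.New("token expired")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(sessionID))
	mac.Write(raw[:8])
	if !hmac.Equal(mac.Sum(nil), raw[8:]) {
		return errors.New("token signature invalid for this session")
	}
	return nil
}

// newRequest builds a request to a constructed URL with the given headers,
// standing in for what a browser would send.
func newRequest(method string, headers map[string]string) *http.Request {
	r, err := http.NewRequest(method, "https://app.example/transfer", nil)
	if err != nil {
		panic(err)
	}
	for k, v := range headers {
		r.Header.Set(k, v)
	}
	return r
}

func main() {
	key := make([]byte, 32) // server-side secret; never sent to the client
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	now := time.Now()
	tok := issueToken(key, "session-abc", 15*time.Minute, now)
	fmt.Println("fresh token valid:", verifyToken(key, "session-abc", tok, now) == nil)
	fmt.Println("expired token valid:", verifyToken(key, "session-abc", tok, now.Add(time.Hour)) == nil)
	cross := newRequest(http.MethodPost, map[string]string{"Sec-Fetch-Site": "cross-site"})
	fmt.Println("cross-site POST:", checkFetchMetadata(cross, "https://app.example"))
}
```

In a real handler the session id comes from the authenticated session cookie and the token from a hidden form field or a request header, so a forged cross-site request cannot supply a token that verifies for the victim's session. The two checks can also be layered: run checkFetchMetadata first, and fall back to the token for the minority of clients that send neither fetch-metadata header.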

FSF announces Librephone project

https://www.fsf.org/news/librephone-project
687•g-b-r•7h ago•250 comments

Pixnapping Attack

https://www.pixnapping.com/
20•kevcampb•51m ago•2 comments

A modern approach to preventing CSRF in Go

https://www.alexedwards.net/blog/preventing-csrf-in-go
48•todsacerdoti•15h ago•7 comments

Beliefs that are true for regular software but false when applied to AI

https://boydkane.com/essays/boss
335•beyarkay•12h ago•250 comments

I am a programmer, not a rubber-stamp that approves Copilot generated code

https://prahladyeri.github.io/blog/2025/10/i-am-a-programmer.html
93•pyeri•1h ago•100 comments

Nvidia DGX Spark: great hardware, early days for the ecosystem

https://simonwillison.net/2025/Oct/14/nvidia-dgx-spark/
81•GavinAnderegg•6h ago•29 comments

Interviewing Intel's Chief Architect of x86 Cores

https://chipsandcheese.com/p/interviewing-intels-chief-architect
68•ryandotsmith•5d ago•0 comments

How bad can a $2.97 ADC be?

https://excamera.substack.com/p/how-bad-can-a-297-adc-be
224•jamesbowman•13h ago•121 comments

DOJ seizes $15B in Bitcoin from 'pig butchering' scam based in Cambodia

https://www.cnbc.com/2025/10/14/bitcoin-doj-chen-zhi-pig-butchering-scam.html
72•pseudolus•15h ago•61 comments

Unpacking Cloudflare Workers CPU Performance Benchmarks

https://blog.cloudflare.com/unpacking-cloudflare-workers-cpu-performance-benchmarks/
194•makepanic•10h ago•29 comments

Can we know whether a profiler is accurate?

https://stefan-marr.de/2025/10/can-we-know-whether-a-profiler-is-accurate/
31•todsacerdoti•4h ago•6 comments

How AI hears accents: An audible visualization of accent clusters

https://accent-explorer.boldvoice.com/
200•ilyausorov•14h ago•78 comments

Hacking the Humane AI Pin

https://writings.agg.im/posts/hacking_ai_pin/
115•agg23•6d ago•27 comments

Printing Petscii Faster

https://retrogamecoders.com/printing-petscii-faster/
20•ibobev•4d ago•2 comments

Python's splitlines does more than just newlines

https://yossarian.net/til/post/python-s-splitlines-does-a-lot-more-than-just-newlines/
10•woodruffw•6d ago•1 comments

SmolBSD – build your own minimal BSD system

https://smolbsd.org
173•birdculture•13h ago•13 comments

A 12,000-year-old obelisk with a human face was found in Karahan Tepe

https://www.trthaber.com/foto-galeri/karahantepede-12-bin-yil-oncesine-ait-insan-yuzlu-dikili-tas...
297•fatihpense•1w ago•126 comments

Astronomers 'image' a mysterious dark object in the distant Universe

https://www.mpg.de/25518363/1007-asph-astronomers-image-a-mysterious-dark-object-in-the-distant-u...
215•b2ccb2•16h ago•115 comments

Show HN: Greenonion.ai – AI-Powered Design Assistant

https://exuberant-premise-723012.framer.app/
26•yanjiechg•1w ago•20 comments

How to turn liquid glass into a solid interface

https://tidbits.com/2025/10/09/how-to-turn-liquid-glass-into-a-solid-interface/
132•tambourine_man•11h ago•91 comments

A Early History of Algebraic Data Types

https://www.hillelwayne.com/post/algdt-history/
4•surprisetalk•5d ago•1 comments

CSS for Styling a Markdown Post

https://webdev.bryanhogan.com/miscellaneous/styling-markdown/
34•bryanhogan•1w ago•9 comments

Surveillance data challenges what we thought we knew about location tracking

https://www.lighthousereports.com/investigation/surveillance-secrets/
375•_tk_•10h ago•89 comments

What Americans die from vs. what the news reports on

https://ourworldindata.org/does-the-news-reflect-what-we-die-from
510•alphabetatango•12h ago•284 comments

GrapheneOS is ready to break free from Pixels

https://www.androidauthority.com/graphene-os-major-android-oem-partnership-3606853/
271•MaximilianEmel•8h ago•115 comments

Disk Prices

https://diskprices.com/?locale=us
90•bookofjoe•4h ago•40 comments

Why Is SQLite Coded In C

https://www.sqlite.org/whyc.html
180•plainOldText•10h ago•200 comments

ADS-B Exposed

https://adsb.exposed/
297•keepamovin•20h ago•76 comments

Preparing for AI's economic impact: exploring policy responses

https://www.anthropic.com/research/economic-policy-responses
43•grantpitt•11h ago•37 comments

Beating the L1 cache with value speculation (2021)

https://mazzo.li/posts/value-speculation.html
30•shoo•4d ago•8 comments