Safeguard
Tag

tls

Safeguard articles tagged "tls" — guides, analysis, and best practices for software supply chain and application security.

25 articles

Application Security

Implementing TLS in Java applications: keystores, trust managers, and protocol pinning done right

One overridden checkServerTrusted() method disables certificate validation for an entire Java app — and it still ships to production more often than most teams admit.

Jul 15, 20267 min read
Kubernetes Security

TLS termination and cert-manager: a hardening guide for Kubernetes Ingress

IngressNightmare's CVSS 9.8 RCE showed that ingress-nginx's own admission webhook can be turned against cluster Secrets — here's how to configure TLS safely.

Jul 15, 20267 min read
Application Security

ssl vs. requests vs. httpx: where Python TLS configuration goes wrong

Python didn't verify TLS certificates by default until PEP 476 landed in 2014 — a decade later, one stray verify=False call still reopens that exact hole.

Jul 14, 20265 min read
Application Security

How to actually implement TLS correctly in Python

One `verify=False` in a requests call disables both certificate and hostname checks — the same escape hatch PEP 476 tried to close in 2014.

Jul 12, 20265 min read
Application Security

Building an authenticated, TLS-secured WebSocket server in Python

WebSockets skip same-origin checks by default — CWE-1385 exists because of it. Here's how to build one in Python with origin checks, TLS, and rate limits.

Jul 11, 20266 min read
Application Security

Implementing SSL/TLS certificate pinning in Node.js

HTTP Public Key Pinning died in Chrome 67 back in 2018, yet Node.js apps still need pinning for mobile backends and server-to-server calls — here's how to do it without bricking your own API.

Jul 8, 20266 min read
Vulnerability Analysis

Heartbleed (CVE-2014-0160) Explained: When OpenSSL Leaked Memory to Anyone

CVE-2014-0160, Heartbleed, let remote attackers read up to 64KB of an OpenSSL server's memory per request — private keys, sessions, passwords. Here is the missing bounds check that caused it.

Jul 1, 20266 min read
Security Guides

OWASP A02: Cryptographic Failures — A Deep-Dive Guide

Cryptographic Failures rank #2 in the OWASP Top 10 (2021). A deep dive into weak algorithms, key management, real CVEs, and how to detect and fix them in 2026.

Jul 1, 20266 min read
Open Source Security

OpenSSL vs LibreSSL vs BoringSSL in 2026

A 2026 comparison of OpenSSL, LibreSSL, and BoringSSL on security posture, release cadence, FIPS posture, and which one to ship in which context.

Feb 26, 20265 min read
Cryptography

Perfect forward secrecy

Perfect forward secrecy stops a single leaked TLS key from unlocking years of past traffic. Here's how ephemeral key exchange works, and why it matters for supply chain security.

Feb 26, 20267 min read
AI Security

MCP Transport Layer Security Options

MCP supports stdio, streamable HTTP, and a handful of experimental transports. Each has distinct security properties, and the choice of transport constrains every other security decision you make about the deployment.

Feb 18, 20266 min read
Vulnerability Response

CVE-2025-15467 in OpenSSL CMS: Patch Posture & SBOM Response

OpenSSL CMS pre-auth stack buffer overflow scored CVSS 9.8. Mail servers, web servers, and anything that processes S/MIME need the fix. Defender playbook below.

Jan 28, 20267 min read
tls — Safeguard Blog