tls
Safeguard articles tagged "tls" — guides, analysis, and best practices for software supply chain and application security.
25 articles
Implementing TLS in Java applications: keystores, trust managers, and protocol pinning done right
One overridden checkServerTrusted() method disables certificate validation for an entire Java app — and it still ships to production more often than most teams admit.
TLS termination and cert-manager: a hardening guide for Kubernetes Ingress
IngressNightmare's CVSS 9.8 RCE showed that ingress-nginx's own admission webhook can be turned against cluster Secrets — here's how to configure TLS safely.
ssl vs. requests vs. httpx: where Python TLS configuration goes wrong
Python didn't verify TLS certificates by default until PEP 476 landed in 2014 — a decade later, one stray verify=False call still reopens that exact hole.
How to actually implement TLS correctly in Python
One `verify=False` in a requests call disables both certificate and hostname checks — the same escape hatch PEP 476 tried to close in 2014.
Building an authenticated, TLS-secured WebSocket server in Python
WebSockets skip same-origin checks by default — CWE-1385 exists because of it. Here's how to build one in Python with origin checks, TLS, and rate limits.
Implementing SSL/TLS certificate pinning in Node.js
HTTP Public Key Pinning died in Chrome 67 back in 2018, yet Node.js apps still need pinning for mobile backends and server-to-server calls — here's how to do it without bricking your own API.
Heartbleed (CVE-2014-0160) Explained: When OpenSSL Leaked Memory to Anyone
CVE-2014-0160, Heartbleed, let remote attackers read up to 64KB of an OpenSSL server's memory per request — private keys, sessions, passwords. Here is the missing bounds check that caused it.
OWASP A02: Cryptographic Failures — A Deep-Dive Guide
Cryptographic Failures rank #2 in the OWASP Top 10 (2021). A deep dive into weak algorithms, key management, real CVEs, and how to detect and fix them in 2026.
OpenSSL vs LibreSSL vs BoringSSL in 2026
A 2026 comparison of OpenSSL, LibreSSL, and BoringSSL on security posture, release cadence, FIPS posture, and which one to ship in which context.
Perfect forward secrecy
Perfect forward secrecy stops a single leaked TLS key from unlocking years of past traffic. Here's how ephemeral key exchange works, and why it matters for supply chain security.
MCP Transport Layer Security Options
MCP supports stdio, streamable HTTP, and a handful of experimental transports. Each has distinct security properties, and the choice of transport constrains every other security decision you make about the deployment.
CVE-2025-15467 in OpenSSL CMS: Patch Posture & SBOM Response
OpenSSL CMS pre-auth stack buffer overflow scored CVSS 9.8. Mail servers, web servers, and anything that processes S/MIME need the fix. Defender playbook below.