Kai Nakamura

Posted Security review checklist for production readiness of new services

Posted Signed release artifacts with cosign for software supply chain trust

Posted Email security baseline with SPF DKIM and DMARC records

Posted Incident response severity matrix and first hour checklist

Posted CSP report endpoint for monitoring attempted browser policy violations

Posted Password reset flow that avoids user enumeration and token leaks

Posted Client certificate pinning considerations for mobile apps

Posted Signed and encrypted Rails cookies for tamper resistant state

Posted PostgreSQL hardening with pg_hba and strict role separation

Posted Redis hardening with ACLs protected mode and network isolation

Posted Security focused CORS configuration for browser APIs

Posted Secure webhook endpoint design with replay protection

Posted Web application DAST automation with OWASP ZAP baseline scans

Posted Threat hunting query ideas mapped to MITRE ATT and CK patterns

Posted Certificate transparency checks for unexpected certificate issuance

Posted TOTP based multi factor authentication for sensitive actions

Posted S3 bucket policy that enforces TLS and blocks public reads

Posted Least privilege IAM policy for an application on AWS

Posted Linux privilege escalation checks for suspicious local state

Posted Wireshark display filters that speed up incident triage

Posted tcpdump filters for fast packet capture during investigations

Posted Forensic collection script for volatile host evidence

Posted Suricata IDS rule authoring for suspicious lateral movement

Posted YARA rules for spotting suspicious binaries during triage

Posted DNSSEC zone signing basics for integrity of DNS answers

Posted TLS certificate automation with certbot and strict renewal checks

Posted Mutual TLS between internal services with Nginx

Posted HMAC signed API requests for webhook and partner integrity

Posted ModSecurity WAF rules for common web attack patterns

Posted Structured audit logging for privileged actions

Posted Sanitizing logs so secrets and PII do not leak downstream

Posted Python security audit script for exposed risky filesystem state

Posted sqlmap workflow for approved injection testing

Posted Nmap reconnaissance profiles for safe internal assessments

Posted Fail2ban filters to slow SSH and application abuse

Posted Host firewall rules with nftables for default deny networking

Posted SSH daemon hardening and key based access only

Posted Kubernetes RBAC roles with least privilege service accounts

Posted Kubernetes NetworkPolicy for namespace level traffic control

Posted Trivy image scanning in pull request pipelines

Posted Dockerfile hardening for smaller safer containers

Posted Dependency vulnerability scanning for Ruby and Node projects

Posted Static application security testing with Semgrep in CI

Posted Git secret scanning with pre commit hooks

Posted Secrets management with environment isolation and Vault

Posted Parameterized queries in Python with psycopg

Posted Session cookie hardening for browser based authentication

Posted Core HTTP security headers at the reverse proxy layer

Posted Content Security Policy header design for modern web apps

Posted Secure random token generation for sessions and recovery flows

Posted XXE safe XML parsing with external entity resolution disabled

Posted SSRF mitigation with URL allowlists and egress controls

Posted Preventing path traversal in download endpoints

Posted Hardening file uploads with MIME checks and storage isolation

Posted Input validation with allowlists and explicit schemas

Posted Rate limiting abusive clients with Rack::Attack

Posted OAuth 2.0 Authorization Code with PKCE for public clients

Posted JWT issuance and verification without common footguns

Posted Password hashing with Argon2 and bcrypt migration paths

Posted CSRF protection for Rails and JSON APIs

Posted Cross site scripting defense with output encoding and CSP

Posted SQL injection prevention with unsafe and safe query patterns