Kubernetes Pod Security Standards 📌 TL;DR: I enforce PSS restricted on all production namespaces: runAsNonRoot: true, allowPrivilegeEscalation: false, all capabilities dropped, read-only root filesystem. Start with warn mode to find violations, then switch to enforce. This single change blocks the majority of container escape attacks. 🎯 Quick Answer: Enforce Pod Security Standards…
Security, DevOps & Trading Tech — Practical Guides

ArgoCD vs Flux 2025: Secure CI/CD for Kubernetes
I run ArgoCD on my TrueNAS homelab for all container deployments. Every service I self-host — Gitea, Immich, monitoring stacks, even this blog’s CI pipeline — gets deployed through ArgoCD syncing from Git repos on my local Gitea instance. I’ve also deployed Flux for clients who wanted something lighter. After…

Secrets Management in Kubernetes: A Security-First Guide
Secrets Management in Kubernetes 📌 TL;DR: Kubernetes Secrets are base64-encoded, not encrypted. Enable etcd encryption with aescbc, use External Secrets Operator to sync from Vault or your cloud KMS, set RBAC to restrict Secret access per namespace, and rotate credentials on 24-hour TTLs with Vault dynamic secrets. This is the exact…

PassForge: Building a Password Workstation Beyond One Slider
I was setting up a new server last week and needed twelve unique passwords for different services. I opened three tabs — LastPass’s generator, Bitwarden’s generator, and 1Password’s online tool. Every single one gave me a barebones interface: one slider for length, a few checkboxes, and a single output. Copy,…

Enterprise Security at Home: Wazuh & Suricata Setup
I run Wazuh and Suricata on my home network. Yes, enterprise SIEM and IDS for a homelab—it’s overkill by any reasonable measure. But after catching an IoT camera phoning home to servers in three different countries, I stopped second-guessing the investment. Here’s why I do it and how you can…

YubiKey SSH Authentication: Stop Trusting Key Files on Disk
I stopped using SSH passwords three years ago. Switched to ed25519 keys, felt pretty good about it. Then my laptop got stolen from a coffee shop — lid open, session unlocked. My private key was sitting right there in ~/.ssh/, passphrase cached in the agent. That’s when I bought my first…

Master Docker Container Security: Best Practices for 2026
Your staging environment is a dream. Every container spins up flawlessly, logs are clean, and your app hums along like a well-oiled machine. Then comes production. Suddenly, your containers are spewing errors faster than you can say “debug,” secrets are leaking like a sieve, and you’re frantically Googling “Docker security…

Pre-IPO API: SEC Filings, SPACs & Lockup Data
I built the Pre-IPO Intelligence API because I needed this data for my own trading systems and couldn’t find it in one place. If you’re building fintech applications, trading bots, or investment research tools, you know the pain: pre-IPO data is fragmented across dozens of SEC filing pages, paywalled databases,…

Browser Fingerprinting: Identify You Without Cookies
Last month I was debugging a tracking issue for a client and realized something uncomfortable: even after clearing all cookies and using a fresh incognito window, a third-party analytics script was still identifying the same user session. No cookies, no localStorage, no URL parameters. Just JavaScript reading properties that every…