<h1 id="they-laughed-at-my-no-jwt-rule-until-our-breach-post-mortem-went-viral-for-the-right-reasons">They Laughed at My No JWT Rule until Our Breach Post Mortem Went Viral for the Right Reasons<a aria-hidden="true" class="anchor-heading icon-link" href="#they-laughed-at-my-no-jwt-rule-until-our-breach-post-mortem-went-viral-for-the-right-reasons"></a></h1>
<ul>
<li><a href="https://medium.com/c-sharp-programming/they-laughed-at-my-no-jwt-rule-until-our-breach-post-mortem-went-viral-for-the-right-reasons-3e427244463a">https://medium.com/c-sharp-programming/they-laughed-at-my-no-jwt-rule-until-our-breach-post-mortem-went-viral-for-the-right-reasons-3e427244463a</a></li>
</ul>
<h2 id="summary">Summary<a aria-hidden="true" class="anchor-heading icon-link" href="#summary"></a></h2>
<p>Key Tools We Used</p>
<pre><code>SPIRE/SPIFFE for issuing and rotating workload certs
Envoy for terminating mTLS at the edge with SDS
Wireshark for incident packet analysis
.NET 8 Certificate Authentication Middleware for service-side validation
HashiCorp Vault for initial CA bootstrapping (later replaced by in-house HSM integration)
</code></pre>
<p>Lessons We Learned</p>
<pre><code>The best security is silent. No alert is often a good thing — when the bad actor gets no response.
Rotate early, rotate often. Cert rotation sounds scary until you automate it — and then it’s your best friend.
Trust boundaries should be enforced at the network level, not just the code level.
If your service doesn’t need to parse auth headers, don’t make it. Let the cert do the talking.
</code></pre>

They Laughed at My No JWT Rule until Our Breach Post Mortem Went Viral for the Right Reasons

public-notes


Welcome! And beware!  

## Purpose

This vault is the "[[learning-in-public|ar.swyx.learn-in-public]]" part of my Second Brain. If you share some of my interests, please [reach out](https://djradon.github.io)! 

## Contents

- [[t]] my personal wikipedia
- [[idea]] (not necessarily mine)
- Resource Notes, including highlights, thoughts and metadata, for various things:
  - [[ar]] mostly articles, papers and web pages
  - [[art]] paintings, images, 
  - [[book]]
  - [[community]]
  - [[course]]
  - [[event]]
  - [[game]]
  - [[loc]]
  - [[org]]
  - [[user]] 
  - [[prdct]] mostly software products, but also ontologies
  - [[recipe]]
  - [[video]] movies, tv episodes, youtube, etc
- [[vs]]
- [[wanted]]
- Some "Metadata Notes":
  - [[tags]] which may refer to any and multiple (or none) of the above
  - [[c]]: ways to categorize resources
  - [[p]]: ways to assert things about resources (mostly abandoned)

In terms of the [[t.km.zettelkasten]] method, this wiki is a commingling of literature notes with something @Sönke-Ahrens warned about: a "personal Wikipedia or a database" [^1]. 

In terms of [[t.tm.getting-things-done]], it's references, someday-maybe, next actions, and public projects.

## Beware!

This is a cluttered cupboard of jumbled jottings riddled with inaccuracies, confusion, and mistakes.

## What This Is Not

- evergreen-notes/digital-garden: for "synthesized" / original-ish publishable big-idea notes that should evolve over time, props to @andy-matuschak and @maggie-appleton
- blog: for "point-in-time" items to be shared: personal news, articles, etc.
  - e.g., [[ar.substack.carpe-noctem]]


[^1]: [[book.how-to-take-smart-notes]]  