Skip to content

Instantly share code, notes, and snippets.

View coverband's full-sized avatar

coverband coverband

18 followers · 3 following
View GitHub Profile
@coverband
coverband / nginx.conf
Created February 15, 2023 01:29 — forked from plentz/nginx.conf
Best nginx configuration for improved security(and performance)
# to generate your dhparam.pem file, run in the terminal
openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
@charlesroper
charlesroper / How to setup a practically free CDN using Backblaze B2 and Cloudflare.md
Last active August 5, 2025 13:23
How to setup a practically free CDN

How to setup a practically free CDN using Backblaze B2 and Cloudflare

⚠️ Note 2023-01-21
Some things have changed since I originally wrote this in 2016. I have updated a few minor details, and the advice is still broadly the same, but there are some new Cloudflare features you can (and should) take advantage of. In particular, pay attention to Trevor Stevens' comment here from 22 January 2022, and Matt Stenson's useful caching advice. In addition, Backblaze, with whom Cloudflare are a Bandwidth Alliance partner, have published their own guide detailing how to use Cloudflare's Web Workers to cache content from B2 private buckets. That is worth reading,

@samsch
samsch / stop-using-jwts.md
Last active June 16, 2025 20:42
Stop using JWTs

Stop using JWTs!

TLDR: JWTs should not be used for keeping your user logged in. They are not designed for this purpose, they are not secure, and there is a much better tool which is designed for it: regular cookie sessions.

If you've got a bit of time to watch a presentation on it, I highly recommend this talk: https://www.youtube.com/watch?v=pYeekwv3vC4 (Note that other topics are largely skimmed over, such as CSRF protection. You should learn about other topics from other sources. Also note that "valid" usecases for JWTs at the end of the video can also be easily handled by other, better, and more secure tools. Specifically, PASETO.)

A related topic: Don't use localStorage (or sessionStorage) for authentication credentials, including JWT tokens: https://www.rdegges.com/2018/please-stop-using-local-storage/

The reason to avoid JWTs comes down to a couple different points:

  • The JWT specification is specifically designed only for very short-live tokens (~5 minute or less). Sessions
@cecilemuller
cecilemuller / 2019-https-localhost.md
Last active July 30, 2025 02:06
How to create an HTTPS certificate for localhost domains

How to create an HTTPS certificate for localhost domains

This focuses on generating the certificates for loading local virtual hosts hosted on your computer, for development only.

Do not use self-signed certificates in production ! For online certificates, use Let's Encrypt instead (tutorial).

@enricofoltran
enricofoltran / main.go
Last active July 19, 2025 10:43
A simple golang web server with basic logging, tracing, health check, graceful shutdown and zero dependencies
package main
import (
"context"
"flag"
"fmt"
"log"
"net/http"
"os"
"os/signal"
@Tiberriver256
Tiberriver256 / PowerShellNTFSStaticFileServer.ps1
Last active July 29, 2024 12:16
This script starts a small web server listening on localhost:8080 that will impersonate the authenticated user and serve static content. This means if they do not have NTFS permissions to the file they will get an access denied or a 404 file not found if they do not have NTFS access to list contents of the directory.
function Get-DirectoryContent {
<#
.SYNOPSIS
Function to get directory content
.EXAMPLE
Get-DirectoryContent -Path "C:\" -HeaderName "poshserver.net" -RequestURL "http://poshserver.net" -SubfolderName "/"
@porjo
porjo / dump_route53_records.md
Last active February 12, 2025 02:08
Export route53 records to CSV

Retrieve hosted zones with aws route53 list-hosted-zones then enter the zone Id below:

aws route53 list-resource-record-sets --hosted-zone-id "/hostedzone/xxxxxxxxxxx" | \
   jq -r '.ResourceRecordSets[] | [.Name, .Type, (.ResourceRecords[]? | .Value), .AliasTarget.DNSName?]  | @tsv'
@ciaranmahoney
ciaranmahoney / Google Sheets MX Lookup
Last active October 22, 2024 23:22
Google Apps Script to Run MX Lookups on domains from Google Sheets
function MXLookup(domain) {
try {
var url = "https://dns.google.com/resolve?name=%FQDN%&type=MX".replace("%FQDN%",domain);
//var url = "https://dns.google.com/resolve?name=e-mercy.com&type=MX"; // USED FOR TESTING ONLY
Utilities.sleep(100);
var result = UrlFetchApp.fetch(url,{muteHttpExceptions:true});
var rc = result.getResponseCode();
@nathan-osman
nathan-osman / win32.go
Last active July 3, 2025 21:23
Simple Windows GUI application written in Go
package main
import (
"log"
"syscall"
"unsafe"
)
var (
kernel32 = syscall.NewLazyDLL("kernel32.dll")
@alirobe
alirobe / reclaimWindows10.ps1
Last active July 31, 2025 14:21
This Windows 10 Setup Script turns off a bunch of unnecessary Windows 10 telemetery, bloatware, & privacy things. Not guaranteed to catch everything. Review and tweak before running. Reboot after running. Scripts for reversing are included and commented. Fork of https://github.com/Disassembler0/Win10-Initial-Setup-Script (different defaults). N.…
###
###
### UPDATE: For Win 11, I recommend using this tool in place of this script:
### https://christitus.com/windows-tool/
### https://github.com/ChrisTitusTech/winutil
### https://www.youtube.com/watch?v=6UQZ5oQg8XA
### iwr -useb https://christitus.com/win | iex
###
### OR take a look at
### https://github.com/HotCakeX/Harden-Windows-Security