<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>security on krtffl.dev</title>
    <link>https://krtffl.dev/categories/security/</link>
    <description>Recent content in security on krtffl.dev</description>
    <generator>Hugo -- gohugo.io</generator>
    <language>en</language>
    <copyright>© [krtffl](https://krtffl.dev)</copyright>
    <lastBuildDate>Mon, 06 Apr 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://krtffl.dev/categories/security/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>multi-tenant isolation is a security boundary, not a query filter</title>
      <link>https://krtffl.dev/posts/multi-tenant-isolation-security-boundary/</link>
      <pubDate>Mon, 06 Apr 2026 00:00:00 +0000</pubDate>
      
      <guid>https://krtffl.dev/posts/multi-tenant-isolation-security-boundary/</guid>
      <description>&lt;p&gt;i&amp;rsquo;m building a small multi-tenant cms for local businesses — a barbershop, a physio, a bakery each get a little site they can edit themselves. one payload backend, one postgres, many tenants. the whole promise is that the bakery&amp;rsquo;s editor logs in and sees the bakery. not the barbershop. never the barbershop.&lt;/p&gt;
&lt;p&gt;so during a pre-launch hardening pass i did the thing i&amp;rsquo;ve learned to do: i stopped admiring the isolation and started attacking it. i logged in as a low-privilege editor — scoped to exactly one tenant — and sent one request to edit &lt;em&gt;my own user account&lt;/em&gt;. not someone else&amp;rsquo;s. mine. i just added a second tenant to the list of tenants i belong to.&lt;/p&gt;
&lt;p&gt;it went through. &lt;code&gt;200&lt;/code&gt;. and on the next request i could read, edit and delete another business&amp;rsquo;s pages as if they were my own.&lt;/p&gt;
&lt;p&gt;nobody broke in. i handed myself the keys through the front door, using an endpoint that exists specifically so users can edit themselves. an isolation boundary you can widen with a &lt;code&gt;PATCH&lt;/code&gt; to your own profile isn&amp;rsquo;t a boundary. it&amp;rsquo;s a default you forgot to close.&lt;/p&gt;</description>
    </item>
    
    <item>
      <title>your rate limiter trusts x-forwarded-for. mine did too, until it was measured.</title>
      <link>https://krtffl.dev/posts/x-forwarded-for-rate-limit-bypass/</link>
      <pubDate>Mon, 22 Dec 2025 00:00:00 +0000</pubDate>
      
      <guid>https://krtffl.dev/posts/x-forwarded-for-rate-limit-bypass/</guid>
      <description>&lt;p&gt;last time i told you about &lt;a href=&#34;https://krtffl.dev/posts/elo-lost-update-postgres&#34;&gt;the elo race that ate 79% of every vote&lt;/a&gt;
 — the anchor finding from a pre-launch hardening pass on a little pairwise-voting side project. i promised, at the bottom of that post, that the &lt;em&gt;other&lt;/em&gt; critical finding was a vote rate-limiter that a rotated header walked straight through. this is that post.&lt;/p&gt;
&lt;p&gt;here&amp;rsquo;s the setup. the side project is a nougat-ranking toy: you get shown two flavours, you pick one, an elo rating moves, a leaderboard falls out. because the leaderboard is the entire point, the interesting attack is obvious — cast a pile of votes for your favourite and bend the ranking. so i&amp;rsquo;d put a rate limiter in front of it. two, actually. i felt responsible.&lt;/p&gt;
&lt;p&gt;then, during the audit, i sat down and &lt;em&gt;attacked&lt;/em&gt; them instead of admiring them. both fell over. one to a header i let the open internet write. one to a cookie i simply didn&amp;rsquo;t send. neither took more than a few lines of &lt;code&gt;curl&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;a limiter you have never fired a spoofed header at is not a limiter. it&amp;rsquo;s a comment.&lt;/p&gt;</description>
    </item>
    
    <item>
      <title>owner-scoped rbac: enforcing &#39;you can only see your own&#39;</title>
      <link>https://krtffl.dev/posts/owner-scoped-rbac-go/</link>
      <pubDate>Mon, 23 Dec 2024 00:00:00 +0000</pubDate>
      
      <guid>https://krtffl.dev/posts/owner-scoped-rbac-go/</guid>
      <description>&lt;p&gt;two users hit &lt;code&gt;GET /dojos&lt;/code&gt;. same route, same handler, same line of sql underneath. the admin gets back every dojo in the database. the dojo owner gets back exactly one — theirs. nobody wrote a second endpoint, nobody passed a flag. the query just quietly narrowed itself on the way down, and the owner never learns the other rows exist.&lt;/p&gt;
&lt;p&gt;the first time that worked in mojodojo i felt clever. &amp;ldquo;you can only see your own&amp;rdquo; is the whole ballgame in a multi-tenant app, and here it was falling out of the architecture for free. then i went looking for &lt;em&gt;where&lt;/em&gt; it happened, and the answer was: two different files, in two different layers, that don&amp;rsquo;t fully agree with each other. one of them has a hole you could drive a truck through.&lt;/p&gt;</description>
    </item>
    
  </channel>
</rss>
