Container Escape: How to Stop It
Containers are not VMs. Here are the real escape vectors — privileged mode, mounted sockets, kernel CVEs — and the runtime hardening that actually helps.
Tag: security
All the articles with the tag "security".
Cosign Keyless: Sign Without Keys
Cosign keyless signing uses GitHub OIDC + Fulcio + Rekor to sign container images without managing private keys. Here's how it actually works and why you want it.
age vs GPG: Modern File Encryption That Doesn't Make You Cry
age replaces GPG for file encryption with a sane CLI, SSH key reuse, and zero key management drama. Here's how they compare and exactly when each one wins.
Sysbox vs gVisor vs Kata
Containers aren't security boundaries — Sysbox, gVisor, and Kata fix that. Here's which isolation runtime fits your actual threat model.
Trivy vs Grype vs Docker Scout
Trivy, Grype, and Docker Scout go head-to-head on speed, CVE coverage, CI integration, and cost. Pick the right scanner for your home lab or pipeline.
Beyond Akismet: Spam Protection for 2026
Akismet's licensing terms are increasingly hostile to small sites. Here are 11 spam-protection options — hosted APIs, CAPTCHA widgets, and DIY honeypots — that actually work in 2026.
Authentik vs Authelia: SSO for Your Self-Hosted Stack
Updated:
Authelia is a bouncer. Authentik is the whole security desk. Pick the right self-hosted SSO for your home lab — with working configs, gotchas, and a migration path.
Sec-Fetch & UA Client Hints in 2026: What Actually Leaks
Ran 9 real headless tools against an echo server. Sec-Fetch alone catches almost none of them. Here's what actually leaks, WAF rules that work, and where Anubis fits in.
CrowdSec Collections & Bouncers: fail2ban for 2026
CrowdSec is the modern fail2ban: community-shared threat intel, scenario collections, and pluggable bouncers. Deploy it with Caddy or Traefik and block millions of bad IPs from day one.
Incident Response for Self-Hosters
You've been compromised. Now what? A practical incident response playbook for self-hosters who didn't think they'd need one until right now.
CVE-2026-31431: The 9-Year Linux Root Bug
CVE-2026-31431 (copy.fail) lets any local user become root on virtually every Linux system since 2017. Here's what it is, why it matters, and how to fix it.
OpenCanary: Honeypots for Your Home Lab
A honeypot sits quietly on your network pretending to be something valuable. When someone touches it, you know you have an intruder. OpenCanary makes this dead simple.