Topic
Security
Threat models that match how you actually work, not airline-grade compliance checklists. SSH the right way, firewalls that aren't theater, TLS without the foot-guns, secrets that don't end up in git, and authn/SSO patterns that scale from "me" to "the family WiFi." If your security plan starts with "it's behind WireGuard" — fair, but read these anyway.
99 articles in this topic.
Featured posts
- Container Escape: How to Stop It
  Containers are not VMs. Here are the real escape vectors — privileged mode, mounted sockets, kernel CVEs — and the runtime hardening that actually helps.
  10 min read
- Cosign Keyless: Sign Without Keys
  Cosign keyless signing uses GitHub OIDC + Fulcio + Rekor to sign container images without managing private keys. Here's how it actually works and why you want it.
  12 min read
- age vs GPG: Modern File Encryption That Doesn't Make You Cry
  age replaces GPG for file encryption with a sane CLI, SSH key reuse, and zero key management drama. Here's how they compare and exactly when each one wins.
  9 min read
- Sysbox vs gVisor vs Kata
  Containers aren't security boundaries — Sysbox, gVisor, and Kata fix that. Here's which isolation runtime fits your actual threat model.
  10 min read
- Trivy vs Grype vs Docker Scout
  Trivy, Grype, and Docker Scout go head-to-head on speed, CVE coverage, CI integration, and cost. Pick the right scanner for your home lab or pipeline.
  11 min read
- Beyond Akismet: Spam Protection for 2026
  Akismet's licensing terms are increasingly hostile to small sites. Here are 11 spam-protection options — hosted APIs, CAPTCHA widgets, and DIY honeypots — that actually work in 2026.
  13 min read
All Security articles
- Container Escape: How to Stop It
- Cosign Keyless: Sign Without Keys
- age vs GPG: Modern File Encryption That Doesn't Make You Cry
- Sysbox vs gVisor vs Kata
- Trivy vs Grype vs Docker Scout
- Beyond Akismet: Spam Protection for 2026
- Authentik vs Authelia: SSO for Your Self-Hosted Stack
- Sec-Fetch & UA Client Hints in 2026: What Actually Leaks
- Blog Comments: Self-Host or SaaS?
- CrowdSec Collections & Bouncers: fail2ban for 2026
- Incident Response for Self-Hosters
- CVE-2026-31431: The 9-Year Linux Root Bug
- OpenCanary: Honeypots for Your Home Lab
- Pi-hole vs AdGuard Home: Block Ads for Your Whole Network
- nftables: Modern Linux Firewalling
- Suricata vs Snort: Network Intrusion Detection That Actually Works
- SBOMs and Supply Chain Security
- Container Security: Scan and Sign Your Images Like You Mean It
- Falco: Catch Container Attacks at Runtime
- Cloudflare Tunnels: The Zero-Port-Forward Guide to Exposing Your Services
- Immich vs PhotoPrism: Escape Google Photos Without Losing Your Mind
- Trivy + Cosign: Scan and Sign Your Images
- Fail2ban vs CrowdSec: Blocking the Bots Actually Smartly
- Tailscale Deep Dive: Mesh Networking That Actually Works
- 2FA for SSH and sudo via PAM
- WireGuard vs OpenVPN 2026: It's Not Even Close
- SSH CA: Finally Ditch authorized_keys
- Wazuh: Open Source SIEM for Your Home Lab
- LUKS Full Disk Encryption on Linux
- Rootless Docker: Run Without Root
- LinkedIn Is Searching Your Computer
- Linux Privilege Escalation: The Defensive Playbook
- Linux su with custom shell
- SSH keys and secure file copy
- De-Googling: Self-Hosted Replacements for Google Apps
- dotenv Files: The Mistakes That Leak Secrets
- Using AI to Find Security Bugs in Your Code
- Private Docker Registry with Harbor
- TLS 1.3: Modern Encryption Without the Existential Dread
- Let's Encrypt Without Certbot
- The Zero-Trust Home Lab
- Cloudflare WAF: Free Tier Firewall Rules
- Certificate Pinning: The Nuclear Option for TLS Security (Use With Caution)
- .gitignore Entries Every Project Actually Needs
- Vault vs Infisical: Secrets Management for Teams Who've Learned the Hard Way
- Open Source Licenses Explained: What You Can and Can't Do With Free Software
- mTLS Explained: When Regular TLS Isn't Paranoid Enough
- Port Knocking: Simple Obscurity for SSH Access
- SSH Keys in 2026: Ed25519 Is the Standard
- Why Your VPN Isn't Routing What You Think
- DNS Over HTTPS and TLS: Encrypt Your DNS Before Your ISP Sells It
- tcpdump Basics: Capture Traffic Without Wireshark
- AppArmor vs SELinux: Mandatory Access Control Without the Existential Dread
- Your Server Doesn't Know What Random Means (And That's a Problem)
- Caddy Advanced: Automatic HTTPS, Plugins, and Config That Doesn't Make You Cry
- Auditd & Audit Logging: Know Exactly Who Touched What on Your Server
- HashiCorp Vault: Stop Hardcoding Secrets Like It's 2012
- VPN Kill Switch and DNS Leak Prevention: Paranoia, Justified
- Suricata vs Snort: Intrusion Detection for the Paranoid Home Lab Owner
- Plausible vs Umami: Privacy-Friendly Analytics That Won't Creep Out Your Users
- nmap for Your Own Network: What You Should Be Scanning
- Vaultwarden Organization Sharing: Password Management for Your Whole Household (or Team)
- Reverse Proxy SSL: The Cert Chain Mistake Everyone Makes
- Linux Capabilities: Drop Root Without Breaking Everything
- Docker Security Hardening: 15 Things You're Doing Wrong Right Now
- UFW Advanced: Rate Limiting, Logging, and Rules That Actually Make Sense
- Open Source Security: Scanning Your Dependencies Before They Scan You
- DDoS Mitigation: Teaching Your Server to Say No Politely (Then Impolitely)
- SSH Hardening: Lock Down Remote Access Without Locking Yourself Out
- Vaultwarden vs Bitwarden: Own Your Passwords Before Someone Else Does
- Proxy Chains and Anonymization: What Actually Works and What's Just Theater
- Linux Audit Log: What's Really Happening on Your Server
- The sudoers Mistake Everyone Makes Once
- Why Your TLS Certificate Isn't Trusted
- Certificate Expiry: Monitor Before the 3 AM Call
- The Firewall Rule Order That's Breaking Your Setup
- Sticky Bit, Setuid, Setgid: Linux Special Permissions Explained
- Is fail2ban Actually Working? Here's How to Check
- SSHFS: Ditch SCP & Access Remote Files
- SSH Agent Forwarding: How It Works
- Why Your SSH Connection Keeps Dropping
- SSH Multiplexing: Stop Reconnecting Every Time
- Stop Putting Passwords in Docker ENV
- The SSH Config File: The Shortcut You're Not Using
- The umask You've Been Ignoring
- Running Docker Containers as Non-Root (And Why You Should)
- Disabling Discord’s Activity Tracking
- The Role of Antivirus and Endpoint Detection and Response Systems
- Certificate Pinning: A Secure Connection Guide
- Understanding the regreSSHion Vulnerability in OpenSSH
- How to securely deploy Cloudflare Tunnels
- Advanced UFW Techniques: Enhancing Firewall Security
- UFW Basics: Setting Up Your Linux Firewall
- SSH Tunneling: A Secure Conduit for Your Data
- User and Group Management in Linux
- Linux Home Lab Security: Planning for the Unexpected
- Wireguard VPN Server in Docker
- Ed25519 ssh keys
- Install Caddy reverse proxy via Docker