security
6 articles
-
Rate limiting — how to test the limits everyone remembers only after an incident
While nobody is hammering the API, limits seem unnecessary — their absence is invisible right up until the first incident. A first-person take: the limit as a two-sided contract (the server restricts — the client survives it), the N/N+1 boundary and an honest 429 with Retry-After, key scope and how an account-based limit lets attackers DoS a victim, the burst at window boundaries, bypasses via X-Forwarded-For and sibling endpoints, the zones where a limit is mandatory (OTP, reset, promo codes), and why 'limits are off on staging' equals an untested production.
-
Registration & login testing checklist — with a Playwright autotest for every item
Login is the first screen a user sees and a favorite spot for production incidents. The "checklist item → how to automate it" format: user enumeration via identical error messages, password reset with a single-use token, logout and the back button, HttpOnly/Secure cookies via context.cookies(), sessions across two tabs, mocking 429 for lockout UI, the storageState pattern so you don't log in inside every test — and what parts of auth should never go into e2e.
-
File upload testing checklist: 30+ cases people forget
A reusable file upload testing checklist: content vs extension and magic bytes, sizes and decompression bombs, file names and path traversal, the upload process and dropped connections, server-side processing and storage, security (SVG XSS, RCE, SSRF) and accessibility. 30+ points.
-
Idempotency and retry storms — what QA must test in distributed systems
The most expensive class of bugs in payments isn't 'didn't go through' — it's 'went through twice'. A QA-eye view of idempotency: Idempotency-Key, 5 typical retry scenarios, retry storms, tools (WireMock, Toxiproxy, k6), and a 13-point release checklist.
-
CrowdStrike, July 2024 — how a single driver bricked 8.5 million Windows machines in 78 minutes
The most expensive software failure in history — $5.4B in direct losses. A trivial off-by-one on the side of an internal validator. Full timeline, root cause, three separate QA failures, and 10 lessons for your team.
-
OWASP API Security Top 10 for QA — a guide with test cases
Most QAs know SQL injection and XSS. But 90% of vulnerabilities in modern products live in APIs, and the OWASP API Top 10 2023 is a separate list that QA courses don't cover. All 10 threats with test cases, curl snippets, and tools.