
#security

8 articles

🔑An Upload-Only, Least-Privilege Key via Bucket Policy on DDN EXAScaler Access S3

A record of preparing an upload-only, least-privilege access key on the S3-compatible DDN EXAScaler Access S3. It covers how the bucket policy format differs from AWS and how to narrow down signature and permission issues.

s3, ddn, exascaler, bucket-policy

Dependabot Cooldown and GitHub Actions SHA Pinning — Supply Chain Defense for a Personal Blog

A Dependabot alert was the trigger to revisit the repository's automation: not just patching known CVEs, but also defending against maintainer-takeover supply chain attacks. This post bundles cooldown, Actions SHA pinning, npm overrides, ignore-scripts, and security-only auto-merge into one walkthrough.

security, supply-chain, dependabot, github-actions

🔐Avoiding Plaintext in ~/.aws/credentials — Managing IAM User Keys with aws-vault and the macOS Keychain

Avoiding plaintext management of ~/.aws/credentials using aws-vault and the macOS Keychain in environments where IAM Identity Center (SSO) is not adopted, with an assessment of how practical the approach is.

aws, security, aws-vault, iam

Why Drupal's Automatic Updates Wasn't Running: `Unattended background updates` Is Disabled by Default

I assumed having Drupal's Automatic Updates module installed meant security updates would just land. They weren't. The cron-time policy `Unattended background updates` ships disabled by default, so the module was effectively idle. This post records the diagnosis, the configuration that finally let 10.6.3 → 10.6.7 apply automatically, and the 'not officially supported' warning that surfaces once you turn it on.

drupal, automatic-updates, security, cron

Routing an Externally Managed Subdomain to Cloudflare Workers — Adding AWS CloudFront + WAF as a Front Layer

An attempt to assign a subdomain managed by an external organization's DNS as a Cloudflare Workers custom domain hit the constraint that Cloudflare's free plan doesn't accept external subdomains as zones. The final solution was to place AWS CloudFront + WAF in front as a termination layer.

cloudflare, workers, cloudfront, aws

Stopping Bot Scraping with AWS WAF — Geo Block, JA3 Fingerprint, and UA Block in Stages

A record of blocking bot scraping against a cultural-archive site using AWS WAF, combining Geo block, IPset, JA3 fingerprint, and UA block in stages.

aws, waf, cloudfront, security

Retrofitting CloudFront + WAF onto an Existing Reverse-Proxy Origin: Practical Patterns

An implementation log of migrating a group of services running on Docker + Traefik, with no downtime, to a CloudFront + WAF-protected setup. I cover naming for the origin-only subdomain, pitfalls with shared Security Groups, the case for starting WAF in COUNT mode, cache design for SPARQL/API traffic, and other recurring decision points.

aws, cloudfront, waf, terraform

Securing SSH with Cloudflare Zero Trust

How to connect to a server over SSH without opening any inbound ports, using Cloudflare Zero Trust Access.

cloudflare, zero-trust, ssh, security