Introducing bx-jwt: Enterprise-Grade JSON Web Tokens for BoxLang
Table of Contents: The Fluent Builder — jwtNew() | The BIF Functions | HMAC Sign and Verify | RSA Sign and Verify | JWE Encryption | alg:none Rejection | HMAC Minimum Key Lengths (RFC 7518 §3.2) | Algorithm Allowlist | Clock Skew Tolerance | Authentication Middleware | Token Refresh with Grace Period | Kid-Based Key Rotation | Signing (JWS) | Encryption (JWE)
JWT authentication is everywhere. ...

BoxLang v1.13.0: Compatibility, Concurrency, and Formatter Maturity
Table of Contents: New Features | Character-Aware Trimming — trim(), ltrim(), rtrim() | getClassMetadata() by Absolute Path | SystemExecute() Environment Controls | The BoxLang Formatter Goes Production-Ready | Async & Concurrency Hardening | MiniServer: Security & Reliability | Compatibility Wins | Changelog Highlights
BoxLang 1.13.0 is a stability-first release with deep compatibility work and runtime hardening. …

Don’t Panic: The Thymeleaf Template Injection That Only Hurts If You Let It (CVE-2026-40478)
Table of Contents: What the sandbox protects against | Abusing the templating engine | How the tab character breaks the Thymeleaf sandbox | What you need to do | The CVSS score 9.1 is real, but conditional
The Thymeleaf vulnerability with a CVSS score of 9.1 grabs your …

Foojay Podcast #95: Is Your Java App Actually Secure, Or Does It Just Look That Way?
Table of Contents: YouTube | Podcast Apps | Guests | Steve Poole | David Welch | Content
Is your Java application actually secure, or does it just look that way? In this episode of the Foojay Podcast, Frank is joined by Steve Poole and David Welch, both from HeroDevs, to …

Crossing the River Styx: Spring Boot 3.5 and the Zombie Dependency Problem
Table of Contents: The CVE Blind Spot | The River Styx | The Rules Changed. The Habits Didn’t. | What This Looks Like in Practice | When Dependencies Become Zombies | Spring Boot 3.5: The Next Crossing | We’ve Seen This Film Before | The Window Is Open. For Now. | The Map, Not Just the …

Why Java Developers Over-Trust AI Suggestions
Table of Contents: Your Brain Is Working Against You | Where Java Developers Are Most Exposed | Your Toolchain Catches Some of This | Make the Model Show Its Working | The Confidence Tax | Sources
This article is adapted from The Confidence Trap, part of the “2026 Supply Chain …

🤖 5 Best Practices for Working with AI Agents, Subagents, Skills and MCP
Table of Contents: §0 📖 Where This Fits in the Series | §1 🏗️ The Naive Architecture — and Why It Breaks | §2 ✅ The Better Architecture — Multi-Agent with MCP | §3 📉 Before You Build: The Productivity Reality Check | §3b 📐 Requirements First — …

DPoP: What It Is, How It Works, and Why Bearer Tokens Aren’t Enough
Table of Contents: What is DPoP? | The Problem: Bearer Tokens and the “Finders Keepers” Risk | How Does DPoP Work? | Configuring DPoP in Keycloak | DPoP in Action with Quarkus | Project Setup | Protected Endpoints | Replay Protection with a jti Filter | Testing with k6 | Conclusion
DPoP is one of the most exciting …

Cipher Downgrade: How a Tomcat Update Could Weaken Your TLS Configuration
Table of Contents: What’s the risk? | Who is Affected | The Fix | How to Verify | Recommendation
A recent update to Apache Tomcat introduced a subtle but significant change to how TLS cipher suites are configured. If your Spring Boot application explicitly configures TLS ciphers, particularly …

The Shai-Hulud Cyber Worm and more thoughts on supply chain attacks.
Table of Contents: first, a word about ecosystems | Speed first. | Still optimised for speed. | Open Source Security Doesn’t Work the Way You Think It Does | This matters more than people realise. | The Inevitable AI in the Mix | Enter Shai-Hulud | Then it pivoted. | The defining shift. | This Is Also What …

Security Doesn’t Start at Liftoff
Table of Contents: Are you sitting comfortably? | The CVE is (almost) not important | The Inversion of the Security Timeline | Habit vs. Hype | The Flawed Assumption of Loud Alerts | Prioritising Changes Over Stories | The main timeline | Are we done? | How the message dilutes | A common scenario | What This Means to You …