Security on Antonio Cortés (DrZippie)

Analyzing Container Filesystem Isolation for Multi-Tenant Workloads

Fri, 13 Feb 2026 00:00:00 +0000

I recently came across an exceptionally dense technical analysis about container security that’s worth sharing. The author started with a simple hypothesis: container filesystem isolation should be sufficient for multi-tenant workloads without virtual machines, if you sufficiently understand what’s happening at the syscall level.

After thorough investigation, the conclusion is more uncomfortable than expected: the defaults protect you well, but the moment you reach for “advanced” features like bidirectional mount propagation or SELinux relabeling, you’re one misconfiguration away from handing an attacker the keys to your host.

Vercel Sandbox: Running PHP, Node and Go Code Safely?

Mon, 02 Feb 2026 00:00:00 +0000

Vercel has announced the general availability of Vercel Sandbox, an execution layer designed specifically for AI agents. But beyond the AI agent hype, there’s an interesting question: can it be useful for running code safely in different languages like PHP, Node, or Go?

What is Vercel Sandbox?

Vercel Sandbox provides on-demand Linux microVMs. Each sandbox is isolated, with its own filesystem, network, and process space. You get sudo access, package managers, and the ability to run the same commands you’d run on a Linux machine.

Cloudflare Innovates Again: Cryptographic Authentication for Bots (The End of Fake User-Agents)

Wed, 02 Jul 2025 00:00:00 +0000

The Problem We All Know (But Pretend Doesn’t Exist)

As someone who has managed web infrastructure for decades, I’ve seen too many bots pretending to be what they’re not. User-Agent: “Mozilla/5.0 (Windows NT 10.0; Win64; x64)” when in reality it’s a Chinese scraper sucking up your content at 3 in the morning.

Traditional methods for identifying legitimate bots have been, let’s be honest, pathetic:

IP ranges: That change, are shared, or are spoofed
User-Agent headers: That anyone can forge in one line of code
Reverse DNS: That works until it doesn’t

Today Cloudflare announced that it’s integrating HTTP Message Signatures directly into its Verified Bots program. And after reading the technical details, I have to admit something: this could definitively change the rules of the game.

Certbot and nginx - renewal and setup without service downtime

Fri, 29 Jun 2018 00:00:00 +0000

When installing/renewing let’s encrypt on a web server with nginx, we have to decide whether to do it with a temporary server, which means we must temporarily stop the web service, or indicate what the DocumentRoot of the web server is for the domain.

The latter implies that the website or service has a “public” DocumentRoot, and that’s not always easy when we’re using, for example, a Python, Java, or Go application and nginx as a proxy.

Certbot y ngnix - renovación y alta sin parada de servicio

Fri, 29 Jun 2018 00:00:00 +0000

A la hora de instalar/renovar let’s encrypt en un servidor web con nginx tenemos que decidir si lo hacemos con un servidor temporal, lo que implica que debemos parar el servicio web temporalmente, o indicando cual es el DocumentRoot del servidor web para el dominio.

Esto último implica que la web o servicio tenga un DocumentRoot “público”, y eso no es siempre sencillo cuando estamos utilizando, por ejemplo una aplicación en Python, Java, Go y el nginx como proxy.

Who is fooling whom?

Mon, 04 Jan 2010 00:00:00 +0000

On the El Mundo website, we have an article with a headline that says: “Mr. Bean ‘sneaks in’ to the official website of the Spanish presidency“.

This article, without a doubt, is an example of the lack of rigor, and technological “yellow journalism” that floods us.

View the 10 IPs with the most access

Fri, 15 May 2009 00:00:00 +0000

A “recipe” to keep on hand:

cat fichero.log |
 \ awk '{print $1}' |
 \ sort |
 \ uniq -c |
 \ sort -n |
 \ tail -10

What to do in a disaster

Mon, 23 Mar 2009 00:00:00 +0000

I have always said: ” there are two types of people: Those who have lost data and those who have not yet“. Given this scenario, we try to do everything in our power to safeguard all the information we have on computers in the safest way.