PySpector v0.1.7 is out, with major vulnerability patches, docs improvements and bug fixes 🚀
#GHSA published:
- Stored XSS in PySpector HTML Report Generation leads to JavaScript Code Execution (CVSS4: 5.3 Moderate): https://lnkd.in/gX9SdUxe
- Plugin Sandbox Bypass leads to Arbitrary Code Execution (CVSS4: 8.3 High): https://lnkd.in/gU98U99f
Known Issues and Workarounds: https://lnkd.in/gwb3AKgp
Repo: https://lnkd.in/eVYPZqxa
PySpector’s Post
More Relevant Posts
Django's CSRF token changes on every single form render. The one in the HTML is never identical to the one in the cookie. That's not a bug, it's the whole point.

Here's what actually happens:
1. Django stores a 32-character random secret in the CSRF cookie. That secret never changes across the session.
2. What goes into the form is a masked token. It is a fresh 32-character salt concatenated with the XOR of that salt and the secret. 64 characters total, different every render.
3. On every unsafe request (POST, PUT, PATCH, DELETE), CsrfViewMiddleware.process_view() intercepts. It extracts the salt from the submitted token, XORs back to recover the embedded secret, then compares that to the cookie secret.
4. The tokens never match directly. The secrets do.

This masking exists to defeat BREACH. It is a compression-based attack where seeing the same ciphertext repeatedly across responses leaks the underlying secret over time.

The trap:
- setting CSRF_COOKIE_HTTPONLY = True makes the cookie unreadable by JavaScript.
- SPAs that read the token via document.cookie and inject it as X-CSRFToken silently break. Every POST returns 403.

The CSRF token is a cryptographic proof that the sender could read a cookie. The XOR masking is what every tutorial skips and what actually makes that proof hold.

What's the most confusing CSRF failure that turned out to be a config issue rather than a code bug?

#Python #Django #BackendDevelopment #WebSecurity
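The mask/unmask/compare cycle from the post, as an added example rather than code from the post or from Django itself. It reuses Django's 62-character alphabet and 32-character secret length; the function names are this example's own. One detail worth knowing when you read django/middleware/csrf.py: the shipped code combines salt and secret by modular addition over that alphabet (so the cipher half stays printable), which plays the same one-time-pad role as the XOR the post describes, and the example does the same. The check at the end is what process_view() amounts to: validate the token's shape, unmask, then compare secrets in constant time, never the tokens.

```python
import hmac
import secrets
import string
from typing import Optional

# Constructed model of Django's CSRF masking; constants mirror csrf.py,
# everything else is this example's own code.
CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits   # 62 symbols
CSRF_SECRET_LENGTH = 32                                      # cookie secret
CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH                   # salt + cipher


def new_csrf_string(length: int = CSRF_SECRET_LENGTH) -> str:
    """Random string over the CSRF alphabet: used for the cookie secret and for each salt."""
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(length))


def _indices(s: str):
    return (CSRF_ALLOWED_CHARS.index(c) for c in s)


def mask_secret(secret: str, salt: Optional[str] = None) -> str:
    """Return salt + cipher where cipher[i] = (secret[i] + salt[i]) mod 62.

    A fresh salt per render means the same secret yields a different
    64-character token every time, which is the BREACH defence.
    """
    salt = salt or new_csrf_string()
    n = len(CSRF_ALLOWED_CHARS)
    cipher = "".join(
        CSRF_ALLOWED_CHARS[(x + y) % n] for x, y in zip(_indices(secret), _indices(salt))
    )
    return salt + cipher


def unmask_token(token: str) -> str:
    """Recover the embedded secret: split off the salt, then subtract it mod 62."""
    salt, cipher = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    n = len(CSRF_ALLOWED_CHARS)
    return "".join(
        CSRF_ALLOWED_CHARS[(x - y) % n] for x, y in zip(_indices(cipher), _indices(salt))
    )


def token_is_valid(cookie_secret: str, submitted_token: str) -> bool:
    """The middleware's decision: shape check, unmask, constant-time compare of secrets."""
    if len(submitted_token) != CSRF_TOKEN_LENGTH:
        return False
    if any(c not in CSRF_ALLOWED_CHARS for c in submitted_token):
        return False
    return hmac.compare_digest(unmask_token(submitted_token), cookie_secret)


if __name__ == "__main__":
    cookie = new_csrf_string()
    form_a, form_b = mask_secret(cookie), mask_secret(cookie)
    print("two renders differ:", form_a != form_b)
    print("both unmask to the cookie secret:", unmask_token(form_a) == unmask_token(form_b) == cookie)
    print("wrong cookie rejected:", token_is_valid(new_csrf_string(), form_a))
```

The same function explains the CSRF_COOKIE_HTTPONLY trap: an SPA that cannot read the cookie has nothing to mask, so whatever it sends fails `token_is_valid` and the middleware answers 403. The usual fix is to render the token into the page (or expose it through `get_token()` on a non-HttpOnly path) rather than turning HttpOnly off.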
59.8 MB JavaScript source leak of Claude Code. Surprisingly, it was a human error that happened during the release packaging. No customer data, API credentials, or model weights were exposed. But 512,000 lines of TypeScript across ~1,900 files were exposed. It includes the query engine, tool system, multi-agent orchestration logic, and context compaction. But the amazing part? Someone noticed this as an opportunity. The guy's name is Sigrid Jin, a Korean developer. He developed Claw Code, a clean-room Python rewrite of Claude Code's agent harness. He published it on GitHub, where the repo reached 50k stars in just 2 hours. If you want the GitHub URL, comment "Claw Code" and I will share it with you.
LeetCode Day 10 : Problem 380 (Insert Delete GetRandom O(1))

Just solved my tenth LeetCode problem. It was "Insert Delete GetRandom O(1)", sounds like a basic Set problem, right? But here's what I actually learned:

My first attempt used only a Map. Insert and remove worked fine, Map gives you O(1) for both. So I thought I was done. Then came getRandom(). I wrote Array.from(this.map.keys()) to pick a random element. It worked. Tests passed locally. But it was O(n), rebuilding an entire array from the map on every single call. The problem explicitly requires O(1) for all three operations. My solution was silently failing the constraint.

I also had a crash hiding in insert. I wrote this.map.insert(val), but JavaScript's Map has no insert() method. The correct method is .set(). One wrong method name and the whole class throws a TypeError at runtime.

The real fix wasn't patching getRandom(). It was rethinking the data structure entirely. The trick: maintain both a Map and an Array together. The Array holds the actual values so getRandom() is just a random index lookup, pure O(1). The Map stores each value's index in the array so insert and remove stay O(1) too.

The hardest part? Remove. You can't just delete from the middle of an array in O(1). The solution: swap the target element with the last element, pop the end, then update the swapped element's index in the Map. No shifting, no gaps.

Two bugs in one problem. One crashed the code, one passed tests but broke the core constraint. The real lesson? Passing test cases is not the same as meeting complexity requirements. Always verify your Big O, not just your output.

#DSA #LeetCode #JavaScript #CodingJourney #Programming
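The Map + Array structure the post arrives at, written out in Python as an added example (not the author's JavaScript). The names `values` and `index_of` are this example's own; the swap-with-last-then-pop step in `remove` is the part that keeps every operation O(1), and the comments mark the two invariants that make it correct.

```python
import random


class RandomizedSet:
    """Insert / remove / get_random, each in O(1) average time.

    Invariants kept by every method:
      * values holds each member exactly once, in no particular order
      * index_of[v] == i  iff  values[i] == v
    """

    def __init__(self, rng=None):
        self.values = []                 # backing array: get_random is one index lookup
        self.index_of = {}               # value -> its position in self.values
        self.rng = rng or random.Random()

    def insert(self, val) -> bool:
        if val in self.index_of:         # O(1) membership via the dict
            return False
        self.index_of[val] = len(self.values)
        self.values.append(val)          # amortised O(1) append
        return True

    def remove(self, val) -> bool:
        idx = self.index_of.pop(val, None)
        if idx is None:
            return False
        last = self.values[-1]
        if last != val:                  # move the tail into the hole...
            self.values[idx] = last
            self.index_of[last] = idx    # ...and repair its index entry
        self.values.pop()                # drop the tail: no shifting, no gaps
        return True

    def get_random(self):
        # Uniform over members because values has no gaps.
        return self.values[self.rng.randrange(len(self.values))]

    def __len__(self) -> int:
        return len(self.values)


if __name__ == "__main__":
    s = RandomizedSet()
    for v in (10, 20, 30):
        s.insert(v)
    s.remove(10)                         # 30 is swapped into index 0, then the tail is popped
    print(s.values, s.index_of, s.get_random())
```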
🔥 STOP Confusing CSRF & CORS in Django 🐍
Python Developer Series | Day 4

Most developers use these daily… But fail to explain ❌ Let's fix it 👇

🔐 CSRF (Cross-Site Request Forgery)
👉 Protects users from malicious requests
✔ Uses CSRF token
✔ Required in POST/PUT/DELETE
✔ Missing token → Request rejected

🌍 CORS (Cross-Origin Resource Sharing)
👉 Controls which domains can access your API
Example: Frontend → localhost:3000, Backend → localhost:8000
✔ Browser blocks by default
✔ Fix using:
- CORS_ALLOWED_ORIGINS
- CORS_ALLOW_ALL_ORIGINS

🔥 Bonus (Important):
✔ CORS_TRUSTED_ORIGINS → needed for secure/cookie-based requests

🧠 Remember:
CSRF = user protection
CORS = API access control

👇 Next Post: ALLOWED_HOSTS + Follow Up Questions

#python #django #backenddeveloper #websecurity #developers #coding #softwaredeveloper
Just published a quick guide on implementing Server-Sent Events (SSE) in Django using Django Channels. A simple alternative for one-way updates like notifications and other things. If you're working with Django and want some real time solutions, this might help. Article: https://lnkd.in/gN8VWJtm #Django #Djangochannels #sse #python #pythondjango
A thought-provoking piece for crafters: "GitHub - Distributive-Network/PythonMonkey: A Mozilla SpiderMonkey JavaScript engine embedded into the Python VM, using the Python engine to provide the JS host environment." PythonMonkey embeds Mozilla's SpiderMonkey JavaScript engine directly into the Python runtime, letting developers call JavaScript from Python and Python from JavaScript within the same process — no serialization or IPC required. The project shares memory backing stores between languages for strings, typed arrays, and buffers, making cross-language data transfer extremely fast. Python dicts and lists automatically behave as JS objects and arrays (and vice versa), with full method support through proxy wrappers. It ships with a CommonJS module system, an event loop (supporting setTimeout and Promises as Python awaitables), and standard JS globals like console and XMLHttpRequest. The project reached MVP in September 2024, installs via `pip install pythonmonkey`, and Distributive actively maintains it while welcoming external contributions.
If you don't want Claude Code reading your .env files, don't put it in the rules. Put it in a hook.

Rules in CLAUDE.md are suggestions. Claude reads them and usually follows them. But it's still an LLM deciding whether to listen. On a long session, in a complex task, it might ignore your rule and read that .env anyway (due to attention dilution or context rot).

A PreToolUse hook is a programmatic block. The tool call literally never executes. Claude doesn't get a choice!

Here's what I did — added a PreToolUse hook that blocks Read and Grep on env files across all frameworks. TypeScript/Node/Next.js, Python/FastAPI/Django, Java/Spring Boot, Go/Gin, Ruby/ROR — all of them.

BONUS: When your hook exits with code 2, stderr gets sent back to Claude as feedback. So you're not just blocking the action — you're telling the LLM why it was blocked. Claude reads that error message and adjusts its approach instead of retrying blindly.
Exit code 0 → all good, proceed.
Exit code 2 → blocked, and here's why.

This is the difference between "please don't read my secrets" and "you physically cannot read my secrets."

If you're working with any sensitive config files — API keys, database credentials, tokens — hooks over rules. Every time.

#ClaudeCode #AIEngineering #DevTools #Security
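A PreToolUse hook of the kind the post describes, as an added example and not the author's own script. It assumes the hook protocol from Claude Code's documentation: the hook process receives one JSON object on stdin carrying `tool_name` and `tool_input`, exit 0 lets the call proceed, and exit 2 blocks it and feeds stderr back to the model. The `file_path` (Read) and `path` (Grep) input keys follow the documented tool schemas as I know them; treat them as an assumption to confirm against your installed version. The decision is factored into `decide()` so it can be tested without a subprocess; the edge cases it handles are variants like `.env.production`, the `.env.example` files you do want readable, and malformed input (it fails closed).

```python
#!/usr/bin/env python3
"""Constructed PreToolUse hook: block Read/Grep on environment files (example code)."""
import json
import re
import sys

# Basename patterns for secret-bearing env files: .env, .env.local, .env.production, ...
ENV_FILE_RE = re.compile(r"^\.env(\..+)?$")
# Suffixes that mark a committed, secret-free template; these stay readable.
TEMPLATE_SUFFIXES = ("example", "sample", "template", "dist")
# Tools to guard, and the tool_input keys each uses for its target path.
# Assumption: matches Claude Code's documented Read/Grep input schemas.
GUARDED_TOOLS = {"Read": ("file_path",), "Grep": ("path",)}
BLOCK_EXIT_CODE = 2   # per the hook protocol: block and return stderr to the model


def is_env_file(path: str) -> bool:
    """True for a path whose basename is an env file and not a template variant."""
    name = re.split(r"[\\/]", path)[-1]
    if not ENV_FILE_RE.match(name):
        return False
    return name.rsplit(".", 1)[-1] not in TEMPLATE_SUFFIXES


def decide(payload: dict) -> tuple:
    """Return (exit_code, message_for_model). 0 allows the call, 2 blocks it."""
    tool = payload.get("tool_name", "")
    tool_input = payload.get("tool_input") or {}
    if tool not in GUARDED_TOOLS or not isinstance(tool_input, dict):
        return 0, ""
    for key in GUARDED_TOOLS[tool]:
        target = tool_input.get(key)
        if isinstance(target, str) and is_env_file(target):
            return BLOCK_EXIT_CODE, (
                f"Blocked: {tool} on '{target}' is not permitted. Environment files "
                "hold credentials; read the .env.example template or ask the user "
                "for the specific variable name you need."
            )
    return 0, ""


def main() -> int:
    raw = sys.stdin.read()
    try:
        payload = json.loads(raw) if raw.strip() else {}
    except json.JSONDecodeError:
        # Fail closed: an unparsable event is not a reason to let the call through.
        print("Blocked: hook could not parse the tool event.", file=sys.stderr)
        return BLOCK_EXIT_CODE
    code, message = decide(payload)
    if code != 0:
        print(message, file=sys.stderr)   # stderr is what the model gets to read
    return code


if __name__ == "__main__":
    sys.exit(main())
```

Two caveats a practitioner will want. First, this only blocks a Grep whose `path` points at the env file itself; a Grep over the parent directory still reads every file under it, so pair the hook with a deny rule for the file in the project's permission settings. Second, the hook registration lives outside the script: in `.claude/settings.json` you add a `PreToolUse` entry whose matcher names `Read|Grep` and whose command runs this file (assumption: the settings shape from the Claude Code hooks documentation; check the exact keys for your version).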
A few months ago, I started writing a tool to help me get a handle on some dependency issues in our 200-package monorepo. That tool is now open source: Dependicus is here! It gives you high-level visibility across all your dependencies, details about individual upgrade paths, and can create issue tracker tickets. Then you can assign those tickets to agents, who don't mind if there's a minor API change, or 5 packages need to be upgraded at once. Supports JS (all package managers), Go, Rust, Python, and Mise. Early days, but we've been running it internally for a while. https://lnkd.in/gaVWFAqW
🛡️ Advanced JavaScript — Day 2: Form Validation with Regex

Today I built a Form Validation project using JavaScript — and this one was different from anything I'd done before. Not because forms are complex. But because today I used Regex for the first time to validate inputs — and it completely changed how I think about data validation.

Here's everything I covered and built today 👇
📌 What is Form Validation?
📌 preventDefault()
📌 Regex — Regular Expressions 🔍
📌 Dynamic Error Messages
📌 isValid Flag

Simple pattern. Used everywhere in production code. Form validation isn't just about blocking bad data. It's about respecting the user — giving clear, instant feedback instead of letting them wonder what went wrong.

Project done. Concepts understood. Moving forward...

#AdvancedJavaScript #JavaScript #FormValidation #Regex #100DaysOfCode #LearnInPublic #WebDevelopment #Frontend #Programming #CodingJourney #BuildInPublic