security
5 articles
-
Registration & login testing checklist — with a Playwright autotest for every item
Login is the first screen a user sees and a favorite spot for production incidents. The "checklist item → how to automate it" format: user enumeration via identical error messages, password reset with a single-use token, logout and the back button, HttpOnly/Secure cookies via context.cookies(), sessions across two tabs, mocking 429 for lockout UI, the storageState pattern so you don't log in inside every test — and what parts of auth should never go into e2e.
-
File upload testing checklist: 30+ cases people forget
A reusable file upload testing checklist: content vs extension and magic bytes, sizes and decompression bombs, file names and path traversal, the upload process and dropped connections, server-side processing and storage, security (SVG XSS, RCE, SSRF) and accessibility. 30+ points.
-
Idempotency and retry storms — what QA must test in distributed systems
The most expensive class of bugs in payments isn't 'didn't go through' — it's 'went through twice'. A QA-eye view of idempotency: Idempotency-Key, 5 typical retry scenarios, retry storms, tools (WireMock, Toxiproxy, k6), and a 13-point release checklist.
-
CrowdStrike, July 2024 — how a single driver bricked 8.5 million Windows machines in 78 minutes
The most expensive software failure in history — $5.4B in direct losses. A trivial off-by-one on the side of an internal validator. Full timeline, root cause, three separate QA failures, and 10 lessons for your team.
-
OWASP API Security Top 10 for QA — a guide with test cases
Most QAs know SQL injection and XSS. But 90% of vulnerabilities in modern products live in APIs, and the OWASP API Top 10 2023 is a separate list that QA courses don't cover. All 10 threats with test cases, curl snippets, and tools.