Posts Archive
Technical and litigation notes
Database Schema Design and Data Protection by Design
GDPR Article 25 requires data protection by design and by default. Database schema design is a data protection design decision. Whether you use soft or hard deletes, how you structure audit tables, and whether you store personal data in JSON columns all have GDPR implications.
Security & Compliance
Webhook Security — HMAC, Rate Limiting, Replay Attacks
Webhook HMAC verification is widely implemented and widely misunderstood. It proves the payload was signed by someone with the app secret — not that the payload is fresh, not that it hasn't been seen before, and not that the app secret hasn't been compromised. Understanding what HMAC proves is as important as implementing it.
Security & Compliance
XSS, JSON Injection, and Output Encoding
Cross-site scripting (XSS) via JSON injection in HTML attributes is consistently underestimated because it requires three conditions to coincide: data is serialized as JSON, that JSON is emitted inside an HTML attribute, and the data contains a character that is special in that attribute context. All three do coincide in legal case data: a name like "O'Brien" carries an apostrophe that JSON encoding leaves untouched and that terminates a single-quoted attribute value, so the vulnerability is real.
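The failure and its fix side by side, as an added example that is not code from the original post. The template is a JavaScript string literal standing in for a server-side template, the case record is constructed, and `attributeValue` is a stand-in for how a browser tokenizer ends a single-quoted attribute at the first apostrophe. The hardened version encodes for the context the data actually lands in (an HTML attribute) after JSON-encoding, which is safe whichever quote style the template uses.

```javascript
// Naive: JSON.stringify escapes " and \ but leaves ' < > & alone. Inside a
// single-quoted attribute the first apostrophe in the data ends the value and
// everything after it is parsed as further attributes.
function renderNaive(record) {
  return `<div class="case" data-case='${JSON.stringify(record)}'></div>`;
}

// HTML attribute encoding applied to the already-JSON-encoded string. The browser
// decodes the entities when reading the attribute, so JSON.parse(el.dataset.case)
// on the client sees the original JSON unchanged.
const ENTITY = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function encodeForHtmlAttribute(s) {
  return s.replace(/[&<>"']/g, (c) => ENTITY[c]);
}
function renderSafe(record) {
  return `<div class="case" data-case='${encodeForHtmlAttribute(JSON.stringify(record))}'></div>`;
}

// Mimics the tokenizer: a single-quoted attribute value ends at the first ',
// regardless of what the template author intended.
function attributeValue(html) {
  const m = /data-case='([^']*)'/.exec(html);
  return m ? m[1] : null;
}

// Stand-in for the browser's entity decoding of an attribute value.
const DECODE = { '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'" };
function decodeEntities(s) {
  return s.replace(/&(?:amp|lt|gt|quot|#39);/g, (m) => DECODE[m]);
}
```

With `{ client: "O'Brien" }` the naive render yields an attribute value of `{"client":"O` and the rest of the JSON spills into tag context; a name crafted as `x' onmouseover='alert(1)` therefore becomes a real event-handler attribute. The encoded render keeps the whole JSON inside the attribute and round-trips through `decodeEntities` plus `JSON.parse` to the original record.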
Data Privacy & GDPR
Logging Personal Data — GDPR and Application Logs
Application logs capture request URIs, query parameters, and response bodies. In a legal SaaS, these often contain personal data: client names in URL slugs, phone numbers in query strings, case details in response bodies. GDPR requires a lawful basis and a retention policy for every category of personal data — including what ends up in log files.
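One concrete control for the three leakage paths named above, as an added example that is not code from the original post: a scrubber that runs on each access-log line before it reaches the sink. It rewrites name-bearing path slugs and known personal-data query parameters by route knowledge, drops logged bodies outright (a name in a body cannot be reliably pattern-matched, so the only safe rule is not to log it), and keeps a narrow phone-number regex as a safety net. The route shape `/clients/<slug>`, the parameter list and the sample log lines are constructed for the example; a real deployment would derive the first two from the app's routing table and data inventory.

```javascript
// Assumed inventory: query parameters that carry personal data in this app.
const SENSITIVE_QUERY_PARAMS = new Set(['phone', 'email', 'client', 'q']);
// Assumed route shape whose slug is derived from a person's name.
const SLUG_ROUTES = [/^(\/clients\/)[^/?#]+/];
// Safety net only: E.164-style numbers with a leading +. Local formats such as
// "07700 900123" are deliberately not matched here, because a looser pattern
// also eats timestamps and durations; the structural rules above are the primary control.
const PHONE_RE = /\+\d[\d \-().]{6,}\d/g;

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

// Rewrites a request target (path + query) so that slugs and sensitive
// parameters are replaced while the route and other parameters stay readable.
function redactTarget(target) {
  const qIdx = target.indexOf('?');
  let path = qIdx === -1 ? target : target.slice(0, qIdx);
  const query = qIdx === -1 ? '' : target.slice(qIdx + 1);
  for (const re of SLUG_ROUTES) path = path.replace(re, '$1REDACTED');
  if (!query) return path;
  const scrubbed = query.split('&').map((pair) => {
    const eq = pair.indexOf('=');
    const key = eq === -1 ? pair : pair.slice(0, eq);
    return SENSITIVE_QUERY_PARAMS.has(safeDecode(key)) ? `${key}=REDACTED` : pair;
  }).join('&');
  return `${path}?${scrubbed}`;
}

// Applies the three rules to one log line: target rewrite, body removal,
// phone-number safety net over whatever remains.
function scrubLogLine(line) {
  return line
    .replace(/\b(GET|POST|PUT|PATCH|DELETE) (\S+)/, (_, method, target) => `${method} ${redactTarget(target)}`)
    .replace(/ body=.*$/, ' body=[omitted]')
    .replace(PHONE_RE, 'PHONE');
}

// Constructed sample lines in the shape of a typical access log.
const SAMPLE_LOG_LINES = [
  '2024-03-02T10:15:00Z GET /clients/jane-obrien?phone=%2B447700900123&page=2 200 12ms',
  '2024-03-02T10:15:01Z POST /cases/1234/notes 201 30ms body={"author":"Jane O\'Brien","phone":"+44 7700 900123"}',
  '2024-03-02T10:16:00Z GET /search?q=smith 200 5ms ref=+44 7700 900123',
];
```

The point of keeping `page=2` and the `/cases/1234/notes` route intact is that the log stays useful for debugging and incident response; what changes is that the retained categories of personal data are now the ones the data inventory knows about, which is what a lawful basis and a retention period can actually be attached to.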