DEV Community

Discussion on: Is web security broken?

Jen Miller • Edited

I think it's because people have their own biased opinion on different ways to do it. In security, like everything else, there is often more than one way to do something...and be equally secure.

However, people with opposing views tend to be pretty hostile and reply with a tone like: "if you do that, then your app sucks and has huge security holes"...with little or no justification...they just don't like the OP's point of view.

But in addition, I think many security articles put the reader down. You know, those articles with titles like "You are doing security wrong", "Security is hard, don't do it, use Auth0", or "If you implement security yourself, your company and products are bad", etc... And though I do agree it's sometimes easier and better to delegate some security aspects to frameworks (i.e. HTTP escaping), judging the reader's professional skills is a poor way of getting a message across and it can make the reader feel like crap.

People also tend to combine problems with protocol (and design) and implementation in the same bucket. Some can be designed correctly, but their implementations can have bugs.

I do agree that for beginners it can be overwhelming. For me, it just took lots of reading and understanding of what an application's real security requirements are (vs fear mongering from the internet). I went through this whole mess when I was working on some OpenID Connect tasks a while back...

Actually, I don't mean to self-promote, but my friends and I just built a series of videos regarding our experience using Auth0 and other authentication services you might find helpful. You can see the first video here if you want.

From my experience, the comment section of security articles can be pretty helpful or expose holes in the post. Especially if the OP has some underlying objective for the post (i.e. they work for Auth0).

Web security is such a large topic. It covers things like front-end coding (not just the login page, but also XSS concerns on the rest of the site), to how to store credentials in the DB, to the authentication process used (is username/password good enough? do I need 2FA?), and finally the authentication mechanism (JWT, cookies, etc.).