Short answers to questions readers send most often. Each one links to the long-form post if you want the full picture.

What is Zero Trust?

Trust identity, not network location. Every request gets authenticated against an IDP and authorised against scoped tokens with short expiry — so a stolen credential or an inside-the-VPN attacker can’t move freely the way they used to.

Are passkeys phishing-proof?

Yes, against credential phishing. A passkey signs only challenges from the exact domain it was registered on, so a fake bank-secure-login.com can’t trick it into authenticating for the real bank.com. The private key never leaves your device’s secure hardware.

What's the difference between OAuth2 and OpenID Connect?

OAuth2 is authorisation — what an app can do on your behalf. OpenID Connect is authentication built on top — who you are. If you need to know who the caller is, validate the OIDC ID token; for API access, validate the OAuth2 access token. Don’t conflate them.

Why use a secrets manager instead of `.env` files?

`.env` files get committed, copied, emailed, and left on disposable laptops — and they don’t rotate. A secrets manager keeps one source of truth, injects values at runtime, and lets you revoke a leaked credential in one place instead of chasing every copy.

What is STRIDE?

A threat-categorisation framework: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege. You walk through each one against your system to surface threats you’d otherwise miss. It’s the most-used model for a reason — concrete enough to act on.

Can an LLM do threat modelling for me?

It can do the breadth — listing common threats per component, classifying by STRIDE, catching the obvious. It can’t do the depth — your trust boundaries, your business risk, what ‘good’ looks like for your system. Treat it as a fast first pass, not the final answer.

What is SASE, and why does it matter for a home lab?

SASE (Secure Access Service Edge) is identity-aware network access — no VPN, no exposed ports, every request authenticated. The same principles work for home labs: Cloudflare Tunnel plus Tailscale gives you Zero Trust for personal services without enterprise pricing.

Are JWTs secure?

When validated correctly, yes. Validate the signature against the JWKS endpoint (not a hardcoded key), check `iss` and `aud` together with `exp`, and key user identity on `iss`+`sub` (not `sub` alone, since IDPs reuse subject IDs). The bigger weakness is revocation — JWTs stay valid until they expire, so keep that window short.

When should I use an AI coding agent?

When the task is well-scoped and you can verify the output — tests, lints, a working build. Agents shine on tedious-but-clear work: refactors with explicit constraints, boilerplate, glue code. They struggle when the goal is fuzzy or the codebase has unwritten conventions only humans know.

What should I do about frontier AI security threats?

Stop relying on friction. Weak passwords, obscure endpoints, legacy VPN without MFA — none of those hold up against automation that finds and exploits at scale. Move to hard barriers: identity-bound access, short-lived credentials, no implicit trust by network location. The asymmetry only widens from here.
