How to prevent horizontal escalation attacks when a centralized authorization service as gateway is used?

Say I have a gateway which provides authorization mechanisms by validating a JWT; behind the API gateway there are different microservices, but only the gateway port is public. As a software designer you decide to make all microservices unaware of authorization-related operations to remove code duplication and minimize the affected components when a security-related change is needed. That is, none of the microservices would contain any validation of the JWT.

How is it possible to prevent a horizontal privilege escalation when there’s a valid JWT but the attempted operation does not pertain to the current user, such as updating the user profile of a different person? Keep in mind the API should not be required to read and compare the subject or issuer of the JWT against the user profile being updated. Is it even possible to achieve this?

Recurring 502 Bad Gateway issue

Hoping one of you out there can offer suggestions or at least tell me I’m not alone. Our WP site has had a random 502 Bad Gateway problem for a few days now – it happens once every few page loads. I’ve been down the server-side troubleshooting list (with the help of Bluehost) and the my-side list (disabling all plugins, updating the theme, latest PHP..) – everything on the site is up to date, and 2 bad plug-ins were removed.

Some online articles tell me if this happens once every few loads it’s a server-side problem. The hosting company assures me it is a problem with the ‘optimization of website or database’ – whatever that great expanse of possibilities entails.

I’m running out of questions to ask – I just want my site to load each time somebody visits. Can anybody help?

How to secure a price passed to a payment gateway on client?

Using Javascript, say a customer buys a product that costs $10.

Many payment gateways, like PayPal and Stripe, offer a client-side form where you input the sale data (price, amount, buyer address, etc.), and it’s sent to the gateway (e.g. PayPal) from the client side.

But, at this point, when I fill the form using Javascript on the client side, someone can change the price from 10 to 1 and pay only 1 to PayPal.

I know things have to be validated on my server, but validation means that the server is sending back to the client a response saying this price is good or not good, and this response can also be manipulated.

So how is it that companies allow client-side payment anyway using a form? How/where is the actual sale data being passed to the payment gateway? Client? Server?

Block Connections from Consumer VPN networks at gateway

We have a web server behind an AWS Load Balancer. We’d like to block any host from accessing our web server if they are connecting from a Consumer VPN style network. We’ll also be doing some geo-location blocking too which we can do with AWS WAF.

For blocking Consumer VPN networks, does anyone know the easiest/fastest way to obtain a listing of CIDR blocks registered to Consumer VPN companies? I have a list of IPs that I can do a WHOIS on and find the registered block, but that wouldn’t give me all of the networks out there. I’d have to do quite a bit of WHOIS searching and guessing to build it manually. If there’s a resource out there that could help me with this endeavor that’d be great.

ExoCrow – payment gateway for crypto, merchant accounts
Accept cryptocurrency payments from all over the world

Accept Bitcoin and other cryptocurrencies, gain new customers, and avoid the cost of high fees and chargebacks.

ExoCrow makes accepting blockchain payments fast and reliable. To get started, sign up for an ExoCrow account.

With blockchain payments, there's no sensitive customer information to collect and store, and there are no cards to charge. Customers simply send cryptocurrencies (like Bitcoin, Ether, or…


Why nmap scans port in my default gateway?

I tried to use nmap on my computer and saw that nmap can’t find anything for my local computer IP (even though HTTPS is absolutely open).

But when I tried to scan with nmap over a range of IPs, I saw that the only open ports nmap found were on the default gateway IP.

Why is that? (Can’t find anything on the web.)

edit: I have been asked to give an example.

So let’s say my default gateway (router) IP is and my first computer’s local IP is and my second computer’s local IP is

When I try nmap (with different parameters) on or I don’t get any open ports (“all 1000 ports are closed”).

But when I try nmap on I get 12 open ports (which I believe are open on my first or second computer).