Date added Question
2017-06-14 15:06 Anti Cross Site Request Forgery (CSRF) token in asp.net c# »
Our team has developed a C# ASP.NET application and it recently went through a security check. One of the many threats include using anti CSRF token....
(0) answers
2017-06-11 21:06 Is Regexp.new(user_input) in ruby secure? »
Is it secure to create Regexp object from user-provided query directly, or do I need to do some validations on it first? Documentation doesn't say muc...
(1) answers
2017-06-01 09:06 How to lock certain columns from being edited for a user in postgresql »
How to lock certain columns from being edited even though the user has editing rights for the table in postgresql. ...
(2) answers
2017-05-29 20:05 CSRF token is visible in source code »
Should my Cross-site request forgery TOKEN be viewable on my web page source code I am running a rails app in production and can see Cross-site reques...
(1) answers
2017-05-27 21:05 rails: What are the consequences of a leaked secret_key_base »
In rails we have something called secret_key_base in config/secrets.yml What if this production secret is accidentally shared via GitHub (public repo...
(1) answers
2017-05-27 02:05 csrf ... php form security »
I'm creating a site with a number of different access levels, from basic user thru to admin level (5 in total) manager and admin levels will have the...
(2) answers
2017-05-25 06:05 Is Kotlin harder to reverse engineer than java »
I am deciding which one to use for an Android Studio project and I am willing to use Kotlin. If there is an advantage in terms of being harder to rev...
(1) answers
2017-05-22 18:05 AngularJS JSON vulnerability protection not stripped »
I have an angular app communicating with an Api where I prefix JSON responses only consisting of an array with )]}', as the angular's official documen...
(1) answers
2017-05-20 13:05 PHP most accurate way to get real user IP address in 2017 »
What is the most accurate way to get user's IP address in 2017 via PHP? I've read a lot of SO questions and answers about it, but most of answers are...
(10) answers
2017-05-18 17:05 Spring, XSRF tokens and performance »
I am trying to implement CSRF protection in an existing application. We have Spring MVC on backend and a mix of HTML, CSS and Apache Velocity Template...
(0) answers
2017-05-12 21:05 Login session transferred to other user »
I have kind of a strange problem. I have built a web application in Lucee. You need to login to use the web application. It has happened, at least twice, ...
(2) answers
2017-05-12 17:05 Why is a csrf token needed when a session cookie is used? »
Say I login through an OpenID Connect provider and am redirected to my callback www.mysite.com/auth/callback. I then create an httponly cookie, which...
(1) answers
2017-05-11 19:05 Best practices form processing with Express »
I'm writing a website which implements a user management system and I wonder what best practices regarding form processing I have to consider. Especi...
(3) answers
2017-04-29 14:04 Searching a local JSON file not working in Chrome »
I have a JSON file on my local machine with several property listings in it. A snippet of the code is as follows for reference; { "properties": [ ...
(1) answers
2017-04-23 00:04 Would posting my code to github affect the security of my application? »
background I am writing a simple blog application in Django (data passed through templating language). The owner of the blog will have access to the ...
(5) answers
2017-04-21 10:04 Python is reading past the end of the file. Is this a security risk? »
So I just noticed this, and after some experimentation, I managed to make it reproducible. I didn't see this posted anywhere. Python seems to be readi...
(0) answers
2017-04-19 21:04 .net core security headers middleware not adding headers to external http requests »
I'm using security headers middleware in a web app to add security headers to all outgoing http requests. Security headers seem to get added to all ne...
(1) answers
2017-04-18 21:04 spring boot + security + oauth2 + react + csrf token »
I am working on spring boot 1.5.2 security with oauth2 and I am using reactjs also. I have separate authentication server for user authentication and ...
(0) answers
2017-04-18 17:04 How is the (X/C)SRF-TOKEN cookie more secure than the JSESSIONID cookie? »
The csrf token cookie is said to protect against cross-site attack because it would better warranty that the request is coming from the javascript pro...
(1) answers
2017-04-17 03:04 Universal user profile for subproject sites – securely transferring user data from main server »
I have a site (A) for main project with user system (which is supposed to display all student competitions and academic events in my country for regis...
(1) answers
2017-04-16 23:04 Web API security using tokens »
I have built a Web API and now I am trying to determine the best approach to secure it. I would like to use tokens along with credentials and thus, o...
(1) answers
2017-04-16 12:04 Can an HTML <script> fragment on the URL be used for XSS in a purely client side application? »
Background Say I have the following webpage: <html> <script> document.write('querystring=' + location.search.substr(1)); </sc...
(2) answers
2017-04-02 23:04 Should API Secrets Be Hashed? »
It might sound like a silly question, because passwords of course need to be hashed and never store the original. However, for API secrets, generally...
(1) answers
2017-03-23 11:03 Chrome and Safari not honoring HPKP »
I added HPKP header to my site, but it is not honored by Chrome or Safari. I tested it manually by setting a proxy and by going to chrome://net-intern...
(2) answers
2017-03-22 07:03 Email and SMS not working after setting up configuration of nwebsec »
I have configured NWebsec for security purposes in .NET Framework. Also added connect tag with email and SMS API URL but still not working. Any help? ...
(0) answers
2017-03-21 23:03 Javascript - masking account number within a string »
I have a fun challenge I couldn't find an answer for here. I have a string of text, that could potentially contain an account number. Example: "Hi, m...
(4) answers
2017-03-21 22:03 How to slow down too many requests in web api instead of returning 429? »
We have an API that is an interface to a huge database. We sell the access to it as a service, and our clients are then able to get the data. However...
(0) answers
2017-03-19 02:03 XSRF and double submit cookie JWT alternative - is this implementation safe? »
I was looking into HTTP security for my REST API and I was hoping to make it more secure by using the Double Submit Cookie pattern but I'm pretty sure...
(1) answers
2017-03-14 20:03 Rails 5 API protect_from_forgery »
I have a Rails 5 API app (ApplicationController < ActionController::API). The need came up to add a simple GUI form for one endpoint of this API. ...
(3) answers
2017-03-10 19:03 How in Django/Python can I ensure safety from WYSIWYG-entered HTML? »
I would like to remove vulnerabilities to XSS / JavaScript injection in a web application where users are allowed to use an editor like CKEditor which...
(1) answers
2017-03-08 19:03 Spring Security CSRF Token generation »
CSRF prevention Spring parameters, _csrf.parameterName and _csrf.token are not getting generated in JSP. <input type="hidden" path="${_csrf.paramet...
(0) answers
2017-03-06 11:03 Windows authentication on Angular + Web Api »
I am developing web application using angularJS and web api. I have hosted two separate projects on IIS. The URL for AngularJS is 'http://10.36.217.16...
(0) answers
2017-03-02 11:03 Adding CSRF token for window.location.href »
I have used window.location.href in several places in my javascripts. Is there any generic way to add CSRF token to all of them? Since the window.loca...
(1) answers
2017-02-26 12:02 C# Encrypting/Decrypting a String using Windows Master Password »
According to this HowToGeek article, Chrome encrypts a password using the Windows master password. To perform the encryption (on Windows), Chrome...
(0) answers
2017-02-24 18:02 can't verify CSRF token authenticity after session expires - Rails + devise + redis »
We have an issue with CSRF tokens that started when moving our sessions to Redis. The issue is that users sign-out, and leave the login screen for a l...
(1) answers