Questions tagged [websecurity]

Topics that can be tagged with this include: Cross-Site Scripting (XSS), Local File Inclusion (LFI), Remote File Inclusion (RFI), Remote Code Execution (RCE), PHP Code Injection, HTTP Protocol Violation, Shellshock, Session Fixation, Scanner Detection, Metadata/Error Leakages, Project Honey Pot Blacklist, and SSL-related questions. Link to learn more: https://owasp.org/ Some questions or definitions: https://techletterbox.com/2020/02/08/web-security/

380 questions
74 votes, 6 answers

Does a proper CORS setup prevent CSRF attacks?

If CORS is properly set up on a server to only allow certain origins to access the server, is this enough to prevent CSRF attacks?
programmerdave
52 votes, 4 answers

Cookie “PHPSESSID” will be soon treated as cross-site cookie against because the scheme does not match

I've just noticed my console is littered with this warning, appearing for every single linked resource. This includes all referenced CSS files, JavaScript files, SVG images, and even URLs from AJAX calls (which respond in JSON). But not images. The…
Digital Ninja
47 votes, 12 answers

Does --disable-web-security work in Chrome?

I'm trying to do a simple test without changing any server-side code involving a cross-domain AJAX call, and I was wondering if it's possible to use --disable-web-security anymore. It seems to not work on Chrome 28. I haven't used it since Chrome…
Fields
40 votes, 3 answers

How to disable the same-origin policy in Internet Explorer

Chrome allows us to disable the same-origin policy, so we can test cross-origin requests. I would like to know if there is any possibility to do the same thing in IE.
alex.mironov
12 votes, 2 answers

Do these .env GET requests from localhost indicate an attack?

I was just looking through our logs after getting some intermittent 5xx errors on a Heroku hosted site, and in there I discovered many errors that were emanating from localhost and were requests for hidden files, usually .env but also things like…
user14357143
12 votes, 1 answer

What is the difference between Burp Suite and Wireshark?

Burp Suite and Wireshark are said to be the best tools for penetration testing. I'm curious what the difference is between them, and the pros and cons of each.
H S Umer farooq
11 votes, 1 answer

Is it bad to pass a JWT token as part of the URL?

Hi, currently I have an Angular application and a Java backend. In my Angular component HTML I have some images such as profile photos. The resource that serves the image files is secured with Spring Security. So my question is, is it bad to append JSON…
prasanth
9 votes, 4 answers

Why do _token and XSRF-TOKEN differ in Laravel?

I don't understand why the token for AJAX requests (XSRF-TOKEN) is different from the _token that normal forms use. In addition, it's much longer. Why? And why have 2 tokens at all? Why not just use one which would be the same for both AJAX and normal…
good_evening
9 votes, 1 answer

What are recommended / minimum parameters for hashlib.scrypt?

The documentation of hashlib.scrypt is a bit short: hashlib.scrypt(password, *, salt, n, r, p, maxmem=0, dklen=64) The function provides scrypt password-based key derivation function as defined in RFC 7914. password and salt must be bytes-like…
Martin Thoma
9 votes, 2 answers

Why is delivery of Content-Security-Policy via headers "preferred"?

At "3. CSP Policy Delivery" it says: "The Content-Security-Policy HTTP response header field is the preferred mechanism for delivering a policy." But there are two valid mechanisms, delivery via an HTTP header, and delivery via an HTML meta…
8 votes, 2 answers

How to set X-Frame-Options in a Laravel project?

I want to prevent my website from clickjacking attacks. In which file, and where, should I set X-Frame-Options to prevent clickjacking attacks?
Darshan Prajapati
7 votes, 0 answers

API protection - JWT vs HMAC signing vs OAuth

Let's say you are designing a new API. The consumer of your API is a mobile app that periodically sends requests in the background, but you expect other consumers as well, such as web apps or servers. Now let's consider two schemes: In scheme number…
Mister_L
6 votes, 5 answers

Private authentication algorithm - web security

I'm working on a project which generates audio from text (TTS) and provides users with a player with speed/pitch control. My question is related to request security. The user gets a widget_id during registration on my site, he puts some JS on his site, and…
Simon
6 votes, 1 answer

How to prevent script injection attacks

Intro: This topic has been the bane of many questions and answers on Stack Overflow, and in many other tech forums; however, most of them are specific to exact conditions and, even worse, "over-all" security in script-injection prevention via…
argon
6 votes, 1 answer

Understanding Keycloak Adapter (Spring-Security & Spring Boot) session requirement

For a piece of software in active development we are using Spring Boot (with Spring Security) and the Keycloak Adapter. The goal is to: require valid authentication for all endpoints except those annotated with @Public (see the code snippet) (this…