Questions tagged [websecurity]

Questions about the following topics can carry this tag:
  • Cross-Site Scripting (XSS)
  • Local File Inclusion (LFI)
  • Remote File Inclusion (RFI)
  • Remote Code Execution (RCE)
  • PHP Code Injection
  • HTTP Protocol Violation
  • Shellshock
  • Session Fixation
  • Scanner Detection
  • Metadata/Error Leakages
  • Project Honey Pot Blacklist
  • SSL/TLS-related questions

Link to learn more: https://owasp.org/
Some questions and definitions: https://techletterbox.com/2020/02/08/web-security/

380 questions
5 votes, 2 answers

secret management in on premise application

The .net core server code I'm working on is going to be hosted both in cloud infrastructure and on premises. There are many options to handle secret management (connection strings etc...): Big cloud providers are offering dedicated secret…
5 votes, 0 answers

Next.js app: how to prevent XSS and CSRF attacks?

Basically I am building a serverless Next.js app with MongoDB. Idea 1: React prevents most of the XSS already, so should I just store user login info in web storage? This way I do not need to worry about CSRF. Idea 2: If I use an httpOnly cookie…

asked by sleeping ZZ (rep 99; badges 2/6)

5 votes, 2 answers

Can the Request scope variables be tampered with/modified using external proxy tools?

As we already know, the URL and FORM scope variables can be modified using external proxy tools. For example, if someone makes a request like this: http://website/index.cfm?a=1&b=2 This way one can add values to the URL scope of a .cfm…

asked by Pankaj (rep 1,731; badges 1/13/15)

4 votes, 0 answers

Is the HTML output of quill.root.innerHTML always safe?

I want to save and load the rich text from a Quill editor. My plan is to call JSON.stringify(quill.getContents()) and save the resulting JSON. Then to load and display the rich text I would do: quill.setContents(JSON.parse(myJson)); myDiv.innerHTML…

asked by fblundun (rep 987; badges 7/19)

4 votes, 1 answer

What is the right way to protect the social security number in a web page?

The application we are building needs to store people's SSNs. We already protect them using HTTPS in transit and in storage using DynamoDB's built-in encryption. The question is, how to protect it in a web page once it has arrived in a user's…

asked by THpubs (rep 7,804; badges 16/68/143)

4 votes, 1 answer

How to prevent SQL injection and improve security on REST APIs?

I'm new to REST APIs and am developing an API that is going to be used for iOS/Android/Web apps, but I'm unfamiliar with the kind of threats the APIs face once published. I see these same tips all over: Use OAuth 2 to allow transactions, Receiving…

asked by Dialvive (rep 356; badges 7/19)

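The question above asks how a REST API avoids SQL injection. The added example below is not from the question or its answers; it is a self-contained Python/sqlite3 script with a constructed users table that puts the vulnerable string-built query next to the parameterized one, and covers the two cases parameters alone do not solve: a path parameter that must be validated as an integer, and a `?sort=` column name, which cannot be bound as a parameter and therefore comes from an allowlist (the `SORT_COLUMNS` mapping is an assumption of this example).

```python
import sqlite3

# Constructed sample data for the demo; not from the question.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
]

# Allowlist for a ?sort= query parameter (assumed API names -> SQL identifiers).
# Identifiers cannot be bound as parameters, so they are chosen from this fixed set.
SORT_COLUMNS = {"username": "username", "email": "email", "id": "id"}


def make_db():
    """Create an in-memory database with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn, username):
    """The 'before' form: the caller's string is spliced into the SQL text,
    so a quote in it changes the statement's structure."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """Parameterized form: the driver sends the value separately from the
    statement, so it is compared as data and never parsed as SQL."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def get_user_by_id(conn, raw_id):
    """Path parameters arrive as strings: validate the type before binding."""
    try:
        user_id = int(raw_id)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer")
    return conn.execute(
        "SELECT username, email FROM users WHERE id = ?", (user_id,)
    ).fetchall()


def list_users_sorted(conn, sort_key, descending=False):
    """Column and direction are picked from an allowlist and only then
    interpolated; any other sort key is rejected before touching SQL."""
    try:
        column = SORT_COLUMNS[sort_key]
    except KeyError:
        raise ValueError(f"unknown sort key: {sort_key!r}")
    direction = "DESC" if descending else "ASC"
    return conn.execute(
        f"SELECT username, email FROM users ORDER BY {column} {direction}"
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, payload))  # every row
    print("safe:      ", find_user_safe(db, payload))        # no rows
    print("sorted:    ", list_users_sorted(db, "username", descending=True))
```

With the payload `' OR '1'='1` the vulnerable function runs `WHERE username = '' OR '1'='1'` and returns the whole table; the parameterized version returns nothing because the payload is compared literally as a username. The allowlist pattern applies equally to table names and `LIMIT`/`OFFSET` values that an API exposes as query parameters.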
4 votes, 1 answer

How does an HttpOnly cookie protect against XSS/injection attacks if it is passed automatically with every request?

From what I understand, HttpOnly cookies cannot be read by client JS, but they are passed by the browser with any subsequent requests. If an attacker is able to inject JS into a web page and make a request to the endpoint, it would still go through…

asked by Aravind (rep 550; badges 7/17)

4 votes, 2 answers

Is it possible to use Cognito's Authorization code grant type as an authorizer in API Gateway?

I would like to know if there is any way or possibility to implement the authorization code grant type as an Authorizer for securing API Gateway. As I searched, the 'Authorization code' grant type is the most recommended for securing APIs. I found the article below, which…

4 votes, 1 answer

Content Security Policy multiple nonce

I have a single page application (built in .NET Core MVC 2.2), where HTML sections are loaded on the fly. On the main document I added a CSP policy with a dynamically generated header that looks like: Content-Security-Policy: script-src 'self'…

asked by SSA (rep 5,433; badges 4/36/50)

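The question above concerns a page whose CSP header carries a per-response nonce while further HTML sections are loaded later. The added example below is not the asker's .NET code; it is a Python stand-in for the server side that generates one nonce per response, builds the `script-src` header with it (optionally with `'strict-dynamic'`), renders a main document and a later-loaded fragment, and checks which `<script>` tags in a piece of HTML would be blocked because they do not carry the nonce the header trusts. The page markup, the `/app.js` path and the `initSection()` call are assumptions for the demo.

```python
import re
import secrets

SCRIPT_TAG_RE = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
NONCE_ATTR_RE = re.compile(r"""\bnonce\s*=\s*["']([^"']*)["']""", re.IGNORECASE)
NONCE_SOURCE_RE = re.compile(r"'nonce-([A-Za-z0-9+/_=-]+)'")


def new_nonce():
    """One fresh, unguessable nonce per HTTP response (128 bits, base64url)."""
    return secrets.token_urlsafe(16)


def csp_header(nonce, strict_dynamic=True):
    """Build the Content-Security-Policy header value for one response.
    With 'strict-dynamic', scripts that a nonced script creates with
    document.createElement are trusted as well, so a loader script can pull
    in further scripts for later-loaded sections without new nonces."""
    sources = ["'self'", f"'nonce-{nonce}'"]
    if strict_dynamic:
        sources.append("'strict-dynamic'")
    return f"script-src {' '.join(sources)}; object-src 'none'; base-uri 'self'"


def render_main(nonce):
    """The main document (assumed markup); every script carries the response nonce."""
    return (
        "<!doctype html><html><body>\n"
        '<div id="app"></div>\n'
        f'<script nonce="{nonce}" src="/app.js"></script>\n'
        "</body></html>"
    )


def render_fragment(nonce):
    """An HTML section fetched later and injected into the main document.
    It must be rendered with the nonce of the page it is injected into,
    not with a nonce generated for the fragment's own response."""
    return f'<section><script nonce="{nonce}">initSection();</script></section>'


def nonce_from_header(header):
    """Extract the nonce the policy trusts, or None if the policy has none."""
    m = NONCE_SOURCE_RE.search(header)
    return m.group(1) if m else None


def unnonced_scripts(html, nonce):
    """Return the opening tags of <script> elements that lack the expected
    nonce; under the policy above the browser refuses to run those."""
    missing = []
    for m in SCRIPT_TAG_RE.finditer(html):
        attr = NONCE_ATTR_RE.search(m.group(1))
        if attr is None or attr.group(1) != nonce:
            missing.append(m.group(0))
    return missing


if __name__ == "__main__":
    page_nonce = new_nonce()
    print(csp_header(page_nonce))
    print(unnonced_scripts(render_fragment(page_nonce), page_nonce))   # []
    print(unnonced_scripts(render_fragment(new_nonce()), page_nonce))  # one tag
```

Two things this makes concrete: the nonce attribute on every script of a response must equal the `'nonce-...'` value in that same response's header, so a fragment endpoint that mints its own nonce produces scripts the page's policy rejects; and since browsers never execute `<script>` elements inserted through `innerHTML` anyway, the usual design is a nonced loader script on the main page that fetches sections and adds the scripts they need via `document.createElement`, which `'strict-dynamic'` permits.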
4 votes, 2 answers

Warning in console.log when adding embedded Google Maps

I want to add a Google Maps (embedded) map to my web app. I'm building an Angular 8 app using the built-in server, but console.log still shows warnings: A cookie associated with a cross-site resource at https://google.com/ was set without the…

asked by Amirul Idzham (rep 43; badges 1/10)

4 votes, 3 answers

Which is better, TLS or SSL?

Recently I learned about PHPMailer and I wonder which one I should use as SMTPSecure, tls or ssl? According to some articles, HTTPS needs an SSL certificate, whereas Wikipedia says that SSL has been deprecated.

asked by sudonitin (rep 378; badges 4/15)

3 votes, 2 answers

If I store a JWT signing key in my frontend secrets environment variable and never log it anywhere, can a FE client still access it somehow?

Purpose of this process: I want to have some analytics tracking for the unauthenticated user experience, and so I want to protect my backend analytics APIs to entertain requests only coming from my FE client. So I need a way to inject those secrets only…

asked by Shivam Sahil (rep 4,055; badges 3/31/62)

3 votes, 0 answers

Content Security Policy Reports

I recently enforced a content security policy on my web app. I used CSP3 with the 'strict-dynamic' source expression. I've been analysing reports and the bulk of violations are attributed to "source-file": "about" and "blocked-uri": "inline". The field…

asked by Mayur Arora (rep 447; badges 5/11)

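The question above is about making sense of a flood of CSP violation reports. The added example below is not from the question; it is a Python triage script over constructed newline-delimited reports in the `report-uri` (`csp-report`) JSON shape, which sorts them into buckets a practitioner acts on differently: extension-injected content (noise outside the site's control), `eval`, inline script or style with no nonce, and external URLs the policy does not allow. The bucket names and the document URLs are assumptions of this example, and reports sent via the newer `report-to` / Reporting API shape are not handled.

```python
import json
from collections import defaultdict

# Schemes browsers use for extension-injected content; violations carrying
# them are noise that no change to the site's own policy can remove.
EXTENSION_SCHEMES = {
    "chrome-extension", "moz-extension", "safari-extension",
    "safari-web-extension", "ms-browser-extension",
}

# Constructed sample reports (report-uri / "csp-report" shape), one per line,
# as a collector endpoint would typically store them.
SAMPLE_NDJSON = """\
{"csp-report": {"document-uri": "https://app.example/home", "effective-directive": "script-src", "blocked-uri": "inline", "source-file": "about", "line-number": 12, "script-sample": "initWidget();"}}
{"csp-report": {"document-uri": "https://app.example/home", "effective-directive": "script-src", "blocked-uri": "inline", "source-file": "about", "line-number": 30, "script-sample": "trackClick(this)"}}
{"csp-report": {"document-uri": "https://app.example/home", "effective-directive": "script-src", "blocked-uri": "inline", "source-file": "chrome-extension://abcdefghijklmnop/content.js", "line-number": 1, "script-sample": ""}}
{"csp-report": {"document-uri": "https://app.example/checkout", "effective-directive": "script-src", "blocked-uri": "https://cdn.example.net/lib.js", "source-file": "https://app.example/app.js", "line-number": 88}}
{"csp-report": {"document-uri": "https://app.example/checkout", "effective-directive": "script-src", "blocked-uri": "eval", "source-file": "https://app.example/app.js", "line-number": 140}}
{"csp-report": {"document-uri": "https://app.example/home", "violated-directive": "style-src 'self'", "blocked-uri": "inline", "source-file": "about"}}
"""


def scheme(uri):
    """Scheme of a URI-like report field, or '' for values such as 'inline'."""
    return uri.split(":", 1)[0] if ":" in uri else ""


def classify(report):
    """Map one report to a triage bucket (heuristic, assumed for this example)."""
    r = report.get("csp-report", report)
    blocked = r.get("blocked-uri") or ""
    source = r.get("source-file") or ""
    # Older browsers only send violated-directive, which may include the
    # source list; keep just the directive name.
    directive = (r.get("effective-directive")
                 or r.get("violated-directive") or "unknown").split()[0]
    if scheme(blocked) in EXTENSION_SCHEMES or scheme(source) in EXTENSION_SCHEMES:
        return "browser-extension"
    if blocked == "eval":
        return "eval"
    if blocked == "inline":
        return f"inline-{directive}"
    return f"blocked-url-{directive}"


def triage(ndjson_text):
    """Group reports by bucket, keeping the fields needed to locate each one.
    A source-file of 'about' means no script URL could be reported, so the
    document URI, line number and script-sample are what identify the code."""
    buckets = defaultdict(list)
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        report = json.loads(line)
        r = report.get("csp-report", report)
        buckets[classify(report)].append({
            "document": r.get("document-uri"),
            "where": f"{r.get('source-file') or '?'}:{r.get('line-number', '?')}",
            "blocked": r.get("blocked-uri"),
            "sample": r.get("script-sample", ""),
        })
    return dict(buckets)


if __name__ == "__main__":
    for bucket, items in sorted(triage(SAMPLE_NDJSON).items()):
        print(f"{bucket}: {len(items)}")
        for item in items:
            print("   ", item["document"], item["where"], repr(item["sample"]))
```

The `inline-script-src` bucket is the one that matters under a nonce plus `'strict-dynamic'` policy: it collects both inline `<script>` blocks that were rendered without the nonce and inline event handlers such as `onclick=`, which nonces never cover (they need `'unsafe-hashes'` with a hash, or moving the handler into a nonced script). The `script-sample` field, where the browser supplies it, is the quickest way to tell the two apart.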
3 votes, 0 answers

How secure is history.pushState()?

I have a small web app that needs several extra secrets saved (not covered by a normal form login submit). I want to store them using history.pushState(), but before I did, I wanted to get a sense of how secure it is from the professionals…

3 votes, 3 answers

Akamai sensor data generator for a valid _abck cookie on post request (Python)

So I'm trying to do an auto checkout on a website but I keep getting blocked because I can't get a valid _abck cookie. I've seen on some websites that people pay so coders give them the sensor data generator; I can't afford that, so I came here in…

asked by Oscar (rep 41; badges 3/6)