Questions tagged [websecurity]

The following topics can be tagged with this: Cross-Site Scripting (XSS), Local File Inclusion (LFI), Remote File Inclusion (RFI), Remote Code Execution (RCE), PHP Code Injection, HTTP Protocol Violation, Shellshock, Session Fixation, Scanner Detection, Metadata/Error Leakages, Project Honey Pot Blacklist, and SSL-related questions. Link to learn more: https://owasp.org/ Some questions and definitions: https://techletterbox.com/2020/02/08/web-security/

380 questions
3 votes, 1 answer

Java Jackson JSON to object deserialization. How to deal with OWASP insecure Deserialization?

The OWASP insecure Deserialization threat is a well-known one. My question is how to mitigate this threat when we are using parser libraries like Jackson etc. on the Java side? Does validation using Hibernate validation or Java validation solve the…
samshers
3 votes, 1 answer

Can a user change the value of Redux/Mobx in Chrome to gain access to restricted views?

I have a react + firebase app. In the user's collection I have a permissions object where I track what the user has access to. Then in my react app, I have the following: // Login component const userRecord = await…
3 votes, 2 answers

Can hackers change their domain when making an API request?

If I release an API on the public internet, but it's only meant to be used by my apps, I can make a white list of accepted domains, so other domains can't use it. But I always wonder, can't hackers edit their "from domain" when making an HTTP…
AskYous
3 votes, 2 answers

SSO authentication angular application with service gateway call

We have an application which is built using Angular, and the application triggers backend REST APIs to display data. The issue was that the application uses LDAP SSO authentication to validate users (it is an internal application within the company, so no…
Raja
3 votes, 1 answer

Is it unsafe for the javascript client to set the CSRF token?

It seems to me that the primary goal of CSRF is to confirm that the client making the request is the client we expect. The solution I've commonly seen is: the server generates a random CSRF token; the server sets the CSRF token in a cookie; the server injects the CSRF…
Colin
3 votes, 1 answer

What is the purpose of webpack-dev-server's allowedHosts security mechanism?

What security risk is webpack-dev-server trying to mitigate by enforcing specific Host header values? By default, webpack-dev-server only allows connections whose Host header specifies a local loopback address (localhost, 127.0.0.1, etc). All other…
Matthias
3 votes, 1 answer

Why does Microsoft Edge send an empty HTTP Referer on a POST/REDIRECT/GET call if the request and response URIs are the same?

Currently, I'm working on a Django 1.11 project; I deployed my app using nginx with the 'https' scheme. I want to submit a form but don't want to resubmit the same one, so I used the POST/REDIRECT/GET pattern. Everything is working fine and as expected on Mozilla and…
3 votes, 1 answer

How to enable web security in Chrome after disabling it?

I ran Chrome with --disable-web-security from the Terminal on my Mac. Do I need to enable it again? Or does it enable by itself after a restart? If I need to enable it again, how do I do that? I searched everywhere but didn't find anything.
jl001
3 votes, 2 answers

Is it possible to modify a Web page's source and reload that page not from the server but from the edited source?

Just a stupid question. I know it's not possible but I'm just asking a confirmation simply out of paranoia. It's not possible to edit the source of a Web page and somehow reload that edited script in the browser, correct? Otherwise, anyone could…
Water Cooler v2
2 votes, 0 answers

How to make secure API calls using vanilla JS + PHP

Let me start off by saying that while I have been a developer for a while, I am brand new to PHP and fairly new to web development in general. The site in question has a vanilla JS frontend and a PHP backend. I need to make a call to an external API with both…
2 votes, 0 answers

How to safely use SAML RelayState

My team is having a hard time coming up with a completely safe solution to transfer critical information through SAML RelayState. I hope you can give us some advice. To give you a little bit of context, we are a Service Provider working with ~200…
dlcso
2 votes, 0 answers

Content Security Policy directive: Either the 'unsafe-inline' keyword, a hash, or a nonce is required

I am setting security headers for the Firebase project; one of them is Content-Security-Policy. Its value is currently: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src…
slhn.dev
2 votes, 1 answer

Trying to get an understanding of Plaid tokens and security

Plaid and security newbie here. From what I understand, access tokens are valid indefinitely, granting the user access to information regarding one of their accounts. Each account possesses a unique access token, and the tokens can only be…
2 votes, 0 answers

Run arbitrary HTML5 using Puppeteer as securely as possible?

I have a use case, where I need to run arbitrary HTML5 code (HTML, CSS, JS, WASM) supplied by end users and take a screenshot of the rendered website. I'd like to use puppeteer to do this. I am aware that it's generally unsafe to run arbitrary code…
pir
2 votes, 0 answers

Express doesn't allow changing the CSP header

For some reason the latest Express.js versions are forcing a default, restrictive CSP (Content-Security-Policy) header value. I'm trying to instantiate a middleware in order to change the CSP to a more permissive one (that's currently what I need for…