Collaborate Disseminate
OWASP recommends setting session timeouts to minimal value possible, to minimize the time an attacker has to hijack the session:
Session timeout define action window time for a user thus this window represents, in the same time, the de… Continue reading What attacks are prevented using Session Timeout or Expiry?
For troubleshooting, it’s useful to include HTTP response headers that indicate proxy and backend EC2 instance ids, such as:
X-Backend: i-8af67c92e0f3d89b6b
X-Via: i-5b8146e7102940c75b-us-east-2b
Is there any security issu… Continue reading Are Amazon AWS instanceIds security sensitive?
RFC 3414 (published 2002) specifies a method of generating keys based on password in its Appendix, which essentially takes any “passphrase”, and keeps on repeating it until there is a 1MB string, at which point it takes eithe… Continue reading Is there any merit to the RFC 3414 (SNMPv3 User Security Model) password-to-key method?
I’m looking at JSON Web Encryption (JWE) and am left a bit confused about why you would use AES key wrapping.
The document even talks about using matching key algorithm strengths:
Algorithms of matching strengths should … Continue reading What is the point of AES key wrap (with JSON Web Encryption)?