What happens if one certificate path is valid while the other one is not?

I have recently figured out that Let's Encrypt provides an "invalid" certificate chain in its certificates that points to a root certificate that expired a month ago (they did it apparently to support old Android devices…

Is mime-sniffing still something to protect against with modern browsers (with X-Content-Type-Options)?

I have read about X-Content-Type-Options and it says often that it protects against IE mime sniffing problems.
I am wondering if in 2021 it is still valid and a problem for modern browsers? In other words, will it be beneficial for my web …

Should I hide the difference between Not Found error and Access Denied error in my API?

I have a system that has different entities stored in the database with an integer Id as a primary key. There are different scenarios for queries that cannot be processed:

Get entity by id [Entity does not exist in the database]
Get entit…

What is the correct terminology for a private key corresponding to a public key certificate?

I have learned that the certificate is something that contains information about a public key. An article on Wikipedia says Public Key Certificate as well. If we are talking about a private key, it's not a certificate, but a key that correspo…

Is it safe to add "Access-Control-Allow-Origin:*" to an API endpoint with custom authentication via header?

Let's say I have a site at myapp.com that talks to the API at myapi.com. For that to work I have to turn on CORS. I want to do it like that:
Access-Control-Allow-Origin: *
and my API authentication is performed via a custom Authorize header…

Does Asp.Net Core expose too much information for required enums that were not supplied?

I have a simple code for an input model:

using System.ComponentModel.DataAnnotations; // provides [Required]

// MyEnum is not shown in the question; declared here only so the snippet compiles
public enum MyEnum { A, B }

public class MyClass
{
    // Nullable so that a missing value fails [Required] instead of defaulting to the first enum member
    [Required]
    public MyEnum? Type { get; set; }
}

Now if I do not send Type as part of the JSON in the request, I get this error from Web.Api:

“The JSON value coul…

Is it a security issue that underlying infrastructure (like e.g. Kubernetes cluster) can easily be revealed?

I have recently found out that a very common setup of Kubernetes for some use cases of access over TLS returns an invalid certificate with name Kubernetes Ingress Controller Fake Certificate. I.e. making it obvious to anyone …