In Ruby, can request.host be trusted to differentiate between a staging environment and production?

Let’s say I have two environments: https://qa.example.com and https://example.com. In QA, I want to allow access to something insecure, like a special route that allows logging in without a password.
What are the security concerns of check…

Is checking to see if any parameters contain "__proto__" an effective way to mitigate Prototype Pollution vulnerability?

// An empty key segment means "append to array"; otherwise use the segment as the property name.
let key = keys[j] === '' ? (currentParams as any).length : keys[j];
if (key === '__proto__') {
  throw new Error('Prototype pollution detected.');
}

It at least defeats basic URL-encoding, but I am unsure if it is robust e…

Why is storing a password hashed more secure than storing it encrypted? [duplicate]

Assuming the hashing includes properly implemented salting and uses a proper password stretching algorithm such as scrypt, and that the encryption algorithm is a secure symmetric algorithm with a random key.
If an attacker gets access to p…

What prevents an attacker from registering a TLS certificate for an existing site?

This would be used in a phishing attack for example – coffee shop attack where google.com becomes a website controlled by the attacker, complete with the magic lock next to the URL. Can I use letsencrypt to create a valid cert for any webs…

Is the purpose of Google Cloud VPC Service Controls to enforce the BLP star property (no write down)?

While Google and AWS support managed firewalls and network connectivity rules to prevent an attacker from entering the network, Google also offers VPC Service Controls. Is this to prevent data exfiltration and an implementation of the BLP …

What tools exist to integrate an open source secrets detector into a deployment pipeline and GitHub? [migrated]

There are a number of open source secrets detectors that run via CLI. (Gitrob, trufflehog) However, is there a good way to integrate these that they run on a per PR basis? The use case here would be alerting a developer that they’ve commit…

Is it advisable to tie different capabilities to different session tokens?

Let’s say you’re creating a banking web application with mobile apps. A bank user has permissions “transfer money” and “view balances.” When a user logs in, we can create a session token (typical random string, stored in the …