Collaborate Disseminate
I have an API that requires a security token to run.
Is it possible to use Fail2Ban or ModEvasive to block access from IPs that often try to access the API with an incorrect token?
I use PHP to receive these requests, is it possible with i… Continue reading Block many wrong requests via PHP
I’m using PHP-FPM with Apache2 on my server, as PHP-FPM doesn’t run as Apache2 module, I figured it would need a profile for it.
This is my first time working with AppArmor, so I’m afraid of crashing the server or leaving everything open f… Continue reading Is this profile for AppArmor insecure?
PHP 7 uses the default system folder (/tmp) to store uploaded files.
PHP allows you to change the settings and change the upload destination directory. Some sites indicate to change this folder to another one, since the /tmp permission is … Continue reading Should I change the default folder for uploads?
I’m setting up an Apache 2.4 server on Ubuntu 20.04 LTS, and following all CSI Benchmarks recommendations to secure it.
The CSI recommends configuring AppArmor and generating a profile for Apache2 to restrict what it can and cannot access … Continue reading Best profile for Apache2 + PHP-FPM on AppArmor
I configured an OSSEC server on Ubuntu 20.04 to monitor changes on client machines (also Ubuntu 20.04).
My configuration aims to monitor in real time changes that occur in the default system folders and in the Apache server folder (new fil… Continue reading Use OSSEC to monitor changes to directories in real time
I currently have two domains that I use for my app:
Ex: backend-app.example.com and api.example.com
In both domains the access-control-allow-origin header is *.
This configuration is this way because the backend-app.example.com is used thr… Continue reading Enable or Disable CORS for Domains and API
I came across this practice, from a big company handling personal customer data, of not allowing developers/maintainers to look straight at the application logs (e.g. good old tail | grep) by connecting to the application servers through S… Continue reading In an enterprise environment, should developers/maintainers be able to look at production logs by accessing the application servers?
I want to create a minimal example where JavaScript injection/XSS is working. This is my example server:
const express = require("express");
const path = require("path");
const app = express();
const port = 3000;
I am looking for a modern, password manager-based way to share my passwords with certain parties (partner, executor of my will) within a week or so of my death, but no sooner.
The scenario I wish to avoid is the loss of my assets and/or br… Continue reading How to share passwords *only* after death?
I’ve been unable to find any research or information on this.
Google periodically signs me out and forces me to sign back in. I have multiple devices and multiple google accounts so it’s a bit frustrating but that’s just how it is. Howev… Continue reading Is it less secure to force periodic user logouts vs keep them logged in?