Author Archives: TragedyStruck

Basic Auth over HTTP redirected to HTTPS – does it leak?

Posted on June 25, 2018 by TragedyStruck

I’m creating a Flask API and I’m somewhat unfamiliar with the attack surfaces that exist in redirecting from HTTP to HTTPS, or requesting HTTP when HSTS header has been sent previously.

Lets say a user requests the route use… Continue reading Basic Auth over HTTP redirected to HTTPS – does it leak?→

Posted in HSTS, HTTP, TLS, url-redirection

Risks of using UUID to identify user in mobile app

Posted on June 21, 2016 by TragedyStruck

I’ve got an existing customer base. A customer has appointments. Currently they cannot access or change their appointments without contacting me directly.

I want to offer them a way to access and change their upcoming appoin… Continue reading Risks of using UUID to identify user in mobile app→

Posted in risk analysis, TLS | Tagged Identification