Sending JWT token in request body
I’m testing an application that sends JWT token in the request body (in JSON) instead of the header. Is it less secure than sending JWT token in the request header (like Authorization header), which is more popular?
Author Archives: user187205
Check for allowed OpenVPN SSL/TLS cipher suites from the client-side
I would like to check cipher suites that the OpenVPN server accepts. I used nmap:
nmap -sU –script ssl-enum-ciphers -p 1194 <IP>
but the results are only:
Host is up (0.0033s latency).
PORT STATE SERVICE
1194/udp open|… Continue reading Check for allowed OpenVPN SSL/TLS cipher suites from the client-side
OpenVPN algorithms configuration to allow only TLS 1.3
For my OpenVPN configuration, I have chosen only 3 symmetric ciphers: AES-256-GCM, AES-128-GCM, and also CHACHA20-POLY1305.
I don’t have any fallback algorithm. I support only modern clients.
Is this enough or should I also specify that on… Continue reading OpenVPN algorithms configuration to allow only TLS 1.3
Cookie-to-header token CSRF protection – is it necessary to verify cookie value?
I’m testing Angular application which uses Cookie-to-header token CSRF protection. According to Angular documentation https://angular.io/guide/http#security-xsrf-protection:
When performing HTTP requests, an interceptor reads a token from… Continue reading Cookie-to-header token CSRF protection – is it necessary to verify cookie value?
Snyk auth without internet access
I would like to run snyk on machine without internet access, but first step is to authenticate with Snyk account. Is it possible to do this without internet access? Unfortunately both commands snyk auth and snyk auth [api-token] requires … Continue reading Snyk auth without internet access
Cookie-to-header token CSRF protection
I have the Angular application where CSRF protection is implemented using Cookie-to-header token. It is default AngularJS mechanism to counter CSRF, which uses cookie XSRF-TOKEN and header X-XSRF-TOKEN. Only JavaScript that runs on my doma… Continue reading Cookie-to-header token CSRF protection
Is it better to disable X-XSS-Protection header or set the header as X-XSS-Protection: 0?
Because X-XSS-Protection header is now not supported by major browsers I wonder what option is better, to delete this header or to set the header as X-XSS-Protection: 0?
Because browsers do not support this header I think the better optio… Continue reading Is it better to disable X-XSS-Protection header or set the header as X-XSS-Protection: 0?
Best practice to change password while user is already logged in
What is the best practice for changing passwords while the user is already logged in?
In my application to change the password, the user who is already logged in has to pass the current password and a new password. There is no email confir… Continue reading Best practice to change password while user is already logged in
Passwords verification against a set of breached passwords
NIST and OWASP ASVS recommends checking passwords against those obtained from previous data breaches. The list of such passwords can be downloaded from "Have I Been Pwned" (https://haveibeenpwned.com/Passwords), but there are mor… Continue reading Passwords verification against a set of breached passwords
Best resource to verify weak cipher suites
Many tools enable to list accepted ciphers but not all of them verify if these ciphers are secure.
For example, Nmap with script ssl-enum-ciphers ranks some ciphers as secure even though actually this ciphers are not recommended anymore (f… Continue reading Best resource to verify weak cipher suites