Collaborate Disseminate
Recently, I discovered that MFA apps just calculate that codes based on a private key and the time clock, so it’s easy to use tools like gnu pass to replace those apps with your computer.
But what are the securities drawbacks when we do th… Continue reading Is using the computer for MFA safe?
In AWS Cognito we could define a role/permissions as a custom attribute in the user pool, but we could have a User table and a caching database and fetch roles each time the user does a request.
Of course, the first approach avoids an unne… Continue reading Is there a problem to store user permissions in the database instead of in a external auth service?
It is common to say that CORS headers protect against CSRF, so that if you visit a malicious website, it cannot make a request to your web application because the referer header (the URL of the malicious website) wouldn’t be allowed by the… Continue reading Are CORS headers useless?
For instance, suppose we have a request that uses the field name in a request’s body or query params, but the client sends the params name and age. Some web server frameworks allow us to strip properties outside a whitelist so this age par… Continue reading What vulnerability query params or body outside a whitelist can allow?