Collaborate Disseminate
Let’s say I am an organization with all my resources on example.com. I have a web server in the DMZ that hosts a website named app.example.com open to the internet.
The CSP for that website is Content-Security-Policy: default-src ‘self’ ht… Continue reading How secure is using https://*.domain.com as a value in a Content Security Policy?
Before starting quick notes to consider this case.
The method of how this session was generated is not relevant for the question
What access controls are outside the application for it’s protection are not relevant for the question
The sce… Continue reading CSP vulnerability scanning with initiated session in webapp
Let’s say the Content Security Policy looks like this:
Content-Security-Policy: default-src ‘self’;
It’s also not possible to upload JS files on the same origin.
Now there’s an exploit to write arbitrary HTML on a page, including <scri… Continue reading Should I call a vulnerability XSS even though it is blocked by the CSP?
I had a discussion with PenTesters at my company today, who have said that security headers, like for example Content-Security-Policy, Strict-Transport-Security, Referrer-Policy and Permissions-Policy, should always be sent in the subseque… Continue reading Security headers: Are they needed on subsequent requests (eg. Scripts, Images) after they have been sent on the main HTML request?
I have a site that have SSO resolved in a way of opening identity provider in iframe to access it. I have CSP to ‘self’ but it didn’t work, adding the implicit url also fails. SSO does not work and I keep getting this confusing message:
R… Continue reading Refused to frame url despite having it in frame-ancestors [migrated]
We are implementing clickjacking protection on our website as follows:
By default every page on our site has frame-ancestors self
We have a list of pages that are specifically designed to be embeddable in 3rd party apps, so those pages do… Continue reading do I need CSP: frame-ancestors on a redirect page?
We have added HSTS policy at Akamai level (domain). When we Intercept the request using burp we dont see HSTS policy is getting added in response, in case we hit site with http.
But with https we able to see the HSTS policy.
Issue is to fi… Continue reading HSTS Policy Not Appear in Burp Intercept Response
We have added HSTS policy at Akamai level (domain). When we Intercept the request using burp we dont see HSTS policy is getting added in response, in case we hit site with http.
But with https we able to see the HSTS policy.
Issue is to fi… Continue reading HSTS Policy Not Appear in Burp Intercept Response
We have added HSTS policy at Akamai level (domain). When we Intercept the request using burp we dont see HSTS policy is getting added in response, in case we hit site with http.
But with https we able to see the HSTS policy.
Issue is to fi… Continue reading HSTS Policy Not Appear in Burp Intercept Response
I use node-jose library to encrypt my data before sending it to the server. This works great. However, I can see that the web assembly which is a dependency of node-jose, has wasm-eval, which some browsers do report and some do not.
Due to… Continue reading node-js library in JS throwing wasm-eval