Collaborate Disseminate
I have a web page with a Cross-Origin-Embedder-Policy: require-corp header. When I include an cross-origin image without CORP or CORS headers in the response, I expect the image to be blocked, because of the Cross-Origin-Embedder-Policy. H… Continue reading Image loaded despite Cross-Origin-Embedder-Policy: require-corp
As we know some important information can be found in MIME Boundary field in email headers.
Such as the one described in this interesting link (Dates in Hiding Part 2 — Gmail MIME Boundary Timestamps)
Do you have any idea about MIME Bounda… Continue reading MIME Boundary field meaning & decoding in email header(mail.com web client)
In an email forensic study, I want to know the meaning of the field "X-UI-Sender-Class" in email header and how can we decode this information.
Note: the email is sent from mail.com Email server through mout.gmx.com
I came across a site that allows the client-security-token in CORS requests:
Access-Control-Allow-Headers: …, client-security-token
I have not found any request yet that includes this header. But it also does not seem to be application-… Continue reading What is the client-security-token header typically used for?
In my webserver log files I sometimes find such entries:
185.30.14.116 [2024-09-14T07:56:57+02:00] 400 | HOST-HDR "185.30.14.116" | SRV _:80" | URI "/"
So there is a request from 185.30.14.116 that my default serve… Continue reading What is the sense of the client’s IP in a Host header?
I implement a server application in .NET. I just want to know which security headers I need to set if I use HTTPS. I know about the HttpOnly and SameSite Cookies. OWASP has a recommendation HTTP Headers Cheat Sheet but do I need every sing… Continue reading Which security Headers for HTTPS?
For various reasons, I need to shrink my CSP header a bit without degrading its effectiveness. I’m able to save some bytes by wildcarding some subdomains, but I’m also tempted to strip out all instances of https://.
Example:
connect-src ‘s… Continue reading If I’m using HSTS, can I skip the scheme from my CSP directives?
I might have found a way to highjack an Oauth Flow, but the source server is responding with 403 errors when the Oauth request is sent with a Sec-Fetch-Dest HTTP header.
Is there a way to alter or disable such headers like the referer poli… Continue reading Is it possible to disable or change sec-fetch-* HTTP headers?
Actually I’m using Linux and I would like to see the DRM protected contents offered by nowtv.it because I have a paid account with them.
The browsers supported by nowtv.it are :
Google Chrome version 102 or later (on MAC and Windows)
Moz… Continue reading Linux OS / Windows User Agent does not work for nowtv.it [closed]
I’m studying the basics of XSRF on Portswigger and I’ve completed Lab: CSRF vulnerability with no defenses with FireFox. I attempted to go a step further by completing the same lab from the terminal. However when I send a request to the se… Continue reading Unable to login to Portswigger lab website with curl or javascript [closed]