header – Page 16 – WindowsTechs.com

X-Content-Type-Options without content-type

Posted on October 5, 2017 by Silver

X-Content-Type-Options helps to protect against attacks that take advantage of the browser trying to interpret HTTP responses with an incorrectly stated Content-Type.

But what happens when the HTTP response sets the X-Conten… Continue reading X-Content-Type-Options without content-type→

User name and password is passed in custom headers

Posted on August 30, 2017 by Dee

Is it safe to pass username and password in two separate custom header tags in Web services/Web application Post request over https.

How is it different from using from Authorization header.

Which is more safe and what is t… Continue reading User name and password is passed in custom headers→

HTTP Security header implementation

Posted on August 21, 2017 by Metahuman

Does any one know if:

X-Frame-Options
X-XSS-Protection
X-Content-Type-Options
Content-Security-Policy

are for HTTP and:

Strict-Transport-Security
Public-Key-Pins

are for HTTPS?

What I mean is that if I have a blog … Continue reading HTTP Security header implementation→

Does the X-Permitted-Cross-Domain-Policies header have any benefit for my website if I’m not using Adobe products?

Posted on July 25, 2017 by Taul

OWASP says the X-Permitted-Cross-Domain-Policies security header gives web clients “permission to handle data across domains”. It specifically states that Adobe’s Flash Player and Acrobat PDF Reader use this header and that o… Continue reading Does the X-Permitted-Cross-Domain-Policies header have any benefit for my website if I’m not using Adobe products?→

PCI Consideration for HTTP Headers?

Posted on June 26, 2017 by Metahuman

Recently, some of our servers were being flagged for not implementing proper HTTP headers in a Qualys scan.

One of the sites that I visit regularly – http://pentestit.com has some good HTTP headers implemented:

HTTP/1.1 … Continue reading PCI Consideration for HTTP Headers?→

Password and login in a post HTTP header

Posted on May 30, 2017 by Emka

Scenario

I was monitoring some imperva(WAF) events, when a weird one appeared. Here is the client’s POST request:

POST some_url HTTP/1.1
Host: client_url
Content-Type: application/x-www-form-urlencoded
Origin: https://c… Continue reading Password and login in a post HTTP header→

What does the POST data of HackBar (Firefox add-on) do?

Posted on May 25, 2017 by Seek_hElp

What does the POST DATA Feature of Hackbar (Addon of Firefox )do ?

If I am checking for XML XXE vulnerability i use it .But what does it do by POSTing some data ?

If I want to repeat the same thing using Burp Suite ,how do … Continue reading What does the POST data of HackBar (Firefox add-on) do?→

Host header attacks: Possible exploits

Posted on May 15, 2017 by Anonymous Platypus

We have an API server hosted with amazon elb. The server has only one virtual host and hence it doesn’t enforce Host header. But if we manually add a Host header along with the request with a valid host name, the server retur… Continue reading Host header attacks: Possible exploits→

X-Frame-Options Absent but cant load the page in iframe

Posted on May 13, 2017 by one

I am trying to find the reason that a certain webpage is not getting iframed even when X-Frame-Options header is absent.
Observation:
When I write an HTML with iframe tag pointing to the URL and save this file locally and ope… Continue reading X-Frame-Options Absent but cant load the page in iframe→

How does this header handling work with CloudFlare?

Posted on May 10, 2017 by WayneXMayersX

Assuming I have my website which uses CloudFlare, can I set the X-Forwarded-For with another IP so it gets forwarded to my server?

I’m trying to do it with a tool and the website prints the IP I’ve set with X-Forwarded-For. … Continue reading How does this header handling work with CloudFlare?→