Collaborate Disseminate
Does anyone know why some ransomware families (e.g. Cuba but also Phobos if I am not mistaken) pad the file header to get to 1024 bytes?
I mean what would be a reason for the ransomware developer to not just encrypt the entire file but add… Continue reading Why some ransomware adds padding to headers
Is there any way to reliably identify the referring site on modern browsers (not considering manual HTTP requests outside of a browser e.g. cURL, etc.)?
Referrer header will not work because the referring site could just set Referrer-Polic… Continue reading How to reliably identify referrer on client browser?
When client (Postman for example) is making the request to server, is the client responsible for including the HTTP security headers in the request?
Or is the server responsible for defining these headers and showing them in response?
I co… Continue reading Is API client responsible for HTTP security headers?
My question isn’t a duplicate. I know that the IP is leaked in the computer desktop version of outlook. But from I’m able to tell, the mobile version didn’t leak it.
I need to make sure that I’m right and that the IP address wasn’t leaked … Continue reading IP address from headers (Gmail/outlook mobile app) [duplicate]
I need high security for my app, so I have to add security headers for my views. However, I’m not entirely sure I understood the CSP header correctly (specifically its parameters). Is my combination safe and provides high security against … Continue reading The most safe combination for Content Security Policy
If I analyse multiple PDF files with a hex editor, I see that all of them have two trailers.
That’s possible if an object has changed or renewed (https://blog.idrsolutions.com/multiple-trailers-in-a-pdf-file/), but in my case, the PDF file… Continue reading PDF file have two trailers? [closed]
There are some HTTP security headers in the world of cyber security of web applications. These are e.g.:
X-Content-Type-Options
X-Frame-Options
Content-Security-Policy
Referrer-Policy
Strict-Transport-Security
Expect-CT
X-XSS-Protection (… Continue reading Are HTTP security headers only for web browsers?
Does a proper Email ALG (i.e. Email-Proxy) alter/remove the local Email-Header information so the recipient does NOT get information about the locally used IP addresses?
Example:
Received: from mail.example.com (10.53.40.198) by
mail.exam… Continue reading Does a proper Email ALG (i.e. Email-Proxy) alter/remove the local Email-Header information?
How serious a security problem is it to have the name of the web server in the HTTP header (Apache, Nginx etc.)?
I am discussing this with a system administrator and he told me that deleting version is easy, but deleting the name of the se… Continue reading Is having the name of web server software in HTTP response header a serious problem?
I had a discussion with PenTesters at my company today, who have said that security headers, like for example Content-Security-Policy, Strict-Transport-Security, Referrer-Policy and Permissions-Policy, should always be sent in the subseque… Continue reading Security headers: Are they needed on subsequent requests (eg. Scripts, Images) after they have been sent on the main HTML request?