Collaborate Disseminate
The main pursuit of this post is to find a way to view the HTTP(S) Headers that are outgoing from my open source proxy server, Tinyproxy. I would like to accomplish this with PHP if possible, but will use any approach that works.
Very brie… Continue reading How to View HTTP(S) Headers sent FROM tinyproxy [closed]
The security team at my company has set a limit on the number of headers a HTTP request can contain (not header size, but an actual hard count limit on the number of headers).
A vendor has added a few headers for request tracing purposes, … Continue reading Is there a reason for a server-side limit on the number of HTTP headers allowed for each request?
A result of a recent pentest suggested that the HTTP Cache-Control Header max-age=0 should be set when no-store is set.
As I understand cache control, no-store is the strictest we can set; the page should not even land in cache, let alone … Continue reading Why set max-age=0 if no-store is already set?
I am using a mobile ISP to access the internet. I noticed something really weird: most sites (e.g. www.whatismyip.com, https://www.iplocation.net/http-browser-header) report my IP as let’s say IP A: XX.XX.XX.57.
However, a site that I’m ho… Continue reading Is different X-Forwarded-For values per site an indicator for something malicious?
I want to clear my doubt that Is there any issues coming from adding ‘Strict-Transport-Security’ and ‘X-XSS-Protection’ headers ?
Header set Strict-Transport-Security "max-age=10886400;
Header set X-XSS-Protection "1; mode=block&… Continue reading Headers X-XSS-Protection issue
I was looking for the answer of this question what is header and what is header Attack. And I want to know that how powerful is header attack and is the best way to perform header attacks. If anyone here who can guide me regarding to the h… Continue reading What is header ? and what is the different Between header attacks. And other normal attacks?
I found a website which is vulnerable to cors.(https://portswigger.net/web-security/cors)
GET /api/requestApiKey HTTP/1.1.
Host: vulnerable-website.com.
Origin: https://evil.com.
AUTHENTICATION: eyssdsdsdsasa…..
And the server responds … Continue reading CORS attack using authentication token
I’ve been seeing our AppScan tools tagging cookie headers from Akamai in low severity.
Mostly tagged as missing attributes of "HTTPOnly" and "Secure" flag.
The question here is should I fully ignore those flagged issues… Continue reading Should I set "Ignore" cookie headers flagged from Akamai WAF or change its severity to Informational?
i am trying to secure my apache web server myself before go live so i added these security headers to my apache site.conf file after lot of reading and googling. i know we can not secure a server 100% but 99% i know there are lot of securi… Continue reading securing apache webserver using security headers
If I have HSTS enforced on a web server with HTTPS 443, but HTTP port 80 is still open, does this make HTTP still accessible, or only for the first time before it’s added to the browser HSTS list?
I imagine best practice would be just to d… Continue reading HTTP and HSTS Web Server