What is the difference between using an auth header and the request body to send credentials?

I have an API that uses JWT token-based authentication. In order to get a short-lived token, the client first calls a /Token endpoint, passing username and password in the body of the request. As I understand it, this is a st…

Why would image resources loaded from different origins triggering HTTP authentication dialogs be harmful?

From https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication, it says:

A potential security hole that has recently been fixed by browsers is authentication of cross-site images. From Firefox 59 onwards, image…

Firefox not deleting HTTP Basic authentication credentials although being instructed to do so

On one of my web servers, I have set up a password-protected directory using the well-known .htaccess / .htpasswd mechanism. The web server is run by Apache 2.4.10 under Debian jessie, if that matters. The relevant snippet from the virtual…

How to prevent popping up a login dialogue using a malicious hotlinked image and HTTP Basic Auth header?

While using Firefox to browse my forums, I noticed that a malicious user posted an image (via hotlinking, not by uploading to my server) with the extension .png which complies with the forum rules (allowing only .png, .gif, …