How easy is it for hackers to intercept http traffic between VPN exitnode and the destination web service without being inside the VPN or web server?

Let’s say I’m using an HTTP connection over a properly set up VPN with a secure protocol and implementation. Then, most likely, the connection will be secure all the way until it exits the VPN server.
But since the traffic is unencrypted, sensi…

Is there a reason for a server-side limit on the number of HTTP headers allowed for each request?

The security team at my company has set a limit on the number of headers an HTTP request can contain (not header size, but an actual hard count limit on the number of headers).
A vendor has added a few headers for request tracing purposes, …

How is the encryption and signing handled in case of an HTTP 302 redirect to IDP for a SAML authentication request?

When a SAML authentication request is performed, let’s say that the Service Provider uses an HTTP 302 redirect. The user agent is redirected to the IdP via a GET request. This URL is provided by the SP.
In this case, is the request:

Of t…