Is it secure to use session ID as authentication token received from an HTTP header?

I am writing a mobile application for an already existing web app.
In the backend, I implemented the usual cookie-based session ID authentication, with a CSRF token generated on login and sent with each request in a custom header.
The prob…

Why is the absence of a Content-Type header with a HTTP 204 response considered a security vulnerability and what should we do about it?

We have recently developed a web application with a RESTful API backend. This web app needs to have a certain security certification (something called PCI-DSS), and thus it is being scanned occasionally to identify potential vulnerabilities…

Burpsuite proxy does not get HTTP error 429 but vanilla python requests do?

When I make a normal Python request to some site without any proxies, I get a 429 response, which is too many requests. However, when I open up Burpsuite proxy and add:
import requests

# Set up the proxies dictionary for Burpsuite
proxies…

Is a random unknown HTTP request header ‘Host’ that is reflected in the HTTP response ‘Location’ header (3xx) an open redirect or DNS rebinding?

If I send an unknown domain name in the HTTP request header ‘Host’ to a webserver and the webserver responds with a HTTP status code 301/302 (redirect) along with a HTTP response header ‘Location’ reflecting my initial Host header input.
D…

Should the use of the HTTP ‘ETag’ header be avoided for security and privacy concerns?

I’m looking into the risks associated with the use of the HTTP ‘Etag’ header and found the following relevant information already.
Information Disclosure (inodes)
This article titled: "Vulnerabilities that aren’t. ETag headers" f…

What security risks are involved in using older HTTP protocols such as HTTP/1.x that would justify upgrading to HTTP/2 or HTTP/3?

As of 2023, still many webservers support HTTP/1.0 and HTTP/1.1 while not supporting recent HTTP/2 and/or HTTP/3 protocols. I understand that newer HTTP versions offer various performance enhancements, but I’m particularly interested in th…