Collaborate Disseminate
I feel like there’s a lot of variation in the suggested HTTP headers.
Commonly I see suggestions for:
HTTP Strict Transport Security
Content Security Policy
X-Frame-Options (Same Origin)
X-Xss-Protection (block)
X-Content-… Continue reading What HTTP headers do you generally suggest to use? [on hold]
I have two services – A and B – which both expose a HTTP/REST API. Service A is exposed to the public and authenticates its users. It delegates part of the workload to service B which also has to know the identity of the auth… Continue reading Passing user identity to an internal REST service
We have a REST API that communicates with a mobile front-end. After submitting a one time password, the backend will issue a token (random UUID v4 string) for the mobile app to use as authentication on subsequent requests. Th… Continue reading What kind of hashing to use for storing REST API tokens in the database?
I’m writing a simple REST API, and I want to restrict access to my mobile-client only. In other words, I’m trying to prevent a malicious user from e.g. using curl to make an unauthorized POST request.
Of course, this is impo… Continue reading Returning the wrong HTTP response code on purpose?
I have followed the OWASP guidelines and many other articles talking about different approaches to follow and what we should exactly test when it comes to API testing. I was not able to find a good tool that can be used to au… Continue reading what are the recommended tools for REST API Security testing? [on hold]
I want to have nginx in front of my Tomcat and to act as a authentication gateway. So if request is not authenticated in will be redirected to login form that will also be stored on nginx. nginx will collect user/password fro… Continue reading Nginx Form-base Authentication
I want to have nginx in front of my Tomcat and to act as a authentication gateway. So if request is not authenticated in will be redirected to login form that will also be stored on nginx. nginx will collect user/password fro… Continue reading Nginx Form-base Authentication
I am testing http requests and responses in a REST API. I am testing by capturing the data from one machine to another using wireshark.
I want the data to be more secure. Technologies are: php, python and javascript.
I re… Continue reading How to do API testing using wireshark? [on hold]
Is there any programmatic way that where I can mandate the HTTPS in my ASP.Net Web API? I need to perform this for all HTTP methods in my Web API.
Can we mandate HTTPS to specific HTTP messages as well ?
Please note that … Continue reading ASP.Net Web API make HTTPS Mandatory
I am working with a ASP.Net Web API 2 service and the firewall denies the DELETE method to go through (only POST and GET are allowed).
Is there a way that we can bypass this and invoke my DELETE method in the API?
Continue reading Allow DELETE method over firewall WEB API 2