Collaborate Disseminate
Background
There’s this website that takes in a form, and returns a ‘score’ based on your inputs https://kamelrechner.eu/en/female
Question
It’s a simple POST request, so I expected the value to be returned in the POST. However, strangely,… Continue reading acquiring POST result updated via JS script [closed]
I am developing a mobile application for financial usage. I want to make it as secure as the existing apps in the market. Many apps ask the user to enter a PIN code to unlock the app after period of time or when the user wants to perform s… Continue reading Reverse-engineering the pin code authentication flow for mobile apps
I have an API that responds to requests with a JSON that contains app updates and advertisements.
Requests are sent by my SDK that is implemented inside my game.
I need authentication because JSON responses contain some advertise provider … Continue reading authentication for SDK requests to a private API
Considering the following facts, using CSRF token for a restful API (which of course is intrisincly session-less) seems inevitable:
storing JWT in local storage(any where other than http-only cookie) makes the API vulnerable to XSS attack… Continue reading How to implement the CSRF token mechanism for restful APIs?
I’d like to implement a RESTful API service over HTTP that developers can call from their server side environments.
I intend to use a cryptographically secure pseudo-random number generator (CSPRNG) to generate keys and then convert the bi… Continue reading Is using a developer key to protect a REST API good practice?
I have a REST which takes a parameter dataSource as input and myService has follow logic.
@RequestMapping(value ="/save", method = RequestMethod.POST)
public List<String> find(@RequestBody String dataSource){
return myS… Continue reading CheckMarx SSRF Vulnerability
I’m working on a small rest api project with user authentication.
But I’m wondering whether I should store the users authentication token in a header or a cookie.
The general idea is as follows:
User makes a POST request to /tokens/authen… Continue reading Cookies Vs Headers For REST API User Authentication Token
One of the raised issues for a Web API is that for an e-mail based authentication (e-mail and password) the Register user method returns something like "the registration e-mail has been sent" regardless of the e-mail being used o… Continue reading Is it possible to avoid exposing the fact that an e-mail address is used by a web application (API) while still ensuring a decent UX?
In a new project, we try to clarify how authorization should look like. I’ve been reading up on this for days, but it’s not really clear to me which solution would be the right one to use. Some solutions are not recommended anymore, some s… Continue reading Refresh token rotation or Authorization Code Flow with PKCE
Imagine an API where all CRUD operations are done through the same POST HTTP Request but with different "action" values from request body.
{
"action":"[create|read|update|delete]",
"user":"4&quo… Continue reading Security issues of exposing CRUD operations through a single API endpoint?