Collaborate Disseminate
We have a web service where GET is always safe and all unsafe POST requests use single-use CSRF tokens. We have some cases where cross-origin domain would need to pass us POST request with data that should be used with currently active use… Continue reading I have CSRF protection implemented server side, can I safely use `SameSite=None; Secure; HttpOnly`?
Conventional wisdom to prevent CSRF is to use CSRF tokens, but with the new cookie attributes and prefixes, do you even need to generate/save tokens at all?
I’ve had the thought that if I just set a cookie with a static value, I can simply… Continue reading Is a static SameSite cookie enough to protect against CSRF?
As I understand it, the SameSite attribute for cookies helps me advise standard browsers what they can do with them.
So if I’m a server running on http://acme.com/my-app and I’ve set a cookie like:
Set-Cookie: JSESSIONID=1234567890abcdef; … Continue reading Why does Chrome require Secure for SameSite=None cookies?
I have read Incrementally Better Cookies, a couple of web.dev articles and tried to google for "same-origin cookies" but could not find anything so I wonder if this is being worked on.
SameSite=Strict & Lax are a very good pr… Continue reading Would "same-origin cookies" make sense?
I have a mostly public API with some parts of it "credentialed" behind cookies, similarly to e.g. how WordPress’ REST API works. (In our case, it’s a GraphQL API but that shouldn’t matter.)
I want to enable CORS for it and am con… Continue reading Difference between `Access-Control-Allow-Origin: *` (wildcard) and specific origins
I have read that storing the jwt token within the httponly secure cookie is the recommended way to prevent both csrf attacks and xss attacks.
When a user goes to my website they may make an api call like so
POST mygatewayproxy.example/logi… Continue reading Setting httponly secure cookies in microservice architecture
I am working on securing a Blazor WASM site. So far I have a Auth API so that my multiple apps can use one auth service. I also have a Blazor WASM site. I am tying to mimic the Anti-Forgery Tokens that a Asp.Net site would have. Since my s… Continue reading Blazor WASM Anti-Forgery Token
If I use the same machine (my PC) but with a different IP address and a different browser that I have never used to visit a site, will that site still be able to identify me? I don’t understand the browser fingerprinting thing that well. T… Continue reading How do I assure that a site that I visit does not know I have been there before?
I have three domains but the same code base (Domain X, Domain Y, Domain Z) and
Accounts website A
If a user tries to sign in accounts from domain X, I wanted to SSO in the other two domains (Browser Scenario: third party cookies blocked)…. Continue reading Cookie set from a server to a client with different domain(via XHR), but not recognized by Client domain
I visited website B after visiting website A. Upon clicking the search bar on website B, a dropdown menu appeared containing the words I searched on website A. After clearing my browser history and cookies, the search bar on website B no l… Continue reading Can a website track your browsing history on other websites?