Questions tagged [websecurity]

Questions on the following topics can be tagged with this tag:
  • Cross-Site Scripting (XSS)
  • Local File Inclusion (LFI)
  • Remote File Inclusion (RFI)
  • Remote Code Execution (RCE)
  • PHP Code Injection
  • HTTP Protocol Violation
  • Shellshock
  • Session Fixation
  • Scanner Detection
  • Metadata/Error Leakages
  • Project Honey Pot Blacklist
  • SSL-related questions

Link to learn more: https://owasp.org/
Some questions or definitions: https://techletterbox.com/2020/02/08/web-security/

258 questions

44 votes, 11 answers

Does --disable-web-security Work In Chrome Anymore?

I'm trying to do a simple test without changing any server-side code involving a cross-domain AJAX call, and I was wondering if it's possible to use --disable-web-security anymore. It seems to not work on Chrome 28. I haven't used it since Chrome…
Fields

38 votes, 3 answers

How to disable same origin policy Internet Explorer

Chrome allows us to disable the same origin policy, so we can test cross-origin requests. I would like to know if there is any possibility to do the same thing in IE.
alex.mironov

30 votes, 4 answers

Cookie “PHPSESSID” will be soon treated as cross-site cookie against because the scheme does not match

I've just noticed my console is littered with this warning, appearing for every single linked resource. This includes all referenced CSS files, JavaScript files, SVG images, and even URLs from AJAX calls (which respond in JSON). But not images. The…
Digital Ninja

7 votes, 1 answer

Is it bad to pass a JWT token as part of the URL?

Hi, currently I have an Angular application and Java backend. In my Angular component HTML I have some images such as profile photos. The resource that serves the image files is secured with Spring Security. So my question is, is it bad to append JSON…
prasanth

6 votes, 5 answers

Private authentication algorithm - web security

I'm working on a project which generates audio from text (TTS) and provides a player with speed/pitch control to users. My question is related to request security. The user got a widget_id during registration on my site, he put some JS in his site, and…
Simon

5 votes, 4 answers

Why do _token and XSRF-TOKEN differ in Laravel?

I don't understand why the token for AJAX requests (XSRF-TOKEN) is different from the _token that normal forms use. In addition, it's much longer. Why? And why have 2 tokens at all? Why not just use one which would be the same for both AJAX and normal…
good_evening

5 votes, 1 answer

How to set X-Frame-Options in a Laravel project?

I want to prevent my website from clickjacking attacks. In which file, and where, do I set X-Frame-Options to prevent clickjacking attacks?

5 votes, 1 answer

How to prevent script injection attacks

Intro: This topic has been the bane of many questions and answers on StackOverflow, and in many other tech forums; however, most of them are specific to exact conditions and even worse: "over-all" security in script-injection prevention via…
argon

5 votes, 2 answers

Can the Request scope variables be tampered/modified using external proxy tools?

As we already know, the URL and FORM scope variables can be modified using external proxy tools. For example, if someone makes a request like this: http:\\website\index.cfm?a=1&b=2 This way one can add values to the URL scope of a .cfm…
Pankaj

4 votes, 1 answer

Understanding Keycloak Adapter (Spring-Security & Spring Boot) session requirement

For software in active development we are using Spring Boot (with Spring Security) and the Keycloak Adapter. The goal is to: require valid authentication for all endpoints except those annotated with @Public (see the code snippet) (this…

4 votes, 3 answers

Which is better, TLS or SSL?

Recently I learned about PHPMailer and I wonder which one I should use as SMTPSecure, tls or ssl? According to some articles, HTTPS needs an SSL certificate, whereas it is written in Wikipedia that SSL has been deprecated.
sudonitin

3 votes, 1 answer

How to prevent SQL injection and improve security on REST APIs?

I'm new to REST APIs and developing an API that is going to be used for iOS/Android/Web apps, but I'm unfamiliar with the kind of threats the APIs face once published. I see these same tips all over: Use OAuth 2 to allow transactions, Receiving…
Dialvive

3 votes, 1 answer

Do these .env GET requests from localhost indicate an attack?

I was just looking through our logs after getting some intermittent 5xx errors on a Heroku hosted site, and in there I discovered many errors that were emanating from localhost and were requests for hidden files, usually .env but also things like…

3 votes, 0 answers

Next.js app: how to prevent XSS and CSRF attacks?

Basically I am building a serverless Next.js app with MongoDB. Idea 1: React prevents most of the XSS already, so should I just store user login info in web storage? This way I do not need to worry about CSRF. Idea 2: If I use an httpOnly cookie…

3 votes, 2 answers

Is it possible to use Cognito's Authorization code grant type as an authorizer in the API Gateway?

I would like to know if there is any way or possibility to implement the authorization code grant type as an Authorizer in securing API Gateway. As I searched, the 'Authorization code' grant type is most recommended for securing an API. I found the below article which…