Edit your apache2 configuration file which normally is on the dir: “/etc/apache2/httpd.conf”. Add the following or edit if your already have some configurations for the default web server dir (/var/www): <Directory /var/www> Options -Indexes AllowOverride All Order allow,deny Allow from all </Directory> This will disable the indexing to all the public directories.
Here’s a wild shot in the dark: We’re thinking about protecting the plaintext from the person doing the computation on it. But what if the objective was to protect both the plaintext AND the algorithm? Take, for example, MRI machines. The most expensive part of the MRI machine is the algorithm in which the machine … Read more
No. You will only get a security error if the embedding site uses SSL, but the iFramed one does not. Whether the sites use different certificates or not, that does not matter. No. (Isn’t this the same question as #1?) Summary Having different certificates between the main page and iframed pages is not a problem. … Read more
If you’re already doing authentication for the non-websocket part of your app, just pass the session cookie along as the first message after connecting and check the cookie as you normally would. WARNING: It’s been pointed out that the following doesn’t work when flashsockets are used: If you’re using socket.io, it’s even easier—the cookies are … Read more
The comment by Rory that the proxy would have to use a self-signed cert if not stricltly true. The proxy could be implemented to generate a new cert for each new SSL host it is asked to deal with and sign it with a common root cert. In the OP’s scenario of a corportate environment … Read more
You are right in that a password is only secure if it is obscure. But the “obsure” part of “security through obscurity” refers to obscurity of the system. With passwords, the system is completely open — you know the exact method that is used to unlock it, but the key, which is not part of … Read more
The purpose of a nonce is to make each request unique so that an attacker can’t replay a request in a different context. It doesn’t matter if the attacker gets the nonce: in fact the point is that because the data includes a nonce, it won’t be useful to the attacker. ADDED: A nonce is … Read more
With cross-site scripting, it’s possible to infect the HTML document produced without causing the web server itself to be infected. An XSS attack uses the server as a vector to present malicious content back to a client, either instantly from the request (a reflected attack), or delayed though storage and retrieval (a stored attack). An … Read more
JWT tokens contain claims, which are statements about the subject (for example the logged in user). These statements can be things like name, email, roles etc. JWT tokens are digitally signed and not vulnerable to CSRF attacks. These two characteristics make sure that the service receiving the token does not need to go back to … Read more
Okay, I take back what I commented earlier. Just talked to one of the senior guys in my shop and he said it is possible to lock it down hard. What you can do is convert the pdf to an image/flash/whatever and wrap it in an iFrame. Then, you create another image with 100% transparency … Read more