security – Tarik Billa

How do I integrate Perfidies (Browser plug-in vulnerability scanner) into my website?

April 11, 2024 by Tarik

You should provide some more context to your question. I will try to help you though suggesting a way to do this. You mentioned you want to disallow users to login, so I think the best way to do this is putting the validation code in the login page as a javascript include. Keep in … Read more

Is there a way to do –disable-web-security on android chrome

April 11, 2024 by Tarik

Is an X-Requested-With header server check sufficient to protect against a CSRF for an ajax-driven application?

April 11, 2024 by Tarik

AccessController usage

April 10, 2024 by Tarik

You would use AccessController.doPrivileged() to give certain code privileges that code earlier in the calling stack DOES NOT have but which the privileged codes DOES have by virtue of that privilege being granted in a policy. For example, assume ClassA invokes methods on ClassB, and ClassB needs to read the java.home system property (to borrow … Read more

Why is SSLCertificateKeyFile needed for Apache?

April 10, 2024 by Tarik

The SSL certificate file contains the X.509 certificate (which, in turn, contains a public key used for encryption). The SSL Certificate Key File contains the private key corresponding to the public key in the certificate. In order for the webserver to encrypt and decrypt traffic, it must have both the public key (certificate) and corresponding … Read more

CSRF in Mobile Applications

April 7, 2024 by Tarik

What is the security difference between API Keys and the client credentials flow of OAuth?

April 7, 2024 by Tarik

TLDR; The difference comes down to direct access vs. delegated access. OAuth allows you to make delegated access. The benefits of delegated access don’t change if there is a user involved or not. The same arguments that make the OAuth Authorization code flow attractive for user-to-machine access, apply to the OAuth Client credentials flow for … Read more

CSRF protection: do we have to generate a token for every form?

April 7, 2024 by Tarik

In general, it suffices to have just one token per session, a so called per-session token: In general, developers need only generate this token once for the current session. After initial generation of this token, the value is stored in the session and is utilized for each subsequent request until the session expires. If you … Read more

Which error message is better when users entered a wrong password? [closed]

April 6, 2024 by Tarik

The idea is to not give hackers extra information. If you say wrong password, you’ve told a hacker that they have a correct username, and vice-versa. Although what you’ve said is true, on some sites it is possible to determine if you’ve guessed a username via other means.

Should I trim spaces in a password field

April 3, 2024 by Tarik

Leave the password as the user entered it. You should never change silently a field put by a user, overall a password.