Will web browsers cache content over https
As of 2010, all modern, current-ish browsers cache HTTPS content by default, unless explicitly told not to. It is not required to set cache-control:public for this to happen. Source: Chrome, IE, Firefox.
The typical way to do this is to read the password info from a configuration file. If your configuration file is called foobar.config, then you would commit a file called foobar.config.example to the repository, containing sample data. To run your program, you would create a local (not tracked) file called foobar.config with your real password …
Below are the steps to revoke your JWT access token: When you do log in, send 2 tokens (Access token, Refresh token) in response to the client. The access token will have less expiry time and Refresh will have long expiry time. The client (Front end) will store refresh token in his local storage …
I went through this process not too long ago with a company I worked for and I plan on going through it again soon with my own business. If you have some network technical knowledge, it really isn’t that bad. Otherwise you will be better off using PayPal or another type of service. The process …
Before you do anything further, seek to understand the difference between encryption and authentication, and why you probably want authenticated encryption rather than just encryption. To implement authenticated encryption, you want to Encrypt then MAC. The order of encryption and authentication is very important! One of the existing answers to this question made this mistake; …
Important: Unless you have a very particular use-case, do not encrypt passwords, use a password hashing algorithm instead. When someone says they encrypt their passwords in a server-side application, they’re either uninformed or they’re describing a dangerous system design. Safely storing passwords is a totally separate problem from encryption. Be informed. Design safe systems. Portable …
Port 80 What I do on my cloud instances is I redirect port 80 to port 3000 with this command: sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3000 Then I launch my Node.js on port 3000. Requests to port 80 will get mapped to port 3000. You …
We need to store the JWT on the client computer. If we store it in a LocalStorage/SessionStorage then it can be easily grabbed by an XSS attack. If we store it in cookies then a hacker can use it (without reading it) in a CSRF attack and impersonate the user and contact our API and …
To build this list I used 2 sources. A Study In Scarlet and RATS. I have also added some of my own to the mix and people on this thread have helped out. Edit: After posting this list I contacted the founder of RIPS and as of now this tool searches PHP code for the …