The Content-Security-Policy meta-tag allows you to reduce the risk of XSS attacks by allowing you to define where resources can be loaded from, preventing browsers from loading data from any other locations. This makes it harder for an attacker to inject malicious code into your site. I banged my head against a brick wall trying … Read more
I answered this question: How to secure an ASP.NET Web API 4 years ago using HMAC. Now, lots of things changed in security, especially that JWT is getting popular. In this answer, I will try to explain how to use JWT in the simplest and basic way that I can, so we won’t get lost … Read more
This question has been addressed, in a slightly different form, at length, here: RESTful Authentication But this addresses it from the server-side. Let’s look at this from the client-side. Before we do that, though, there’s an important prelude: Javascript Crypto is Hopeless Matasano’s article on this is famous, but the lessons contained therein are pretty … Read more
An analysis of the various options available, and the pros and cons of each is available in Jeanne Boyarsky’s Batching Select Statements in JDBC entry on JavaRanch Journal. The suggested options are: Prepare SELECT my_column FROM my_table WHERE search_column = ?, execute it for each value and UNION the results client-side. Requires only one prepared … Read more
For old-school CD keys, it was just a matter of making up an algorithm for which CD keys (which could be any string) are easy to generate and easy to verify, but the ratio of valid-CD-keys to invalid-CD-keys is so small that randomly guessing CD keys is unlikely to get you a valid one. INCORRECT … Read more
A good reason, which you have sort of touched on, is that once the CSRF cookie has been received, it is then available for use throughout the application in client script for use in both regular forms and AJAX POSTs. This will make sense in a JavaScript heavy application such as one employed by AngularJS … Read more
I found this blog post which cleared up a few things. To quote the most relevant bit: Mixed Active Content is now blocked by default in Firefox 23! What is Mixed Content? When a user visits a page served over HTTP, their connection is open for eavesdropping and man-in-the-middle (MITM) attacks. When a user visits … Read more
Sending headers earlier than the normal course may have far reaching consequences. Below are just a few of them that happened to come to my mind at the moment: While current PHP releases may have output buffering on, the actual production servers you will be deploying your code on are far more important than any … Read more
MVC defaults to DenyGet to protect you against a very specific attack involving JSON requests to improve the liklihood that the implications of allowing HTTP GET exposure are considered in advance of allowing them to occur. This is opposed to afterwards when it might be too late. Note: If your action method does not return … Read more
From early days of online stores: Getting a 90% discount by entering .1 in the quantity field of the shopping cart. The software properly calculated the total cost as .1 * cost, and the human packing the order simply glossed over the odd “.” in front of the quantity to pack 🙂