websecurity Questions
2
Solved
Is it necessary to apply the Content-Security-Policy Header to all resources on your domain (images/CSS/JavaScript) or just web pages?
For example, I noticed that https://content-security-policy.co...
Harrisonharrod asked 10/6, 2022 at 15:11
7
Solved
If CORS is properly set up on a server to only allow certain origins to access the server,
is this enough to prevent CSRF attacks?
Doyen asked 5/11, 2013 at 16:19
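The following is an added example, not part of the question above or any answer to it: a toy server that makes the CORS-versus-CSRF distinction concrete. CORS is enforced by the browser on the response, deciding only whether script on another origin may read it; the request itself still reaches the server and its side effect still runs. The Request/Response classes, the BankApp, the origins and the amounts are all constructed stand-ins for a real framework.

```python
"""Added example (not from the original question): a toy server showing why
a CORS allow-list alone does not stop CSRF. Request/Response and BankApp are
constructed stand-ins for a real framework; origins and amounts are made up."""
import hmac
import secrets
from dataclasses import dataclass, field

ALLOWED_ORIGINS = {"https://app.example"}  # hypothetical CORS allow-list


@dataclass
class Request:
    method: str
    headers: dict
    cookies: dict
    form: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


class BankApp:
    """Toy server; `sessions` maps the session cookie value to user state."""

    def __init__(self, check_csrf_token: bool):
        self.check_csrf_token = check_csrf_token
        self.sessions = {}

    def login(self) -> str:
        sid = secrets.token_urlsafe(16)
        # The CSRF token is handed only to the legitimate page (e.g. as a hidden
        # form field); a page on another origin has no way to read it.
        self.sessions[sid] = {"balance": 100, "csrf": secrets.token_urlsafe(32)}
        return sid

    def cors_headers(self, req: Request) -> dict:
        # CORS is enforced by the *browser* on the response: it only decides
        # whether script on another origin may read the body. It never stops
        # the request from reaching the server or its side effects from running.
        origin = req.headers.get("Origin")
        if origin in ALLOWED_ORIGINS:
            return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
        return {}

    def transfer(self, req: Request) -> Response:
        sess = self.sessions.get(req.cookies.get("sid"))
        if req.method != "POST" or sess is None:
            return Response(401)
        if self.check_csrf_token:
            supplied = req.form.get("csrf_token", "")
            if not hmac.compare_digest(supplied, sess["csrf"]):
                return Response(403, self.cors_headers(req))
        sess["balance"] -= int(req.form["amount"])  # the state change CSRF aims at
        return Response(200, self.cors_headers(req))


def cross_site_form_post(sid: str, amount: int) -> Request:
    """What a browser sends for an auto-submitted <form method="POST"> hosted on
    https://evil.example: a form-encoded body is a CORS "simple request", so no
    preflight happens, and the victim's session cookie is attached (assuming it
    is not SameSite=Lax/Strict)."""
    return Request(
        method="POST",
        headers={"Origin": "https://evil.example",
                 "Content-Type": "application/x-www-form-urlencoded"},
        cookies={"sid": sid},
        form={"amount": str(amount)},  # attacker controls the body, not the token
    )


def run_scenario(check_csrf_token: bool) -> tuple:
    """Forge one cross-site transfer; return (status, balance left, attacker can read response)."""
    app = BankApp(check_csrf_token)
    sid = app.login()
    resp = app.transfer(cross_site_form_post(sid, 40))
    return resp.status, app.sessions[sid]["balance"], "Access-Control-Allow-Origin" in resp.headers


if __name__ == "__main__":
    print("CORS only:        ", run_scenario(False))  # money moved, response unreadable
    print("CORS + CSRF token:", run_scenario(True))
```

With CORS alone the forged transfer returns 200 and the balance drops; the attacker merely cannot read the response, which they never needed. With the per-session token checked, the same request is rejected with 403. Checking the Origin header (or Sec-Fetch-Site) on state-changing requests and marking the session cookie SameSite are complementary defences, but neither is what CORS does.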
3
Solved
I want to prevent my website from clickjacking attacks. In which file, and where, do I set X-Frame-Options to prevent a clickjacking attack?
Ambrosane asked 28/5, 2020 at 7:38
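An added example, not from either question above or from any answer on this page, covering both the clickjacking question and the earlier one about whether Content-Security-Policy must go on every resource. The header is set wherever responses are produced: in the web server configuration (for example nginx's add_header directive) or, as here, in application middleware. Browsers enforce X-Frame-Options and CSP only on a response that becomes a document (or a worker); a policy on a response consumed purely as an image, stylesheet or script subresource is ignored, so sending it everywhere is harmless but only the document responses matter. The WSGI demo app, its paths and the policy values are constructed for this example.

```python
"""Added example (not from the original questions): a WSGI middleware that
adds anti-framing headers to document responses. The demo app, its paths and
the policy string are made up for illustration."""
from wsgiref.util import setup_testing_defaults

SECURITY_HEADERS = [
    # Legacy header, still honoured by every browser.
    ("X-Frame-Options", "DENY"),
    # frame-ancestors is the modern replacement and takes precedence where
    # supported; the rest of the policy is a strict starting point, not advice.
    ("Content-Security-Policy",
     "default-src 'self'; object-src 'none'; frame-ancestors 'none'"),
]

# Browsers enforce CSP / X-Frame-Options only on responses that become a
# document (or a worker). A policy on a response used only as an <img>, <link>
# or <script> subresource is ignored, so it is enough to tag these types.
DOCUMENT_TYPES = ("text/html", "application/xhtml+xml", "image/svg+xml")


def security_headers(app):
    """Wrap a WSGI app so every document response carries SECURITY_HEADERS."""
    def wrapped(environ, start_response):
        def sr(status, headers, exc_info=None):
            headers = list(headers)
            ctype = next((v for k, v in headers if k.lower() == "content-type"), "")
            if ctype.lower().startswith(DOCUMENT_TYPES):
                present = {k.lower() for k, _ in headers}
                # Do not clobber a header the application set deliberately.
                headers += [(k, v) for k, v in SECURITY_HEADERS if k.lower() not in present]
            return start_response(status, headers, exc_info)
        return app(environ, sr)
    return wrapped


def demo_app(environ, start_response):
    """Constructed origin app: one HTML page and one image."""
    if environ["PATH_INFO"] == "/logo.png":
        start_response("200 OK", [("Content-Type", "image/png")])
        return [b"\x89PNG\r\n\x1a\n"]  # PNG magic bytes only, a fake image
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<!doctype html><title>home</title>"]


app = security_headers(demo_app)


def fetch(path: str) -> tuple:
    """Call the wrapped app in-process; return (status line, {header: value})."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    b"".join(app(environ, start_response))  # drain the body iterable
    return captured["status"], captured["headers"]


if __name__ == "__main__":
    print(fetch("/"))          # carries X-Frame-Options and CSP
    print(fetch("/logo.png"))  # plain image response, no framing headers
```

Because the middleware wraps the whole application, every HTML page gets the header without touching individual views, which is the practical answer to "which file": the one that builds or configures the response pipeline.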
5
I've just noticed my console is littered with this warning, appearing for every single linked resource. This includes all referenced CSS files, JavaScript files, SVG images, and even URLs from AJAX...
Budding asked 7/8, 2020 at 8:19
1
The documentation of hashlib.scrypt is a bit short:
hashlib.scrypt(password, *, salt, n, r, p, maxmem=0, dklen=64)
The function provides scrypt password-based key derivation function as defined in...
Farcical asked 17/10, 2020 at 7:00
12
Solved
I'm trying to do a simple test without changing any server-side code involving a cross-domain AJAX call, and I was wondering if it's possible to use --disable-web-security anymore. It seems to not ...
Chromolithograph asked 16/7, 2013 at 14:32
2
Solved
At 3. CSP Policy Delivery it says
The Content-Security-Policy HTTP response header field is the preferred mechanism for delivering a policy
But there are two valid mechanisms, delivery via an ...
Cupulate asked 6/5, 2019 at 14:43
2
Solved
I was just looking through our logs after getting some intermittent 5xx errors on a Heroku hosted site, and in there I discovered many errors that were emanating from localhost and were reque...
Sunnisunnite asked 28/9, 2020 at 20:12
0
I have the following application.
SpringMainApplication.java
@SpringBootApplication
public class SpringMainApplication extends SpringBootServletInitializer {
@Override
protected SpringApplicatio...
Nuzzle asked 13/1, 2021 at 23:12
2
The .NET Core server code I'm working on is going to be hosted both in cloud infrastructure and on premises.
There are many options to handle secret management (connection strings etc...):
Big clo...
Chavey asked 1/12, 2020 at 14:46
4
Solved
I don't understand why the token for AJAX requests (XSRF-TOKEN) is different from the _token that normal forms use. In addition, it's much longer. Why? And why have 2 tokens at all? Why not just use ...
Footboard asked 29/10, 2020 at 13:38
5
I'm working on a project which generates audio from text (TTS) and provides a player with speed/pitch control to users.
My question is related to request security.
The user got widget_id during regist...
Raki asked 2/10, 2020 at 17:16
1
Solved
I am able to sign the SOAP XML using a certificate for the WS-Security signature, but I am unable to verify its signature. On verifying the signature it leads to an exception. Some help will be apprec...
Mindimindless asked 27/8, 2020 at 12:23
2
Solved
If I release an API on the public internet, but it's only meant to be used by my apps, I can make a white list of accepted domains, so other domains can't use it.
But I always wonder, can't hacker...
Hanes asked 11/10, 2019 at 17:22
1
For a software in active development we are using Spring Boot (with Spring Security) and the Keycloak Adapter.
The goal is to:
require valid authentication for all endpoints except those annotat...
Tarshatarshish asked 11/7, 2019 at 9:30
0
Let's say you are designing a new API. The consumer of your API is a mobile app that periodically sends requests in the background, but you expect other consumers as well, such as web apps or server...
Eduction asked 23/11, 2019 at 17:40
1
Intro
This topic has been the bane of many questions and answers on StackOverflow, and in many other tech forums; however, most of them are specific to exact conditions and even worse: "over-all" ...
Outmarch asked 28/10, 2019 at 21:15
1
Solved
Hi, currently I have an Angular application and a Java backend. In my Angular component HTML I have some images, such as profile photos. The resource that serves the image files is secured with Spring S...
Fair asked 23/5, 2019 at 10:50
3
Solved
Chrome allows us to disable the same origin policy, so we can test cross origin requests. I would like to know if there any possibility to do the same thing in IE
Lull asked 6/1, 2014 at 9:59
1
Burp Suite and Wireshark are said to be the best tools for penetration testing. I'm curious what the difference is between them, and the pros and cons of each.
Bissell asked 20/12, 2018 at 14:40
2
Solved
As we already know, the URL and FORM scope variables can be modified using external proxy tools.
For example, if someone makes a request like this: http://website/index.cfm?a=1&b=2
This w...
Tinfoil asked 15/2, 2018 at 19:03
1
© 2022 - 2024 — McMap. All rights reserved.