0 votes | 0 answers | 28 views

How to avoid Burp Suite from altering input dropdown values in Java

We have an application which was tested from Burp Suite, by intercepting and altering the values of the dropdown data in our application. Those fields are disabled when viewed through the browser, but able ...

asked by Saranya Raghavan
1 vote | 1 answer | 33 views

Is it possible to sandbox web components?

I'm building a dashboard on my site so my customers can more easily visualize their data. I'm going to provide graphing widgets which the customer will be able to configure to view their data however ...

asked by C-RAD (1,031 rep)
0 votes | 0 answers | 17 views

How do I know if a user has used a similar string when changing the password?

I see that there's a security requirement in some audit systems that says "the user cannot change the password to a similar string". For example, simply changing 123456 to 123456! should not ...

asked by Terry Windwalker
1 vote | 0 answers | 39 views

Correct way to handle CORS Origin: null

What is the correct way to handle an Origin header of null? We are working on a Chrome extension, and any AJAX requests made from this extension have an origin of null (as might be expected). In order ...

asked by jgammon (31 rep)
0 votes | 0 answers | 40 views

flutter_tools.stamp rebuilds automatically after deletion (want to fix the Flutter web XMLHttpRequest error on API call)

I was having this error: ERROR: Dio error: The connection errored: The XMLHttpRequest onError callback was called. This typically indicates an error on the network layer. This indicates an error ...

asked by Junaid Nasir
0 votes | 1 answer | 39 views

CSP reporting frame-src request for pwm-image.trendmicro.com (Trend Micro Password Manager) - should I allow?

In our report-to logging for our CSP I am seeing a frame-src request from Trend Micro Password Manager. Has anyone run across this before? frame-src pwm-image.trendmicro.com

asked by rodneyt (134 rep)
1 vote | 1 answer | 133 views

CSP reporting Kaspersky Labs injecting code - what effect will blocking have?

I'm updating the CSP for one of our sites and monitoring traffic from our users using report-only mode. I've noticed that Kaspersky Labs is injecting code in our application pages. I am wondering ...

asked by rodneyt (134 rep)
-1 votes | 1 answer | 47 views

Exclude specific resource page(s) from Cross-Origin-Resource-Policy same-origin header in Spring WebSecurityConfigurerAdapter

We have a Java class that extends Spring's WebSecurityConfigurerAdapter and sets all of our security headers and such. Leaving only the relevant parts of the code, it's currently like this: @...

asked by Kevin Cruijssen
0 votes | 1 answer | 339 views

JavaScript execution in PDFs inside browsers: What is the best practice to handle this securely?

We are currently working on a file-server like implementation which serves user-uploaded content. To circumvent CSRF attacks, we serve all content with a CSP header, which disallows any execution of ...

asked by zekro (49 rep)
0 votes | 0 answers | 90 views

How to hide user JWT from browser inspect on API request header

As a frontend developer, I have to send the token inside the request header. When I make API calls from the web app frontend (let's assume a REST API), anyone can see it from browser inspect, including the API ...

asked by Syed Mehdi R.
1 vote | 1 answer | 72 views

Security concern over AJAX call - use full path or just endpoint

Just testing a few AJAX calls and trying to identify whether it's vulnerable to a JS attack if I use an AJAX call like this. Option 1 $.ajax({ url: 'https://example.com/project_folder/user', type: "POST&...

asked by Viral Parmar
0 votes | 0 answers | 58 views

How to Inject Inline Attribute Styles into an Element without style-src 'unsafe-inline' in Content Security Policy?

I'm working on a web application where I have a 3rd party hosted script that dynamically injects inline styles directly into HTML elements. I've encountered a Content Security Policy (CSP) issue ...

asked by PyDy (3 rep)
1 vote | 0 answers | 53 views

Public keys in web applications

I know that I am not supposed to place keys in my client-side application, such as a web application. But there are more and more service providers (e.g. Google Maps, Amplitude SDK, etc.) these days ...

asked by alaboudi (3,393 rep)
0 votes | 0 answers | 41 views

How do I secure a website for seamless authenticated access from an App?

I'm working on the application environment below. It involves a mobile App which uses an AWS Lambda based API. The App requires authentication and the API is secured using JWTs. I need to introduce a ...

asked by Elliveny (2,203 rep)
1 vote | 5 answers | 552 views

Best way to activate DEV mode on a webapp

I have a webapp (SPA) that can work in a web browser along with my iOS and Android app webviews. I need a way to activate what I call a DEV or DEBUG mode, in order to: Target another API (test API ...

asked by pieroxy (859 rep)