Definition: HTTP - the Hypertext Transfer Protocol - provides a standard for Web browsers and servers to communicate. The definition of HTTP is a technical specification of a network protocol that software must implement. HTTP is an application layer network protocol built on top of TCP. HTTP ...
1 vote | 2 answers | 25 views
How to create an anti-flood mechanism without leaving VPN's out?
I'm trying to protect my applications from some bots that are either malfunctioning or trying to take my sites down (lots of requests from the same IPs in the logs).
Every time someone requests an ...
6 votes | 2 answers | 442 views
Why is the Access-Control-Allow-Origin header necessary?
I understand the purpose of the Access-Control-Allow-Credentials header, but can't see what problem the Access-Control-Allow-Origin header solves.
More precisely, it's easy to see how, if ...
13 votes | 2 answers | 497 views
Twitter's HTTP response vs Google's HTTP response
I was looking at the HTTP responses from https://twitter.com and https://encrypted.google.com. These two responses have interesting similarities and differences in their security definitions.
Both ...
0 votes | 2 answers | 112 views
How to defeat CRIME, BREACH, TIME etc… server side (without sacrificing compression)
I am writing full-stack server side software and I have been researching CRIME attacks and their relation to SPDY header compression, as I am implementing the server side codecs for it at the moment.
...
1 vote | 2 answers | 64 views
non-MiTM Reverse SSL
Do non-MiTM Reverse SSL Proxies exist? Or do all proxies that do SSL-SSL mappings decode and then re-encode HTTPS traffic?
If this is the case and I want to map https://mypublicdomain.com -> ...
1 vote | 1 answer | 66 views
Is there a problem with issuing a HSTS header in PHP?
I want to trial an HSTS policy on my blog without enabling it site-wide initially. As an HSTS policy is just an HTTP response header, would there be any problem with sending the header in PHP like so:
...
-3 votes | 0 answers | 22 views
HTTP basic authentication fails using "Authorization: Basic ".base64_encode("$user:$pass") [migrated]
I tried this code on my local PHP server... everything works perfectly.
However, when I uploaded this script to the web hosting server, the authentication did not work. Can somebody explain why this ...
1 vote | 3 answers | 210 views
What information can be seen from HTTPS to HTTP?
Assuming a secured page https://google.com/redirect.php?keyword=apple which redirects the visitor to a non-secured website http://apple.com, would an eavesdropper (anyone watching over the network) be ...
0 votes | 0 answers | 360 views
Linux Hydra issue - random correct password success
I have an issue with Hydra when I use it. First let me inform you that I read multiple guides and tried the exact same command lines as in guides directly supported by the Damn Vulnerable Web Application ...
1 vote | 2 answers | 80 views
Using HTTPS GET from app to server
When developing Webpages, they say you should use POST for "destructive" actions, and GET for actions that only retrieve information.
Is the same true for apps? Is it a total no-no to use GET for ...
0 votes | 1 answer | 88 views
What mechanism to use for simple and secure HTTP API access?
I am currently working on a service which offers an HTTP API for mobile clients.
I want clients to authenticate in order to access my API. The server itself is doing the authentication; there will be ...
1 vote | 1 answer | 115 views
Extremely big HTTP chunk size
I am working on a project in which we must count the HTTP response size.
I am getting the chunk size like this:
crlf = g_strstr_len(chunkeddata , responceSize - responceHeaderSize, "\r\n")
And then I had a ...
0 votes | 1 answer | 57 views
Is there any reason to allow Python fetches of my Web server's pages?
I keep seeing "python-requests/1.1.0 CPython/2.7.4 Linux/3.8.0-19-generic" requests e.g. from Amazon's servers of my website.
It's kind of creepy.
Who would set up an Amazon server to scan websites? ...
1 vote | 1 answer | 158 views
Why is Access-Control-Allow-Origin required for uncredentialed cross-domain requests?
I understand CSRF and why cross-domain AJAX requests with cookies or other credentials can't be permitted without an Access-Control-Allow-Credentials header explicitly permitting them - otherwise I'd ...
0 votes | 1 answer | 85 views
Are there any risks in serving static assets via compressed SSL protocol from a 3rd party domain?
e.g.
curl -v -H 'Accept-Encoding: gzip' 'https://cdnjs.cloudflare.com/ajax/libs/Colors.js/1.2.2/colors.min.js'
As you can see, the result is gzipped.
My assumption is since they are serving from 3rd ...