136 votes

Does it make sense to consider a triggerable server software crash a DOS attack?

Yes. Any attack which has as a goal to deny the normal usage of a service by legitimate users is by definition a DoS (Denial of Service).
DarkMatter (2,746)
129 votes
Accepted

Do I need CSRF token if I'm using Bearer JWT?

This is relevant but doesn't necessarily answer 100% of your question: https://security.stackexchange.com/a/166798/149676 The short of it is that as long as authentication isn't automatic (typically ...
Conor Mancone
59 votes

Does it make sense to consider a triggerable server software crash a DOS attack?

DDoS (Distributed DoS) is characterised by floods creating a DoS (in all available definitions). A single node causing a flood successfully is kind of rare. But DoS can be caused by a broad range of ...
schroeder (134k)
50 votes

Do I need CSRF token if I'm using Bearer JWT?

Generally, CSRF happens when a browser automatically adds headers (i.e. a session ID within a cookie), which then makes the session authenticated. Bearer tokens, or other HTTP header based tokens that ...
ndrix (3,336)
26 votes

Do I need CSRF token if I'm using Bearer JWT?

Previous answers are rock solid. I'll jump in here to provide more context and a little caveat. There are lots of ways to use JWT; session management is one of them. Although it presents a few ...
Daniel Szpisjak
15 votes
Accepted

Where to store private and public keys?

Public key: that's the easy part, it can be almost anywhere (known URL, some type of file store like S3/GCS/..., even source control). The only concern is to make sure it is not modified, but it can ...
Marc (4,341)
12 votes
Accepted

What was the concern that caused the warning in GitHub Actions documentation about setting NODE_OPTIONS?

According to the developer who committed the blacklist, the reason for including the NODE_OPTIONS variable in particular is rather banal: For the deprecated set-env command we received bug bounty ...
Ja1024 (38.2k)
10 votes

Does it make sense to consider a triggerable server software crash a DOS attack?

Quite often security is looked at as providing three properties: Availability, Integrity, Confidentiality. In your case, you've found something that allows a user to affect the availability of the ...
sarnold (741)
10 votes
Accepted

Why sign session cookies?

Apparently, the software permits developers to provide their own session IDs, which (because people are often bad at security) might be short and/or predictable. The signature is thus added to create ...
CBHacking (53.9k)
9 votes

Does it make sense to consider a triggerable server software crash a DOS attack?

I wanted to add one more important detail not explicitly stated in the other answers. You said this: It works by sending the server some crafted payload, which makes the server code throw an ...
Conor Mancone
6 votes

Can string comparison realistically be exploited in a timing attack on a web server?

Timing attacks are possible even if response times seem inconsistent, because you can use statistical analysis to filter out a lot of noise in the data. Average values are much more stable than ...
reed (16k)
6 votes
Accepted

How do you securely delete httpOnly cookies previously used for login?

You cannot; you have to make another request to the backend, and from there you can remove the cookies.
Yogi Gachinmath
6 votes
Accepted

Magic links: JWT vs random string

Would it not be more prudent to just generate a large ... string Yes, it would. A token is often a straightforward solution, and is easier to get right. Cryptographic solutions often have pitfalls or ...
Sjoerd (35.6k)
6 votes
Accepted

How to properly invalidate JWT tokens and sessions in this use case?

You can't rely on the client code General rule of thumb: once you send code down to the client to run on the user's machine, it's not your code anymore. The only security you can count on is security ...
Mike Ounsworth
5 votes

Is this password-less auth flow secure?

The main concept of your flow (magic links) is one of the more well known password-less alternatives for authentication. The general consensus seems to be that the security of such schemes (as has ...
AlphaD (948)
5 votes

How to deny access to my server end points?

First, regarding what you have tried already: header('Access-Control-Allow-Origin: https://www.example.com'); This will fail for a number of reasons: This is a client-level control that doesn't stop ...
Conor Mancone
5 votes
Accepted

Timing attack - Is it safe to check if strings have the same length?

You are correct that this implementation of constant-time string comparison will leak information about the length of some string that is being compared against an attacker-controlled string. However, ...
dr jimbob (39.6k)
5 votes
Accepted

Is it safe to set rejectUnauthorized to false when using Heroku's Postgres database?

Heroku does not support client-side certificate validation to its Postgres databases unless you are using Private Spaces or Shield: Unless you're using a Private or Shield Heroku Postgres database, ...
J c (166)
5 votes

When to request refresh token? JWT

A few thoughts: Cookies aren't a great place to put refresh tokens at all, really. They're not the worst, but it's more common to use Local Storage and only ever transmit them when you're using them. ...
CBHacking (53.9k)
5 votes
Accepted

How does AWS Lambda support EOL Node.js versions?

... how is it that AWS is able to provide security patches to Node.js? The code for Node.js is open source. If an issue becomes known, anybody can create a fix and ship it, including AWS. This is not ...
Steffen Ullrich
5 votes

Security considerations when using Apache with SSL enabled and Node.JS without SSL

Yes, this is secure. The traffic between the client and Apache is encrypted. The traffic between Apache and NodeJS is not encrypted, but still secure because it is not sent over the network. It is ...
Sjoerd (35.6k)
4 votes
Accepted

Recent ESLint hack or how can we protect ourselves from installing malicious npm packages?

Three words: Supply Chain Management. Except that in our case the "supply" is dependencies or "third party libraries". This isn't a problem unique to npm. This is a general problem in software ...
mroman (565)
4 votes

Does it make sense to consider a triggerable server software crash a DOS attack?

Your attack is basically the definition of DOS; it literally denies service and you are using the term correctly. Consuming bandwidth is a naive approach that does not require the server to have a ...
le3th4x0rbot (3,299)
4 votes

Magic links: JWT vs random string

It's true that you can use a random string for the magic link and it'll work just fine. However there are a few benefits for choosing to implement it using JWTs: JWT validation doesn't require a call ...
AlphaD (948)
3 votes
Accepted

Security best practices for my first ever Node, MongoDB, Nginx production app on an Ubuntu VPS

I recommend having a bastion host to access your server via an SSH port-forwarding agent to tighten the SSH aspects. Usually I perform OS hardening of images using the CIS Benchmark guide. Always focus on ...
Kyros Koh (154)
3 votes

Can I use RSA to encrypt an AES256 key that I put at the beginning of my AES256 encrypted file?

You are reinventing the wheel by trying to solve your problem at a low level. You are trying to combine RSA and AES encryption primitives to create something that will asymmetrically encrypt a file. ...
Sjoerd (35.6k)
3 votes

How is security maintained in session and JWT?

I think your understanding is on par with what the technology does. Both methods have inherent security risks and security pros. But I think JWT wins for me as it allows you to do without sessions ...
geforceGTX480
3 votes
Accepted

Secure Admin Password in Open Source Software

Do not hardcode a password into the code. Instead, make the program read the password from either a database or a file which is stored with the program. This file should not be uploaded to the source code ...
vakus (3,853)
3 votes

Do I need CSRF token if I'm using Bearer JWT?

I feel that it's important to highlight something regarding Single Page Applications (or requests from any frontend in general) that may make CSRF protections useless. I thought at first it may be a ...
Cyril Duchon-Doris

Only top-scored, non-community-wiki answers of a minimum length are eligible.