170 votes
Accepted

Is it more secure to program a client-server system in a language other than English?

Technically slightly, yes. But:
- It would be security by obscurity, which is a bad idea
- It does not boost confidence in your product
- It would be very easy to figure out what does what, it would only ...
Peter Harmann
61 votes

Is it more secure to program a client-server system in a language other than English?

It would not be appreciably more secure. Reverse engineers are often forced to work with systems that do not have any original names intact (production software often strips symbol names), so they get ...
forest
51 votes
Accepted

Protect API from being tampered?

What if the attacker decides to tamper the "from:id" such that it could send arbitrary messages to anyone from any user?
Create a session, and use the session identifier as identifier, not the user ID ...
vidarlo
35 votes

Is it more secure to program a client-server system in a language other than English?

Not really - all of the built-in functions will still be in English, so it wouldn't take much extra effort to work out what your variables are going to represent. It might slow someone down slightly, ...
Matthew
32 votes

Is splitting a REST API server from a Web server considered a security threat?

It would be more accurate to say that "using two servers, e.g. api.myservice.org and www.myservice.org, has security implications" - in other words, would normally be blocked by default ...
MarkHu
31 votes

What is PKCE actually protecting?

The reason PKCE is important is that on mobile OS, the OS allows apps to register to handle redirect URIs so a malicious app can register and receive redirects with the authorization code for ...
Grokify
28 votes
Accepted

Spoofing POST/GET requests in a RESTful service

My question is what prevents users from intercepting their regular post from the app (getting the token) and then possibly sending a bunch of POST requests (using something like Postman or Fiddler) to ...
Hector
26 votes
Accepted

Generating one time URLs which can be revoked

Looks like you have a pretty good idea what you're doing. The one-time link pattern is pretty common for things like email verification. Typically, you'd store the expiration date in a database and/...
nbering
26 votes
Accepted

Why should someone block all methods other than GET and POST in a RESTful application?

I suspect this is a case of someone zealously applying "best practices" that they don't understand.
HTTP Verb Tampering Attack
The reason this best practice exists is because of the HTTP ...
Mike Ounsworth
25 votes

Do I need to hash or encrypt API keys before storing them in a database?

Yes, you should absolutely hash your API keys. In effect, they are your passwords and should be treated as such. And note that's hashed - not encrypted. You never need to decrypt the API keys, hence ...
Anders
25 votes
Accepted

Store Auth-Token in Cookie or Header?

Cookie Based Authentication
Pros
- HttpOnly Flag: Session cookies can be created with the HttpOnly flag which secures the cookies from malicious JavaScript (XSS - Cross-Site Scripting).
- Secure flag: ...
Shiv Sahni
24 votes
Accepted

What is PKCE actually protecting?

This write-up Okta has on this subject explains this pretty well IMHO. I believe it's because PKCE is intended for native applications (e.g. Android, iOS, UWP, Electron, etc.) where you leave the ...
someone1
23 votes

Store Auth-Token in Cookie or Header?

The accepted answer is conflating session based authentication - where a session is maintained in backend database and is stateful with cookies, which are a transport mechanism and so the pros and ...
Melbourne2991
23 votes
Accepted

Is splitting a REST API server from a Web server considered a security threat?

From the information provided, it is definitely not a security risk. As long as proper controls are set on the API endpoint (HTTPS, HSTS, etc.), you should be good to go. One thing to note here is ...
Sachin S Kamath
22 votes
Accepted

Do I need additional encryption on top of HTTPS for a REST API?

The communication between the Frontend and Backend is completely unencrypted, resulting in the credentials of a user logging in being sent over the intranet/internet completely in clear text.
...the ...
Anders
21 votes

Is it more secure to program a client-server system in a language other than English?

That is security through obscurity and will delay a dedicated attacker all of five minutes. If you want to confuse an attacker, naming things their opposite or something unrelated would have the same ...
Tom
18 votes

Should I use CSRF protection on Rest API endpoints?

Whether or not CSRF protection is needed is based on 2 factors:
- Is the request doing a state changing action (not the same as REST API Statelessness)
- State changing actions are any action that ...
an0904
13 votes

Should I use CSRF protection on Rest API endpoints?

"there is no way for a browser to automatically provide authentication credentials even if it is somehow tricked into visiting the API endpoint" Just be careful on private networks using ...
stuartm9999
13 votes
Accepted

Should we encrypt all REST API calls from a mobile device?

Considering that TLS is in place with a solid configuration (i.e. certificate pinning), which I find no reason not to, you'd need to work out the business risk you're trying to mitigate by encrypting ...
Pedro
13 votes

Protect API from being tampered?

Basically, you have to treat every input from the user as potentially malicious. Vidarlo has already mentioned two security issues and how they can be prevented in his answer. I'd also add that the ...
Lukas
12 votes

Spoofing POST/GET requests in a RESTful service

My question is what prevents users from intercepting their regular post from the app
Nothing.
Does the fact that the traffic to the service will eventually go via TLS make this a non-issue?
If you ...
Ruben_NL
11 votes

Protect API from being tampered?

What if the attacker decides to tamper the "from:id" such that it could send arbitrary messages to anyone from any user?
Do not use from:id in your API. You already know it from user authenticated ...
Oleg V. Volkov
10 votes

Store Auth-Token in Cookie or Header?

The accepted answer is totally wrong! Please don't mix Cookie, Token, Stateful, Stateless. So many people consider Cookie == Stateful. No it's totally wrong! Stateful == Session-based -> You store ...
Kevin
10 votes

Generating one time URLs which can be revoked

To use symmetric crypto for a URL parameter would give you one advantage: It eliminates the need to do a database lookup. The downside is that you introduce a secret (the encryption key) that you ...
Anders
10 votes
Accepted

A simplistic stateless alternative to HTTP basic auth for APIs

Your proposed solution is almost identical to JSON Web Tokens (JWT), which are precisely that:
- A stateless token containing information about the user
- Signed and/or encrypted using shared secret or ...
IMSoP
9 votes

Is splitting a REST API server from a Web server considered a security threat?

Only the person behind the rejection could answer definitely why they consider it a security issue. I've found the following questions helpful for such a discussion (not necessarily all of them, since ...
l0b0
8 votes

Is it more secure to program a client-server system in a language other than English?

Your system MUST be secure by itself. If it relies on user-side javascript passing a parameter with the value "open sesame", you are doing it wrong. You should develop the program in the language ...
Ángel
8 votes
Accepted

Does PUT or DELETE offer any security advantage over GET or POST?

The GET (as well as HEAD, OPTIONS and TRACE) is defined as a safe method (RFC 7231, 4.2.1). By this definition you should never use GET to replace PUT, DELETE etc. The PUT and DELETE are idempotent ...
Esa Jokinen
7 votes

Is it more secure to program a client-server system in a language other than English?

It could even make things worse by making the system harder to maintain. Take an extreme example inspired by history, and communicate between front and back ends in Navajo. When (not if) you need to ...
Chris H
7 votes
Accepted

Exploitability of allowed wildcard (*) CORS Origins with Bearer Token Authorization

ACAO: * will prevent the browser from automatically sending any form of credentials, but that's only relevant for the kinds that the browser can actually send automatically (cookies and HTTP BASIC, ...
CBHacking

Only top-scored, non-community-wiki answers of a minimum length are eligible.