Questions tagged [header]

129 questions
7 votes, 1 answer

iOS Mail App Security

I have my own domain name and I had some issues with the delivery time. So, I started looking at the mail header to see where my mail was stuck and why. That is not the issue. While messing around with the header I noticed that the mail header not…
teravice
  • 73
  • 1
  • 4
6 votes, 1 answer

How does X-XSS-Protection: "0" affect the security of my website?

How does disabling XSS protection affect my website? What security vulnerabilities does it open? My site requires the header to be used on certain pages, so what can I do to secure the pages with the header? (try-it editor)
Nisala
  • 173
  • 7
5 votes, 1 answer

Is cache-control: no-cache enough for sensitive information like bank accounts, etc.?

I have read somewhere that when storing sensitive information on a website you should include cache-control: no-store for telling the browser not to store that information on the local system. But I think when cache-control: no-cache is used it just…
5 votes, 1 answer

Is it worth verifying the request hostname in API-to-API communications?

When authenticating from a browser application to an API layer, you can verify the request origin for CORS requests. I'm aware that this is primarily to prevent CSRF attacks. It doesn't prevent an attacker from accessing the endpoint themselves, but…
M Miller
  • 153
  • 1
  • 4
5 votes, 1 answer

Content-type validation in REST APIs

I'm trying to wrap my head around why it is advised to validate the content-type sent by a client to a REST API. OWASP states in their REST Security Cheat Sheet: When POSTing or PUTting new data, the client will specify the Content-Type (e.g.…
SaAtomic
  • 989
  • 2
  • 15
  • 27
5 votes, 1 answer

How can the Origin header be used for CSRF prevention if Firefox doesn't send it for same origin requests or requests from data URIs?

I'm planning to use synchronizer tokens for CSRF prevention, but OWASP recommends checking the referrer and origin headers too. I've been trying to figure out the correct logic for this, but my experiments suggest that there is no valid way to check…
J Taylor
  • 51
  • 1
  • 2
5 votes, 2 answers

Is the Origin header really useful for securing a WebSocket?

I've been reading some posts about WebSockets security, and a few of them mention using the Origin header to help secure the connection. For example this one: https://www.christian-schneider.net/CrossSiteWebSocketHijacking.html. However, I'm…
The Illusive Man
  • 10,487
  • 16
  • 56
  • 88
4 votes, 1 answer

Adding Expect-CT header to HTTP response

In the security test report, I have a recommendation to add the Expect-CT header to the HTTP response from the web application; additionally, developers set this to: Expect-CT: max-age=0, report-uri= I am not sure if it is a good idea to add this header.…
user187205
  • 1,163
  • 3
  • 15
  • 24
4 votes, 2 answers

How can I have received this email?

I usually delete SPAM, but this email caught my attention: As you can see, in the "To:" field there is the spammer's account, but I thought: it's not important, in the message header there must be some hidden "for" parameter which links to my email account...…
j0kky
  • 43
  • 1
  • 3
4 votes, 1 answer

HTTP authentication - the HTTP header name is Authorization - why?

Why, in HTTP authentication, is the HTTP header which contains credentials called "Authorization"? Is there any historical explanation? I am asking because I realized that some people mix up authentication with authorization, and this naming convention in HTTP…
3 votes, 1 answer

Is there a reason for a server-side limit on the number of HTTP headers allowed for each request?

The security team at my company has set a limit on the number of headers an HTTP request can contain (not header size, but an actual hard count limit on the number of headers). A vendor has added a few headers for request tracing purposes, which has…
Jessica
  • 133
  • 5
3 votes, 1 answer

Web-Application with CORS Origin: * using authorization header

As stated here, https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS at "Credentialed requests and wildcards". Quote: When responding to a credentialed request, the server must specify an origin in the value of the Access-Control-Allow-Origin…
SaAtomic
  • 989
  • 2
  • 15
  • 27
3 votes, 1 answer

Is host header injection possible without cache or password reset?

I am a beginner in security and I am reading about host header injection. I tested an application for this vulnerability and it is possible there for some requests, but the developer implemented the no-cache, no-store flags and this vulnerability is not in…
3 votes, 1 answer

X-Content-Type-Options without content-type

X-Content-Type-Options helps to protect against attacks that take advantage of the browser trying to interpret HTTP responses with an incorrectly stated Content-Type. But what happens when the HTTP response sets the X-Content-Type-Options header but…
Silver
  • 1,824
  • 11
  • 23
3 votes, 1 answer

X-Frame-Options absent but can't load the page in an iframe

I am trying to find the reason that a certain webpage is not getting iframed even when the X-Frame-Options header is absent. Observation: When I write an HTML file with an iframe tag pointing to the URL, save this file locally and open it, I can find the…
one
  • 1,781
  • 3
  • 18
  • 45