Questions tagged [header]

129 questions
3 votes, 1 answer

Are requests with no UserAgent header a risk?

A service I use has decided to block HTTP requests that do not provide a UserAgent, citing security reasons. As far as I can tell, the UserAgent is a string without a standard format used primarily for statistics, serving different page versions…
Holly
3 votes, 2 answers

Can I trust the Host header received in the request?

The question is very simple: can I trust the value of the Host header? We are developing an application that serves some resources via HTTP and we want to have some private services and some others public. We have internal domains such as…
2 votes, 1 answer

HTTP and HSTS Web Server

If I have HSTS enforced on a web server with HTTPS 443, but HTTP port 80 is still open, does this make HTTP still accessible, or only for the first time before it's added to the browser HSTS list? I imagine best practice would be just to disable…
Sjim49
2 votes, 3 answers

HttpResponse Headers Information Leakage on Server Error (Verbose Headers)

In the past I have dealt with security issues related to Default Service Banners/Verbose Headers/Information Leakage via HttpResponse Headers. These issues are quite common, and usually look something like this for an Asp.Net - IIS Server. Server: …
MattyMerrix
2 votes, 3 answers

Is there any way for a client to view headers set by an NGINX reverse proxy?

I am setting up an NGINX reverse proxy, which sits in front of an API. I would like to use: proxy_set_header X-Secret-Key ${SECRET_VALUE}; to add a token to the request, which is then read by the API. ${SECRET_VALUE} is pulled from a secrets vault…
Lachy
2 votes, 1 answer

Should I check Host header or ServerName for CSRF defense when serving behind proxies?

In a CSRF defense based on checking forbidden headers, should I check Origin/Referer header against the ServerName configuration directive, or is it sufficient to simply check against the HTTP Host header? I'm asking because I'm trying to make my…
DannyNiu
2 votes, 1 answer

Content-Secure-Policy headers

I am performing a security assessment on a web application and I found it doesn't have the Content-Security-Policy, but instead it has Content-Secure-Policy. It is literally the first time I'm seeing such a case and I would like to know: Are these…
2 votes, 1 answer

How to determine start and end bytes of LUKS header?

How can I determine the exact start byte and exact end byte of a LUKS header on a block storage device? I use Linux Unified Key Setup (LUKS) for Full Disk Encryption (FDE), so all of the data on my drive is encrypted using a strong master key that's…
2 votes, 1 answer

Is there any way to pretend like we are routing our request via cloudflare?

There is this Web App which uses cloudflare and to bypass certain things I had to find a way to access the actual web server directly. I tried numerous things and finally I think I have found the actual server's IP but seems like direct access to IP…
John
2 votes, 1 answer

Is there any way to keep the request in an intercepting proxy for at least a min before the application says check your connection?

I just bypassed SSL pinning on an android application but the problem is application won't let me play with the request on my intercepting proxy. It says something like problem with your network or check your internet connection, it might be slow.…
Sam
2 votes, 1 answer

Why should we not allow our pages to be loaded through an Iframe by unknown hosts?

One of OWASP's recommendations is to set the header X-Frame-Options to allow our pages to be loaded in Iframes only by sameorigin. One reason is because of phishing attacks; OK, I understand. But if I were an attacker and the target was configured to…
Vivi
2 votes, 3 answers

How to tell if an email source is spoofed?

I've received an email to my gmail account from FCMB, a bank in Nigeria (flashing warning lights already). It's not addressed to me (i.e., the email starts off "Dear Daniel," [not my name]). But the email address is mine. When I look at the…
Joel
2 votes, 2 answers

Flow of a host header injection attack?

I am new to this field and would like to know how the flow happens in a host header injection attack. I believe it's as below: Client generates the request. Attacker manipulates the request and changes the host header (to say example.com). Server…
2 votes, 2 answers

How do web browsers detect XSS attempts when the X-XSS-Protection header is enabled?

Simple question, but it is hard to understand: how do web browsers make the distinction between legitimate and malicious code when mode=block is enabled? Of course, I would like to know how each rendering engine works.
user2284570
2 votes, 1 answer

Should HTTP Security headers be configured for all servers?

I recognise the importance of configuring HTTP security headers (X-Frame-Options, X-XSS-Protection and X-Content-Type-Options) for web servers (and other internet-facing servers such as load balancers). But is this necessary for non-internet-facing…
ellefc