Questions tagged [http-proxy]

138 questions
47 votes, 3 answers

How can a website find my real IP address while I'm behind a proxy?

I just wonder how some websites like WhatIsMyIP find out what your real IP address is, even if you use a proxy server. It said: Proxy Detected and then they give your real IP address. Is it possible they use JavaScript to send HTTP request for not…
user13934
31 votes, 3 answers

Authenticating a Proxy server over HTTPS

When browsing to a website over HTTPS, the web browser typically does a lot of work in the background - negotiating a secure channel, validating the site's certificate, verifying the trust chain, etc. If your browser is configured to use a web…
AviD
22 votes, 6 answers

Securing web applications with only a reverse proxy

In order to secure its public HTTP API (so called REST), my client is asking me to implement a simple HTTP reverse proxy that will verify (OAuth 2.0) access tokens and forward HTTP requests to internal web services for processing. The idea is that…
Michael Técourt
14 votes, 1 answer

HTTP Caching Headers: private vs no-cache

We're currently reviewing our set of "no-cache" security headers: Cache-Control "no-cache, no-store, must-revalidate"; Pragma "no-cache"; Expires 0. Besides the "standard" set above, I found this article, recommending to combine "no-cache" and…
Th0mas
14 votes, 4 answers

How do proxy servers sniff data?

I live in a country in which most websites on the internet are blocked by the government, so we mostly use a wide variety of proxies such as Web proxies, VPN, SOCKS, and most of them are free. My question is: Is there any way those proxy servers sniff our data…
user13934
13 votes, 2 answers

Would a reverse-proxy authentication server be a secure setup?

I work at a small consultancy and we often make web apps for our clients. One part of the web app that is often repetitive to write is the authentication system. In a lot of our web apps we would like to support OAuth login from the various…
12 votes, 2 answers

httpoxy - does TLS/SSL mitigate the vulnerability of HTTP Proxy header?

There's a new fancy-named, branded vulnerability called HTTPOXY. My question here: Are sites served via TLS also affected? Or is this an issue only for HTTP sites (unencrypted communication channel)? EDIT: Added image to clarify the threat and the…
boleslaw.smialy
10 votes, 1 answer

Is basic HTTP proxy authentication secure?

I have been looking for cloud based proxies, and I notice that it's very common to authenticate to a proxy using basic auth over an unencrypted connection. I don't understand why this is considered acceptable. Is proxy authentication different than…
William Rosenbloom
10 votes, 2 answers

How does mobile free internet bypass work? (UBT / FBT)

I have encountered a mobile application named "HTTP Injector" which lets you get free internet access (UBT / FBT). The process to get it to work and receive free internet seems to be as follows: Guidance videos on YouTube show that an end user needs…
timorzainf
9 votes, 1 answer

Documented Best Practices for Reverse Proxy Implementation

I'm looking for some best practices documentation for implementation of a reverse proxy. We need to allow an internal database / web server incoming access to the outside world and are trying to determine the most efficient and secure method to…
Irongrave
9 votes, 3 answers

Are future TLS versions going to prevent traffic inspection?

Nowadays it is possible to inspect (unencrypt) TLS (HTTPS) traffic inside an organization. The mechanism consists in using a root CA that is configured in the web client and a network device that receives the HTTPS connections and forges an on-the-fly…
Eloy Roldán Paredes
8 votes, 1 answer

What Steps Does An Anonymous Artist Need To Take to Retain Anonymity?

I read these questions which had great information: How can I keep my identity anonymous as a website owner/administrator? and How much can I trust Tor?, however I wonder if this is too extreme for my situation. What I mean by this is I am not in…
user50178
7 votes, 1 answer

Restricting access to "hacking" sites and tools

I tried following a link from a post on this site and discovered that insecure.org is blocked by our internet proxy. What are the potential benefits and risks of allowing access to such sites to developers and architects and how might we mitigate…
JimmyJames
6 votes, 4 answers

Burpsuite: just passthrough firefox detect portal

When I enable Burpsuite's Proxy I continuously get HTTP GET requests for Firefox's detectportal as seen in the following image: How can I configure it to somehow just pass through these requests silently and just load the target URL? I tried these…
Dimitrios Desyllas
6 votes, 1 answer

How SSL/TLS handshake happens when we use Cloudflare Service?

I was reading about the offerings of Cloudflare and then I read about the working of Cloudflare. Based on my understanding, the domain name of my website (alice.com) is resolved to the IP address of Cloudflare Data Center which communicates with…
Shiv Sahni