
Questions tagged [http]

Definition: HTTP - the Hypertext Transfer Protocol - provides a standard for Web browsers and servers to communicate. The definition of HTTP is a technical specification of a network protocol that software must implement. HTTP is an application layer network protocol built on top of TCP. HTTP clients (such as Web browsers) and servers communicate via HTTP request and response messages. The three main HTTP message types are GET, POST, and HEAD.

0 votes
1 answer
114 views

Securely Transfer Files Between 2 Client Facing Systems

How do we securely transfer files using HTTP or another protocol in such a case? I have 2 apps, one behaves like a client and the other like a server. Both apps are publicly available. If I put any secret in the ...
Sangam
  • 111
1 vote
0 answers
115 views

HTTP headers needed for cross-origin communication with postMessage()/onmessage

I'm experimenting with Direct Sockets TCPServerSocket, TCPSocket, and UDPSocket in an Isolated Web App (IWA) on Chromium browser. The maintainers are trying to uphold the claim that a window can ...
guest271314
0 votes
1 answer
109 views

HTTP site security of reputable source [duplicate]

If I visit a website with an http address, and the publisher of the material is reputable, is there a security concern? In other words if I know the publisher of the website is not trying to attack me,...
Alex
  • 103
0 votes
3 answers
253 views

Is VPN really that required? [closed]

Cracking HTTP with TLS 1.3 would take longer than anyone's life. Some articles said cracking AES 256 by brute force would take around 2,158,000,000,000 years. With VPN, I can bypass geo-blocks - hide ...
MineOnlyDiamonds
0 votes
1 answer
146 views

Block all HTTP/80 traffic? [closed]

We are starting an initiative to remove all unsecure protocols. Logically, we would also need to block HTTP / Port 80. And this is where we cannot agree: Some say blocking http/80 is a bad idea. port ...
user3921232
7 votes
3 answers
2k views

Using public-key crypto for all HTTP requests of a session – bad idea?

I’m interested in using public-key cryptography for stateless authentication on websites. The current authentication standard is email + password. Passwords are bad because they can often be guessed, ...
Dennis Hackethal
12 votes
4 answers
6k views

Why are browser HTTP auth schemes stuck in 1999?

Chromium supports Basic, Digest, NTLM, and Negotiate HTTP authentication schemes. Of those, the newest is Negotiate, which was present no later than 1999, because IE5 supported it (!!!). I can't find ...
rtollert
  • 263
0 votes
2 answers
195 views

Session token shown in the log file

I'm working on a Java web application running on Tomcat. A session token is generated and stored in a cookie when a user authenticates. Unfortunately, when tracing is enabled, Tomcat dumps the value ...
Algiz
  • 111
1 vote
1 answer
854 views

Is it financially safe to use stripe for payment processing with the main website in http?

Stripe.com is a service that allows payment processing to be outsourced. In a similar way to Oauth this works by exchanging tokens. Of course, running one’s website on an unencrypted connection is ...
user2284570
  • 1,512
1 vote
0 answers
99 views

What is this hacker trying to do by accessing stack exchange specific URLs on my site? [closed]

Every week or so, I see a set of requests like this in my server logs: 191.218.140.7 POST /users/login?ssrc=site_switcher&returnurl=https%3a%2f%2fstackoverflow.com%2fusers%2f6333444%...
mousetail
5 votes
2 answers
2k views

How to allow a user to login via client X.509 certificate or username/password?

I have a niche website programmed by a volunteer. Like pretty much every website it's secured via TLS, and the main page doesn't let you do much except login via username & password or request an ...
JMacSD
  • 51
1 vote
1 answer
135 views

How to reset only TCP connections to my web server which are just TCP packets, but no further HTTP packets

How to reset only TCP connections to my web server which are just TCP packets, but no further HTTP packets. Let's say I have a web server and users connect via browser (so, flow would be TCP handshake ...
karthik reddy
1 vote
1 answer
797 views

How to securely allow localhost to access through CORS, without exposing it to anyone's localhost?

It is recommended to do this often in web apps: import { NextResponse } from 'next/server' import type { NextRequest } from 'next/server' // Define allowed origins const allowedOrigins = [ 'http://...
Lance Pollard
1 vote
1 answer
177 views

Testing for Broken Object Level Authorization (BOLA) vulnerabilities

I’m a security-conscious developer looking to improve the security of my web application. I’ve been researching Broken Object Level Authorization (BOLA) vulnerabilities and want to ensure that my ...
Jo Pan
  • 11
0 votes
0 answers
165 views

medusa error when running

I am attempting to perform basic pen testing. I successfully used hydra; however, I am having some issues with medusa... I keep getting a Segmentation fault after running the command, can anyone help ...
AnonymousGoose
