Issue: I have a REST API which was developed with the LoopBack framework, and my datastore is MSSQL. What are my options for an API gateway which is easy to integrate? Kindly suggest. Solution: I was referring to any API gateway such as
Tag: security
Which are safe methods and practices for string formatting with user input in Python 3?
Issue: (My understanding) From various sources, I have come to the understanding that there are four main techniques of string formatting/interpolation in Python 3 (3.6+ for f-strings): formatting with %, which is similar to C's printf; the str.format() method; formatted
Can a Python view template be made to be 'safe/secure' if I make it user editable?
Issue: Say I need to have a templating system where a user can edit it online using an online editor, so they can put if tags, looping tags etc., but ONLY for specific objects that I want to inject into
Securely instantiate PHP class from URL GET parameter?
Issue: I've written a little code snippet that should instantiate a PHP class based on a GET parameter. (Code edited based on the suggestions from @sietse85 and @CBroe:) $this->pageVal = preg_replace('/[^A-Za-z]/', '', filter_input(INPUT_GET, 'page')) ? preg_replace('/[^A-Za-z]/', '', filter_input(INPUT_GET, 'page')) : "index"; $file
Is it possible to set up single sign-on for a single-page application that will initiate the SSO from an arbitrary (not pre-approved) domain?
Issue: Our scenario is the following: we have an SPA that we package and send to multiple customers. The customers host the SPA on an arbitrary domain like www.unknown.com/spa/anything-goes, or www.also-unknown.com/spa/really-anything-goes, etc. The customer also opens the SPA in a
Okta not redirecting due to insecure connection
Issue: I got a request from the partner website to establish SSO with them and they provided their Okta keys to us. Vue.use(Auth, { issuer: 'https://{theirURL}.com/', clientId: '{theirCliendId}', redirectUri: 'http://localhost:8080/auth/callback', scope: 'openid profile email' }) let token = {}; const
How can I fully trust a SAML IDP?
Issue: My web application is allowing SSO via SAML authentication and I am doing the development now. The idea is that this bypasses my application's local authentication and the user is automatically authenticated once they authenticate with the SAML IDP.
What are the best practices for internal security standards in companies with large SAP investments?
Issue: I work in a large company, and I'm interested in best practices for internal security standards. We have a large ($500 million +) investment in SAP, and we also have .NET and a bit of Java EE in our
Security access in NativeScript Angular app
Issue: I'm starting to learn NativeScript Angular (I'm used to developing web apps/websites using Angular) and I'm still kind of confused on how to create some restricted access in the NativeScript app, or to restrict a specific route and/or sets of
Do I need Backend-for-Frontend if I am using a framework like Angular?
Issue: I am using Angular for my frontend application; there is an already established backend service which I am using to retrieve data. I have no control over that backend service; it is more like a legacy system that is
Does a *.example.com for a Content-Security-Policy header also match example.com?
Issue: Say I have this header set on mywebsite.com: Content-Security-Policy: script-src 'self' https://*.example.com. I know it will allow https://foo.example.com and https://bar.example.com, but will it allow https://example.com alone? Looking at the spec... Hosts such as example.com (which matches any resource on
How to pass the main website's secured session cookie to a web worker and use it there to call APIs
Issue: We use a secure session cookie and the back end sets the cookie through the login API. HTTP requests are cross-origin. I want to use web workers to do some calculations and call certain APIs. Cookies will be lost in web
Can npm show me the age of packages before installing them?
Issue: In light of recent malware in existing npm packages, I would like to have a mechanism that lets me do some basic checks before installing new packages or updating existing ones. My main issues are both the packages I
How to disable third-party cookies for <img> tags?
Issue: Is there any solution to disable cookies for images loaded from third-party domains using HTML5 or JavaScript techniques? I'm looking for something similar to the sandbox attribute for the <iframe> tag, or the referrerpolicy or crossorigin attributes for the <img> tag. Solution: Update: This
Disable TLS 1.0 & 1.1 OR only use TLS 1.2 and greater in Node.js Express
Issue: How can I block TLS 1.0 and TLS 1.1 on my Node.js Express server? I'm using a traditional server setup script: const app = express(); export const server = app.listen(3000); I'm slightly confused why I couldn't find any documentation
Prevent multiple logins from the same user in a React Node app
Issue: I am unable to understand what I should do to prevent multiple logins of the same user. I am using Google login with Firebase in my React Node app with a JWT token. How to make the user logged out if login
How to avoid "timeout when waiting for 3rd party check iframe message" with Keycloak and Angular
Issue: I'm trying to secure an Angular app with a Keycloak server. I've followed some tutorials that give more or less the same instructions in order to do so, but I got stuck with the following error: Timeout when waiting
How to password protect a static website? (without htaccess)
Issue: I have a static website that I want to protect with a username and/or password like Apache's htaccess does, but I don't want to host an Apache server for it to work. How can I achieve this without frontend
CodeIgniter – why use xss_clean
Issue: If I'm sanitizing my DB inserts, and also escaping the HTML I write with htmlentities($text, ENT_COMPAT, 'UTF-8'), is there any point in also filtering the inputs with xss_clean? What other benefits does it give? Solution: xss_clean() is extensive,
Electron contextBridge returns undefined
Issue: I've got these 4 project files: main.js, preload.js, renderer.js, index.html. Node: 17.4.0, Electron: 18.2.0. I'm attempting to open a text file on my filesystem, triggered by a click event from renderer.js, then load the text file's contents into
How worried should I be about opening up a JWT to an XSS vulnerability?
Issue: I am building a Node.js web application with React for the GUI and GraphQL served with Apollo for the back end, connecting to an RDS (MySQL) instance on AWS. I am authenticating users and then returning JWTs. I have
Angular: avoid inline JavaScript
Issue: I'm in charge of building an application with Angular 12.0.5. Our development guidelines state that we are not allowed to use inline JavaScript and that we have to use a Content Security Policy that prevents inline JavaScript. Therefore I
Memory leaks sensitive information – Ionic
Issue: In our application, during the security testing, they were able to get the request and response details from the memory dump. Please find the following details they were able to get from the dump; is there any option or
What is CSS injection and how to prevent it?
Issue: I have heard my friend talking about this vulnerability called "CSS Injections". However, I have no idea what this is, and as soon as I heard it I thought, how could one possibly do any malicious activity or an
Restrict user from viewing source of HTML
Issue: Is there any way by which I can restrict the user from viewing the page source for an HTML page, or an alternate way to encrypt all data of an HTML page, especially for HTML forms? Solution: There is no way. You can
This document requires 'TrustedScriptURL' assignment
Issue: After adding require-trusted-types-for 'script'; in my Content-Security-Policy header, which was introduced from Chrome 83 Beta to help lock down DOM XSS injection sinks, when I open my website it becomes a blank page. I got many of these three kinds of
Is there a way to include multiple SecureRoutes in React?
Issue: I have a working auth integration into a React app with Okta, and I have 2 routes that require authentication in order to render. The authentication part is working as expected; however, it appears that the login controls are
Does npm's package audit use OWASP?
Issue: Does npm's internal npm audit command use the OWASP security standards when assessing packages for vulnerabilities? Is there any background information on how npm's packages get audited? Solution: OWASP security standards, as its name suggests, is only a compilation
main.xxxxxxxxxxxx.js in build file contains img src=x onerror=alert(1) which is related to XSS vulnerability. Is there a way to get rid of it?
Issue: While making a production build in Angular, the main.xxxxxxxx.js created contains the code <img src="</style><img src=x onerror=alert(1)"//>, which we can find by doing Ctrl + F. I have confirmed the behaviour in multiple projects including the boilerplate one. Since this
ui-router resolve vs .run for security
Issue: I am curious as to what others are doing in regards to route security for their applications. At first we implemented our security by calling our security service from the .run method in Angular: app.run(function ($rootScope, $state, SecurityService){ SecurityService.initSecurity().then(function(data){});
Safety of allowing custom CSS stylesheets for a JavaFX program
Issue: I am planning to allow users of my JavaFX program to select a custom CSS stylesheet, so that they can fully customize their UI layout and design. I am wondering whether this is a safe idea as I am
How to fix the vulnerabilities in npm if I cannot upgrade the major version of a dependency?
Issue: I have a high risk vulnerability from npm audit --production. This is a dependency of snowflake-sdk. But I checked the snowflake GitHub and it has "requestretry": "^6.0.0" in the package.json, which means it doesn't support requestretry 7.0.0. Is there any other way
GitHub Dependabot alert: Inefficient Regular Expression Complexity in nth-check
Issue: Possible duplicate, but couldn't find any clear answers. Dependabot cannot update nth-check to a non-vulnerable version. The latest possible version that can be installed is 1.0.2 because of the following conflicting dependency: react-scripts@5.0.0 requires nth-check@^1.0.2 via a transitive dependency
Is there a yarn alternative for npm audit?
Issue: I need the pinned resolution feature of yarn, but also want to audit with npm audit. Is there a yarn alternative to npm audit? Or, alternately, will pinning resolutions of dependencies of dependencies work in npm? Solution: yarn audit / yarn
Found 4 vulnerabilities on npm install
Issue: I am just getting started with react-native. On installing this package, npm install --save react-native-validator-form (https://github.com/NewOldMax/react-native-validator-form/issues/3), I was prompted to npm audit and I was shown 4 vulnerabilities (listed above). After running the 2 helper commands, I was prompted