security

How to remove ASP.Net MVC Default HTTP Headers?

Each page in an MVC application I'm working with sets these HTTP headers in requests:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-AspNetMvc-Version: 2.0
How do I prevent these from showing? ...

LTPA Token Not Changing

When I log out of an application on WebSphere and back on, the LTPA token is unchanged. I thought it would change because session tokens are supposed to be unpredictable. ...

Password change: Best practice

I'm writing Baby's First Web Application. My first task has been to set up an authentication system, which I think I've done okay on. I'm new to the whole thing, though, so: When the user reports that he's forgotten his password, I e-mail him a temporary replacement password in plain text. It's perhaps not the most secure way to handle ...

Will ASP.Net MVC's AntiForgeryToken Method work with Load Balancers?

Using ASP.Net MVC v2.0, I am starting to research the use of the Html.AntiForgeryToken() method when submitting forms that process data. I can see it sets a hidden value in the form HTML and it sets the same value in a session cookie. The question is will different web servers in a load balanced configuration create the same token in t...

Is there a way to rename the RequestVerificationToken cookie name?

Using ASP.net MVC v2.0, any way to change the name of the __RequestVerificationToken cookie? In an effort to conceal our underlying technology stack, I'd like to rename the cookie to something that can't be traced back to ASP.Net MVC. More info on this at Steve Sanderson's blog. ...

Hiding PHP Files Outside WWW for Security

I've got a "globabVars.php" doc in my own little framework that contains database connection vars etc... I'm thinking it would be neat to store it outside of the web facing directories to keep it a little more secure. But, then I was thinking, is it really THAT much more secure? I mean, if someone were able to look at my .php files as a whole...

Confused in my choice between (webOS, BADA and iPhone) vs Android.

So I was doing this comparative study between the application security model between Android and now I need a benchmark for it to compete against. The problem though is I am pretty new to mobile application development and barely know the names and probably used a phone or two in the process with each of the OSes. Now the dilemma I am in...

Problem with JSF forwarding and security constraint

I'm making a web application in which certain pages are login-protected. I have created a JDBC security realm in glassfish for this, and used Form authentication (Similar to the method described here) I'm using Navigation rules to redirect the user to the secured areas of the website: <navigation-case> <from-outcome>showResults...

Apache Shiro combined with LDAP

Hi guys, I integrated Apache Shiro with a dummy user and it works just fine! But this framework has no tutorials online?! It's very hard to get into it as a beginner. Can somebody help me with an LDAP integration? I have only found information that it is not that difficult :-/ I started with configuring the realm: [main] ...

Using SmtpClient.SendAsync causes an audit failure of type "Sensitive Privilege Use"

Hi, The code is: try { MailMessage message = new MailMessage(); SmtpClient client = new SmtpClient(); if (this.txtUserName.Text.Trim().Length > 0) { System.Net.NetworkCredential SMTPUserInfo = new System.Net.NetworkCredential(this.txtUserName.Text.Trim...

Should services ask for credentials at each request?

I wonder what is the optimal authentication method for services and webservices:
- user/password is sent on each request
- user/password is sent once to obtain an authentication code that will be sent on each request
Is there any alternative? Which is better? Why? ...

License scheme, spoof-safe and revoke capabilities

Hi, this is my first question so please be gentle... I am working on a software which I would like to protect using some kind of licensing scheme. A basic scheme would be to generate some "unique" key for a user. The user sends this key and a registration code when he wants to register the software and receives an activation code. Whe...

Secure isolated iFrame? Alternative?

Hello guys, I am running into a problem. I want to host an external page securely. Meaning, no JavaScript in the iFrame. Or it only executes safe code, such as changing the text of its page or setting the color of its page. And I want to keep CSS alive. They should look the same from the source, but, no malicious code running behind. No Active...

Policy for storing configuration files in SVN

The majority of our C# projects' configuration is kept in *.ini files. Mainly these files hold many sections affecting all aspects of the programs' behaviour. But besides regular configuration data, some sections are vulnerable, like the DB connection string or server password. We try to keep these sections in the following form: [Database] user=...

Kerberos on Java to connect to C# server

I have been introduced to a system with a C# client and server where the client connects using information set up by service reference. Basically I need to make the C# client, but with Java. It needs to still connect to the C# server, which uses authentication via Kerberos Service Principal Name. The tutorials that I have looked at aren...

Are there any guides/tutorials out there for creating a web application that deals with security/scalability/accessibility from the beginning?

I'm starting a new web application project that I would like to release into the wild, and I'm trying to get into the habit of following best practices early. Are there any good guides out there for creating a web application that can survive in the real world? Most tutorials I've seen thus far include setting up the model, controller,...

PHP - Server Side Validation - Is this a good method?

Hello all, I have done extensive client-side validation with the help of jQuery. Now, coming to the server-side validation, if I find some fields are not valid, can I simply return an error to the client without any useful message? My assumption is that the user has to enable JavaScript in order to access my webpage. The user will n...

Finding security problems in a given code

Hello guys, Can someone please tell me an approach for finding security flaws in a given code. For ex: in a given socket program. Any good examples or good book recommendations are welcome. Thanks & Regards, Mousey ...

Rails security on production server

I am putting my first Rails app on the internet. I have read the Rails guide on security and have implemented the points listed in there, but was interested to hear of anything else? Also, I currently store my uploads in public/documents; is this ok? I noticed there is no htaccess file protecting the directory. ...

Is HTML Email Obfuscation safe enough to stop bots?

I know that most JavaScript email obfuscation solutions stop bots dead in their tracks - but sometimes it's hard to use/insert JavaScript in places. To that end I was wondering if anyone knew if the bots were smart enough to translate HTML entities in HEX and DEC into valid email strings? For example, let's say I have a function that ra...