The whole lot is encrypted† – all the headers. That’s why SSL on vhosts doesn’t work too well – you need a dedicated IP address because the Host header is encrypted. †The Server Name Identification (SNI) standard means that the hostname may not be encrypted if you’re using TLS. Also, whether you’re using SNI or … Read more
If you are doing something like writing HTML and Javascript in a code editor on your personal computer, and testing the output in your browser, you will probably get error messages about Cross Origin Requests. Your browser will render HTML and run Javascript, jQuery, angularJs in your browser without needing a server set up. But … Read more
This is bcrypt: Generate a random salt. A “cost” factor has been pre-configured. Collect a password. Derive an encryption key from the password using the salt and cost factor. Use it to encrypt a well-known string. Store the cost, salt, and cipher text. Because these three elements have a known length, it’s easy to concatenate … Read more
Encrypting the session value will have zero effect. The session cookie is already an arbitrary value, encrypting it will just generate another arbitrary value that can be sniffed. The only real solution is HTTPS. If you don’t want to do SSL on your whole site (maybe you have performance concerns), you might be able to … Read more
We need to store the JWT on the client computer. If we store it in a LocalStorage/SessionStorage then it can be easily grabbed by an XSS attack. If we store it in cookies then a hacker can use it (without reading it) in a CSRF attack and impersonate the user and contact our API and … Read more
Authentication is the process of ascertaining that somebody really is who they claim to be. Authorization refers to rules that determine who is allowed to do what. E.g. Adam may be authorized to create and delete databases, while Usama is only authorised to read. The two concepts are completely orthogonal and independent, but both are … Read more
I think it’s well explained here — quoting just the key sentences of the long article: The general concept behind a token-based authentication system is simple. Allow users to enter their username and password in order to obtain a token which allows them to fetch a specific resource – without using their username and password. … Read more
Updated Answer If you are using the following Windows versions or later: Windows Server 2012, Windows Server 2012 R2, or Windows 8.1 then MakeCert is now deprecated, and Microsoft recommends using the PowerShell Cmdlet New-SelfSignedCertificate. If you’re using an older version such as Windows 7, you’ll need to stick with MakeCert or another solution. Some … Read more
Yes. The querystring is also encrypted with SSL. Nevertheless, as this article shows, it isn’t a good idea to put sensitive information in the URL. For example: URLs are stored in web server logs – typically the whole URL of each request is stored in a server log. This means that any sensitive data in … Read more
My favourite CAPTCHA ever: