If you think URLs can’t contain code, think again! https://owasp.org/www-community/xss-filter-evasion-cheatsheet Read that, and weep. Here’s how we do it on Stack Overflow: /// <summary> /// returns “safe” URL, stripping anything outside normal charsets for URL /// </summary> public static string SanitizeUrl(string url) { return Regex.Replace(url, @”[^-A-Za-z0-9+&@#/%?=~_|!:,.;\(\)]”, “”); }
Add this to your global.asax.cs: protected void Application_PreSendRequestHeaders() { Response.Headers.Remove(“Server”); Response.Headers.Remove(“X-AspNet-Version”); Response.Headers.Remove(“X-AspNetMvc-Version”); }
EDIT (2016): use Argon2, scrypt, bcrypt, or PBKDF2, in that order of preference. Use as large a slowdown factor as is feasible for your situation. Use a vetted existing implementation. Make sure you use a proper salt (although the libraries you’re using should be making sure of this for you). When you hash the passwords … Read more
Okay, I take back what I commented earlier. Just talked to one of the senior guys in my shop and he said it is possible to lock it down hard. What you can do is convert the pdf to an image/flash/whatever and wrap it in an iFrame. Then, you create another image with 100% transparency … Read more
As of 2010, all modern, current-ish browsers cache HTTPS content by default, unless explicitly told not to. It is not required to set cache-control:public for this to happen. Source: Chrome, IE, Firefox.
Hiding a salt is unnecessary. A different salt should be used for every hash. In practice, this is easy to achieve by getting 8 or more bytes from cryptographic quality random number generator. From a previous answer of mine: Salt helps to thwart pre-computed dictionary attacks. Suppose an attacker has a list of likely passwords. … Read more
It should suffice to say whether bcrypt or SHA-512 (in the context of an appropriate algorithm like PBKDF2) is good enough. And the answer is yes, either algorithm is secure enough that a breach will occur through an implementation flaw, not cryptanalysis. If you insist on knowing which is “better”, SHA-512 has had in-depth reviews … Read more
Security through obscurity would be burying your money under a tree. The only thing that makes it safe is no one knows it’s there. Real security is putting it behind a lock or combination, say in a safe. You can put the safe on the street corner because what makes it secure is that no … Read more
Salt is traditionally stored as a prefix to the hashed password. This already makes it known to any attacker with access to the password hash. Using the username as salt or not does not affect that knowledge and, therefore, it would have no effect on single-system security. However, using the username or any other user-controlled … Read more