Archives for Web Applications
How attackers can bypass CloudFlare
Also read CloudFlare and CORS Whitelisting Introduction To ensure that the Origin Server denies all IPs except the CloudFlare IP (this will need to be AT the server level, not CloudFlare).…
CSRF protection for APIs?
High Level Overview Cookie-authenticated APIs versus Authorization headers What Is CSRF Protection for API Endpoints? CSRF stands for Cross-Site Request Forgery. It’s a type of web attack where a malicious…
How Can a Hacker Abuse Poor CORS Configuration?
Basic High Level Flow The attacker hijacks your authentication credentials (your cookie) - and uses that to call a sensitive API. If the API is callable from 'all origins', then…
File Transfer versus APIs
API vs File Transfer: Choosing the Right Method for Data Exchange APIs and file transfers are both widely used methods for data exchange between systems. While they serve a similar…
What the heck is CORS? Can CloudFlare help me with CORS security issues?
Why CORS Is Important (And How to Secure It) What is CORS and why is it important? CORS (Cross-Origin Resource Sharing)…
Preventing CORS – Server Explicitly Sets CORS Headers for an HTTP Request versus CloudFlare
How a Server Explicitly Sets CORS Headers for an HTTP Request A server explicitly sets CORS headers by including them in the HTTP response to a cross-origin request. These headers…
CloudFlare and Server Side Whitelisting for CORS
Overview The CORS headers need to be set explicitly on the server. For some websites, CloudFlare can be used to control CORS header logic at the edge. Note that you…
Securing Browser Cookies in Outbound SSO: Best Practices
In an outbound Single Sign-On (SSO) scenario, a user logs into Site 1, which then authenticates access to Site 2. During this…
Best Practices for Username Recovery and Password Reset
🔐 Best Practices for Password Reset, Username Recovery & MFA Code Recovery In a digital world increasingly reliant on secure access, users often face hurdles like forgotten passwords, misplaced…
CORS origin False Positives
Almost all CORS misconfiguration notifications are false positives. If you have checked "Access-Control-Allow-Origin: *", you will get these false positives. It needs to be set to "Access-Control-Allow-Credentials: true