I'm creating a project where a user can login or signup, but I just found out a security flaw. First let me tell the flow when a user received a token from the server, A user can signup or login,…
I am building a cross-platform app and using PHP and MySQLi. Users sign up with either their Facebook account or phone number. If they choose phone number, they enter their number and an SMS is sent containing the verification code.…
I have stacked over the problem where I cannot understand how organisation secure theirs public apis from any person who collects data. I know we use passport and other ways of auth tokens in order to protect private info from…
I just migrated my Website to a new server using Plesk. Firewall (Modsecurity) is enabled by default on Plesk. But looking at the log, I found this message repeated several times : ModSecurity: Warning. Operator GE matched 4 at TX:outgoing_points.…
The following works fine for allowing PHP to be executed on two XML files: <FilesMatch ^(opensearch|sitemap).xml$> AddHandler application/x-httpd-php5 .xml </FilesMatch> However unfortunately this rule would allow this to happen in any child directory as well. /opensearch.xml, working/desired match /henchman24/opensearch.xml, working/NOT…
I am building a node.js web application with react for the the GUI and graphQL served with Apollo for the back-end connecting to a RDS (MySQL) instance on AWS. I am authenticating users and then returning JWTs. I have it…
In relation to How to create a secure login system using cookies and sessions? I'm building a simple forum, spending my time securing $_SESSION => hashing as mindful person about security but simple one because my future website will be…
in reference to this documentation https://httpd.apache.org/docs/2.4/howto/access.html and https://httpd.apache.org/docs/2.4/mod/mod_authz_host.html#requiredirectives , in which file should the directives be inserted? e.g. 'Require ip 127.0.0.1' I'm talking about configuration of apache2 in debian, I want limit access for all except for 127.0.0.1, localhost. Thanks
Some hacker has been annoying me today by succesfully altering my database with a certain type of DOM injection, using automated scripts. I fixed my website, but on top of that I want to redirect future hacking attempts to a…
We've got OpenSSL 1.1.1d installed on a windows server 64 Bit running Apache 2.4.*. Everything was working fine until recentlly (Jan 2020) when our daily PCI scan failed with the following synopsis: The remote service is affected by Multiple Vulnerabilities.…