Thursday, May 16, 2019
Monday, May 13, 2019
Saturday, January 16, 2016
Saturday, May 2, 2015
Attached a list of a recommended security HTTP Response Headers: Access-Control-Allow-Origin – e.g. Access-Control-Allow-Origin: http://test.example.com Access-Control-Expose-Headers Cache-Control Content-Disposition – e.g. Content-Disposition: attachment; filename=myfile.html Content-Encoding – e.g. Content-Encoding: gzip Content-Length – e.g. Content-Length: 103 Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP – e.g. Content-Security-Policy: default-src 'self' Content-Security-Policy-Report-Only (For debugging purpose only) – e.g. Content-Security-Policy-Report-Only: default-src 'self'; report-uri http://test.example.com/test.aspx Content-Type – e.g. Content-Type: text/plain Expires P3P Public-Key-Pins – e.g. Public-Key-Pins: pin-sha384="<sha384>"; pin-sha384="<sha384>"; max-age=15768000; includeSubDomains Set-Cookie Strict-Transport-Security – e.g. Strict-Transport-Security: max-age=16070400; includeSubDomains X-Content-Type-Options – e.g. X-Content-Type-Options: nosniff X-Download-Options – e.g. X-Download-Options: noopen X-Frame-Options, Frame-Options – e.g. X-Frame-Options: deny...
Friday, May 1, 2015
The following article cover the main steps that need to be taken to Secure HTTP Cookies. Cookie Name = Random Name that change each session (e.g. 256 Bit GUID)Domain = Web Site FQDN (Fully Qualified Domain Name Path = / (or any relative directory)Secure = TrueHttpOnly = TrueExpire = ASAP (As Soon as Possible) Please Note: 1. Avoid a situations where sensitive information is saved in the HTTP cookie. In special cases, encrypt the the sensitive information that is stored in the HTTP cookie by using AES 256 Bit algorithm. The encryption key should be replaced...
Tuesday, April 28, 2015
The following best practices cover the main settings that need to be set to avoid caching locally a sensitive information such as: credit cards details, authentication cookie, etc. 1. HTTP/1.1 Cache-Control: private, no-cache, no-store, must-revalidate, pre-check=0, post-check=0, max-age=0, s-maxage=0 Expires: 0 2. HTTP/1.0 Pragma: no-cache Note: Its highly recommended to disallow the use of HTTP/1.0 in the client and the server side. 3. HTTP/2 HTTP/2 offer a compliance to HTTP/1.1 standards in a variety of areas. Due this, HTTP/1.1 HTTP Cache Control Headers can be applied to HTTP/2 traffic. However, due the fact that currently HTTP/2...