Passing a value to standard input in Bash is as simple as: your-command <<< “$your_variable” Always make sure you put quotes around variable expressions! Be cautious, that this will probably work only in bash and will not work in sh.
“wss works on both http and https” ??? This is a strange phrase. wss is secure only because it means “WebSocket protocol over https“. WebSocket protocol itself is not secure. There is no Secure WebSocket protocol, but there are just “WebSocket protocol over http” and “WebSocket protocol over https”. See also this answer. As the … Read more
The collision resistance property of MD5 has been broken for a long time. Note that that preimage resistance and second preimage resistance have not yet been cracked, however as there are better algorithms out there (SHA-2) it would be wise to move to these rather than relying on a cryptographic hash that has already begun … Read more
No, you cannot reverse SHA-1, that is exactly why it is called a Secure Hash Algorithm. What you should definitely be doing though, is include the message that is being transmitted into the hash calculation. Otherwise a man-in-the-middle could intercept the message, and use the signature (which only contains the sender’s key and the timestamp) … Read more
Here’s something relevant from the Fetch spec (which defines CORS): Basic safe CORS protocol setup For resources where data is protected through IP authentication or a firewall (unfortunately relatively common still), using the CORS protocol is unsafe. (This is the reason why the CORS protocol had to be invented.) However, otherwise using the following header … Read more
The Apache docs recommend against using a rewrite: To redirect http URLs to https, do the following: <VirtualHost *:80> ServerName www.example.com Redirect / https://www.example.com/ </VirtualHost> <VirtualHost *:443> ServerName www.example.com # … SSL configuration goes here </VirtualHost> This snippet should go into main server configuration file, not into .htaccess as asked in the question. This article … Read more
Actually, the W3C recommends (RFC 2616 §10.4.4 403 Forbidden) doing the opposite. If someone attempts to access a resource, but is not properly authenticated, return 404 then, rather than 403 (Forbidden). This still solves the information disclosure issue. If the server does not wish to make this information available to the client, the status code … Read more
This sounds about right. Or, if you’re specifically interested in AccessDeniedException you could also define access_denied_handler within your firewall in security.yml: security: firewalls: my_firewall: # … access_denied_handler: kernel.listener.access_denied.handler # … Then define your service in your services.xml or equivalent: <parameters> <parameter key=”kernel.listener.security.class”>Path\To\Your\Class</parameter> </parameters> <service id=”kernel.listener.access_denied.handler” class=”%kernel.listener.security.class%”> <tag name=”kernel.event_listener” event=”security.kernel_response” method=”handle” /> </service> The handler class: … Read more
Yes, the transfered data is still sent encrypted. -k/–insecure will “only make” curl skip certificate validation, it will not turn off SSL all together. More information regarding the matter is available under the following link: curl.haxx.se – Details on Server SSL Certificates
The HTTP RFC states, in section 15.1.3 Encoding Sensitive Information in URI’s : Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol. So, this is expected / standard behaviour.