“wss works on both http and https” ??? This is a strange phrase. wss is secure only because it means “WebSocket protocol over https“. WebSocket protocol itself is not secure. There is no Secure WebSocket protocol, but there are just “WebSocket protocol over http” and “WebSocket protocol over https”. See also this answer. As the … Read more

Is it possible to reverse a SHA-1 hash?

No, you cannot reverse SHA-1, that is exactly why it is called a Secure Hash Algorithm. What you should definitely be doing though, is include the message that is being transmitted into the hash calculation. Otherwise a man-in-the-middle could intercept the message, and use the signature (which only contains the sender’s key and the timestamp) … Read more

Is it safe to enable ”Access-Control-Allow-Origin: *“ (wildcard) for a public and readonly webservice?

Here’s something relevant from the Fetch spec (which defines CORS): Basic safe CORS protocol setup For resources where data is protected through IP authentication or a firewall (unfortunately relatively common still), using the CORS protocol is unsafe. (This is the reason why the CORS protocol had to be invented.) However, otherwise using the following header … Read more

How to redirect all HTTP requests to HTTPS using .htaccess rules?

The Apache docs recommend against using a rewrite: To redirect http URLs to https, do the following: <VirtualHost *:80> ServerName Redirect / </VirtualHost> <VirtualHost *:443> ServerName # … SSL configuration goes here </VirtualHost> This snippet should go into main server configuration file, not into .htaccess as asked in the question. This article … Read more

Is it OK to return a HTTP 401 for a non existent resource instead of 404 to prevent information disclosure?

Actually, the W3C recommends (RFC 2616 §10.4.4 403 Forbidden) doing the opposite. If someone attempts to access a resource, but is not properly authenticated, return 404 then, rather than 403 (Forbidden). This still solves the information disclosure issue. If the server does not wish to make this information available to the client, the status code … Read more

Using Symfony2’s AccessDeniedHandlerInterface

This sounds about right. Or, if you’re specifically interested in AccessDeniedException you could also define access_denied_handler within your firewall in security.yml: security: firewalls: my_firewall: # … access_denied_handler: kernel.listener.access_denied.handler # … Then define your service in your services.xml or equivalent: <parameters> <parameter key=””>Path\To\Your\Class</parameter> </parameters> <service id=”kernel.listener.access_denied.handler” class=””> <tag name=”kernel.event_listener” event=”security.kernel_response” method=”handle” /> </service> The handler class: … Read more