There is no right or wrong answer. There are numerous factors to consider: If this is for/in G-Suite, then your G-Suite admins’ll have (or can get) access to anything. This may or may not be an issue. If you put the data in a sheet, anyone that has read access to the sheet can see … Read more
You are right, the RSA signature size is dependent on the key size, the RSA signature size is equal to the length of the modulus in bytes. This means that for a “n bit key”, the resulting signature will be exactly n bits long. Although the computed signature value is not necessarily n bits, the … Read more
CSRF protection comes in a number of methods. The traditional way (the “Synchronizer token” pattern) usually involves setting a unique valid Token value for each request and then verifying that unique value when the request is subsequently sent in. It is usually done by setting a hidden form field. The token value is usually short … Read more
For quite a long time, there was no formal specification of the PEM format with regards to cryptographic exchange of information. PEM is the textual encoding, but what is actually being encoded depends on the context. In April 2015, the IETF approved RFC 7468, which finally documents how various implementations exchange data using PEM textual … Read more
In addition to the other reasons (especially performance related) you can only host a single domain per IP address* when using HTTPS. A single server can support multiple domains in HTTP because the Server HTTP header lets the server know which domain to respond with. With HTTPS, the server must offer its certificate to the … Read more
Edit: Some time around the end of 2014 a change in the Google Forms service invalidated this hack. Look at Is it possible to ‘prefill’ a google form using data from a google spreadsheet? and How to prefill Google form checkboxes? for a solution that relies on the Form methods. A Google Form, when shown … Read more
RedirectMatch as in e.g. RedirectMatch 404 /\. does the trick, it prohibits access to all files or directories starting with a dot, giving a “404 Not Found” error. From the Apache manual: “The Redirect[Match] directive maps an old URL into a new one by asking the client to refetch the resource at the new location.” … Read more
Decrypting the Authentication Cookie without needing the keys It’s worth noting that you don’t need to gain access to the keys to decrypt the authentication cookie. You simply need to use the right IDataProtector created with the right purpose parameter, and subpurpose parameters. Based on the CookieAuthenticationMiddleware source code https://github.com/aspnet/Security/blob/rel/1.1.1/src/Microsoft.AspNetCore.Authentication.Cookies/CookieAuthenticationMiddleware.cs#L4 it looks like the purpose … Read more
Passwords are hashed to 32, 40, 128, whatever length. The only reason for a minimum length is to prevent easy to guess passwords. There is no purpose for a maximum length. The obligatory XKCD explaining why you’re doing your user a disservice if you impose a max length: