http post – Public web tool to display the body of the request

Is there a public web endpoint that displays the data in the request body in a human-readable manner?

I have to present dynamic data which is sent via POST to non-technical people. I would like to show them the data in a format similar to what I get in the browser network inspector. I imagine sending my requests to a publicly accessible endpoint that would display the body of the request.

Will javascripts recovered using HTTP and HTTPS be cached separately?

Say if a web server supports both HTTP and HTTPS, if a browser retrieves a Javascript from this server using HTTP and HTTPS, and the script is cacheable, will the script be put cached separately, one for HTTP and one for HTTPS?

Is this behavior consistent for all types of browsers, and what about cache at the CDN and reverse proxy level?

http – Security considerations to consider when redirecting a microservice to another

enter the description of the image here

I'm evaluating the design of the service above where I want to have a mechanism to get a user through multiple microservices. In this simple example, the user goes through a registration process and once completed, the user is redirected to another microservice (B).

The session identifier for microservice A is stored in a session store. However, when the user is redirected to the microservice B, a new session identifier is generated by the microservice B and is therefore also stored in the session store.

This allows the user to go back and forth between the microservices. Are there security implications with this design?

Security – HTTP Web Page Displays "Not Secure" in Chrome

It is a measure to make the Web safer. In addition, it protects all visitors to your site. The long-term solution is to implement SSL on your websites because all websites will eventually have to adopt the use of SSL certificates.

According to the Google developer blog:

Finally, Chrome will display an unsecured warning for all pages served
via HTTP, whether or not the page contains sensitive information
input fields. Even if you adopt one of the most targeted resolutions
above, you must plan to migrate your site to use HTTPS for all
pages.

You absolutely need an SSL certificate. I am aware that they are too expensive at just about every registration desk. To save money, the Linux Foundation has a website that offers free SSL certificates, called * https://letsencrypt.org, although this route may be a little more laborious with respect to the Internet. installation rather than simple purchase from Godaddy.

burp suite – HTTP smuggling attacks – TE.CL against the site

So I created a website hosted on Amazon AWS and running AWSELB. I teach myself web application security while learning development. I have therefore checked with BurpSuite on the site. I discovered some XSS vulnerabilities, I checked them manually and corrected them, but I also got one for HTTP Request Smuggling. I have browsed the information provided by PortSwigger about it, and I think I understand the general idea, so, from what I see, the site may be vulnerable to TE.CL but I have trouble checking. The Burp tool tells me that the vulnerability is present depending on the following query and response:

Post /site/path HTTP/1.1
Host: www.somehost.com
Content-Type: application/x-www-form-urlencoded
Transfer-Encoding: Chunked
Content-Length: 26
Connection: keep-alive
Cookie: sessionid=; sessionid.sig=; AWSALB=;

f
7dj19=x&dsa8k=x
0

and the answer:

HTTP/1.1 504 Gateway Time-out
Server: awselb/2.0
Date: 
Content-Type: text/html
Content-Length: 550
Connection: keep-alive
Set-Cookie: AWSALB=; Expires=date GMT; Path=/


504 Gateway Time-out

504 Gateway Time-out

I've tried using the smuggler tool proposed by PortSwigger, but the 504 seems to be the only mistake that seems to indicate that it could be a vulnerability. of 504. I did some research, but I did not find any examples of this example. the answer that shows that the site is vulnerable to this kind of thing. If anyone could give advice, this would be very appreciated.
Thank you!

php – How to fix the error HTTP 406 Not Acceptable?

Thank you for contributing to Stack Overflow in Portuguese!

  • Make sure you respond to the question. Go into the details of your solution and share what you have found.

But to avoid

  • Ask for clarification or details of other answers.
  • Make statements based solely on your opinion; highlight previous references or experiences.

To learn more, read our tips for writing good answers.

authentication – Are compromises to put an authentication token in an http cookie only for a SPA worth it?

I'm building a web application (API + SPA Rails) to learn / have fun and I'm researching authentication. The most commonly recommended approach for authenticating SPAs that I have read is to place the authentication token (such as a JWT) in a secure HTTP cookie only for protect it from XSS. This seems to have some consequences:

But what is the real disadvantage of just storing the authentication token in the browser's storage memory (ie, session storage)? XSS becomes slightly more convenient for the attacker? Even with an HTTP-only cookie, the attacker can still use the authentication token by addressing requests directly from the site, because if there is an XSS vulnerability, it is not necessary to be able to read the token to use it.

It seems that the popular recommendation only complicates things to protect against the CSRF simply to make things a bit more difficult for the attacker in the case of XSS. Due to the amount of resources making these recommendations, I feel that I am missing something and I would appreciate any comments or clarification!

Here are some sources I've read that have been quite categorical against browser storage for authentication tokens:

Is there an application to share data with an HTTP / HTTPS POST?

I'm trying to send an audio recording of my Android to my website using the sharing menu.

Ideally, I would like an application that I can configure with a URL and that appears in the sharing menu. When I select the application sharing icon, the data is sent to the preconfigured URL during a POST operation.

Note: my question is not how to code it because I'm pretty sure I can do it. I ask if such an application already exists, because I just can not believe that someone has not yet written application to do it!

redirection – My site on the check showing a 403 error on HTTP

My website is working properly, but when I look up the https://httpstatus.io/, it shows the 403 error and, similarly, on the Google page information, it does not show the report.

My DNS website is currently on Cloudflare and I had previously installed the Cloudflare plugin in my WordPress and now I have uninstalled it.

If I deleted my Cloudflare website, the problem will be solved or not, or it will affect my website.

Any help is very appreciated. Thank you in advance.

The WordPress website has an SSL certificate but some HTTP elements (images)

  1. If you have a secure page (HTML transmitted over HTTPS) that calls an image or any resource from an unsecured source, the page will now be considered unsecure. … Mixed content affects how browsers display your web page.

  2. WordPress stores the URL of the complete image in its post database.

So, after converting the website to HTTPS, you must rewrite each src image of your messages with the new HTTPS address. In the backoffice, just delete the old image and replace it with the same thing.

If you have a large number of posts, some plugins could help you convert HTTP to HTTPS. Or ask a developer to replace them in the database.

Then, depending on the theme you use, the developer must also replace links to scripts, CSS … with HTTPS. But if you use an official or recent theme, it should already be good.