Is this HTTP authorization token secure?

I am new to backend development and have read about authorization methods such as Basic, Bearer and OAuth 2.0.
I haven't used any of these directly, but have used a token-based implementation.

User logs in with username and password -> if (correct) then generate token and send token to front end.
The token is an encrypted value of a combination of username, userID, a secret message and a random number calculated at runtime.
For the user to make any requests after logging in, they have to include the encrypted token in the header.

Since the HTTPS headers are encrypted, I can't think of a possible vulnerability in the system.

Currently I am just using a header with the name 'token' and the token value as its value. Should I use the header "Authorization: Bearer " or "Authorization: Basic token==" for any reason?
I want to know whether this is secure enough or whether there are better methods?
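For comparison with the custom 'token' header described above, here is what a minimal issue/verify path looks like with the standard Authorization: Bearer header. This is an added example in Python, not the poster's code; the in-memory store, the one-hour lifetime and the sha256-of-token storage are assumptions made for the example. The token itself is opaque randomness (it carries no username or ID), only its digest is kept server-side, and expiry and logout are handled by the server rather than by anything inside the token.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 3600  # assumed lifetime for the example

# Constructed in-memory store for the example: sha256(token) -> (user_id, expiry).
# Only the digest is stored, so a copy of this table does not yield usable tokens.
_TOKENS: Dict[str, Tuple[int, float]] = {}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_token(user_id: int, now: Optional[float] = None) -> str:
    """Called after the username/password check succeeds: mint an opaque token."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG; carries no user data
    _TOKENS[_digest(token)] = (user_id, now + TOKEN_TTL_SECONDS)
    return token


def parse_authorization(header: Optional[str]) -> Optional[str]:
    """Extract the credential from 'Authorization: Bearer <token>' (RFC 6750 syntax)."""
    if not header:
        return None
    scheme, _, credential = header.strip().partition(" ")
    credential = credential.strip()
    if scheme.lower() != "bearer" or not credential:
        return None
    return credential


def authenticate(headers: Dict[str, str], now: Optional[float] = None) -> Optional[int]:
    """Return the user id for a valid, unexpired token, else None."""
    now = time.time() if now is None else now
    token = parse_authorization(headers.get("Authorization"))
    if token is None:
        return None
    key = _digest(token)
    entry = _TOKENS.get(key)  # lookup is on the digest, so no timing leak on the raw token
    if entry is None:
        return None
    user_id, expiry = entry
    if now >= expiry:
        _TOKENS.pop(key, None)  # expired tokens are dropped on first use
        return None
    return user_id


def revoke(token: str) -> None:
    """Logout: invalidate the token server-side; keeping a store is what makes this possible."""
    _TOKENS.pop(_digest(token), None)
```

A request then carries `Authorization: Bearer <token>` and the handler calls `authenticate(request.headers)`; anything other than an integer user id is a 401.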

audit – Cookie secure flag with HSTS

We have a portal and are trying to win a big corporate client.

Our pentest showed that we don't have the Secure flag on an authentication cookie.

We use HSTS, however, with preload.

In the latest Chrome it looks good. In Firefox, the browser sends the cookie over HTTP when requested.

Is this a security issue? Compliance? GDPR?

Will this be a blocker for a corporate customer win?

It would be best if folks with experience of audits by big corporations could answer here.

I know it is an issue with FF.

Will this be seen as very bad? Be a deal breaker?

Bonus points for info on other browsers, i.e. Edge and IE, and how to possibly fix the FF behavior.

Thanks,
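The check the pentest ran and the fix it implies can be expressed as a small audit over response headers. This is an added example in Python, not the poster's portal or pentest tooling; the sample headers are constructed for the example, and the one-year max-age threshold is the preload list's minimum. Note that the two controls are independent: HSTS governs whether the browser upgrades requests to the host, while the Secure attribute governs whether the cookie is ever attached to a plain-HTTP request, so an auditor will look for the Secure flag on its own.

```python
import re
from typing import Dict, List, Tuple

ONE_YEAR = 31536000  # seconds; the HSTS preload list requires at least this max-age

# Constructed sample response headers for the example (not from the poster's portal).
SAMPLE_RESPONSE = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]


def _cookie_attrs(set_cookie: str) -> Tuple[str, Dict[str, str]]:
    """Split 'name=value; Attr; Attr=val' into the cookie name and a lower-cased attribute map."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_set_cookie(set_cookie: str) -> List[str]:
    """Findings a pentester would raise for one Set-Cookie header."""
    _, attrs = _cookie_attrs(set_cookie)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: the browser may send it over plain http://")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if "samesite" not in attrs:
        findings.append("missing SameSite")
    elif attrs["samesite"].lower() == "none" and "secure" not in attrs:
        findings.append("SameSite=None requires Secure")
    return findings


def audit_hsts(value: str) -> List[str]:
    """Findings for a Strict-Transport-Security header, measured against preload requirements."""
    findings = []
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    if not m:
        findings.append("missing max-age")
    elif int(m.group(1)) < ONE_YEAR:
        findings.append("max-age below one year")
    low = value.lower()
    if "includesubdomains" not in low:
        findings.append("missing includeSubDomains")
    if "preload" not in low:
        findings.append("missing preload directive")
    return findings


def harden_set_cookie(set_cookie: str, samesite: str = "Lax") -> str:
    """The fix: append the attributes a session cookie should carry, keeping existing ones."""
    _, attrs = _cookie_attrs(set_cookie)
    out = set_cookie.rstrip("; ")
    if "secure" not in attrs:
        out += "; Secure"
    if "httponly" not in attrs:
        out += "; HttpOnly"
    if "samesite" not in attrs:
        out += "; SameSite=" + samesite
    return out


def audit_response(headers: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each relevant header to its findings; a missing HSTS header is itself a finding."""
    report: Dict[str, List[str]] = {}
    saw_hsts = False
    for i, (key, value) in enumerate(headers):
        if key.lower() == "set-cookie":
            report[f"set-cookie[{i}]"] = audit_set_cookie(value)
        elif key.lower() == "strict-transport-security":
            saw_hsts = True
            report["hsts"] = audit_hsts(value)
    if not saw_hsts:
        report["hsts"] = ["missing Strict-Transport-Security"]
    return report
```

Running `audit_response(SAMPLE_RESPONSE)` flags the first cookie for the missing Secure and SameSite attributes and passes the second one; `harden_set_cookie` produces the second form from the first.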


Auto updating attack signature Firewall, WAF, IPS & IDS to secure Azure services?

We need to secure the Application Gateway and hundreds of APIs exposed to the Internet as part of our production environment. Using the existing built-in Azure services, how do we make it secure from unknown threats or 0-day attack exploits?

As per my understanding, we must manage or manually update the OWASP exploit default protection policy in the Application Gateway WAF settings.

Or, if there is no automated attack-signature update or dynamic heuristic update solution from Azure that can update the threat signatures dynamically, is there any 3rd-party vendor WAF+IPS/IDS or firewall appliance/service that can do it automatically?

PHP: Secure file upload for Pdf only

I am trying to create a secure file upload using PHP 7+ where I only allow PDF files.
I found a lot of posts on this topic on different websites but couldn’t find a complete solution that ensures that no harmful files can be uploaded this way.

So far I have the following.
Can someone tell me if I am missing any important steps here or if anything should be changed or removed in my code?

(Note: I am not interested in the old x-pdf file types.)

<?php
    include 'session.php';
    include 'header.php';

    if (empty($_FILES['files'])) {
        echo json_encode(['error' => 'No files found for upload.']);
        return;
    }

    if (!empty($_POST['csrfToken'])) {
        if (hash_equals($_SESSION['csrfToken'], $_POST['csrfToken'])) {
            $postData = $_POST;
            // The form uses <input type="file" name="files[]" multiple>, so every per-file
            // field ($files['name'], ['tmp_name'], ['error'], ...) is an array indexed by $i.
            $files = $_FILES['files'];
            // Whitelist-style cleanup of the query parameters: alphanumerics only
            // (commas are kept for the tag list).
            $uploadRef  = preg_replace('/[^A-Za-z0-9]/', '', $_GET['uploadRef'] ?? '');
            $categoryId = preg_replace('/[^A-Za-z0-9]/', '', $_GET['categoryId'] ?? '');
            $tags       = preg_replace('/[^A-Za-z0-9,]/', '', $_GET['tagsList'] ?? '');
            $success = null;

            $paths = [];
            $filenames = $files['name'];

            for ($i = 0; $i < count($filenames); $i++) {
                if ($files['error'][$i] !== UPLOAD_ERR_OK) {
                    die('Upload failed with error ' . $files['error'][$i]);
                }

                $fileTitle = $filenames[$i];
                $fileTitle = substr($fileTitle, 0, strrpos($fileTitle, '.'));
                $fileExtensions = explode('.', basename($filenames[$i]));
                $fileExtension = strtolower(array_pop($fileExtensions));
                // Extension check on the client-supplied name. (The original switch had no
                // break after the 'pdf' case, so it fell through into the die() in default.)
                if ($fileExtension !== 'pdf') {
                    die('Unknown/not permitted file type');
                }

                // Content sniffing on the temporary file, independent of the supplied name.
                $finfo = finfo_open(FILEINFO_MIME_TYPE);
                $mime  = finfo_file($finfo, $files['tmp_name'][$i]);
                finfo_close($finfo);
                if ($mime !== 'application/pdf') {
                    die('Unknown/not permitted file type');
                }

                // Server-generated name: the original filename never reaches the filesystem.
                // (uniqid() is time-based rather than random; random_bytes() would be stronger.)
                $uploadId = md5(uniqid()) . '_' . $i;
                $target = 'uploads' . DIRECTORY_SEPARATOR . $uploadId . '.' . $fileExtension;
                if (move_uploaded_file($files['tmp_name'][$i], $target)) {
                    $success = true;
                    $paths[] = $target;

                    // $dbHost, $dbUser, $dbPw, $dbName, $trans, $lang and $baseUrl come from the included files.
                    $conn = new mysqli($dbHost, $dbUser, $dbPw, $dbName);
                    if ($conn->connect_error) {
                        exit($trans['errorConnectionFailedTxt'][$lang]);
                    }
                    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
                    $conn->set_charset('utf8mb4');

                    // Parameterised insert; the metadata columns are the sanitised values above.
                    $stmt = $conn->prepare("INSERT INTO uploads (uploadId, uploadRef, categoryId, tags, fileTitle, fileExtension) VALUES (?, ?, ?, ?, ?, ?)");
                    $stmt->bind_param("ssssss", $uploadId, $uploadRef, $categoryId, $tags, $fileTitle, $fileExtension);
                    $stmt->execute();

                    // Note: this redirect is issued inside the loop, so the JSON echoed below never reaches the client.
                    header('Location: ' . $baseUrl . 'upload.php?status=uploadSuccess&lang=' . $lang);

                    $stmt->close();
                    $conn->close();
                } else {
                    $success = false;
                    break;
                }
            }

            if ($success === true) {
                $output = [];
            } elseif ($success === false) {
                $output = ['error' => 'Error while uploading files. Contact the system administrator'];
                // Roll back files already written in this request.
                foreach ($paths as $file) {
                    unlink($file);
                }
            } else {
                $output = ['error' => 'No files were processed.'];
            }

            unset($postData);

            echo json_encode($output);
        } else {
             echo json_encode('invalid CSRF token');
        }
    } else {
         echo json_encode('no CSRF token');
    }
?>

Many thanks in advance,
Tim
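The extension check and the MIME sniff in the code above are the two checks most answers to this kind of question recommend; the example below, added here and not part of Tim's post, shows a stricter content check in Python that a practitioner would add as a third layer. It requires the PDF signature at offset 0 (a sniffer that accepts "%PDF-" anywhere near the start would also accept a polyglot that begins as HTML or PHP), requires the %%EOF trailer, optionally rejects active-content markers, and generates the random storage name. The size cap, the marker list and the sample PDF bytes are constructed for the example; the active-content scan is a heuristic, since PDF names can be hex-escaped.

```python
import re
import secrets
from typing import Tuple

MAX_BYTES = 10 * 1024 * 1024  # assumed upload cap for the example
_HEADER = re.compile(rb"^%PDF-\d\.\d")
# PDF name objects that introduce active content; heuristic only, names can be hex-escaped.
_ACTIVE = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction")


def validate_pdf(data: bytes, original_name: str, allow_active: bool = False) -> Tuple[bool, str]:
    """Return (True, 'ok') or (False, reason) for an uploaded file claiming to be a PDF."""
    if not data:
        return False, "empty file"
    if len(data) > MAX_BYTES:
        return False, "file too large"
    # Same rule as the PHP: last dotted component, lower-cased, must be exactly 'pdf'.
    ext = original_name.rsplit(".", 1)[1].lower() if "." in original_name else ""
    if ext != "pdf":
        return False, "extension is not .pdf"
    # Signature must be at offset 0, not merely somewhere near the start of the file.
    if not _HEADER.match(data):
        return False, "no %PDF-x.y header at offset 0"
    if b"%%EOF" not in data[-1024:]:
        return False, "no %%EOF marker in the trailer"
    if not allow_active and any(marker in data for marker in _ACTIVE):
        return False, "PDF contains active content (JavaScript/Launch/OpenAction)"
    return True, "ok"


def storage_name() -> str:
    """Random server-side filename; the client's name is only ever stored as metadata."""
    return secrets.token_hex(16) + ".pdf"


# Constructed minimal PDF used as sample input (not a real upload).
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
```

In the PHP flow this check would sit between the finfo test and move_uploaded_file, reading the temporary file's bytes; on failure the temporary file is simply not moved.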

passwords – Is adding encryption before hashing more secure?

The general idea is that any secure process must be able to remain secure even if the process is known. In this scheme, you’ve just added a step: encryption.

But you have to accept that people will know that you’ve added encryption and what type. This means that you’ve only made the process of checking passwords just one step more difficult because there is that extra step.

This means that you’ve only made it a little more difficult to test passwords: hash(encrypt(password||salt))

Your better bet is to do what is suggested for best practice: multiple rounds of hashing.
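To make the point of the answer above concrete, here is an added Python example (not the answerer's code) that puts the two schemes side by side: hash(encrypt(password||salt)) with a known key, and iterated hashing. The "encryption" step is stood in for by an HMAC under a fixed server key rather than a real cipher, which is enough because the premise is that the attacker knows the step and its key; the key, the round count and the candidate list are constructed for the example. The dictionary attack needs the same number of guesses against both; what differs is only the cost per guess.

```python
import hashlib
import hmac
import os
from typing import Callable, Iterable, Optional, Tuple

# Key for the 'encryption' step. The premise is that an attacker holding the password
# database also knows this step and its key, so it is a fixed constructed value here.
SERVER_KEY = b"constructed-example-key"
ROUNDS = 100_000  # assumed PBKDF2 work factor

HashFn = Callable[[bytes, bytes], bytes]


def keyed_step(password: bytes, salt: bytes) -> bytes:
    """Stand-in for encrypt(password||salt): HMAC with the server key, not a real cipher."""
    return hmac.new(SERVER_KEY, password + salt, hashlib.sha256).digest()


def encrypt_then_hash(password: bytes, salt: bytes) -> bytes:
    """The scheme in the question: hash(encrypt(password||salt)), one fast extra step."""
    return hashlib.sha256(keyed_step(password, salt)).digest()


def iterated_hash(password: bytes, salt: bytes) -> bytes:
    """The answer's recommendation: many rounds, here PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, ROUNDS)


def store(password: bytes, hash_fn: HashFn) -> Tuple[bytes, bytes]:
    """Register a password: fresh random salt plus the stored digest."""
    salt = os.urandom(16)
    return salt, hash_fn(password, salt)


def verify(password: bytes, salt: bytes, stored: bytes, hash_fn: HashFn) -> bool:
    """Login check with a constant-time comparison."""
    return hmac.compare_digest(hash_fn(password, salt), stored)


def dictionary_attack(salt: bytes, stored: bytes, candidates: Iterable[bytes],
                      hash_fn: HashFn) -> Tuple[Optional[bytes], int]:
    """Attacker who knows the whole process (key included) tests guesses in order.

    Returns (recovered password or None, number of guesses spent)."""
    guesses = 0
    for candidate in candidates:
        guesses += 1
        if hmac.compare_digest(hash_fn(candidate, salt), stored):
            return candidate, guesses
    return None, guesses
```

Against both functions the attack recovers a weak password on the same guess; with `iterated_hash` each of those guesses costs ROUNDS HMAC evaluations instead of two, which is the only defence the storage scheme itself provides once the process is known.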

How do bonds in Secure Multi‐Party Lotteries work as described in Bitcoin and Cryptocurrency Technologies book

I have understood the details of it but I have a question related to claiming the bond.

We have two parties, Alice and Bob, and suppose the bond that Alice signs is [image of the bond transaction]

Now, if Alice reveals her value X, she will be able to get her bond money back. Suppose Bob won the lottery; how will he get the money from Alice, since she has already reclaimed her bond amount?
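The commit/reveal/bond mechanics the question refers to can be followed in a small accounting model. This is an added Python example, not the book's construction and not Bitcoin script: stake and bond amounts, the deadline and the "XOR of the low bits" coin flip are assumptions made for the example. What it shows is what the bond is for: a player who fails to open their commitment by the deadline forfeits the bond to the other player, while a completed reveal returns the bond and pays the pot to the winner.

```python
import hashlib
from typing import Dict, Optional

STAKE = 10      # each player's wager (assumed units)
BOND = 5        # each player's bond, forfeited on failure to reveal
DEADLINE = 100  # last time at which a reveal is accepted


def commitment(secret: bytes) -> bytes:
    """H(secret): what each player publishes before the draw."""
    return hashlib.sha256(secret).digest()


class LotteryModel:
    """Two-player commit/reveal lottery with bonds; a plain accounting model, not Bitcoin script."""

    def __init__(self, stake: int = STAKE, bond: int = BOND, deadline: int = DEADLINE):
        self.stake, self.bond, self.deadline = stake, bond, deadline
        self.commits: Dict[str, bytes] = {}
        self.revealed: Dict[str, bytes] = {}
        self.balances: Dict[str, int] = {}
        self.settled = False

    def join(self, name: str, balance: int, secret: bytes) -> None:
        """Lock stake + bond in escrow and publish H(secret)."""
        if balance < self.stake + self.bond:
            raise ValueError(f"{name} cannot cover stake + bond")
        self.balances[name] = balance - self.stake - self.bond
        self.commits[name] = commitment(secret)

    def reveal(self, name: str, secret: bytes, now: int) -> bool:
        """Accepted only before the deadline and only if it opens the commitment."""
        if now > self.deadline or commitment(secret) != self.commits.get(name):
            return False
        self.revealed[name] = secret
        return True

    def settle(self, now: int) -> Optional[str]:
        """Pay out. Returns the winner's name, or None if nothing was (or could be) settled."""
        if self.settled or len(self.commits) != 2:
            return None
        a, b = self.commits
        if a in self.revealed and b in self.revealed:
            # Both opened: coin flip from the XOR of the low bits; pot to winner, bonds refunded.
            bit = (self.revealed[a][-1] ^ self.revealed[b][-1]) & 1
            winner = a if bit == 0 else b
            self.balances[winner] += 2 * self.stake
            for p in (a, b):
                self.balances[p] += self.bond
            self.settled = True
            return winner
        if now > self.deadline:
            # Timeout: stakes go back to their owners; a player who did not reveal
            # forfeits the bond to the other player, which is what the bond is for.
            for p in (a, b):
                self.balances[p] += self.stake
            for p, other in ((a, b), (b, a)):
                self.balances[p if p in self.revealed else other] += self.bond
            self.settled = True
        return None
```

In this model the bond refund and the pot payout happen in one settlement step, so the ordering problem the question asks about (bond reclaimed before the pot is paid) does not arise here; that separation is a property of the transaction-based construction the book describes, which this model does not reproduce.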