security archive

Posted by scott

New York Times Claims HTML5 is a "Pandora's Box" of Privacy Risks

Alarmist rhetoric from news organizations about the web is nothing new, but today's front-page headline on the New York Times still caught my eye: "Web Code Offers New Ways to See What Users do Online." It's about HTML5 privacy risks, and it's a load of crap. Read More…

Posted by dylan

URL Shorteners Must Die

URL shorteners (such as bit.ly and tinyurl) have been called the "herpes of the web". Beyond link-rot, a public shortening service is, by construction, an open redirect: anyone can mint a link on a reputable-looking domain that sends the visitor anywhere. Their ubiquity makes them an easy vector for spammers, phishers, and cross-site request forgery attacks. Joshua Schachter writes: "With a shortening service, you're adding something that acts like a third DNS resolver, except one that is assembled out of unvetted PHP and MySQL, without the benevolent oversight of luminaries like Dan Kaminsky and St. Postel." Luckily, you don't have to contribute to this scourge. Read More…

Posted by dylan

Using JSONP Safely

JSONP is a way to make cross-domain requests from JavaScript. It takes advantage of a loophole in the browser's same-origin policy: a <script src="http://anywhere.com/data.jsonp"></script> tag may load a script from any origin, and whatever it loads runs with the full privileges of your page. This differs from normal AJAX (XMLHttpRequest) requests, which are only allowed to talk to the same origin as the page you are viewing. Unfortunately, many guides to implementing this technique in PHP contain a dangerous security flaw. Can you spot it? Read More…
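The flaw the guides share, shown as an added example (this is not code from the original post): the callback name is read from the query string and echoed into the response unvalidated. Because PHP answers with Content-Type: text/html unless told otherwise, a request like data.php?callback=<script>alert(document.cookie)</script> renders attacker-supplied markup on your origin, a textbook reflected XSS. The hardened handler beside it restricts the callback to an identifier, declares the body as script and forbids sniffing. The $data payload and the probe callback are constructed for this example.

```php
<?php
// Added example (not code from the original post): the flaw common to PHP
// JSONP guides, beside a hardened handler. $data and the probe callback
// below are constructed for this example.

// Vulnerable form, as many guides show it: the callback is echoed verbatim.
function jsonp_vulnerable(array $data, $callback)
{
    return $callback . '(' . json_encode($data) . ')';
}

// Accept only something shaped like a JavaScript identifier, optionally
// dotted (e.g. "App.handlers.load"), and keep it short.
function jsonp_callback_is_valid($callback)
{
    if (!is_string($callback) || strlen($callback) > 64) {
        return false;
    }
    $identifier = '[A-Za-z_$][A-Za-z0-9_$]*';
    return preg_match('/^' . $identifier . '(\.' . $identifier . ')*$/', $callback) === 1;
}

// Hardened form. Returns the response body and fills $headers with the
// headers the caller should emit; a bad callback yields a 400 and no body.
function jsonp_safe(array $data, $callback, &$headers)
{
    $headers = array();
    if (!jsonp_callback_is_valid($callback)) {
        // Refuse rather than fall back to a default name: a rejected request
        // is a probe worth logging, and real clients always send a valid name.
        $headers[] = 'HTTP/1.1 400 Bad Request';
        return '';
    }
    // Declare the body as script and forbid MIME sniffing, so a browser that
    // opens the URL directly never interprets it as HTML.
    $headers[] = 'Content-Type: application/javascript; charset=utf-8';
    $headers[] = 'X-Content-Type-Options: nosniff';
    // JSON_HEX_TAG encodes < and > as \u003C and \u003E, so a value containing
    // "</script>" cannot break out if this body is ever inlined into a page.
    $json = json_encode($data, JSON_HEX_TAG | JSON_HEX_AMP);
    // The leading comment means the body never begins with attacker-chosen
    // bytes; this is the prefix used to defeat the Rosetta Flash technique.
    return '/**/' . $callback . '(' . $json . ');';
}

$data = array('user' => 'alice', 'id' => 42);

if (PHP_SAPI === 'cli') {
    // Stand-alone demonstration: php jsonp.php
    $probe = '<script>alert(document.cookie)</script>';
    $h = array();
    echo "vulnerable:  ", jsonp_vulnerable($data, $probe), "\n";
    echo "safe, probe: ", var_export(jsonp_safe($data, $probe, $h), true), '  ', implode(' | ', $h), "\n";
    echo "safe, ok:    ", jsonp_safe($data, 'App.handlers.load', $h), '  ', implode(' | ', $h), "\n";
} else {
    // Web context: the real handler, reading the callback from the query string.
    $callback = isset($_GET['callback']) ? $_GET['callback'] : '';
    $h = array();
    $body = jsonp_safe($data, $callback, $h);
    foreach ($h as $header) {
        header($header);
    }
    echo $body;
}
```

Run from the command line to see the two outputs side by side: the vulnerable handler returns the probe's <script> element followed by the JSON, which a browser would execute if served as text/html; the hardened one answers the probe with a 400 and returns /**/App.handlers.load({...}); only for a well-formed name. Validating the callback is necessary but not sufficient on its own: the Content-Type and nosniff headers are what stop a direct visit to the endpoint from being treated as a page.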

Posted by dylan

Running Drupal Secure Pages behind a proxy

If you plan to use the securepages module behind a proxy that terminates SSL, there are some additional server configuration steps you need to take. To detect which protocol is in use, securepages tests the value of $_SERVER['HTTPS']. Out of the box, this merely reflects the immediate connection to your web server, which from behind the proxy is plain HTTP. If that differs from the protocol the original client used, securepages can't work: the most likely outcome is a redirect loop, since every https:// request arrives looking like http:// and is redirected to https:// again. To resolve this, you'll need to ask your proxy to send the X-Forwarded-Proto header, and have the application trust it only when the request really did come from that proxy (otherwise any client can set the header itself and pass an http:// request off as secure). While you're free to use any header label you choose, X-Forwarded-Proto seems to have become the de facto standard. Read More…
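One way to wire this up on the application side, as an added example rather than code from the original post or from the securepages module: a settings.php snippet that maps the proxy's header back onto $_SERVER['HTTPS'], but only for requests that arrive from a proxy address you have listed. The proxy address 10.0.0.5 is an assumption for the example.

```php
<?php
// Added example, not from the original post nor the securepages module.
// Belongs in settings.php, which Drupal loads before any module inspects
// $_SERVER['HTTPS']. The proxy address below is an assumption.

// Proxies allowed to vouch for the client's protocol. Anything else that
// reaches this host directly is treated as an ordinary client.
$trusted_proxies = array('10.0.0.5');

// Decide whether the original client spoke HTTPS.
function request_came_over_https(array $server, array $trusted_proxies)
{
    // TLS terminated on this host: trust the SAPI's own flag. IIS sets the
    // literal string "off", so test for that rather than for emptiness alone.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    // Only believe X-Forwarded-Proto from a known proxy. A client that can
    // talk to this host directly could otherwise send the header itself and
    // make securepages treat an http:// request as secure.
    $remote = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
    if (!in_array($remote, $trusted_proxies, true)) {
        return false;
    }
    if (empty($server['HTTP_X_FORWARDED_PROTO'])) {
        return false;
    }
    // With chained proxies the header can be a list ("https, http"); the
    // first entry describes the hop nearest the client.
    $hops = explode(',', $server['HTTP_X_FORWARDED_PROTO']);
    return strtolower(trim($hops[0])) === 'https';
}

if (request_came_over_https($_SERVER, $trusted_proxies)) {
    // securepages tests this flag; Drupal's own $base_url detection reads it
    // too when you have not set $base_url explicitly.
    $_SERVER['HTTPS'] = 'on';
}
```

On the proxy side, set the header from the actual scheme so that any value a client sent is overwritten rather than passed through: in nginx, proxy_set_header X-Forwarded-Proto $scheme; in both the port 80 and port 443 server blocks; in Apache with mod_headers, RequestHeader set X-Forwarded-Proto "https" in the SSL virtual host and "http" in the plain one. The REMOTE_ADDR check above is what makes the header safe to trust; if the application host is also reachable without going through the proxy, that check is the only thing standing between a client and a forged "https".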

Filed under drupal, security.
