HTTP Strict Transport Security

Tags: web

An emerging standard called HTTP Strict Transport Security is starting to gain traction among web browsers. Google Chrome supports it, and Firefox is working on it (it is currently supported through the NoScript Firefox extension).

Ajax Same Origin Policy No More with Firefox 3.5

Tags: web

Firefox 3.5 now allows you to make AJAX requests, or more correctly XMLHttpRequests, cross-domain (in other words, foo.com can make XHR requests to bar.com). When I heard about this, my first thought was that they would use the crossdomain.xml file that Flash has supported for years to achieve this.

Firefox 3.5 Introduces Origin Header, Security Features

Tags: web

Firefox 3.5 was just released about half an hour ago. You can check out all the new features for web developers here.

For me, as someone who does a lot of security research, one of the most interesting new features is the Origin HTTP header that Firefox 3.5 now sends.

Using Apache Bench for Simple Load Testing

Tags: apple, coldfusion, linux, web

If you have access to a Mac or Linux server, chances are you already have a really simple HTTP load-generating tool installed called Apache Bench, or ab. If you are on Windows and have Apache installed, you may also have ab.exe in your apache/bin folder.

Remove X-Powered-By: ASP.NET Header

Tags: web

Have you ever noticed that IIS tends to brand every HTTP response with the header X-Powered-By: ASP.NET? It will do this even if your site is not powered by ASP.NET.

New StatusCode Attribute in CFLOCATION

Tags: coldfusion

When ColdFusion 7 came out I did a series of blog entries on small, often overlooked new features. Well, ColdFusion 8 is now out, and I thought it would be a good idea to do the same.

One handy new feature in ColdFusion 8 is the statusCode attribute of the CFLOCATION tag.

8 Ways to Save Bandwidth on your RSS Feed

Tags: web

One of the things you will notice after you have published an RSS feed is that it will consume a lot of bandwidth. For example, on Spendfish.com 18% of requests are for RSS feeds. This is no wonder, since feed readers may download your feed several times a day even if nothing has changed.

Secure Browsing Mode

Tags: web

Ivan Ristic has posted a proposal on his blog called Secure Browsing Mode [PDF].

In the document Ivan lists some of the possible effects of his proposal:

Eliminate Cross-Site Request Forgery.

Eliminate off-domain information leakage.

ServerTokens Prod, ServerSignature Off

Tags: web

I tend to forget the syntax every time, but one of the first things I do when I set up an Apache web server is add or edit these two directives in my httpd.

Finding Feed subscribers from the User Agent

Tags: web

I just noticed last week that some of the online web aggregators (such as Bloglines, NewsGator Online, LiveJournal, etc.) will send the number of subscribers in their HTTP User-Agent. For example:

NewsGatorOnline/2.0_(http://www.newsgator.com;_20_subscribers)

Bloglines/2.

The Proper Content Type for XML Feeds

Tags: web

RSS feeds have a content type problem. Most people end up serving them with the content type text/xml, but this practice is frowned upon for several reasons.

HTTP Request Smuggling (HRS)

Tags: web

Watchfire has released a white paper on HTTP Request Smuggling, a new type of attack that targets multi-layer HTTP stacks (proxies, caches, firewalls).

What is HTTP Request Smuggling?

HTTP Request Smuggling (HRS) is a new hacking technique that targets HTTP devices.

What CFLOCATION Does

Tags: coldfusion, web

It is often stated that CFLOCATION does a client-side redirect. This means that it sends back HTTP headers telling your browser to request a different location. This is done with a 302 (Moved Temporarily) HTTP status code and the Location header.

