September 17, 2010
An emerging standard called Strict Transport Security is starting to gain some traction among web browsers. Google Chrome supports it, and Firefox is working on it (it is currently supported in the NoScript Firefox extension).
June 30, 2009
Firefox 3.5 now allows you to make AJAX requests, or more correctly XMLHttpRequests, cross domain (in other words, foo.com can make XHR requests to bar.com). When I heard about this, my first thought was that they would use the crossdomain.xml file that Flash has supported for years to achieve this.
June 30, 2009
Firefox 3.5 was just released about a half hour ago. You can check out all the new features for web developers here.
For me, as someone who does a lot of security research, one of the most interesting new features is the Origin HTTP header that Firefox 3.5 now sends.
October 21, 2008
Have you ever noticed that IIS tends to brand every HTTP response with the header X-Powered-By: ASP.NET - it will do this even if your site is not powered by ASP.
August 01, 2007
When ColdFusion 7 came out I did a series of blog entries on small, often-overlooked new features. Well, ColdFusion 8 is now out, and I thought it would be a good idea to do the same.
One handy new feature in ColdFusion 8 is the statusCode attribute of the CFLOCATION tag.
July 12, 2007
One of the things you will notice after you have published an RSS feed is that it consumes a lot of bandwidth. For example, on Spendfish.com 18% of the requests are for RSS feeds. This is no surprise, since feed readers may download your feed several times a day even if nothing has changed.
June 28, 2006
Ivan Ristic has posted a proposal on his blog called: Secure Browsing Mode [PDF].
In the document Ivan lists some of the possible effects of his proposal:
Eliminate Cross-Site Request Forgery.
Eliminate off-domain information leakage.
July 25, 2005
I tend to forget the syntax every time, but one of the first things I do when I set up an Apache web server is add or edit these two directives in my httpd.
July 25, 2005
I just noticed last week that some of the online web aggregators (such as bloglines, newsgator online, live journal, etc) will send the number of subscribers in their HTTP user agent. For example:
NewsGatorOnline/2.0_(http://www.newsgator.com;_20_subscribers)
Bloglines/2.
June 13, 2005
RSS Feeds have a content type problem. Most people end up serving them with the content-type: text/xml. But this practice is frowned upon for several reasons.
June 10, 2005
WatchFire has released a white paper on HTTP Request Smuggling - a new type of attack that targets multi-layer HTTP stacks (proxies, caches, firewalls).
What is HTTP Request Smuggling?
HTTP Request Smuggling (HRS) is a new hacking technique that targets HTTP devices.
May 16, 2005
It is often stated that CFLOCATION does a client-side redirect. This means that it sends back HTTP headers telling your browser to request a different location. This is done with a 302 (Moved Temporarily) HTTP status code and the Location header.