September 17, 2010
HTTP Strict Transport Security
An emerging standard called Strict Transport Security is starting to gain some traction among web browsers. Google Chrome supports it and Firefox is working on it (currently supported in the noscript FF extension).
June 30, 2009
Ajax Same Origin Policy No More with Firefox 3.5
Firefox 3.5 now allows you to make AJAX requests, or more correctly XMLHttpRequests, cross domain (in other words, foo.com can make XHR requests to bar.com). When I heard about this, my first thought was that they would use the crossdomain.xml file that Flash has supported for years to achieve this.
June 30, 2009
Firefox 3.5 Introduces Origin Header, Security Features
Firefox 3.5 was just released about a half hour ago. You can check out all the new features for web developers here. For me, as someone who does a lot of security research, one of the most interesting new features is the Origin HTTP header that Firefox 3.5 now sends.
February 05, 2009
Using Apache Bench for Simple Load Testing
If you have access to a Mac or Linux server, chances are you may already have a really simple HTTP load generating tool installed called Apache Bench, or ab. If you are on Windows and have Apache installed, you may also have ab.exe in your apache/bin folder.
October 21, 2008
Remove X-Powered-By: ASP.NET Header
Have you ever noticed that IIS tends to brand every HTTP response with the header X-Powered-By: ASP.NET - it will do this even if your site is not powered by ASP.
August 01, 2007
New StatusCode Attribute in CFLOCATION
When ColdFusion 7 came out I did a series of blog entries on small, often overlooked new features. Well, ColdFusion 8 is now out, and I thought it would be a good idea to do the same. One handy new feature in ColdFusion 8 is the statusCode attribute in the CFLOCATION tag.
July 12, 2007
8 Ways to Save Bandwidth on your RSS Feed
One of the things you will notice after you have published an RSS feed is that it will consume a lot of bandwidth. For example, on Spendfish.com 18% of the requests are for RSS feeds. This is no wonder, since feed readers may download your feed several times a day even if nothing has changed.
June 28, 2006
Secure Browsing Mode
Ivan Ristic has posted a proposal on his blog called Secure Browsing Mode [PDF]. In the document Ivan lists some of the possible effects of his proposal:
Eliminate Cross-Site Request Forgery.
Eliminate off-domain information leakage.
July 25, 2005
ServerTokens Prod, ServerSignature Off
I tend to forget the syntax every time, but one of the first things I do when I set up an Apache web server is add/edit these two directives in my httpd.
July 25, 2005
Finding Feed subscribers from the User Agent
I just noticed last week that some of the online web aggregators (such as Bloglines, NewsGator Online, LiveJournal, etc.) will send the number of subscribers in their HTTP User-Agent. For example: NewsGatorOnline/2.0_(http://www.newsgator.com;_20_subscribers)
Bloglines/2.
June 13, 2005
The Proper Content Type for XML Feeds
RSS Feeds have a content type problem. Most people end up serving them with the content-type: text/xml. But this practice is frowned upon for several reasons.
June 10, 2005
HTTP Request Smuggling (HRS)
Watchfire has released a white paper on HTTP Request Smuggling, a new type of attack that targets multi-layer HTTP stacks (proxies, caches, firewalls). What is HTTP Request Smuggling?
HTTP Request Smuggling (HRS) is a new hacking technique that targets HTTP devices.
May 16, 2005
What CFLOCATION Does
It is often stated that CFLOCATION does a client side redirect. This means that it sends back some HTTP headers telling your browser to request a different location. This is done with a 302 (Moved Temporarily) HTTP status code, and the Location header.