Questions tagged [client]
In a client-server model, the server serves services to the client.
130 questions
2 votes, 2 answers, 138 views
Understanding PKCE flow security after the first request
Pardon if this is meant to be obvious. As I understand it, the point of PKCE is to mitigate client-side credential hijacking by giving the auth server a way to distinguish legitimate client-side ...
74 votes, 4 answers, 21k views
What is PKCE actually protecting?
I'm trying to get my head around how PKCE works in a mobile app and there's something I don't quite understand.
So from what I can gather the client app creates a random cryptographically secure ...
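The exchange the two PKCE questions above are asking about, as an added example that is not part of either post: the client keeps a random code_verifier on the device, sends only its S256 hash as the code_challenge, and the authorization server binds that challenge to a single-use code so that whoever captures the redirect (and therefore the code) still cannot redeem it. The AuthorizationServer class, the demo flow and the rejection of the "plain" method are this example's own choices; the encoding and the S256 transform follow RFC 7636.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 7636 specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: a fresh high-entropy secret per authorization request.
    32 random bytes encode to 43 characters, the RFC 7636 minimum length."""
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Toy authorization server (example only); just the PKCE-relevant state is modelled."""

    def __init__(self) -> None:
        self._pending = {}  # authorization code -> code_challenge it was issued against

    def authorize(self, code_challenge: str, code_challenge_method: str) -> str:
        """Authorization endpoint: bind the challenge to a new single-use code."""
        # Refuse 'plain' so a challenge seen on the wire cannot simply be replayed as the verifier.
        if code_challenge_method != "S256":
            raise ValueError("only code_challenge_method=S256 is accepted")
        code = b64url(secrets.token_bytes(16))
        self._pending[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str) -> bool:
        """Token endpoint: the code is consumed on first use, right or wrong."""
        challenge = self._pending.pop(code, None)
        if challenge is None:
            return False  # unknown, already used, or revoked after a failed attempt
        # Constant-time compare of the recomputed challenge against the stored one.
        return hmac.compare_digest(make_code_challenge(code_verifier), challenge)


def demo() -> dict:
    """Legitimate exchange, a replay of the used code, and a stolen code without the verifier."""
    server = AuthorizationServer()

    # Honest client: the verifier stays on the device, only the challenge goes to /authorize.
    verifier = make_code_verifier()
    code = server.authorize(make_code_challenge(verifier), "S256")
    legit = server.token(code, verifier)
    replay = server.token(code, verifier)

    # Second flow: an attacker captures the redirect (and so the code) but not the verifier.
    verifier2 = make_code_verifier()
    code2 = server.authorize(make_code_challenge(verifier2), "S256")
    stolen_code = server.token(code2, make_code_verifier())  # attacker's own guess at a verifier
    victim_after_attack = server.token(code2, verifier2)      # code was revoked by the failed attempt

    return {"legit": legit, "replay": replay,
            "stolen_code": stolen_code, "victim_after_attack": victim_after_attack}


if __name__ == "__main__":
    print(demo())
```

The second flow shows the answer to "what happens after the first request": once a code has been presented with the wrong verifier it is gone, so the honest client's later attempt also fails and the user simply restarts the flow; the attacker never obtains a token.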
1 vote, 1 answer, 359 views
In a TLS 1.3 server hello, can the legacy version field be set to 0x0304?
As part of the TLS 1.3 handshake, a client hello is sent containing the TLS 1.3 version support as part of the supported_versions extension. Consider if, as part of the server hello, the supported_versions extension is not ...
0 votes, 1 answer, 567 views
How to reliably identify referrer on client browser?
Is there any way to reliably identify the referring site on modern browsers (not considering manual HTTP requests outside of a browser e.g. cURL, etc.)?
Referrer header will not work because the ...
9 votes, 3 answers, 17k views
Certificate Chain checking
I have a very specific question.
A client verifies a server by taking the certificate and checking specific values and that the digital signature of the intermediate CA is correct (according to the ...
0 votes, 0 answers, 147 views
Can I setup and enforce additional WiFi connection (and password) requirements on managed laptops using Windows or MacOS?
Can I setup and enforce additional WiFi connection (and password) requirements on managed laptops using Windows or MacOS?
Such as:
blocking (or entirely hiding) the option to connect to open networks
...
2 votes, 1 answer, 1k views
Public client or Confidential client: should I generate a client secret?
I've read about this but I don't fully understand how to choose.
I have two options:
Public client
"A native, browser or mobile-device app. Cognito API requests are made from user systems that ...
0 votes, 1 answer, 778 views
What does it mean to store secret keys as an "environment variable" as opposed to hardcoded in the source code?
I see why it is obviously bad to store a secret key and client ID in the source code for a web application. However, how do you go about the alternative? Surely, that information has to be stored ...
2 votes, 1 answer, 201 views
Defining scope of a software pen test
If I own a software and I want to conduct a pen test with pen testers, should I define the scope or do the pen testers assess the software first and they define the scope? How does scope definition ...
3 votes, 1 answer, 158 views
Is a client-server model to do root operations without asking for the password every time secure?
I'm writing a Python application that will do some operations that require root privileges. Instead of asking for the user's password every time, I decided to use a client-server model.
A python script ...
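The shape such a design needs to take in order to be defensible, as an added example that is not part of the post or the asker's script: the root-owned helper identifies the connecting process from the kernel (SO_PEERCRED on an AF_UNIX socket) rather than from anything in the message, and it exposes a fixed allow-list of operations with validated arguments, never a command string. The operation names, the ALLOWED_SERVICES set, the JSON message format and the socketpair stand-in for the listener are this example's own assumptions; the one operation only reports what it would do so the code runs offline and unprivileged.

```python
import json
import os
import re
import socket
import struct
from typing import Callable

# Allow-list of operations the root-owned helper will perform for an unprivileged client.
# The client chooses an operation name and arguments; it never supplies code or a shell string.
SERVICE_NAME = re.compile(r"^[a-z0-9][a-z0-9_.-]{0,63}$")
ALLOWED_SERVICES = {"nginx", "sshd"}      # constructed example set
MAX_REQUEST = 4096


def op_restart_service(args: dict) -> str:
    name = args.get("name")
    if not isinstance(name, str) or not SERVICE_NAME.match(name) or name not in ALLOWED_SERVICES:
        raise PermissionError("service not permitted")
    # A real helper would now run a fixed argv such as ["systemctl", "restart", name] with no shell;
    # this example only reports what it would have done so it runs offline.
    return f"would restart {name}"


OPERATIONS: dict[str, Callable[[dict], str]] = {
    "restart_service": op_restart_service,
}


def handle_request(raw: bytes) -> dict:
    """Parse one client message and dispatch it through the allow-list, or refuse it."""
    if len(raw) > MAX_REQUEST:
        return {"ok": False, "error": "request too large"}
    try:
        msg = json.loads(raw)
    except ValueError:
        return {"ok": False, "error": "malformed request"}
    if not isinstance(msg, dict):
        return {"ok": False, "error": "malformed request"}
    handler = OPERATIONS.get(msg.get("op"))
    if handler is None:
        return {"ok": False, "error": "unknown operation"}
    args = msg.get("args", {})
    if not isinstance(args, dict):
        return {"ok": False, "error": "bad arguments"}
    try:
        return {"ok": True, "result": handler(args)}
    except PermissionError as exc:
        return {"ok": False, "error": str(exc)}


def peer_allowed(conn: socket.socket, allowed_uids: set) -> bool:
    """Identify the connecting process from the kernel (SO_PEERCRED, Linux), not from the message."""
    if not hasattr(socket, "SO_PEERCRED"):
        return False  # assumption: on other platforms you would rely on the socket file's owner/mode
    creds = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", creds)
    return uid in allowed_uids


def serve_one(conn: socket.socket, allowed_uids: set) -> None:
    """Handle a single request on an already-accepted AF_UNIX connection."""
    if not peer_allowed(conn, allowed_uids):
        conn.sendall(json.dumps({"ok": False, "error": "peer not allowed"}).encode())
        return
    conn.sendall(json.dumps(handle_request(conn.recv(MAX_REQUEST + 1))).encode())


def demo() -> list:
    """Three requests over a socketpair standing in for the helper's AF_UNIX listener."""
    requests = [
        {"op": "restart_service", "args": {"name": "nginx"}},          # permitted
        {"op": "restart_service", "args": {"name": "nginx; id"}},      # injection attempt
        {"op": "run", "args": {"cmd": "id"}},                          # not on the allow-list
    ]
    replies = []
    for req in requests:
        client, server = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
        client.sendall(json.dumps(req).encode())
        serve_one(server, {os.getuid()})
        replies.append(json.loads(client.recv(MAX_REQUEST)))
        client.close()
        server.close()
    return replies


if __name__ == "__main__":
    for reply in demo():
        print(reply)
```

Whether the design is "secure" then comes down to what is on the allow-list: every operation the helper offers is effectively something the unprivileged user can do as root without a password, so it must be impossible to turn any of them into arbitrary code or file access.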
3 votes, 1 answer, 1k views
Can clients visit my site, and spam socket.emit(something); to my server, or is there some security behind socket.io?
I'm using Socket.IO and the client side looks like this.
<script src="/socket.io/socket.io.js"></script>
<script>
var socket = io();
socket.emit("sendData", "hello!");
</...
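What the server side of the question above should do with every sendData emit, as an added example that is not part of the post and not Socket.IO's own code: treat each event as untrusted input, charge it against a per-connection token bucket, allow-list the event names and size-check the payload, and disconnect a client that keeps failing. It is written in Python (the page's single example language) as transport-agnostic logic; the same checks belong at the top of whatever handler receives the event on the server. The rates, the strike threshold and the injectable clock are this example's choices.

```python
import time
from collections import defaultdict


class EventGuard:
    """Server-side guard for an event handler: every emit is untrusted, whatever the client JS does.

    - token bucket per connection id (sid), so one client cannot flood the handler
    - allow-list of event names and a size/type check on the payload
    - strike counter so a persistent spammer can be disconnected
    """

    def __init__(self, rate_per_sec: float, burst: int, max_len: int,
                 disconnect_after: int = 10, clock=time.monotonic) -> None:
        self.rate = rate_per_sec
        self.burst = burst
        self.max_len = max_len
        self.disconnect_after = disconnect_after
        self.clock = clock                      # injectable for deterministic tests
        self._buckets = {}                      # sid -> (tokens, last_refill_time)
        self.strikes = defaultdict(int)
        self.allowed_events = {"sendData"}      # the one event the question's client emits

    def _take_token(self, sid: str) -> bool:
        now = self.clock()
        tokens, last = self._buckets.get(sid, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens < 1.0:
            self._buckets[sid] = (tokens, now)
            return False
        self._buckets[sid] = (tokens - 1.0, now)
        return True

    def accept(self, sid: str, event: str, payload) -> tuple:
        """Return (accepted, reason). Call this first thing in the handler."""
        if event not in self.allowed_events:
            self.strikes[sid] += 1
            return False, "unknown event"
        if not self._take_token(sid):               # cost is charged before validation
            self.strikes[sid] += 1
            return False, "rate limited"
        if not isinstance(payload, str) or len(payload) > self.max_len:
            self.strikes[sid] += 1
            return False, "invalid payload"
        return True, "ok"

    def should_disconnect(self, sid: str) -> bool:
        return self.strikes[sid] >= self.disconnect_after


def demo() -> dict:
    """Simulate a client looping socket.emit("sendData", "hello!") against the guard."""
    fake_now = [0.0]
    guard = EventGuard(rate_per_sec=2.0, burst=5, max_len=256, clock=lambda: fake_now[0])

    burst_ok = sum(guard.accept("sid-1", "sendData", "hello!")[0] for _ in range(20))
    fake_now[0] += 2.0      # two seconds at 2 tokens/s refills 4 tokens
    later_ok = sum(guard.accept("sid-1", "sendData", "hello!")[0] for _ in range(10))
    oversized = guard.accept("sid-2", "sendData", "x" * 1000)
    unknown = guard.accept("sid-2", "becomeAdmin", {})

    return {"burst_accepted": burst_ok, "accepted_after_refill": later_ok,
            "oversized": oversized[1], "unknown_event": unknown[1],
            "disconnect_spammer": guard.should_disconnect("sid-1"),
            "disconnect_other": guard.should_disconnect("sid-2")}


if __name__ == "__main__":
    print(demo())
```

The connection id is only a handle for bookkeeping; if the event does anything on behalf of a user, the handler must also tie the connection to an authenticated session, because the client-side script is fully under the visitor's control and anyone can open the same WebSocket from a console or a standalone program.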
0 votes, 2 answers, 163 views
How would you enforce user to only connect on a given network?
How would you enforce that a user's PC only connects to a given network?
Answers need to be OS agnostic.
One weak solution could be to set client-side firewall rules to only allow communications with ...
1 vote, 2 answers, 879 views
How do I create a Client Authentication Certificate without a domain signed by a commercial CA?
For sending SOAP messages to a web service we need to include a client authentication certificate with these messages. Normally we simply created a self-signed client auth. certificate (with as a ...
1 vote, 1 answer, 583 views
Is braintree clientToken supposed to be public?
I'm building an app that uses Braintree for processing payments. According to the documentation, I need a server-side endpoint that returns the clientToken, which is then used to manage a user's vault ...
28 votes, 5 answers, 38k views
What are the security issues with "eval()" in JavaScript?
Every time that someone mentions eval(), everyone says that there are "security issues" with it, but nobody ever goes into detail about what they are. Most modern browsers seem to be able to debug ...