Tag: security

Form body in a POST ending up as URL params?

Our stack: Vue.js frontend using vuetify component lib custom python middleware rest api using flask + tornado matomo running externally and connected to the frontend using vues plugin system.(https://github.com/AmazingDreams/vue-matomo) We recently added matamo to our site and very very rarely we’ve noticed 4 incidents out of thousands of users where the username/password which is submitted via POST request to our

How to make Google Analytics respond to “Do Not Track”

google-analytics javascript privacy security

I am planning to put google analytics tracking code on my website, but I don’t know how to make it respond to those who send the “Do not track” signal. How can I make GA tracking code track those who don have DNT signal while protecting those who have it? Answer I just want to jump in to say that

vuex empty state on logout

javascript security vue.js vuex

Quick story of my problem: Absolutely no data is stored in my vuex state when the page loads If the user is logged in(or has info stored in window.localStorage and therefore gets auto logged in) my vuex store retrieves all the info from a socket that requires authentication. Then the user logs out, But my vuex state save still retains

Is there any way to make user uploaded SVG images safe from code injection etc?

code-injection javascript security svg

I want to display user uploaded SVG images on a website, but they’re quite open to exploits: https://security.stackexchange.com/questions/11384/exploits-or-other-security-risks-with-svg-upload https://security.stackexchange.com/questions/36447/img-tag-vulnerability For example, arbitrary javascript can be embedded in SVG. There’s also issues with performance exploits, but I’d consider those lower priority. Is there any mechanism to make SVG somewhat safe and only use it as an image? Can I simply trust

CSRF protection with CORS Origin header vs. CSRF token

cors csrf javascript security

This question is about protecting against Cross Site Request Forgery attacks only. It is specifically about: Is protection via the Origin header (CORS) as good as the protection via a CSRF token? Example: Alice is logged in (using a cookie) with her browser to https://example.com. I assume, that she uses a modern browser. Alice visits https://evil.example, and evil.example’s client side

How to store a password as securely in Chrome Extension?

google-chrome google-chrome-extension javascript security

I’m writing an Chrome extension right now which autofills credentials similar to Chrome’s autofill (in which case Chrome’s autofill fails). Is there a secure way to store the username/password in localstorage (all client-side)? If I encrypt the password, won’t the key be locally stored as well effectively making the encryption useless? Effectively, I want the user’s credentials to be as

What makes an input vulnerable to XSS?

html javascript security xss

I’ve been reading about XSS and I made a simple form with a text and submit input, but when I execute <script>alert();</script> on it, nothing happens, the server gets that string and that’s all. What do I have to do for make it vulnerable?? (then I’ll learn what I shouldn’t do hehe) Cheers. Answer Indeed just let the server output