Closed jht5945 closed 9 years ago
Were there particular topics within security you'd like to see covered? It's simple enough to add a new tab; the question is what topics to cover, and where that content comes from. Thanks!
I'm not good at CORS. But I know `*` is very dangerous, and the method `TRACE` is also very dangerous (it will echo back the cookies you send, including HttpOnly cookies).
And what about this:

> The attacker may trigger x-domain requests through AJAX, although he cannot read the responses.
>
> CSRF exploits: Invisible Arbitrary CSRF File Upload – Kotowicz [4]

```javascript
// Cross-origin POST with credentials: the browser attaches the user's cookies
// even though the calling page cannot read the response.
var xhr = new XMLHttpRequest();
xhr.open("POST", "[URL]", true);  // [URL]: target left as a placeholder in the original
xhr.withCredentials = true;       // send cookies, including HttpOnly ones
xhr.send();
```
ref: https://www.owasp.org/images/7/7c/Gentile_OWASP_EU_Tour_2013.pdf
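As an added example (not code from the enable-cors project or from the comment above), here is a server-side CORS policy function that avoids the two problems raised: a wildcard or reflected origin combined with credentials, and an exposed `TRACE` method. It assumes the handler can see the request's `Origin` header and HTTP method and knows whether the route serves credentialed (cookie-authenticated) content; the allowlist and origins are constructed for the example.

```javascript
// Added example: compute safe CORS response headers for a request.
// ALLOWED_ORIGINS is a constructed allowlist; replace with the real origins
// that are permitted to make authenticated cross-origin calls.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Methods browsers may use against this API. TRACE is deliberately absent:
// it echoes the request, Cookie header included, back to the caller.
const ALLOWED_METHODS = new Set(["GET", "POST", "PUT", "DELETE", "OPTIONS"]);

/**
 * Decide the CORS headers for one request.
 *   origin       - value of the request's Origin header ("" if absent)
 *   method       - HTTP method of the request
 *   credentialed - true if this route serves cookie- or auth-protected data
 * Returns null when the request must be refused (disallowed method, answer 405),
 * {} when no CORS headers should be emitted (unknown origin, same-origin call),
 * or an object of response headers otherwise.
 */
function corsHeaders({ origin, method, credentialed }) {
  const verb = (method || "").toUpperCase();
  if (!ALLOWED_METHODS.has(verb)) {
    return null;
  }
  if (!origin) {
    // Same-origin request or a non-browser client: CORS does not apply.
    return {};
  }
  if (credentialed) {
    // Never answer "*" with credentials, and never reflect an arbitrary
    // Origin with credentials: either would let any site read responses
    // issued with the victim's cookies. Only an exact allowlist match passes.
    if (!ALLOWED_ORIGINS.has(origin)) {
      return {};
    }
    const headers = {
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Credentials": "true",
      // The value depends on Origin, so shared caches must key on it.
      "Vary": "Origin",
    };
    if (verb === "OPTIONS") {
      // Preflight: advertise only the allowlisted methods, never TRACE.
      headers["Access-Control-Allow-Methods"] = [...ALLOWED_METHODS].join(", ");
    }
    return headers;
  }
  // Public, unauthenticated resource: a wildcard is acceptable here because
  // no cookies or HTTP auth are involved in the response.
  return { "Access-Control-Allow-Origin": "*" };
}

module.exports = { corsHeaders, ALLOWED_ORIGINS, ALLOWED_METHODS };
```

The design choice worth noting is that the wildcard branch is only reachable for routes marked non-credentialed; a route that serves per-user data always goes through the exact-match allowlist, so a misconfigured reflecting policy cannot arise from this function.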
BTW, if you are interested in learning more about CORS security, my book CORS in Action was just released this month. There is a section in Chapter 6 covering CORS security.
Note that I'm also going to close this issue since it was also mentioned in #70. Let's take this discussion there in order to keep things together.
enable-cors has these tabs:
Should we add a security tab? Security is so important, I think.