I wonder if I should use the CAS protocol or OAuth + some authentication provider for single sign-on. Example Scenario: A User tries to access a protected resource, but is not authenticated. The application redirects the user to the SSO server. If beeing authenticated the user gets a token from the SSO server. The SSO … Read more
I’ve been experimenting with Docker recently on building some services to play around with and one thing that keeps nagging me has been putting passwords in a Dockerfile. I’m a developer so storing passwords in source feels like a punch in the face. Should this even be a concern? Are there any good conventions on … Read more
What is the difference between a cer, pvk, and pfx file? Also, which files do I keep and which am I expected to give to my counter-parties? 4 Answers 4
As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for … Read more
I’m building a mobile app and am using JWT for authentication. It seems like the best way to do this is to pair the JWT access token with a refresh token so that I can expire the access token as frequently as I want. What does a refresh token look like? Is it a random … Read more
Will content requested over https still be cached by web browsers or do they consider this insecure behaviour? If this is the case is there anyway to tell them it’s ok to cache? 3 Answers 3
I know cookie-based authentication. SSL and HttpOnly flags can be applied to protect cookie-based authentication from MITM and XSS. However, more special measures will be needed to apply in order to protect it from CSRF. They are just a bit complicated. (reference) Recently, I discover that JSON Web Token (JWT) is quite hot as a … Read more
As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for … Read more
In order to mitigate against kernel or cross-process memory disclosure (the Spectre attack), the Linux kernel1 will be compiled with a new option, -mindirect-branch=thunk-extern introduced to gcc to perform indirect calls through a so-called retpoline. This appears to be a newly invented term as a Google search turns up only very recent use (generally all … Read more
How do I create a self-signed certificate for code signing using tools from the Windows SDK? 7 Answers 7
