PHP $_SERVER['HTTP_HOST'] vs. $_SERVER['SERVER_NAME'], am I understanding the man pages correctly?

I did a lot of searching and also read the PHP $_SERVER docs. Do I have this right regarding which to use for my PHP scripts for simple link definitions used throughout my site? $_SERVER['SERVER_NAME'] is based on your web server's config file (Apache2 in my case), and varies depending on a few directives: (1) …

What is “X-Content-Type-Options=nosniff”?

I am doing some penetration testing on my localhost with OWASP ZAP, and it keeps reporting this message: The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff' This check is specific to Internet Explorer 8 and Google Chrome. Ensure each page sets a Content-Type header and the X-CONTENT-TYPE-OPTIONS if the Content-Type header is unknown I …

Why is it common to put CSRF prevention tokens in cookies?

I'm trying to understand the whole issue with CSRF and appropriate ways to prevent it. (Resources I've read, understand, and agree with: OWASP CSRF Prevention Cheat Sheet, Questions about CSRF.) As I understand it, the vulnerability around CSRF is introduced by the assumption that (from the webserver's point of view) a valid session cookie in …