Authentication verifies the identity of the user. Basically, most of the Web authentication scheme falls into two kinds stateless and stateful.
If the webserver stores data in the server memory and uses it to identify the user as an always-connected client, the service is called Stateful. There are different types of Stateful Authentication.
Basic HTTP Authentication transmits credentials as user ID/password pairs encoded using base64. It is stateful authentication. The user submits login credentials (username and password)
HTTP authentication scheme
Authorization: <type> <credentials>
Authorization: Basic userid:passwordAuthorization: Basic QUFBQUFBQUF:CQkJCQkJCQkI=
The username and password are concatenated with a colon (:) in…
This article is for beginners who want to learn about Browser security headers and concepts. Let’s get started! 😃
Prerequisite knowledge: HTML basics and How HTTP request works
HSTS tells the browser that it should always connect over HTTPS, even for the initial request. HSTS is easy to enable on the web page but at the same time, it is easy to overlook. If attackers try to change HTTPS to HTTP it automatically redirected to https, if HSTS is enabled.
For instance
What is a Cookie? why do we need to set up in the HTTP header?
For example, let’s assume the user is returning user in some website,
Step1 → The user submits login credentials (username and password)
Step2 → The Server verifies the credentials against the Database,
Step3 → The server creates a temporary user session and issues a cookie with the Session ID,
Step4 → The user sends the cookie with each request, ( because HTTP is stateless, so each request is considered as a new request)
Step5 → The Server validates it against the session store & grants…
Cross-site scripting is a classic well-known type of attack that is possible because some software applications take user input in an insecure way. This happens via search fields, survey forms, cookies, and online web forms.
Types → Reflected XSS, Stored XSS, and DOM XSS.
For Instance,
An attacker gives your web application JavaScript tags on input(<script type=’text/javascript’>alert(‘Possible XSS’);</script>
When this input is returned to the user unsanitized, the user’s browser will execute it. It can be as simple as crafting a link and inducing…
Security Engineer