Tagged articles - Security

Since December 2021 when Log4Shell vulnerabilty caused by popular package for logging in Log4j for Java was discovered here is raised certain level of awareness of using OpenSource packages in application. Because of these cases it is critical that you have indicator whether you are using a dependency with reported vulnerability before you make your application available for wide audience, practically before you do the production release...read more

Is is not so often than you have to use more than one authentication schemes in your project, but there are some corner cases when you have to do so. One of it is a scenario where you are supporting some weaker authentication schema like basic http authentication where credentials are supplied pretty much on every request. This kind of loosen security schema is to some limited extend suitable for internal APIs meaning that no other than users or most likely application within your organization network will access...read more

SignalR is number one choice for real-time communication between server and client. It implements several transports for communication between server and client...read more

Authentication in web services is a bit more different than with web pages because of one simple reason. There is no UI for entering credentials to authenticate to consume service...read more

Hether your website requires SSL secured connection through HTTPS or not, it is even recommended by Google to use SSL for your website. Starting from 2005 Google page ranking takes into consideration whether your page has SSL certificate installed and serer content thorough HTTPS. If you are hosting your website on IIS, you have some built in tols in Internet Information Service (IIS) manager, for SSL certificate operations but they are pretty limited and most of the time confusing to use. ...read more

With so many online and cloud based services, adding one more additional account for your application adds additional complexity level for your users since they will have to manage one more account and remember one more password. Microsft ASP.NET comes with pretty nice built in provides for social networks, but for office usage social networks are not so convenient to be used. ...read more

Last year I wrote an article about IP address filtering on MVC and WebApi Restrict Access to an MVC Action or Controller based on IP address. Over time the requirements for IP filtering in several web based application increased, so I had t work on this class to make it more extendible and reusable in different scenarios...read more

Last year I wrote an article about ASP.NET web application security check list. Apparently there are always more things to add to improve your web application security...read more

There are several things to be taken care of during development and before deployment to keep you online web app tip top regarding performance and security. 1. Logging informations ...read more

I did not rely how important to restrict hot-linking until one day my friend came to me and told me that he has to pay additional money for the bandwidth on his website. He was surprised that he reached bandwidth quota limit. It was weird, but after some logging of requests coming to a website we realized that most of the requests were initiated from some other website...read more

I found this header option repeating in many guidelines for securing the web application. By adding these headers to response, it restricts browser to load your page into an iFrame tag. ...read more

When you are developing a back-end web application, you might want to restrict access only to people who are working in the company which is maintaining the content or any other operations in the back-end and allowing public access only for the public, usually read-only content. This means you still have to leave some parts of your application public and for some you need to restrict access for the people outside of a network (certain IP range). ...read more

So you got a new requirement for the website you worked on ages ago. You try to login to Umbraco but your password is not correct...read more

Google have recently decided to change the way you can fetch profile image. Good old building of image URL is not supported anymore after Google has applied security policy. In good old, but unfortunately deprecated approach you only needed profile id to build a URL for fetching Google+ profile image like the following: ...read more