Among other things, it can help you apply good practices when configuring nginx.
The HTTP Content-Security-Policy response header allows web site administrators to control resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting attacks (XSS).
A CSP generator: https://report-uri.com/home/generate
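Added example (not code from the page, the generator above, or any nginx project): a small Python checker that parses a Content-Security-Policy header the way a browser splits it and flags the settings that undo its XSS protection ('unsafe-inline', 'unsafe-eval', wildcard or whole-scheme script sources, a missing default-src, no frame-ancestors/base-uri). The two sample policies are constructed for the example; in nginx the hardened one would be served with something like add_header Content-Security-Policy "..." always;.

```python
"""Parse a Content-Security-Policy header and flag settings that weaken its XSS protection."""
from typing import Dict, List

# Constructed sample policies for this example (assumptions, not policies from the page).
WEAK_POLICY = "default-src * 'unsafe-inline' 'unsafe-eval'; img-src data: *"
HARDENED_POLICY = (
    "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self' data:; "
    "connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'"
)


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive name: [source expressions]}.

    Directives are ';'-separated, the first token of each is its (case-insensitive) name.
    A repeated directive is ignored by browsers, so only the first occurrence is kept.
    """
    directives: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue  # empty chunk, e.g. a trailing ';'
        directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def effective_sources(directives: Dict[str, List[str]], name: str) -> List[str]:
    """Fetch directives (script-src, style-src, ...) fall back to default-src when unset."""
    if name in directives:
        return directives[name]
    return directives.get("default-src", [])


def audit_csp(header: str) -> List[str]:
    """Return human-readable findings for weak settings; an empty list means nothing flagged."""
    d = parse_csp(header)
    findings: List[str] = []
    if "default-src" not in d:
        findings.append("no default-src: any fetch directive left unset allows everything")
    for name in ("script-src", "style-src"):
        srcs = [s.lower() for s in effective_sources(d, name)]
        # CSP3 browsers ignore 'unsafe-inline' when a nonce or hash source is present.
        has_nonce_or_hash = any(
            s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in srcs
        )
        if "'unsafe-inline'" in srcs and not has_nonce_or_hash:
            findings.append(f"{name} allows 'unsafe-inline'")
        if name == "script-src" and "'unsafe-eval'" in srcs:
            findings.append("script-src allows 'unsafe-eval'")
        if "*" in srcs:
            findings.append(f"{name} allows any origin (*)")
        if name == "script-src" and any(s in ("http:", "https:", "data:") for s in srcs):
            findings.append("script-src allows a whole scheme (http:, https: or data:)")
    for name in ("frame-ancestors", "base-uri"):
        if name not in d:
            findings.append(f"{name} not set")
    return findings


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{label}: {audit_csp(policy) or 'OK'}")
```

Run it against the header your server actually sends (curl -I and copy the value); the weak sample yields seven findings, the hardened one none.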
The last step of the validation process is where you can modify the email address and replace it with any regular email address (highlighted in yellow) since it lacks proper input validation.
Normally you are limited to 3 emails (postmaster, hostmaster, webmaster) whose domain is the one being validated.
This is a trivially simple hack, since all it takes is forging the HTTP request with the email of your choice. Except that it lets anyone create a TLS certificate for a domain they don't own.
Never trust data that users can enter into your application: https://www.owasp.org/index.php/Don't_trust_user_input
That's the ABC of security.
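Added example, not code from the page or from the CA it describes: the server-side check that was missing in the story above, in Python. The allowed addresses are recomputed on the server from the domain under validation, so whatever the browser (or a hand-forged request) submits can only select one of them, never widen the set. The form dict and domain names are constructed for the example.

```python
"""Server-side allowlist for the domain-validation email choice."""
from typing import Dict, List, Tuple

# The three control mailboxes a domain owner is expected to be able to read.
CONTROL_MAILBOXES = ("postmaster", "hostmaster", "webmaster")


def normalize_domain(domain: str) -> str:
    """Lower-case and drop a trailing dot so 'Example.COM.' and 'example.com' compare equal."""
    return domain.strip().rstrip(".").lower()


def allowed_validation_emails(domain: str) -> List[str]:
    """The only addresses the server will ever send a validation code to."""
    d = normalize_domain(domain)
    return [f"{box}@{d}" for box in CONTROL_MAILBOXES]


def is_acceptable_validation_email(submitted: str, domain: str) -> bool:
    """True only if the submitted address is exactly one of the allowed control mailboxes.

    Exact membership means 'postmaster@example.com.attacker.net' or a second '@'
    cannot slip through: the candidate must equal a string the server built itself.
    """
    candidate = submitted.strip().lower()
    return candidate in allowed_validation_emails(domain)


def handle_validation_request(form: Dict[str, str]) -> Tuple[int, str]:
    """Simulated handler for the last validation step: returns (HTTP status, message).

    The domain must come from the server-side session for the pending validation,
    not from the same form the client controls; here it is passed in explicitly and
    the constructed form only carries the email field the user could tamper with.
    """
    domain = form.get("domain", "")  # in a real app: read from the pending-validation record
    email = form.get("email", "")
    if not is_acceptable_validation_email(email, domain):
        return 400, "email must be one of: " + ", ".join(allowed_validation_emails(domain))
    return 200, f"validation code sent to {email.strip().lower()}"


if __name__ == "__main__":
    print(handle_validation_request({"domain": "example.com", "email": "postmaster@example.com"}))
    print(handle_validation_request({"domain": "example.com", "email": "anyone@attacker.net"}))
```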
If you come from your site (Referer header == http://www.mypersonnaldata.eu/shaarli/) to go to shaarli.callmematthi.eu, you land on Rick Astley singing 'Never Gonna Give You Up'.
$ curl -i 'http://shaarli.callmematthi.eu/?anything' -H 'Host: shaarli.callmematthi.eu' -H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:42.0) Gecko/20100101 Firefox/42.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Referer: http://www.mypersonnaldata.eu/shaarli/'
HTTP/1.1 301 Moved Permanently
Date: Fri, 11 Dec 2015 14:02:35 GMT
Server: Varnish
X-Varnish: 458813
Location: https://www.youtube.com/watch?v=dQw4w9WgXcQ
Content-Length: 0
Connection: keep-alive
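Added example (not the site's own configuration, whose server-side rules are not shown): a Python handler reproducing the 301 seen in the curl exchange above, keyed on the Referer header. It parses the Referer as a URL and compares scheme, host and path prefix, so a referrer like http://evil.example/www.mypersonnaldata.eu/shaarli/ does not match the way a naive substring check would. The rule table is an assumption built from the URLs on the page. Since curl sets Referer with a single -H, a check like this is fine for a joke redirect and useless as access control.

```python
"""Referer-based redirect, as in the curl exchange above, using proper URL comparison."""
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed rule table (assumption): referrer URL prefix -> redirect target.
REFERER_RULES: Dict[str, str] = {
    "http://www.mypersonnaldata.eu/shaarli/": "https://www.youtube.com/watch?v=dQw4w9WgXcQ",
}


def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Header names are case-insensitive in HTTP, so look the value up that way."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def referer_target(headers: Dict[str, str]) -> Optional[str]:
    """Return the Location to redirect to, or None when no rule matches.

    The Referer is parsed as a URL: scheme and host are compared case-insensitively,
    the path must start with the rule's path. Matching on the raw string would let
    the rule text appear anywhere in an attacker-chosen URL and still 'match'.
    """
    referer = get_header(headers, "Referer")
    if not referer:
        return None  # no Referer at all (direct visit, privacy setting, or stripped)
    got = urlsplit(referer)
    for rule, target in REFERER_RULES.items():
        want = urlsplit(rule)
        if (
            got.scheme.lower() == want.scheme.lower()
            and got.netloc.lower() == want.netloc.lower()
            and got.path.startswith(want.path)
        ):
            return target
    return None


def handle(headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Minimal (status, response headers) like the 301 with empty body in the curl output."""
    target = referer_target(headers)
    if target:
        return 301, {"Location": target, "Content-Length": "0"}
    return 200, {"Content-Type": "text/html"}


if __name__ == "__main__":
    print(handle({"Referer": "http://www.mypersonnaldata.eu/shaarli/?page=2"}))
    print(handle({}))
```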
"""
RequestBin gives you a URL that will collect requests made to it and let you inspect them in a human-friendly way.
Use RequestBin to see what your HTTP client is sending or to inspect and debug webhook requests.
"""
"""
Httplog and httptop go one step further by implementing some basic decoding of the raw data that echo_fds shows. In particular, if the connection is carrying HTTP data, they extract information like the URL and the response time. You can think about this as a simple version of ngxtop, but web server agnostic and able to see inside containers.
"""
Note that they talk about 'containers', but when you don't specify one (e.g. 'sysdig -pc -c httplog') it uses the "host" container, which is the local machine itself.
"""
Does HTTP/2 require encryption?
No. After extensive discussion, the Working Group did not have consensus to require the use of encryption (e.g., TLS) for the new protocol.
However, some implementations have stated that they will only support HTTP/2 when it is used over an encrypted connection.
"""
well well, encryption went from required to optional...
for when you can't be bothered to get your hands dirty with 'curl'. ^^
to be used with the httpie client (https://github.com/jkbr/httpie) or cURL.