Category "websecurity"

Is there a way to use haveibeenpwned (HIBP) without sending email in clear text?

For legal reasons we can't send the email to HIBP in clear text. Regarding the "Domain Search" functionality, there's no API (as far as I know). It works by sendin

Which mechanism to use for CSRF token handling with spring security

I am new to web security and its implementation using spring-security. One important concept is prevention of CSRF using a CSRF token. Spring security has p

How do HttpOnly cookies protect against XSS/injection attacks if they are passed automatically with every request?

From what I understand, HttpOnly cookies cannot be read by client-side JS, but they are passed by the browser with any subsequent requests. If an attacker is able to