Questions tagged [server-security]

18 questions
63
votes
8 answers

Securing sensitive data from developers

I have an enterprise application running that uses both MySQL and MongoDB datastores. My development team all have SSH access to the machine in order to perform application releases, maintenance, etc. I recently raised a risk in the business when…
8
votes
1 answer

Securely sending data from shared hosted PHP script to local MSSQL

I'm trying to add data from a webhook (from a web cart) to a local Microsoft SQL Server. It seems like the best route for me is to use a PHP script to listen for new data (POSTed as JSON), parse it, then query to add it to MSSQL. I'm not familiar with…
5
votes
2 answers

Where to Perform Authentication in REST API Server?

I am working on a set of REST APIs that needs to be secured so that only authenticated calls will be performed. There will be multiple web apps to service these APIs. Is there a best-practice approach as to where the authentication should occur? I…
David V
  • 563
3
votes
1 answer

Why are cloud services needed for push notifications?

We currently have a customer that wants us to implement push notifications in our app. The problem is that for this customer, security is really, really important... I am not able to find any official documents that state that the only way to send…
Tobe
  • 39
2
votes
1 answer

Do I need to implement security for my webpage if it is only connected to a LAN?

I am making a WebSocket server that can communicate with clients. This server is going to be on a private VLAN in a public place, AKA only the staff have access to the network the server is on. When this is the case, do I need to…
2
votes
2 answers

Why are Strings in StringPool considered insecure?

Passwords are recommended to be stored in char[] instead of String, as Strings are stored in the StringPool. Read more here. As per this question, Strings in the StringPool are not available directly. To obtain Strings in the StringPool, we would need a…
1
vote
1 answer

Should I store session id in server database?

I wanted to implement a login system using the Flask framework. I managed to do this using sessions and set them to expire after 31 days, and it works (sessions are created by Flask using the server secret key, a timestamp and cryptography). But there is one…
1
vote
0 answers

How to separate user data in database models?

I am writing a web service for research and learning purposes and am trying to find an approach to separate one user's data from other users' data, to ensure a request can never deliver or reveal data from another user. I'll give you an example in a slightly different…
1
vote
1 answer

Do I need to secure communications between microservices in a cluster?

So, let's say I have a standard setup for an application, that is: it is split into microservices, it is running in a cluster (Kubernetes or Docker Swarm; I guess the specific implementation does not matter, just the main idea), there's an API gateway,…
Giedrius
  • 1,334
1
vote
1 answer

Is opening a templating engine to users a bad idea?

My site allows users to create custom HTML templates for their profiles (very much like Tumblr and the theme system), and I picked the Twig template engine for the site. However, I'm not sure if it's a good idea to give users the control of being…
1
vote
2 answers

Are random number generators security holes?

If I retrieve a random number from a database (e.g. RAND() in SQL Server) or using a programming language and send this in some form back to a client machine, is there an economic chance I will be sending an indicator of what's in my server's memory…
1
vote
2 answers

Why are special characters deemed risky in URLs and query strings?

From a security perspective, special characters like '&' or are a big no-no in URLs and query strings. I could find articles that explained the ways to bypass this restriction, but could find something that explained with an example how can…
0
votes
1 answer

How to control, or moderate, files uploaded with a bug report?

Presume a desktop application presents a Problem Reporting interface as part of its GUI, and I wish to allow users to upload files as part of that PR. One would hope this is only ever used for constructive purposes; however, this raises several…
0
votes
1 answer

How to reduce DoS and DDoS attacks in an authenticated web server

I came up with a model to reduce DoS and DDoS attacks and would like your input on its effectiveness... Basically, once a request reaches our servers without having a valid key, we add a key as a query parameter of the URL, then return a redirect…
0
votes
1 answer

Send data between database and Apache Cordova app in a secure way

I'm developing a Cordova app and I've got the UI ready, but I need to get data into my app from a database. For example, I want my Cordova app to include user authentication when the user opens the app, which means I have to access my database in some way to…