content security policy: correct CSP frame-src value for iframes with empty src value

We have the CSP directives below defined on our site:

script-src 'self' 'unsafe-inline' 'unsafe-eval'  *.youtube.com; style-src  'self' 'unsafe-inline'; frame-src *.facebook.com  www.youtube.com;

According to this value, we only allow Facebook and YouTube domains as the src value of iframes on our site. But we also have iframes on our site whose src value is empty.


How are these iframes not restricted by the CSP rule?

Thanks in advance.
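The behaviour asked about can be checked against the CSP matching rules directly. The following is an added example, not code from the post or from any CSP library: a small frame-src matcher that applies the policy above to candidate iframe src values. The page origin https://example.com is an assumption (the post does not state the site's origin); scheme-less sources such as www.youtube.com are matched relative to it. An empty or missing src is treated the way browsers treat it, as about:blank, which is loaded without a fetch and therefore without consulting frame-src.

```python
"""Which iframe src values a CSP frame-src directive actually governs.

Added example, not from the post.  PAGE_ORIGIN is an assumption: the post does not give the
site's own origin, and scheme-less sources such as www.youtube.com are matched relative to it.
"""
from urllib.parse import urlsplit

PAGE_ORIGIN = "https://example.com"          # hypothetical origin of the embedding page
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_directives(policy):
    """'a b c; d e' -> {'a': ['b', 'c'], 'd': ['e']}; directive names are case-insensitive."""
    out = {}
    for chunk in policy.split(";"):
        parts = chunk.split()
        if parts:
            out[parts[0].lower()] = parts[1:]
    return out


def host_matches(pattern, host):
    """'*.facebook.com' matches any subdomain but not facebook.com itself; otherwise exact."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def source_matches(expr, url, page):
    """One CSP source expression against one absolute URL (CSP3 host/scheme/port/path rules)."""
    u, p = urlsplit(url), urlsplit(page)
    url_port = u.port if u.port is not None else DEFAULT_PORTS.get(u.scheme)
    if expr == "'none'":
        return False
    if expr == "'self'":
        page_port = p.port if p.port is not None else DEFAULT_PORTS.get(p.scheme)
        return (u.scheme, u.hostname, url_port) == (p.scheme, p.hostname, page_port)
    if expr.endswith(":"):                     # scheme-source, e.g. https:
        return u.scheme == expr[:-1].lower()
    # host-source: [scheme://]host[:port][/path]
    scheme, rest = expr.split("://", 1) if "://" in expr else (None, expr)
    hostport, _, path = rest.partition("/")
    host, _, port = hostport.partition(":")
    if scheme is None:
        # no scheme in the source: the page's scheme, or https when the page itself is http
        if not (u.scheme == p.scheme or (p.scheme == "http" and u.scheme == "https")):
            return False
    elif u.scheme != scheme.lower():
        return False
    if not host_matches(host, u.hostname or ""):
        return False
    if port == "*":
        pass
    elif port:
        if url_port != int(port):
            return False
    elif url_port != DEFAULT_PORTS.get(u.scheme):   # no port in source: default port only
        return False
    if path:
        src_path, url_path = "/" + path, u.path or "/"
        return url_path.startswith(src_path) if src_path.endswith("/") else url_path == src_path
    return True


def frame_src_allows(policy, iframe_src, page=PAGE_ORIGIN):
    """Return (allowed, reason) for an <iframe src=...> under `policy`.

    An empty or missing src loads about:blank.  Nothing is fetched, so browsers never run
    the frame-src check for it; the frame shows whatever the parent document's own scripts
    write into it, and those scripts are governed by the parent's script-src, not frame-src.
    """
    src = (iframe_src or "").strip().lower()
    if src in ("", "about:blank"):
        return True, "about:blank: nothing fetched, frame-src not consulted"
    directives = parse_directives(policy)
    sources = None
    for name in ("frame-src", "child-src", "default-src"):   # CSP3 fallback order
        if name in directives:
            sources = directives[name]
            break
    if sources is None:
        return True, "no frame-src, child-src or default-src: unrestricted"
    for expr in sources:
        if source_matches(expr, iframe_src, page):
            return True, "matched " + expr
    return False, "no source expression matched"
```

Run stand-alone it needs no network; the reason string says which source expression matched, or that the frame was about:blank and so was never checked. Note that `*.facebook.com` does not cover facebook.com itself and `www.youtube.com` does not cover m.youtube.com or a plain http:// embed on an https page.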

python: how to log in to a rest API with flask security through requests

I have disabled CSRF but cannot log in to a REST API that uses Flask-Security with role-based authorization from a local front-end server. I do log in, but I believe the cookies are not stored in the request, so I still get the login page on the front-end server. This is the code I am using:

    from flask import request
    import requests

    # form fields are indexed, not called: request.form('username') raises TypeError
    payload = {'username': request.form['username'], 'password': request.form['password']}
    with requests.Session() as s:
        r = s.post('http://localhost:5002/login', data=payload)
        print(s.cookies)  # the session cookie set by Flask-Security, if the login succeeded
        if r.ok:
            # the Session already sends its own cookie jar; cookies=s.cookies is redundant
            r2 = s.get('http://localhost:5002/protected')

Is there a way to keep the session on the connected front-end client so that it can show protected content?
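To see what a cookie jar does across the login POST and the protected GET, here is an added example (not the post's code and not Flask-Security's): a stand-in server constructed to answer the way a form login does, a 302 with Set-Cookie on success and the login form again with 200 on failure, and a client using the standard library's cookie jar, which behaves like requests.Session for this purpose. Credentials, cookie value and form are made up.

```python
"""Does a client-side session survive from POST /login to GET /protected?

Added example, not the post's code or Flask-Security's.  The server below is constructed to
mimic only the shape of a form login (success: 302 + Set-Cookie; failure: the form again with
200) so the client logic runs offline; the credentials and cookie value are made up.  Standard
library only, but urllib's cookie jar behaves like requests.Session's for this purpose.
"""
import threading
from http.cookiejar import CookieJar
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode
from urllib.request import HTTPCookieProcessor, Request, build_opener

USERS = {"alice": "correct horse"}            # constructed credentials
SESSION_VALUE = "constructed-session-value"   # stands in for Flask's signed session cookie
LOGIN_FORM = b"<form method=post action=/login>username/password</form>"


class FakeLoginServer(BaseHTTPRequestHandler):
    def log_message(self, *args):             # silence request logging
        pass

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0))).decode()
        form = {k: v[0] for k, v in parse_qs(body).items()}
        if self.path == "/login" and USERS.get(form.get("username")) == form.get("password"):
            self.send_response(302)                      # success: redirect to "next"
            self.send_header("Location", "/protected")
            self.send_header("Set-Cookie", f"session={SESSION_VALUE}; HttpOnly; Path=/")
            self.end_headers()
        else:
            self.send_response(200)                      # failure: render the form again
            self.send_header("Content-Type", "text/html")
            self.end_headers()
            self.wfile.write(LOGIN_FORM)

    def do_GET(self):
        cookie = self.headers.get("Cookie", "")
        if self.path == "/protected" and f"session={SESSION_VALUE}" in cookie:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"secret")
        elif self.path == "/protected":
            self.send_response(302)                      # not logged in: bounce to the form
            self.send_header("Location", "/login")
            self.end_headers()
        else:
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.end_headers()
            self.wfile.write(LOGIN_FORM)


def start_server():
    srv = HTTPServer(("127.0.0.1", 0), FakeLoginServer)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def login(base, username, password):
    """Return (logged_in, opener, final_status).

    The jar attached to the opener stores Set-Cookie from every response, including the 302,
    and sends it on every later request.  Success is judged by the session cookie landing in
    the jar, not by the status: redirects are followed, so both outcomes end in HTTP 200.
    """
    jar = CookieJar()
    opener = build_opener(HTTPCookieProcessor(jar))
    data = urlencode({"username": username, "password": password}).encode()
    with opener.open(Request(base + "/login", data=data)) as resp:
        status = resp.status
    return any(c.name == "session" for c in jar), opener, status


def fetch_protected(base, opener):
    """Body of /protected as seen through the opener's cookie jar."""
    with opener.open(base + "/protected") as resp:
        return resp.read().decode()


if __name__ == "__main__":
    srv, base = start_server()
    ok, opener, status = login(base, "alice", "correct horse")
    print("logged in:", ok, "status:", status, "protected:", fetch_protected(base, opener))
    bad, opener, status = login(base, "alice", "wrong")
    print("logged in:", bad, "status:", status, "protected:", fetch_protected(base, opener))
    srv.shutdown()
```

The point to take from it: because redirects are followed, a failed and a successful form login both end in an HTTP 200, so `r.ok` says nothing about whether you are logged in. Check that the session cookie actually arrived in the jar before requesting protected pages, and if it did not, the credentials or field names the login endpoint expects are the first thing to compare against the form the server renders.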

security certificate: intermittent problem when establishing a secure HTTPS connection to my site

Your DNS has two IP addresses for your site. Only one of the two has a server with its security certificate configured correctly.

Having two A records for the same host name is known as DNS "round robin". Clients will connect to one or the other at random. Some modern browsers will try both to see which one works, so you may not see the problem in some browsers.

$ dig healthprovement.com
healthprovement.com.    7069    IN  A   108.179.232.43
healthprovement.com.    7069    IN  A   148.105.251.16

The server at 108.179.232.43 is working:

$ curl --head --resolve 'healthprovement.com:443:108.179.232.43' https://healthprovement.com/
HTTP/2 200 

But 148.105.251.16 is not:

$ curl --head --resolve 'healthprovement.com:443:148.105.251.16' https://healthprovement.com/
curl: (35) error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error

To solve this problem, you must either remove the DNS A record pointing to 148.105.251.16 or fix that server so that it handles HTTPS requests correctly.
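The same per-address check, as an added example rather than the answer's own commands: a Python script that resolves every A record of a host and attempts a verified TLS handshake against each address with the host name in SNI, which is what `curl --resolve` does above. SAMPLE_DIG_OUTPUT is the dig output quoted in the answer and the default host name is the one from the answer; everything else is this example's own.

```python
"""Probe every A record of a host for a working TLS handshake.

Added example, not the answer's own commands: it does in Python what the two curl --resolve
runs above do by hand, so that a host with several A records is checked on each address.
The host name is taken from the answer; SAMPLE_DIG_OUTPUT is the dig answer quoted there.
"""
import re
import socket
import ssl

SAMPLE_DIG_OUTPUT = """\
healthprovement.com.    7069    IN  A   108.179.232.43
healthprovement.com.    7069    IN  A   148.105.251.16
"""
DIG_A_LINE = re.compile(r"^\s*\S+\s+\d+\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$", re.M)


def parse_dig_a_records(text):
    """IPv4 addresses from A records in dig's answer section (CNAME and other lines ignored)."""
    return DIG_A_LINE.findall(text)


def resolve_a(host):
    """All IPv4 addresses the local resolver returns for host, in order, without duplicates."""
    addrs = []
    for *_, sockaddr in socket.getaddrinfo(host, 443, socket.AF_INET, socket.SOCK_STREAM):
        if sockaddr[0] not in addrs:
            addrs.append(sockaddr[0])
    return addrs


def describe_failure(exc):
    """Name the layer that failed; the comments give the curl exit code for the same failure."""
    if isinstance(exc, ssl.SSLCertVerificationError):                 # curl: 60
        return "certificate rejected: " + (getattr(exc, "verify_message", None) or str(exc))
    if isinstance(exc, ssl.SSLError):                                  # curl: 35 (as above)
        return "TLS handshake failed: " + (getattr(exc, "reason", None) or str(exc))
    if isinstance(exc, (socket.timeout, TimeoutError)):                # curl: 28
        return "timeout"
    if isinstance(exc, OSError):                                       # curl: 7
        return "connect failed: " + (exc.strerror or str(exc))
    return "unexpected: " + repr(exc)


def probe_tls(host, ip, port=443, timeout=5.0):
    """Connect to ip, send host in SNI and verify the certificate against host, which is what
    `curl --resolve host:443:ip https://host/` does.  Returns (ok, detail)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
                return True, f"{tls.version()} ok, certificate for {subject.get('commonName')}"
    except Exception as exc:
        return False, describe_failure(exc)


def check_host(host):
    """{ip: (ok, detail)} for every A record; any False entry is an address to fix or remove."""
    return {ip: probe_tls(host, ip) for ip in resolve_a(host)}


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "healthprovement.com"
    for ip, (ok, detail) in check_host(host).items():
        print(f"{ip:16} {'OK  ' if ok else 'FAIL'} {detail}")
```

Run it as `python3 check_tls.py healthprovement.com`; the FAIL lines are the addresses to fix or remove from DNS. Resolving through getaddrinfo and testing every address matters here: a browser that failed may have picked the one address a single manual curl never touched.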

private key: a security need for Bitcoin to fork into a quantum resistant algorithm in a few years?

In just a few years, I think there will be quantum computers that break asymmetric ciphers, and Bitcoin is based on asymmetric ones like public-key cryptography, right? Symmetric algorithms are supposed to be safe.

The question is for the experts here:

1) What components of the bitcoin blockchain would be exposed to quantum attacks?

2) Are these components relevant to the complete functionality of the blockchain if they "break", or is it simply a minor nuisance without a significant negative impact?

3) What are Bitcoin (Core) developers brainstorming now; what could be feasible methods to make these components more resistant against quantum attacks?

Thanks for the ideas

jwt symmetric signature security risks (client side)

I am currently implementing an iOS application that integrates with a backend system hosted in the Azure .NET cloud.

The API logon endpoint takes user/pass and replies with a signed HS256 JWT. All subsequent calls to the endpoint require a Bearer authorization header, and the endpoint supports renewal of this token as long as it has not expired, so it can apparently be renewed indefinitely (which in itself is not great). The server side seems to validate the signature of this token on each request.

In the past, having used only RSA-signed tokens, we always shared the public key with clients so they could verify the token's signature. However, since this API only supports HS256, this is not possible.

What security risks would a client incur if it does not verify the signature on the client side?
An obvious one is access to cached data within the screens. But would there be more serious ones?
Thanks in advance.
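What "sharing the key" would mean with HS256 can be shown directly. The following is an added example, not the post's API or any JWT library: a minimal HS256 signer and verifier, what a client can read without the key, and what a client could do if it had the key. The secret, claims and role names are constructed.

```python
"""HS256 tokens: why the key that verifies them cannot be handed to a client.

Added example, not the post's API: the secret, claims and role values are constructed, and the
functions stand in for the backend's signer and for what a client can do with or without the key.
"""
import base64
import hashlib
import hmac
import json
import time

SERVER_SECRET = b"constructed-server-secret-never-shipped-to-clients"


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """What the backend does at logon: header.payload signed with HMAC-SHA256 under the key."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(mac)}"


def verify_hs256(token: str, key: bytes, now=None) -> dict:
    """Claims if the signature and exp hold, else ValueError.  The algorithm is pinned: a header
    claiming alg=none or an RSA alg is rejected before the key is used for anything."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if "exp" in claims and (time.time() if now is None else now) >= claims["exp"]:
        raise ValueError("expired")
    return claims


def verifies(token: str, key: bytes, now=None) -> bool:
    """Boolean form of verify_hs256 for callers that only need accept/reject."""
    try:
        verify_hs256(token, key, now)
        return True
    except ValueError:
        return False


def unverified_claims(token: str) -> dict:
    """All a client without the key can do: read the payload.  It is base64, not encryption,
    and nothing here proves who wrote it, so treat the values as hints for the UI only."""
    return json.loads(b64url_decode(token.split(".")[1]))


def forge_with_shared_key(token: str, key: bytes) -> str:
    """The risk of 'sharing the key so the client can verify': with HS256 the verification key
    is the signing key, so a client (or anyone who extracts it from the app) can mint tokens."""
    claims = unverified_claims(token)
    claims["role"] = "admin"
    return sign_hs256(claims, key)
```

The difference from the RSA case: an RSA public key only verifies, while with HS256 the only key that verifies is the one that signs, so a client holding it could mint any claims it likes and the backend would accept them. A client without the key can still read the payload for display, but it cannot tell a genuine token from a substituted or edited one, so it must not make authorization or identity decisions from those claims; the server's check on every request is the only one that counts. The verifier also pins `alg` to HS256, so a token whose header says none or RS256 is rejected outright.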

Website design: should the password security meter and password guide be used together?

I have seen many registration forms, but none implemented the password security meter and the password guide together.
Currently the password validation is that it must be a minimum of 8 characters with 1 special character, 1 uppercase and 1 lowercase.

So, should I show both the meter and the guide in the user interface when choosing any of them?

Security check of the visitor who visits my website d7?

I have a requirement: if a visitor is using my website from behind a particular firewall, then I need to redirect them to a particular page. If they are not using that firewall, it has no effect on them. Is there any module in D7 to achieve this?

confidentiality: why define the security CIA in this way?

As we know, CIA in security means:

Confidentiality
Integrity
Availability

I don't understand why Integrity and Availability are defined:

  1. If we ensure the confidentiality of the plaintext, the integrity is that plaintext; this is the basic one, so why gild the lily?
  2. If you have defined Integrity, the decrypted plaintext must be usable, so Availability is gilding the lily too.
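On the first point, whether confidentiality already gives integrity, here is an added example (not from the post): a stream-cipher style encryption that keeps the message secret yet lets someone without the key rewrite the decrypted text, and an encrypt-then-MAC wrapper that detects the change. The keystream is a toy built from HMAC-SHA256 in counter mode, chosen because it has the same XOR malleability as real stream and CTR modes; key, nonce and message are constructed.

```python
"""Confidentiality without integrity: a stream cipher keeps the message secret, yet an attacker
can change the decrypted text; a MAC is what detects it.

Added example, not from the post.  The keystream is a toy (HMAC-SHA256 in counter mode) that
shares the malleability of real stream and CTR modes; it is here to show the property, not to
be used as a cipher.  Key, nonce and message are constructed.
"""
import hashlib
import hmac

TAG_LEN = 32   # HMAC-SHA256 output


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for counter in range(-(-length // 32)):          # ceil(length / 32) blocks
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return out[:length]


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Confidentiality only: XOR with the keystream.  XOR is its own inverse, so decrypt == encrypt."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))


decrypt = encrypt


def tamper(ciphertext: bytes, offset: int, known: bytes, wanted: bytes) -> bytes:
    """Attacker without the key: if the plaintext at `offset` is known to be `known`, flipping the
    same bits in the ciphertext makes it decrypt to `wanted`.  Works on any XOR-based mode."""
    out = bytearray(ciphertext)
    for i, (k, w) in enumerate(zip(known, wanted)):
        out[offset + i] ^= k ^ w
    return bytes(out)


def seal(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Confidentiality and integrity: encrypt, then MAC nonce and ciphertext under a separate key."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    ct = encrypt(enc_key, nonce, plaintext)
    return ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def open_sealed(key: bytes, nonce: bytes, blob: bytes):
    """Plaintext, or None when the tag does not match (integrity is checked before decrypting)."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return decrypt(enc_key, nonce, ct)


if __name__ == "__main__":
    key, nonce = b"k" * 32, b"n" * 12                        # constructed
    msg = b"PAY 0100 TO BOB"
    ct = encrypt(key, nonce, msg)
    print(decrypt(key, nonce, tamper(ct, 4, b"0100", b"9900")))   # attacker-chosen, decrypts cleanly
    print(open_sealed(key, nonce, tamper(seal(key, nonce, msg), 4, b"0100", b"9900")))  # None
```

Decryption of the tampered ciphertext succeeds and yields well-formed plaintext, which is why integrity is a separate property: nothing in confidentiality tells the recipient that the message is the one that was sent. Availability is different again (the sealed message can be perfectly intact and still be unreachable) and is not covered by the example.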

career – Question about jobs related to Datacenter Security / Cloud Security

First post here!

I had a question about pursuing a career related to Datacenter Security (an Iron Mountain-type company or a Data Integrity-type company) or Cloud Security where I am not tied to a desk. I have a big problem being in an environment where I can't be constantly on the move. I was looking at DLP or anything related to surveillance, but I can't seem to pin down the exact job. Does anyone have an idea of the job that would be best for me?

TL;DR

Looking for a job where my network security / infosec skills can be applied to the installation and securing of physical and logical systems, without simply being tied to a desk.

Thanks in advance!

Maybe someone here knows which endpoint security platform is worth using?

Hi, maybe someone here knows which endpoint security platform is worth using?