Do best practices eliminate the need for a CSRF token when writing an API server?

I realize that OWASP recommends CSRF tokens but I rarely see them used with public standalone HTTP APIs. This would seem to indicate that they’re not always necessary.

To make this a little more concrete, I would envision the following scenario:

  • The API server serves a limited number of frontends with an explicit CORS whitelist.

  • HTTP method semantics are followed religiously (no writes in GET).

  • All routes require authentication.

  • All POST routes require a request body[1].

  • All routes that take a request body require a JSON content-type header.

  • Cookies are httpOnly but not sameSite.

Based on my understanding of SOP, setting a JSON content-type header on requests should trigger a preflight request, which would fail for untrusted origins. If all POST routes require a JSON content-type header, that should then mean they’ll always fail the preflight, leaving only GET requests.

So this would not mitigate CSRF attacks against GET routes, but as these can’t be used for exfiltration (SOP prevents the response from being read) and the GET routes should not cause any data modification, guarding these requests with CSRF tokens would not appear to make a practical difference.

Given how viciously some people defend CSRF tokens, I can’t shake the feeling I’m overlooking an obvious problem here. I realize redundant protections may be valuable in their own right, but what I’m trying to understand is whether in the scenario described the CSRF token would really be redundant or not.


[1]: I realise this might be a practical limitation of this approach, as in some real-world APIs there are legitimate POST routes that don’t take a request body, or there may be routes that need to take a content-type like form-data that won’t trigger a preflight.
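The following is an added example, not code from the original post. It models the scenario described above as a small simulation: a browser-side classifier that applies the Fetch specification's rules for requests that are sent without a CORS preflight (safelisted methods and headers, and the three content types for which Content-Type stays safelisted), and a server side with an explicit origin allowlist, cookie authentication on every route, and POST routes that require a body with a JSON content type. The origins, route paths, cookie value and sample requests are constructed for illustration, and the cookie is treated exactly as the post states it (HttpOnly, no SameSite attribute, so the browser attaches it cross-site).

```javascript
// Added example, not code from the original post. Models which cross-site
// requests reach the API handler in the poster's scenario and which are
// stopped by a CORS preflight. Origins, routes and the cookie value are
// constructed for illustration.

const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_HEADERS = new Set([
  "accept", "accept-language", "content-language", "content-type",
]);
// Content-Type only stays safelisted for these three media types.
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// Case-insensitive header lookup; returns undefined when the header is absent.
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// Media type "essence": type/subtype, lowercased, parameters stripped.
// Comparing the essence exactly (rather than searching for a substring)
// is what keeps the server-side content-type check strict.
function mediaTypeEssence(value) {
  return String(value).split(";")[0].trim().toLowerCase();
}

// True when a browser must send an OPTIONS preflight before this request.
function needsPreflight(req) {
  if (!SAFELISTED_METHODS.has(req.method)) return true;
  for (const [name, value] of Object.entries(req.headers)) {
    const lower = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lower)) return true;
    if (lower === "content-type" && !SAFELISTED_CONTENT_TYPES.has(mediaTypeEssence(value))) {
      return true;
    }
  }
  return false;
}

// --- server side of the scenario -------------------------------------------
const ALLOWED_ORIGINS = new Set(["https://app.example"]); // hypothetical frontend
const SESSION_COOKIE = "session=s3cr3t";                  // constructed sample

// Preflight handler: only allowlisted origins get a 204 with CORS headers.
function handlePreflight(origin) {
  return ALLOWED_ORIGINS.has(origin) ? 204 : 403;
}

// Route handler: cookie auth on every route; POST needs a body and a JSON content type.
function handleRoute(req) {
  if (getHeader(req.headers, "cookie") !== SESSION_COOKIE) return 401;
  if (req.method === "POST") {
    if (!req.body) return 400;
    const ct = getHeader(req.headers, "content-type");
    if (ct === undefined || mediaTypeEssence(ct) !== "application/json") return 415;
  }
  return 200;
}

// Simulate a request issued by a page on `origin`, which is not on the allowlist.
function simulateCrossSite(origin, req) {
  const preflighted = needsPreflight(req);
  if (preflighted && handlePreflight(origin) !== 204) {
    // The browser never sends the actual request.
    return { preflighted, reachedHandler: false, status: null, responseReadable: false };
  }
  // The cookie has no SameSite attribute, so the browser attaches it cross-site.
  const sent = { ...req, headers: { ...req.headers, Cookie: SESSION_COOKIE, Origin: origin } };
  const status = handleRoute(sent);
  // Without an Access-Control-Allow-Origin for this origin, SOP hides the response body.
  return { preflighted, reachedHandler: true, status, responseReadable: ALLOWED_ORIGINS.has(origin) };
}

// Constructed sample requests from an origin that is not on the allowlist.
const OTHER_ORIGIN = "https://other.example";
const SAMPLES = {
  jsonPost:  { method: "POST",   path: "/api/items",   headers: { "Content-Type": "application/json" }, body: '{"x":1}' },
  plainPost: { method: "POST",   path: "/api/items",   headers: { "Content-Type": "text/plain" },       body: '{"x":1}' },
  formPost:  { method: "POST",   path: "/api/items",   headers: { "Content-Type": "application/x-www-form-urlencoded" }, body: "x=1" },
  emptyPost: { method: "POST",   path: "/api/items",   headers: {}, body: "" },
  get:       { method: "GET",    path: "/api/items",   headers: {}, body: "" },
  del:       { method: "DELETE", path: "/api/items/1", headers: {}, body: "" },
};

// Evaluate every sample and return the outcomes keyed by sample name.
function evaluateAll() {
  const out = {};
  for (const [name, req] of Object.entries(SAMPLES)) out[name] = simulateCrossSite(OTHER_ORIGIN, req);
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(evaluateAll());
}
```

Running it with node prints one row per sample. Every POST from the other origin is stopped, either by the preflight (JSON content type, or a non-safelisted method such as DELETE) or by the route's own checks (text/plain and form-encoded bodies get a 415, an empty POST a 400), which is exactly why the content-type check has to compare the parsed media type rather than look for a substring. The GET, however, reaches the handler with the session cookie attached and only the response body is hidden, so the scheme holds only as long as GET routes really have no side effects. The model follows the post in sending the cookie cross-site; a browser that defaults cookies to SameSite=Lax would withhold it on these cross-site POSTs and on cross-site fetch or image GETs, but would still send it on a top-level GET navigation.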

best way to handle subscriptions with a licence?

I have a product with 3 packs:

  • 14-day trial (user should not have to enter PayPal details)

  • monthly

  • yearly

We used WooCommerce with “WooCommerce Subscriptions” and “WooCommerce Software License”. And we want to use PayPal.

There was also a problem with recurring payments and PayPal Plus, so let’s assume we use PayPal Standard, which is supported by WooCommerce and WooCommerce Subscriptions.

The problem is the “14-day trial” logic:

  1. If I create a subscription with a 14-day free trial, then it would charge the user after those 14 days because it’s only a delay.

  2. If I set the price to $0, then the user could renew it for $0.

  3. I can create a simple product and only use the licence manager, creating a licence which expires after 14 days. But then the user will not be able to renew it. He would have to go to the page again and order the correct subscription.

Does anyone have some experience with subscriptions, free trials and licences?

What is the best way to host a site with many images without it being too slow?

I have a friend that wants me to help them with their WordPress website that has about 150 images for their gallery. Their site is quite slow even after I optimized the images using the ImageOptim app. They are using SiteGround as their web host provider, but they are only using the StartUp package because it is the most affordable. I know that the site is slow to load because of the images, but not sure what the best approach is to try and speed it up without paying for a more expensive hosting package.

I am thinking that perhaps the best way to go about doing this would be to have them just put their images on Google Images and use that as their gallery instead, or maybe an Instagram feed like Smash Balloon.

What would you all suggest?

Thanks

Best SSD Shared Web Hosting Services -Hostpoco.com

Hostpoco.com is one of the most reliable, cheap, affordable and quality web hosting service providers in the market. Hostpoco’s servers are powered by solid-state drives (SSD), which are up to 100 times faster than regular hard disk drives, to ensure maximum performance, stability and reliability. We offer cPanel with a CloudLinux system, which improves the overall stability of a shared hosting environment and increases server density by 100%. Hostpoco ensures the best high-quality web hosting for our customers at a cheap price. We are currently offering locations in Canada, USA, UK and France. Our main priority is to provide our customers with secure & private hosting services at an affordable price to fulfill all their hosting needs.

Some of our features, like free web hosting, unlimited HDD hosting, cheap and low-cost SSD hosting, unlimited resources, a 30-day money-back guarantee, private nameservers, free shared SSL, free setup and an unconditional free migration service, make us special compared to others. We are also offering cheaper unlimited Linux reseller hosting services than the others, and no one is offering much cheaper rates than us. Think and sign up today for the best quality web hosting services:

Features :

* 30 Day Unconditional Money-Back Guarantee
* 99.9% Uptime Guarantee
* Unlimited Space
* Unlimited Bandwidth
* Free Website Migration Service
* Softaculous Script Installer (Auto-Install: Joomla, PhpBB, WordPress, Coppermine and More!)
* Unlimited Script Installs
* Anonymous Unbranded Nameservers FREE!
* Private Nameserver Registration (NS1.yourdomain.com/ NS2.yourdomain.com)
* Free SSL for each domain
* Attracta SEO tool
* Bandwidth on Gigabit Port
* 24x7x365 Technical support
* WordPress Support Hosting
* Instant Setup
* No Hidden Charges
* Easy Refund Policy
* Unlimited DB Space
* Easy Upgrades Available
* And Much More…..

Hostpoco.com : cheap host $1, hosting offers, web hosting offers, reseller hosting offers, instant Cpanel hosting, cheap hosting, hosting, Cpanel host, WordPress host, cheap web host, budget WordPress hosting, unlimited Cpanel hosting, unlimited DB hosting, unlimited MySQL, unlimited databases, web hosting, hosting, web hosting, Linux shared hosting, half dollar hosting, one dollar hosting, $1 hosting, $1 web hosting, $1 unlimited hosting, reliable web hosting, affordable web hosting, latest PHP hosting, free SSL hosting, money back hosting, cheap dedicated servers, low cost dedicated servers, priority hosting support, 24×7 support, best support hosting, dollar1host, dollar 1 host, dollar host, 1 dollar host, 1 dollar hosting, 1 dollar web, web hosting $1, cheap hosting solutions, cheap VPS hosting, cheap SSL cert, free domain hosting.

https://hostpoco.com/

Thank you.

How to get the best resolution of image from srcset

I have an image code with srcset and sizes like this:

    <img src="/uploads/2012/12/Multitronics-TC-750-300x175.jpg"  class="attachment-medium size-medium wp-post-image lazyloaded"  alt="Multitronics TC 750"  srcset="/uploads/2012/12/Multitronics-TC-750-300x175.jpg 300w, /uploads/2012/12/Multitronics-TC-750-513x265.jpg 513w, /uploads/2012/12/Multitronics-TC-750.jpg 1260w"  sizes="(max-width: 300px) 100vw, 300px"> 

How do I get the maximum image size (like Multitronics-TC-750.jpg 1260w) using a function? For example wp_calculate_image_srcset()?
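As an added example, not from the original post and not WordPress's wp_calculate_image_srcset(), here is plain JavaScript that reads the srcset attribute out of an img tag string, parses its candidates (width descriptors such as 1260w, or pixel-density descriptors such as 2x), and returns the largest one, falling back to src when there is no srcset. The tag used as sample input is the one quoted in the question; the helper names are my own.

```javascript
// Added example (not from the original post): pick the largest candidate out
// of an <img> tag's srcset. Plain JavaScript over the markup string; this is
// not WordPress's wp_calculate_image_srcset(). IMG_TAG is the tag quoted in
// the question.

const IMG_TAG = '<img src="/uploads/2012/12/Multitronics-TC-750-300x175.jpg"  class="attachment-medium size-medium wp-post-image lazyloaded"  alt="Multitronics TC 750"  srcset="/uploads/2012/12/Multitronics-TC-750-300x175.jpg 300w, /uploads/2012/12/Multitronics-TC-750-513x265.jpg 513w, /uploads/2012/12/Multitronics-TC-750.jpg 1260w"  sizes="(max-width: 300px) 100vw, 300px">';

// Read one attribute value (double- or single-quoted) from a tag string.
// The leading whitespace in the pattern keeps "src" from matching inside "srcset".
function getAttribute(tag, name) {
  const re = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)')`, "i");
  const m = tag.match(re);
  if (!m) return null;
  return m[1] !== undefined ? m[1] : m[2];
}

// Parse a srcset value into { url, width, density } candidates.
// Candidates are comma-separated; each is "URL [descriptor]" where the
// descriptor is Nw (width in CSS pixels) or Nx (pixel density), defaulting
// to 1x. URLs that themselves contain a comma need the full HTML-spec
// algorithm, not this simple split.
function parseSrcset(srcset) {
  return srcset
    .split(",")
    .map((s) => s.trim())
    .filter(Boolean)
    .map((candidate) => {
      const [url, descriptor = "1x"] = candidate.split(/\s+/);
      const m = descriptor.match(/^(\d+(?:\.\d+)?)([wx])$/);
      if (!m) throw new Error(`bad srcset descriptor: ${descriptor}`);
      return m[2] === "w"
        ? { url, width: Number(m[1]), density: null }
        : { url, width: null, density: Number(m[1]) };
    });
}

// Largest candidate: highest width descriptor (or highest density when the
// srcset uses x descriptors); falls back to src when there is no srcset.
function largestImage(tag) {
  const srcset = getAttribute(tag, "srcset");
  if (!srcset) return { url: getAttribute(tag, "src"), width: null, density: null };
  const size = (c) => (c.width !== null ? c.width : c.density);
  return parseSrcset(srcset).reduce((best, c) => (size(c) > size(best) ? c : best));
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(largestImage(IMG_TAG));
}
```

Run with node and it prints the 1260w candidate for the tag in the question. If you only have the live DOM rather than the markup string, `img.srcset` gives you the same attribute value to hand to parseSrcset.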

Best practices or advice to convince IT admins not to map network drives in privileged sessions with users

We are currently trying to enhance the security posture of our company, and this means changing how some IT personnel work.

Precisely, our IT helpdesk now has 2 separate accounts: 1 for normal day-to-day usage (mail, internet, etc.), and 1 for administrative tasks. The latter is a privileged account having several rights on the AD and some servers.

The way they work is not very secure when it comes to supporting the users: they use their privileged account to log in to the user’s workstation and perform tasks where admin rights are needed.

But my question is more accurately related to network drives being mapped in their privileged account’s profile. They insisted on using the same logon script as with their standard account.

Do you have any recommendations, references to guidelines and/or best practices in such a case? I’d like to present them with some resources to convince them it’s not secure to have network drives mapped in this profile.

I tried to explain to them that if they log in to a ‘contaminated’ workstation, their privileges might spread the infection to the network… But they did not understand and argued they need to access some files on the network while assisting the users. They don’t want to waste time typing UNC paths, etc.

Super Deal With Best Featured One Dollar Hosting! - [Hostpoco.com]

Friends, we all know that hosting is important for each website, but is the plan pricing ideal and comparatively suitable for your exact use? Because there are still people who are paying quite the specified monthly billing payments, as they never tried to find out or never tried to compare other hosting providers’ plans. There is always a huge difference between the charges of old traditional web hosting providers and newly started ones, but the thing is clients should try newcomers. We agree that the hosting amount depends on its specifications, but we at Hostpoco.com offer you equivalent features at a really low price, and we guarantee that our renewal amount will remain the same throughout life.

Hostpoco.com is a website hosting business enterprise launched for a brand new generation. We have designed our plans in such a manner that they are perfectly appropriate for beginners and experts, so that you can manage your website hosting renewal charges and save your own money.

Hosting Characteristics Of Hostpoco.com:
– Unlimited Space
– Unlimited Bandwidth
– Softaculous Script Library
– No Hidden Costs
– Customised Hosting Plans
– Easy Upgrades Available
– Auto SSL Available
– Dedicated IP $6/Year
– 24 x 7 Live Chat Support
– Multi DC Locations

Hostpoco : Hugely Demanded Low Cost Hosting >> Sign up Today

https://hostpoco.com/

Thank you.